Driving Threat Intelligence the Right Way

Intelligence requirements should ideally steer a CTI team, yet analysts can easily be led astray.


A cyber threat intelligence (CTI) function should ideally map its intelligence products to its stakeholders’ intelligence requirements and to the organisation’s threat profile. This sounds incredibly straightforward, yet it is often not followed in practice.

This is because there are plenty of distractions and other factors driving a CTI team’s outputs instead. This blog outlines some common pitfalls to help CTI leaders identify distractions as they start to creep in.

Product-Driven Threat Intelligence

Product-driven intelligence is produced out of habit rather than stakeholder need. These are intelligence reports developed regularly, yet rarely consumed in an actionable way. The only explanation for developing these products is that they have always been developed.

Product-driven intelligence can often arise with standing reports, such as a weekly intelligence summary or monthly industry report. Here, a CTI function can easily get into a rhythm without soliciting feedback or measuring how intelligence products are actually being utilised.

This pitfall can also occur when the format of an intelligence product is misaligned with stakeholder workflows. For example, a tactical intelligence report delivered via a daily email to a team that largely avoids communicating via email. The wrong format can dramatically increase the friction of actioning CTI reports, making it essential to capture these details as intelligence requirements are formulated and refined.

Analyst-Driven Threat Intelligence

Analyst-driven intelligence is driven primarily by the interests and concerns of CTI analysts. Threat intelligence analysts are a passionate bunch and there are certain topics that get the CTI community highly engaged.

Analyst-driven intelligence ultimately reflects the biases and backgrounds of CTI analysts. Technical analysts might incessantly analyse novel attack techniques, even if they are highly targeted and unlikely to impact their specific organisation. Conversely, analysts with previous experience in the military or a government intelligence agency might place a disproportionately high level of attention on nascent geopolitical trends.

This was apparent after the Iranian general Qasem Soleimani was assassinated. The incident led to reasonable and valid concerns that cyber operations could be part of the Iranian government’s retaliation. However, the issue received a disproportionate amount of attention across many sectors and regions unlikely to be impacted. In-depth reporting on the topic might be justified for a US government department or defence contractor. Conversely, a Spanish telecommunications firm or a German retailer would only require more concise analysis.

CTI analysts should therefore always adjust their focus to remain aligned to their organisation’s threat profile. This ensures CTI reports address threats that matter, rather than just those that are particularly interesting.

Event-Driven Intelligence

Event-driven intelligence is highly reactive, with ad hoc reports developed based on headlines. Focus is often placed on the breaking news itself, rather than its impact and relevance to an organisation’s security posture.

When managed incorrectly, breaking news can introduce panic and distraction into a security function, for instance by drawing attention to vulnerabilities that are not present on an organisation’s network, or through frequent reporting on threat actors that are not known to target an organisation’s sector or region.

Breaking news can and should be analysed in a structured way, i.e. assessed in relation to existing intelligence requirements and the organisation’s threat profile.
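The structured assessment described above can be made repeatable. The following is an added example, not code from the original post or its author: a small triage routine that scores an incoming news item against an organisation's threat profile (deployed products from the asset inventory, sector, region) and its standing intelligence requirements, then recommends a reporting depth. The organisations, news items, product names, tags and scoring weights are all constructed for illustration; the two profiles echo the earlier contrast between a US defence contractor and a Spanish telecommunications firm, and the vulnerability item shows the "not present on our network" case.

```python
"""Relevance triage of breaking news against a threat profile and standing requirements.

Added illustration; all organisations, products, tags and weights are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatProfile:
    sector: str
    region: str
    deployed_products: frozenset = field(default_factory=frozenset)  # from asset inventory
    requirements: frozenset = field(default_factory=frozenset)       # tags of standing intelligence requirements


@dataclass(frozen=True)
class NewsItem:
    headline: str
    affected_products: frozenset = field(default_factory=frozenset)  # products named in a vulnerability story
    targeted_sectors: frozenset = field(default_factory=frozenset)   # sectors the reported actor is known to target
    targeted_regions: frozenset = field(default_factory=frozenset)   # regions the reported actor is known to target
    tags: frozenset = field(default_factory=frozenset)               # topic tags applied by the analyst


def triage(item: NewsItem, profile: ThreatProfile) -> dict:
    """Score a news item for one organisation and map the score to a reporting depth.

    Weights (constructed): deployed product affected +4, sector match +2,
    region match +2, each matched standing requirement +1.
    """
    score = 0
    reasons = []

    hits = item.affected_products & profile.deployed_products
    if hits:
        score += 4
        reasons.append(f"affects deployed products: {sorted(hits)}")
    elif item.affected_products:
        reasons.append("affected products are not in the asset inventory")

    if profile.sector in item.targeted_sectors:
        score += 2
        reasons.append(f"actor known to target sector '{profile.sector}'")
    if profile.region in item.targeted_regions:
        score += 2
        reasons.append(f"actor known to target region '{profile.region}'")

    matched = item.tags & profile.requirements
    if matched:
        score += len(matched)
        reasons.append(f"matches standing requirements: {sorted(matched)}")

    # Depth tiers: in-depth report, concise note, or just log it and move on.
    if score >= 4:
        depth = "in-depth report"
    elif score >= 1:
        depth = "concise note"
    else:
        depth = "log only"

    return {"headline": item.headline, "score": score, "depth": depth, "reasons": reasons}


# Constructed threat profiles.
DEFENCE_CONTRACTOR = ThreatProfile(
    sector="defence", region="US",
    deployed_products=frozenset({"vpn-appliance-x"}),
    requirements=frozenset({"iran-retaliation", "state-espionage"}),
)
SPANISH_TELCO = ThreatProfile(
    sector="telecommunications", region="ES",
    deployed_products=frozenset({"core-router-y"}),
    requirements=frozenset({"ddos", "sim-swap", "nation-state-activity"}),
)

# Constructed news items.
RETALIATION_NEWS = NewsItem(
    headline="Reports of possible state-backed cyber retaliation",
    targeted_sectors=frozenset({"defence", "government"}),
    targeted_regions=frozenset({"US"}),
    tags=frozenset({"iran-retaliation", "nation-state-activity"}),
)
VULN_NEWS = NewsItem(
    headline="Critical flaw disclosed in vpn-appliance-x",
    affected_products=frozenset({"vpn-appliance-x"}),
    tags=frozenset({"vulnerability"}),
)

if __name__ == "__main__":
    for item in (RETALIATION_NEWS, VULN_NEWS):
        for profile in (DEFENCE_CONTRACTOR, SPANISH_TELCO):
            result = triage(item, profile)
            print(f"{profile.sector}/{profile.region}: {result['depth']} (score {result['score']})")
            for reason in result["reasons"]:
                print(f"  - {reason}")
```

The same headline lands in a different tier for each organisation, which is the point: the triage output is driven by the profile and the requirements, not by how loud the headline is. In practice the weights would be agreed with stakeholders and revisited as requirements are refined.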

Getting the Balance Right

Various factors can distract a CTI team from building products based on their organisation’s intelligence requirements and threat profile. These distractions become even more pronounced within insular CTI teams.

It is therefore essential to maintain active engagement with stakeholders. Gathering effective feedback from stakeholders is one of the most impactful things a CTI team can do, yet it is frequently neglected.

On the other hand, the different forms of distraction outlined above should never be eradicated entirely. We want analysts to be agile in responding to breaking geopolitical developments. If analysts possess expertise in specific areas of interest, a security function should always look to leverage this. Providing intelligence functions and analysts with a healthy level of freedom empowers them to be more proactive.

CTI leaders therefore need to strike an appropriate balance. Multiple factors will influence intelligence products. This should be encouraged, provided they don’t underpin an entire CTI programme.

Intelligence requirements should drive the key outputs of a CTI team, yet should never act as a straitjacket.