Cyber Threat Intelligence (CTI) is the discipline of collecting, filtering, and assessing information about cyber, operational, and physical threats so that an organization can act on it. “Organizations should collect and act on relevant CTI to mitigate the effects of potential attacks and harmful events occurring where and with whom they do business,” says Dayspring Technology Principal Consultant, Ryan Coleman. “This includes physical locations, digital environments, media platforms, markets, clients, vendors, and both regulatory and compliance spaces.”
Cyber Threat Intelligence Overview
CTI is a foundational component of any information security program and is explicitly called for by both the NIST Cybersecurity Framework (ID.RA-2: cyber threat intelligence is received from information sharing forums and sources) and ISO/IEC 27001:2022 (Annex A control 5.7, Threat intelligence). The discipline is commonly divided into three focus areas. Vendors and frameworks do not all draw the lines between them in the same place, so the definitions below are the ones this article uses:
- Operational Threat Intelligence – This actionable information provides details of the motivation and capabilities of cyber threat actors to security and privacy professionals, including their tools, techniques, and behaviors.
- Tactical Threat Intelligence – This actionable information provides technical detail such as known targets of exposure, vulnerabilities, or indicators of compromise (IOCs) that can be checked against your network. Tactical CTI may include knowledge of actively exploited vulnerabilities or breadcrumbs such as known IP addresses, domains, files, executables, or hashes, which enable engineers to identify evidence of compromise by criminal threat actors. Bear in mind that atomic indicators of this kind age quickly: an adversary can change an IP address or recompile a binary cheaply, so tactical feeds must be refreshed continuously and matched against the right fields (destination addresses, requested hostnames, file hashes) to avoid false positives.
- Strategic Threat Intelligence – This actionable information provides governance and risk identification to drive your cybersecurity focus and strategy. Strategic concerns may include cybersecurity targets in a potential new market or physical location, the purchase of new technology, or a SaaS partnership.
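To make the tactical tier concrete, the following added example (not from the article and not Dayspring Technology's code) shows the mechanics of matching a small indicator set against log lines: exact IP and CIDR matches on the destination field, suffix matching on requested hostnames so that subdomains of a listed domain are caught, and case-insensitive SHA-256 comparison on an EDR file event. Every indicator, hostname, address, and log line is constructed for illustration (the addresses use RFC 5737 documentation ranges) and refers to no real campaign; the key=value log format and the `Hit` record are assumptions of the example.

```python
"""Match a constructed tactical-CTI indicator set against constructed log lines."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed indicator set, shaped like what a CTI feed might deliver.
IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},      # documentation ranges, not real hosts
    "cidr": {"192.0.2.0/24"},                      # a whole netblock reported as hostile
    "domain": {"update-check.example", "cdn.example.net"},
    # Constructed 64-hex value; not the hash of any real file.
    "sha256": {"4a5c1d9e0b2f7a6c3d8e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c"},
}

# Constructed log lines: a proxy access log and an EDR file-hash event, key=value style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=www.example.org action=allow",
    "2024-05-01T10:00:02Z proxy src=10.0.0.9 dst=198.51.100.200 host=static.cdn.example.net action=allow",
    "2024-05-01T10:00:03Z proxy src=10.0.0.9 dst=192.0.2.77 host=mirror.example.org action=allow",
    "2024-05-01T10:00:04Z edr host=WS-0042 file=C:\\Users\\a\\dl\\setup.exe "
    "sha256=4A5C1D9E0B2F7A6C3D8E1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2A1B0C",
    "2024-05-01T10:00:05Z proxy src=10.0.0.5 dst=198.18.0.1 host=intranet.example.org action=allow",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    field: str


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NETS = [ipaddress.ip_network(c) for c in IOCS["cidr"]]


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_ip(value: str) -> Optional[Tuple[str, str]]:
    """Exact IPv4 match first, then CIDR membership; non-addresses never match."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if value in IOCS["ipv4"]:
        return ("ipv4", value)
    for net in NETS:
        if addr in net:
            return ("cidr", str(net))
    return None


def match_domain(value: str) -> Optional[Tuple[str, str]]:
    """Match the domain itself or any subdomain; 'notcdn.example.net' must not match."""
    host = value.lower().rstrip(".")
    for d in IOCS["domain"]:
        if host == d or host.endswith("." + d):
            return ("domain", d)
    return None


def match_hash(value: str) -> Optional[Tuple[str, str]]:
    """Hashes are compared case-insensitively; feeds and sensors disagree on case."""
    h = value.lower()
    return ("sha256", h) if h in IOCS["sha256"] else None


# Only these fields are checked: matching 'src' against an IP list would flag
# internal hosts, and matching the EDR 'host' field (a workstation name) makes no sense.
FIELD_MATCHERS = {"dst": match_ip, "host": match_domain, "sha256": match_hash}


def scan(lines) -> list:
    """Return one Hit per (line, field) whose value matches an indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = parse_kv(line)
        for field, matcher in FIELD_MATCHERS.items():
            if field in fields:
                m = matcher(fields[field])
                if m:
                    hits.append(Hit(n, m[0], m[1], field))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.field}={hit.indicator!r} matched {hit.ioc_type} IOC")
```

Running the block reports four hits (lines 1 through 4) and nothing for line 5, whose destination is outside every listed address or block. The scoping of matchers to specific fields is the part worth copying: a naive substring search of each whole line against the indicator list would also "find" the 192.0.2.0/24 block in unrelated text and produce noise the tactical tier is supposed to remove.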
Informally, threat intelligence is likely something most organizations already practice even if they haven’t adopted the name or the acronym. Simple examples of CTI include responding to local police bulletins regarding scams, news articles or third-party product warnings, and FCC notices regarding covered foreign equipment (Huawei, ZTE).
More advanced CTI, especially operational and tactical sourcing, has become largely commoditized by commercial platforms offering instantaneous threat updates. These subscription-based services provide tailored warnings and mitigation advice that enable security and network engineers to respond to operations and technical threats quickly and efficiently.
Focusing on Strategic CTI Improves Operational and Tactical Responses
Strategic threat intelligence provides the scope, governance, and direction to your tactical and operational information collection and should drive the relevance and priority of your responses. Sources of strategic threat intelligence should be an active component of your security program and not limited to a few questions in your annual Management Review, the whim of an executive, or annual account updates with your CTI platform provider. Similarly, evaluating CTI success should be much more than C-level summaries in quarterly KPI reports.
If you use a commercially available CTI platform, you should be receiving a consistent flow of general business threats from various third-party sources. This is a good place to start, but the information is only useful if it is evaluated by the right people. If you think it’s acceptable for your security engineers to be evaluating strategic cybersecurity threats, imagine your VP of Product Development reviewing SIEM alerts. Instead, feed frequent, targeted updates on internal activities and direction into your strategic threat intelligence effort so that it has focus and priority. For example, consider how your latest M&A candidate’s third location in Asia will shift your tactical intelligence focus. If you have purchased a CTI subscription, review your threat intelligence platform’s evaluation of the countries in which you may do business. Or, if your company’s new product is made of teak or other rainforest woods, you might want to add monitoring of eco-terrorism organizations to your operational intelligence feed.
Allow your threat horizon to expand beyond traditional security to include threats to data privacy and corporate ethics declarations. As a CISO, consider informing your CTI provider, risk management, and cybersecurity teams about executive direction regarding investment plans, management’s ideological responses to ethics and social responsibility, the demographics of desired M&A targets, and, of course, both technical and business architecture plans. Consider the results of Privacy Impact Assessments (PIAs), Business Impact Assessments (BIAs), or other non-traditional sources of technical information such as ethics audits or quality and compliance reviews.
Maintain Strategic Threat Intelligence as a Component of your CTI Program
Once you have established strategic CTI plans, remember it isn’t a once-and-done activity! Continuously improving threat intelligence within your organization requires defined roles and responsibilities and a regular cadence. Make strategic CTI a recurring part of your documented cybersecurity program:
- Plan for useful periodic strategic CTI updates with security, risk management, and third-party providers.
- Each quarter, define and revisit the content that will move through your strategic CTI framework and ask your technical experts how it will influence tactical and operational/technical threat intelligence. Hunt wisely!
- With each scheduled Management Review, document and monitor the usefulness of your strategic CTI framework just as you would your tactical and operational platforms. Determine what success looks like and track it appropriately.
By identifying your strategic cybersecurity threat intelligence needs, your organization will be able to better prioritize and focus on operational and tactical threats. Set the scope of your CTI program based on the uniqueness of how and where you do business and incorporate CTI into your information security program to keep your threat intelligence response current. Remember to document and track your plans and report your success!
Need help building Strategic, Operational, and Tactical Threat Intelligence into your Information Security Program? Contact Dayspring Technology at email@example.com to learn more.