Written by Yann Le Borgne, Vice President of International Threat Intelligence Engineering, ThreatQuotient
Before a business can successfully defend its assets against frequent cyber attacks that are endemic in modern commerce, it needs to know where the threats are coming from and what form they take. This is the basic aim behind building a cyber threat intelligence (CTI) practice, and it is something more and more organisations are seeking to explore as they strive to reduce risks and prevent the disruption caused by malicious cyber attacks. However, a well-structured CTI practice can achieve far more than that. Correctly developed and curated, it can become a high-value business asset.
A model developed by Accenture and explained in a recent joint Accenture/ThreatQuotient webinar by Christopher Foster, Senior Principal of Global CTI product strategy, describes the five typical stages of maturity of CTI practices. These range from basic and reactive through to optimised, proactive, and eventually, anticipatory, and innovative. Once organisations understand where they sit on the scale, they can start to take the steps that will move them to the next level.
Level One: the business knows it needs a CTI practice and wants to put one in place, but has no people, processes, or technology available to build one. For these organisations, an initial investment phase is needed. This involves establishing the ambitions for the CTI practice – perhaps by looking at what a mature practice can deliver at levels four and five as described below – to make the business case for budget holders to unlock the resources required.
Level Two: the CTI practice is an emerging entity and makes use of some intelligence feeds; typically, indicators of compromise (IoC) are part of this also. The feeds used are often basic open source feeds, which do have value but also limitations. Crucially, at this level of maturity, the nascent CTI practice has low or no relevance to the business’s current environment and industry-specific threats. There is no traditional SOC or SIEM in place. At this stage of maturity, there are often a lot of false-positive alerts generated, and little rigour around the processes to manage the CTI practice and how it relates to the business.
Level Three: at level three there is greater rigour around the management of intelligence, the curation of different feeds, and how intelligence applies to the current environment and events. However, technology implementations tend to be mainly reactive to incidents, and the mean time to detection is longer than ideal, meaning the organisation might miss responding to a major impact incident, or an espionage alert.
These first three maturity stages are tactical and reactive. CTI practices at levels two and three offer some value to the business, but they are not reaching their potential.
Another challenge commonly experienced in the earlier stages of CTI practice maturity is getting the balance of personnel and communications right. Often, we’ll see people with a pureplay technical background who find it hard to dial into the strategic risk factors, such as geopolitical pressures. Or alternatively, more strategically focused business teams can struggle to engage effectively with technical teams. Communication siloes are common and stop the practice from growing its influence outside its immediate scope of activity.
With reactive CTI practices such as those described above, organisations often fall into the pitfall of prioritising speed over accuracy. There may be some established processes and alerting functions, but these are often abandoned when an incident occurs or when an emerging threat hits the headlines. Reporting is often based on the threat of the moment, rather than on a detailed understanding of the different stakeholders within the business. As a result, reports offer limited value and insight for the wider organisation and may include technical details that cause confusion for less technically focused stakeholders.
Businesses that have attained level three maturity should examine what is missing that can take them to the optimisation stage. Typically, by this stage there are dedicated personnel and repeatable processes in place, but what’s lacking is intelligent integration of all the intelligence feeds and tools to create relevant context for the business.
Level Four: when organisations achieve this stage they should have a keen understanding of how what they are doing integrates not only with the enterprise security but also with the wider business environment. At this level, organisations can focus on the different ways in which they can action intelligence and understand the criticality of taking action and the risk of not acting on the intelligence that they have curated. The optimised CTI practice is tuned to identify threats relevant to the business and prioritise them accordingly, so that false positives are reduced, and resources are more effectively deployed.
Level Five: the most advanced level of CTI practice maturity sees the team innovating through a comprehensive fusion centre model that goes beyond pure focus on IT/OT threats and draws in other areas including incident response, vulnerability patch management, governance, risk and compliance, and more.
At this level, teams are doing more than just curating and managing and escalating threat intelligence; they are looking at threats to the business on a strategic level. They have visibility over how CTI links with multiple risk vectors, from insider threat and fraud to governance, risk and compliance, and legal risks. As the approach grows more sophisticated, the detail and completeness of metrics also increase. This allows teams to draw on the data and translate tactical information, such as a reduction in mean time to detection and response, into business threats such as downtime and/or financial losses prevented – all of which are easily understood and resonate with the board.
Armed with this information, teams should also be communicating proactively with the different parts of the business – such as marketing, legal and HR – sharing the impact each threat might have and how this might change over time. This supports the eventual coordination of incident response activities that include multiple stakeholders across the business, not just the immediate security team.
By developing and nurturing these cross-departmental relationships the profile of CTI is elevated and its value is more easily recognised. At its most sophisticated level, the CTI practice should be part of the conversation when the business is entering into mergers and/or acquisitions or expanding into new market geographies or industry sectors. By offering a complete understanding of the risk profile of intended targets or markets and the specific threats that will need to be incorporated into risk management strategies, the CTI practice really shows the advanced strategic value it can offer to the business.
A good CTI practice has the potential to not only protect the business but also offer a competitive advantage to organisations that invest in it. Understanding where the business sits on the maturity scale is the first step, and investing in the tools, processes, and people to move up the scale should be the target.