
CTI4U: A Practical Introduction to Starting a Cyber Threat Intelligence Program - Part 2

ryanwilliams74


Welcome back


In the first part of this article we covered the nuts and bolts of laying the foundations for a CTI program. In this part we move on to where to get your intelligence from, how to measure success, and some common obstacles you may face along the way.


Leveraging Threat Intelligence Sources


Threat intelligence is only as valuable as the sources it comes from. A strong Cyber Threat Intelligence (CTI) program effectively leverages diverse sources of information to provide comprehensive, actionable insights. This section explores the key considerations when evaluating intelligence sources and integrating them into your program.


Open Source vs. Commercial Threat Feeds

Threat intelligence feeds are critical for keeping your CTI program up to date with the latest Indicators of Compromise (IoCs) and emerging threats. Choosing between open-source and commercial feeds depends on your organisation’s needs and resources.


Open-Source Intelligence (OSINT)


  1. Strengths:

    • Free or low-cost, making it accessible to organisations with limited budgets.

    • Highly diverse, covering public forums, blogs, code repositories, and social media.

    • Encourages community collaboration and transparency.

  2. Limitations:

    • Requires significant effort to filter and validate data: de-duplicating across feeds, dropping benign or stale indicators, and checking where a claim originally came from before acting on it.

    • May lack the depth and contextual analysis provided by commercial feeds.

    • Coverage can be inconsistent or incomplete.

  3. Examples:

    • AlienVault OTX, AbuseIPDB, CERT reports, and GitHub repositories.


Commercial Threat Feeds


  1. Strengths:

    • Professionally curated, with a focus on accuracy and relevance.

    • Often include advanced analytics, threat actor profiling, and enriched IoCs.

    • Provide timely updates tailored to specific industries or geographies.

  2. Limitations:

    • Higher cost, which may be prohibitive for smaller organisations.

    • Reliance on a single vendor creates a dependency: gaps or bias in that vendor's collection become your blind spots, and a contract change can cut off a feed your detections rely on.

  3. Examples:

    • Mandiant (formerly FireEye) Threat Intelligence, Recorded Future, Palo Alto Unit 42.


Engaging with the CTI Community


Collaboration is a cornerstone of effective CTI. By participating in threat-sharing communities, organisations can access collective knowledge and improve their overall security posture.


ISACs (Information Sharing and Analysis Centres)

  1. ISACs are industry-specific organisations that facilitate the sharing of threat intelligence among members.

  2. Benefits include access to curated intelligence, collaborative tools, and real-time alerts.

  3. Examples: Financial Services ISAC (FS-ISAC), Healthcare ISAC (H-ISAC), and Energy ISAC (E-ISAC).


Forums and Public Communities

  1. Platforms like threat-sharing forums, Reddit, or specialised security communities (e.g., Malwarebytes Forums) are excellent for gathering OSINT.

  2. Caution: Verify the credibility of shared information to avoid acting on false or incomplete intelligence.


Participating in Threat Intel Exchange Programs

  1. Partner with peer organisations or vendors to share intelligence and strengthen collective defences.


Responsible Information Sharing Practices


While collaboration is vital, it must be balanced with ethical and legal considerations to avoid compromising sensitive information.


  • Ensure Anonymity: Use anonymised sharing platforms when discussing specific incidents or vulnerabilities, and sanitise what you share (victim identifiers, internal hostnames and addresses, ticket numbers) so it cannot be traced back to your organisation.

  • Adhere to Legal and Regulatory Guidelines: Understand local laws governing data sharing, particularly in regulated industries.

  • Follow TLP (Traffic Light Protocol): Label shared information with a TLP level so recipients know how far it may travel. Under TLP 2.0 the levels are TLP:RED (named recipients only), TLP:AMBER+STRICT (the recipient's organisation only), TLP:AMBER (the recipient's organisation and its clients on a need-to-know basis), TLP:GREEN (the wider community) and TLP:CLEAR (no restriction).


Measuring Success


Measuring the effectiveness of a Cyber Threat Intelligence (CTI) program is crucial for ensuring it delivers value and aligns with organisational goals. Success metrics not only help fine-tune your CTI efforts but also demonstrate their impact to stakeholders and justify continued investment.


Defining Metrics


Key performance indicators (KPIs) provide a clear framework for evaluating the success of your CTI program. These metrics should focus on outcomes that align with your program’s objectives.


Operational Metrics


  1. Time to Detect (TTD): How quickly does your program identify emerging threats or active incidents?

  2. Time to Respond (TTR): The speed at which your team acts on intelligence to mitigate risks.

  3. Threat Detection Coverage: The share of the threats relevant to your PIRs (for example, the techniques used by actors known to target your sector) for which you have detection or monitoring in place.


Effectiveness Metrics


  1. Incident Reduction: A measurable decline in successful attacks due to proactive intelligence.

  2. Accuracy of Intelligence: The percentage of alerts or IoCs that turn out to be true positives rather than false positives. Track this per source so that feeds which mostly consume analyst time can be dropped.

  3. Threat Attribution Success: The ability to link threats to specific actors or campaigns.


Strategic Metrics


  1. Alignment with Business Goals: How well does the program address organisational priorities (e.g., securing critical assets or complying with regulations)?

  2. Stakeholder Satisfaction: Feedback from executives, SOC teams, or other stakeholders on the quality and relevance of intelligence reports.

  3. Cost Efficiency: Demonstrating value by comparing CTI program costs to the potential financial impact of prevented incidents.


Demonstrating Value


To maintain support for your CTI program, it’s essential to communicate its benefits effectively to both technical and non-technical stakeholders.


Tailored Reporting


  1. For Executives and Decision-Makers: Provide high-level insights on trends, risks, and ROI. Use clear, concise visuals and avoid unnecessary technical jargon.

  2. For Technical Teams: Share detailed reports on IoCs, TTPs, and actionable recommendations that directly support their work.


Quantifying Impact


  • Showcase the program’s achievements with specific metrics, such as:

    • Number of incidents prevented based on intelligence.

    • Value of assets protected due to early detection.

    • Reduction in incident response times.


Storytelling with Case Studies


  • Highlight real-world examples where the CTI program delivered tangible value. For instance, detail how timely intelligence helped prevent a phishing campaign targeting your organisation.


Regular Reviews and Updates


  • Schedule periodic reviews to assess the program’s performance, adjust KPIs, and address feedback from stakeholders.


Continuous Improvement


Measuring success isn’t a one-time task. As your CTI program matures, regularly revisit metrics to ensure they remain relevant and aligned with evolving goals. Additionally, use findings from measurement efforts to identify areas for improvement, such as better integration with other security tools or refining intelligence dissemination processes.


Common Challenges and How to Overcome Them


Building and maintaining a successful Cyber Threat Intelligence (CTI) program comes with its own set of challenges. Understanding these obstacles and developing strategies to address them is crucial for ensuring the program’s effectiveness and sustainability.


Challenge 1: Limited Resources


For many organisations, limited budgets and staff can hinder the implementation of a robust CTI program.


How to Overcome It:

  • Prioritise High-Impact Activities: Focus on addressing the most critical threats to your organisation. Use Priority Intelligence Requirements (PIRs) to guide efforts.

  • Leverage Free and Open-Source Tools: Start with OSINT tools, free threat feeds, and community resources to build a foundational program without significant investment.

  • Collaborate with Partners: Join industry-specific Information Sharing and Analysis Centres (ISACs) or threat-sharing forums to access intelligence at a low cost.


Challenge 2: Information Overload


With the vast amount of threat data available, teams can become overwhelmed by irrelevant or low-quality information.


How to Overcome It:

  • Automate Data Filtering: Use Threat Intelligence Platforms (TIPs) or SIEM systems to aggregate and prioritise data automatically.

  • Focus on Actionable Intelligence: Filter out low-priority alerts and focus on threats directly aligned with your PIRs.

  • Establish Clear Processes: Implement workflows for evaluating, enriching, and validating incoming data to avoid wasted effort on irrelevant information.
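As an added example that is not part of the original article, the script below shows what the filtering and validation work described under the OSINT limitations earlier and in this challenge looks like in practice. It reads a constructed CSV feed (the format, the feed names and every indicator value are made up for the example), normalises each indicator, rejects the ones that can never be useful (non-routable addresses, allow-listed domains, digests of the wrong length), merges duplicates reported by several feeds, and flags the corroborated ones as the highest priority. The allow-list and the non-routable ranges are assumptions you would replace with your own.

```python
import csv
import io
import ipaddress
import re

# Constructed sample feed in the CSV shape many OSINT feeds publish. Every value is
# made up for this example: RFC 5737 documentation addresses, .example domains and
# fabricated digests. None of them is a real indicator.
RAW_FEED = """\
indicator,type,source,confidence
203.0.113.7,ipv4,feed-a,80
203.0.113.7,ipv4,feed-b,60
10.0.0.5,ipv4,feed-a,90
198.51.100.23,IPv4,feed-b,40
malicious.example,domain,feed-a,70
Malicious.Example.,domain,feed-b,75
example.com,domain,feed-b,50
d41d8cd98f00b204e9800998ecf8427e,md5,feed-a,65
deadbeef,sha256,feed-b,65
"""

# Hypothetical allow-list: your own infrastructure and benign domains that keep
# turning up in feeds (CDNs, mail providers) and would flood the SIEM with hits.
ALLOWLIST = {"example.com"}

# Address space that can never be an external IoC: RFC 1918, loopback, link-local,
# CGNAT, multicast and reserved. The RFC 5737 documentation ranges are deliberately
# left out so the constructed sample above survives; add them in production.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def normalise(ioc_type, value):
    """Return (canonical_type, canonical_value, reason); reason is None if accepted."""
    ioc_type, value = ioc_type.strip().lower(), value.strip()
    if ioc_type in ("ip", "ipv4", "ipv6"):
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return ioc_type, None, "malformed ip"
        if any(ip in net for net in NON_ROUTABLE):
            return ioc_type, None, "non-routable ip"
        return f"ipv{ip.version}", str(ip), None
    if ioc_type == "domain":
        domain = value.lower().rstrip(".")  # case-fold, drop a trailing root dot
        if not DOMAIN_RE.match(domain):
            return ioc_type, None, "malformed domain"
        if domain in ALLOWLIST or any(domain.endswith("." + a) for a in ALLOWLIST):
            return ioc_type, None, "allow-listed domain"
        return ioc_type, domain, None
    if ioc_type in HASH_LENGTHS:
        digest = value.lower()
        if len(digest) != HASH_LENGTHS[ioc_type] or not re.fullmatch(r"[0-9a-f]+", digest):
            return ioc_type, None, f"not a valid {ioc_type} digest"
        return ioc_type, digest, None
    return ioc_type, None, f"unsupported type {ioc_type!r}"


def process_feed(text):
    """Parse a CSV feed into de-duplicated, validated IoCs plus a list of rejects.

    Duplicates collapse onto one record that remembers every source reporting it
    and the highest confidence any of them assigned.
    """
    kept, rejected = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        ioc_type, canonical, reason = normalise(row["type"], row["indicator"])
        if reason:
            rejected.append((row["indicator"], reason))
            continue
        entry = kept.setdefault((ioc_type, canonical), {"sources": set(), "confidence": 0})
        entry["sources"].add(row["source"])
        entry["confidence"] = max(entry["confidence"], int(row["confidence"]))
    return kept, rejected


def corroborated(kept):
    """IoCs reported by more than one independent source: the ones to action first."""
    return sorted(k for k, v in kept.items() if len(v["sources"]) > 1)


if __name__ == "__main__":
    kept, rejected = process_feed(RAW_FEED)
    for (ioc_type, value), meta in kept.items():
        print(f"KEEP {ioc_type:6} {value:40} conf={meta['confidence']} sources={sorted(meta['sources'])}")
    for value, reason in rejected:
        print(f"DROP {value:47} {reason}")
    print("corroborated:", corroborated(kept))
```

Nine feed rows become four usable indicators, two of them corroborated by both feeds. The three rejects are exactly the kind of entries that generate noise in a SIEM when a feed is loaded without a validation step: a private address, a benign domain and a string that is not a SHA-256 at all.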


Challenge 3: Integration Challenges


CTI programs often struggle to integrate intelligence into existing security workflows, tools, and processes.


How to Overcome It:

  • Leverage API Integrations: Use APIs to seamlessly integrate threat feeds with SIEM, SOAR, and EDR platforms.

  • Standardise Formats: Adopt common standards such as STIX (the data format for indicators, actors and campaigns) and TAXII (the transport protocol for exchanging STIX content) to ensure compatibility between tools and data sources.

  • Train Security Teams: Provide training on how to use CTI tools and incorporate intelligence into day-to-day operations.
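The following is an added example, not code from the original article, showing the standardisation step in practice: turning validated IoCs into STIX 2.1 Indicator objects with correct patterns and TLP markings, checking them structurally, and wrapping them in a bundle. The IoC values are constructed (a documentation address, a .example domain, a fabricated digest); the `IOCS` record layout and the hypothetical `check_indicator` rules are assumptions, while the pattern syntax and the TLP marking-definition IDs are taken from the STIX 2.1 specification.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed IoCs to export. The values are documentation-only (RFC 5737 address,
# .example domain, a fabricated digest) and not real indicators.
IOCS = [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 80, "tlp": "amber"},
    {"type": "domain", "value": "malicious.example", "confidence": 75, "tlp": "green"},
    {"type": "sha256", "value": "a" * 64, "confidence": 65, "tlp": "white"},
]

# STIX 2.1 pattern templates keyed by IoC type. Hash names containing a hyphen must be
# quoted inside the pattern ('SHA-256'), which is easy to get wrong by hand.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "ipv6": "[ipv6-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Fixed marking-definition IDs for the TLP 1.0 labels as published in the STIX 2.1
# specification. TLP 2.0 labels (CLEAR, AMBER+STRICT) have no ID in the core spec.
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dcc6-45db-8ed3-cbe20a8e6fa1",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

REQUIRED = ("type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from")


def stix_timestamp(dt):
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing 'Z'."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(ioc, now=None):
    """Build a STIX 2.1 Indicator object for one validated IoC."""
    if ioc["type"] not in PATTERNS:
        raise ValueError(f"no pattern template for IoC type {ioc['type']!r}")
    if "'" in ioc["value"] or "\\" in ioc["value"]:
        raise ValueError("indicator value would need escaping inside the STIX pattern")
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{ioc['type']}: {ioc['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc["type"]].format(v=ioc["value"]),
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": int(ioc["confidence"]),
    }
    marking = TLP_MARKINGS.get(str(ioc.get("tlp", "")).lower())
    if marking:
        indicator["object_marking_refs"] = [marking]
    return indicator


def check_indicator(obj):
    """Hypothetical pre-flight checks on the fields a receiving server will reject on."""
    problems = [f"missing {field}" for field in REQUIRED if field not in obj]
    if obj.get("type") != "indicator":
        problems.append("type is not 'indicator'")
    if not str(obj.get("id", "")).startswith(f"{obj.get('type')}--"):
        problems.append("id prefix does not match type")
    if "confidence" in obj and not 0 <= obj["confidence"] <= 100:
        problems.append("confidence outside 0..100")
    return problems


def make_bundle(iocs):
    """Wrap checked indicators in a STIX Bundle for file-based exchange."""
    objects = [make_indicator(ioc) for ioc in iocs]
    bad = [(o["id"], p) for o in objects for p in check_indicator(o)]
    if bad:
        raise ValueError(f"invalid objects: {bad}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(make_bundle(IOCS), indent=2))
```

The bundle is the right container when intelligence is exchanged as files or by e-mail. When pushing the same objects to a TAXII 2.1 collection, the request body is an envelope (`{"objects": [...]}`) rather than a bundle, so reuse the `objects` list and not the outer wrapper.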


Challenge 4: Keeping Intelligence Timely and Relevant


Threats evolve rapidly, and outdated or irrelevant intelligence can lead to missed opportunities or wasted effort.


How to Overcome It:

  • Use Real-Time Feeds and Expire Stale Indicators: Invest in sources that provide frequent updates on emerging threats, and give every IoC a validity window so that infrastructure attackers abandoned months ago stops generating alerts.

  • Review and Update PIRs Regularly: Align intelligence efforts with current organisational priorities and evolving threats.

  • Foster Collaboration: Share insights and gather feedback from incident response teams and other stakeholders to ensure intelligence remains useful and up to date.


Challenge 5: Demonstrating Value to Stakeholders


Stakeholders may struggle to see the tangible benefits of a CTI program, especially in its early stages.

How to Overcome It:

  • Communicate Results Clearly: Share regular updates on metrics like incident reduction, cost savings, and time to detection.

  • Highlight Success Stories: Showcase real-world examples of how intelligence helped mitigate specific threats.

  • Engage Stakeholders Early: Involve key decision-makers in setting goals and reviewing results to build buy-in and support.


Challenge 6: Talent Shortages


Finding skilled CTI professionals can be a challenge, especially for smaller organisations.

How to Overcome It:

  • Invest in Training: Upskill existing staff through certifications (e.g., GCTI, CTIA) and on-the-job training.

  • Use Outsourcing Strategically: Engage third-party providers or Managed Security Service Providers (MSSPs) for specialised tasks like malware analysis or threat actor profiling.

  • Foster Collaboration: Build partnerships with universities and industry groups to access talent pipelines.


Now the hard work begins


CTI is not a "set and forget" initiative. It evolves with the threat landscape and adapts to the unique challenges faced by your organisation. Start small, focusing on high-impact activities, and scale as your capabilities mature. Engage with the CTI community, leverage open-source and commercial resources wisely, and invest in training to build a skilled, collaborative team.


Building a Cyber Threat Intelligence (CTI) program is a transformative journey that can significantly enhance an organisation's security posture. While the process requires investment in time, resources, and expertise, the benefits far outweigh the challenges. A well-executed CTI program provides actionable insights, allowing organisations to proactively identify, understand, and mitigate threats.


Do you need assistance with your CTI program? Reach out to Spartans Security.



