
How to build a best-practice Cyber Threat Intelligence program

November 7, 2025
John Barth

Global Service Lead, Mandiant Intelligence Program Development

Cyber threats pose a constant and evolving challenge. While cyber threat intelligence (CTI) can help organizations proactively identify and defend against cyberattacks, many organizations struggle to operationalize CTI and translate it into actionable security outcomes.

CTI transforms raw data into strategic knowledge. It can help organizations shift from reactive defense to a proactive stance, empowering them to anticipate attacks, understand adversary motivations, and tailor security defenses to specific threats.

A significant majority of security and IT leaders are concerned about cyberattacks slipping through their defenses: 82% believe that their organization might be missing cyberattacks, according to a Forrester study published in July on behalf of Google Cloud. Similarly, 72% said their organization is “mostly reactive” when it comes to cybersecurity threats.

A well-implemented CTI program can help operationalize intelligence and generate actionable insights into the threat landscape, allowing organizations to proactively identify, understand, and mitigate risks before significant damage occurs. It can help drive proactive security operations including detection engineering, improved security controls, and threat hunting, and also improve reactive security efforts by reducing incident response times, minimizing financial losses, and improving operational resilience.

While AI and automation are key tools to enhance detection and analysis capabilities, they are only part of the equation. The technology’s effectiveness is dependent on the people and processes that guide it.

Like any successful business endeavor, an effective CTI program hinges on the harmonious integration of three foundational elements: people, process, and technology.

The three elements of CTI success

1. The human element

Skilled and dedicated people are central to every successful CTI program. Analysts, researchers, and communicators have a deep understanding of cyber adversaries, attack methodologies, and the organization's unique risk profile. They also have the business skills to operationalize and contextualize intelligence across the organization.

  • Expertise: CTI professionals require diverse skills and capabilities, including research and investigative skills, business acumen, technical literacy, and cyber threat proficiency.
  • Collaboration: Effective CTI teams foster strong collaboration, both internally with other security functions (such as incident response, security operations, and risk management) and externally with industry peers and intelligence communities.
  • Communication: The ability to translate complex technical information into clear, concise, and actionable intelligence for various stakeholders, from security engineers to executive leadership, is paramount.

Without knowledgeable and experienced people to analyze requirements, interpret data, and fine-tune automations, even the most advanced technologies or sophisticated processes are ineffective.

2. The operational framework

Robust processes provide the structure for a CTI program to operate efficiently and consistently. They define how intelligence is collected, analyzed, enriched, consumed, and acted on.

  • Intelligence mission: Executive leadership should champion and clearly define a mission for the CTI capability, detailing its purpose, authorities, and key customers.
  • Intelligence lifecycle: A defined intelligence lifecycle, from planning and collection to processing, analysis, and dissemination, ensures a systematic approach to CTI operations.
  • Workflow automation: Processes should incorporate automation where possible to streamline repetitive tasks and free up intelligence analysts for in-depth analysis.
  • Feedback loops: Continuous feedback loops are crucial for refining intelligence requirements, improving collection strategies, and enhancing intelligence quality.
  • Integration: CTI processes must integrate seamlessly with other security operations, feeding into incident response playbooks, vulnerability management, and security awareness programs.

Just as a manufacturing plant needs a defined production line, a CTI program needs structured processes to consistently deliver value.

3. The enabling tools

Technology serves as the essential enabler, supporting the people and processes of a CTI program. There is a wide array of IT solutions designed to collect, store, analyze, and disseminate threat intelligence.

  • Threat intelligence platforms (TIPs): These platforms aggregate, normalize, and enrich threat data from various sources, providing a centralized repository for intelligence.
  • Artificial intelligence (AI): AI can enhance threat detection, automate analysis of large datasets, identify anomalies, and help predict potential attack vectors, significantly augmenting human capabilities across the intelligence lifecycle, and helping to reduce toil and increase human efficiency.
  • Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR): CTI teams should access and use these internal tools to provide detailed, real-time context on key threats the organization is facing.
  • Open-source Intelligence (OSINT) tools: Technologies that facilitate the collection of publicly available information to identify emerging threats and adversary tactics.
  • Malware analysis tools: Solutions for sandbox analysis of malicious code.

Technology is a means to an end. Sophisticated tools will fall short without the right people and processes to use them effectively. Without the right people and processes, CTI teams will see low return on investment (ROI) in tools, and organizational leaders will see low ROI in CTI teams.
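To make the TIP and SIEM bullets above concrete, here is an added example (not code from the post, from Mandiant, or from any product it names) of the core job a threat intelligence platform does before a SIEM can use its output: aggregate indicators from several feeds, normalize them into one canonical form so the same indicator from two sources collides, deduplicate while keeping the highest confidence and the union of sources and tags, and then enrich SIEM-style log lines with that context. Both feed formats, their field names, the indicator values and the log lines are constructed for this example; a real TIP would ingest STIX/TAXII or vendor APIs and apply far richer scoring.

```python
"""Added example: a minimal TIP core (aggregate, normalize, deduplicate, enrich).
All feed formats, field names, indicator values and log lines are constructed."""
import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed feed 1: a CSV export with mixed-case types and stray whitespace.
FEED_CSV = """type,value,confidence,campaign
IP, 203.0.113.45 ,80,constructed-campaign-A
Domain,Bad-Example.test,60,constructed-campaign-A
md5,D41D8CD98F00B204E9800998ECF8427E,90,
"""

# Constructed feed 2: a JSON feed with different field names that overlaps feed 1.
FEED_JSON = json.dumps([
    {"indicator": "203.0.113.45", "kind": "ipv4", "score": 95, "tags": ["c2"]},
    {"indicator": "bad-example.test", "kind": "fqdn", "score": 70, "tags": ["phishing"]},
    {"indicator": "198.51.100.7", "kind": "ipv4", "score": 40, "tags": ["scanner"]},
])

# Constructed SIEM-style log lines (key=value fields, as many proxy/firewall logs use).
LOGS = [
    "2025-11-07T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.45 host=bad-example.test",
    "2025-11-07T10:00:02Z action=allow src=10.0.0.6 dst=192.0.2.10 host=intranet.example",
    "2025-11-07T10:00:03Z action=allow src=10.0.0.7 dst=198.51.100.7",
]

# Feed-specific type names mapped onto one canonical vocabulary.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain", "md5": "md5"}


@dataclass
class Indicator:
    itype: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def canonical(itype, value):
    """Normalize type and value so the same indicator from two feeds gets one key."""
    t = TYPE_ALIASES[itype.strip().lower()]
    v = value.strip().lower()
    if t == "ipv4":
        v = str(ipaddress.ip_address(v))  # also rejects malformed addresses early
    return t, v


def merge(store, itype, value, confidence, source, tags=()):
    """Deduplicate: keep the highest confidence, union the sources and tags."""
    key = canonical(itype, value)
    ind = store.get(key)
    if ind is None:
        ind = store[key] = Indicator(key[0], key[1], confidence)
    ind.confidence = max(ind.confidence, confidence)
    ind.sources.add(source)
    ind.tags.update(tags)
    return ind


def load_feeds(csv_text=FEED_CSV, json_text=FEED_JSON):
    """Aggregate both constructed feeds into one normalized indicator store."""
    store = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tags = [row["campaign"]] if row["campaign"] else []
        merge(store, row["type"], row["value"], int(row["confidence"]), "feed_csv", tags)
    for entry in json.loads(json_text):
        merge(store, entry["kind"], entry["indicator"], int(entry["score"]),
              "feed_json", entry.get("tags", []))
    return store


def enrich_logs(store, lines, min_confidence=0):
    """Attach intelligence context to log lines whose fields match a known indicator."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for key, itype in (("dst", "ipv4"), ("host", "domain"), ("md5", "md5")):
            if key not in fields:
                continue
            ind = store.get(canonical(itype, fields[key]))
            if ind and ind.confidence >= min_confidence:
                hits.append({"line": line, "field": key, "indicator": ind.value,
                             "type": ind.itype, "confidence": ind.confidence,
                             "sources": sorted(ind.sources), "tags": sorted(ind.tags)})
    return hits


if __name__ == "__main__":
    indicators = load_feeds()
    for hit in enrich_logs(indicators, LOGS, min_confidence=50):
        print(hit)
```

Two design points matter for a real deployment: normalization happens before deduplication (otherwise `IP`/`ipv4` or case differences in a domain produce duplicate entries with conflicting scores), and the confidence threshold is applied at enrichment time rather than at ingest, so low-confidence indicators remain available to hunters without generating SIEM alerts.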

The equation for CTI success

The most successful CTI programs employ all three of the CTI program's foundational elements. People use technology with defined processes, which are designed and optimized by people, often with the aid of technology. Technology empowers people to execute processes more efficiently. No single element is more important than another; a weakness in one will impact the entire program's effectiveness.

This principle extends beyond CTI. Whether building a sales team, developing a new product, or optimizing customer service, the alignment of skilled individuals, defined workflows, and appropriate tools is critical to success.

By thoughtfully investing in and harmonizing its people, processes, and technology, organizations can build a CTI program that not only identifies cyber threats but delivers actionable security recommendations and fosters an intelligence-led, proactive security culture. This investment and culture change can help those reactive organizations become more proactive.

How to get started

Building any security function is a long-term endeavor. You can get started on your CTI operationalization journey with the following introductory steps:

  1. Speak to the people you protect: Communicate with your key stakeholders (including the security operations center, incident response team, and vulnerability management team) to understand their pain points.
  2. Understand your threat landscape: Research across the internet to see what cyberattacks and threats organizations like yours are facing.
  3. Learn about CTI: Many resources are available to build skills in cyber threat intelligence analysis, like MITRE. If you are in the US, you can access free CTI training at CISA Learning.
  4. Assemble a workgroup: Find people in your organization who are interested in CTI, and use the group to share resources and discuss the latest threats on the cyber threat landscape.

How Mandiant can help

Our Mandiant Intelligence Program Development (IPD) expert advisory service is designed to help organizations build best-in-class CTI capabilities. We work to analyze your specific CTI use cases and leverage Mandiant’s proven capability framework to determine the people, processes, and technologies you need to operationalize CTI effectively.

Mandiant Academy offers training courses for security professionals, including many focused on how to best consume and apply threat intelligence to improve tactical defenses and overall security posture. These offerings can help you build a cohesive program where skilled people use the right technology with well-defined processes, aligning your entire CTI function to your unique business risks and goals.

Augmented by advanced AI, Google Threat Intelligence provides unparalleled visibility into threats, enabling us to deliver detailed and timely threat intelligence to security teams around the world. It combines Mandiant frontline expertise, the global reach of the VirusTotal community, and the breadth of visibility only Google can deliver.

This vast visibility into the latest threats enables CTI teams to be more proactive by understanding adversaries’ playbooks, including their tactics, techniques, and procedures (TTPs) and IOCs.

To understand how we can help you achieve your CTI goals, schedule a free consultation with Mandiant today.