Six Considerations for Building a Cyber Threat Intelligence Program

Sep 21, 2020 | Blog, Outside Intel

When evaluating cyber threat intelligence programs for enterprise, organizations should consider six critical topics before spending on data.

It’s natural for an organization to start from one of two places: it has already been hit badly enough that it must prioritize threat intelligence (the story-telling approach), or it sets out to define the threats targeting it and takes a more data-driven approach.

Regardless, it’s important to draw on methodologies from both sides before making large-scale investments in broader intelligence feeds, which can simply overwhelm a team with noise.

Prioritizing The Spend in Threat Intelligence

Threat intelligence feeds and many tools create opportunity cost and pain if they are not integrated or thought through carefully. Organizations also need to decide between building internally, buying externally, or some combination of both.

Considerations include:

  • Centralizing intelligence through an open source platform or through a vendor
  • Getting control of data through applications that push to a SIEM or manage APIs through a Threat Intelligence Platform (TIP), SOAR, or Message Box
  • Reporting leadership needs from outside experts regarding incidents, TTPs, and actors
  • Spending money on insourcing or outsourcing malware analysis and enrichment capabilities, which may run out-of-band to insulate a SOC’s inline tools or to validate their sources
  • Evaluating whether rulesets matter more than IOCs, or deciding which IOCs to deploy
  • Does the organization have an advanced persistent threat (APT) or crimeware problem? Companies that use credit cards versus companies that fit into the supply chain are going to have very different actors to research.

Drilling down further, many organizations start with ransomware because it is pervasive across all enterprises and is used by the full spectrum of threat actors from nation states to unsophisticated criminals.

To address this threat, a security team may have to:

  • Consider writing IPS rules to protect the network
  • Reduce the risk from IoT devices and from protocols like RDP, and control how they access the network
  • Review threats at the email gateway and determine whether the ransomware is delivered directly as a file or a URL, or arrives through a botnet that will need to be blocked at the firewall (as with Trickbot and Ryuk)
  • Develop and review redundant backups
  • Ensure firewalls between interconnected environments and endpoint policies backed by EDR technology are covered

Check out threat researcher Jamie Kane’s analysis on this topic below.
