Six Considerations for Building a Cyber Threat Intelligence Program

When evaluating cyber threat intelligence programs for enterprise, organizations should consider six critical topics before spending on data.

It’s natural for an organization to start from one of two places: where they have already been beaten badly enough they need to prioritize threat intelligence (the story-telling approach) or to define the threats targeting their organization and thus go for a more data-driven approach. 

Regardless, it’s important to take methodologies from both sides before thinking about large-scale investments in broader intelligence feeds that can just overwhelm with noise.

Prioritizing The Spend in Threat Intelligence

Threat intelligence feeds and many tools can create opportunity cost and pain if not integrated or thought through in an intelligent manner. Organizations also need to make decisions between building internally, buying externally, or some combination of both. 

Considerations include:

• Centralizing intelligence through an open source platform or through a vendor
• Getting control of data through applications that push to a SIEM or manage APIs through a Threat Intelligence Platform (TIP), SOAR, or Message Box
• Reporting leadership needs from outside experts regarding incidents, TTPs, and actors
• Spending money on insourcing or outsourcing malware analysis and enrichment capabilities that are maybe out-of-band to help insulate or provide source validation for a SOC’s inline tools.
• Evaluating if rulesets over IOCs are more important; or perhaps considering what IOCs they want to deploy
• Does the organization have an advanced persistent threat (APT) or crimeware problem? Companies that use credit cards versus companies that fit into the supply chain are going to have very different actors to research.

Drilling down further, many organizations start with ransomware because it is pervasive across all enterprises and is used by the full spectrum of threat actors from nation states to unsophisticated criminals. 

To address this threat, a security team may have to:

• Consider writing IPS rules to protect the network
• Reduce risk to IOT devices or protocols like RDP and how they access the network
• Review proximate threats in the email gateway and determine if it’s being delivered directly in a file or a URL or is a proximate threat delivered through a botnet that will need to be blocked at the firewall (Trickbot and Ryuk). 
• Develop and review redundancy backups 
• Ensure firewalls between interconnect environments and policies on the endpoint with EDR technology are covered

Check out threat researcher Jamie Kane’s analysis on this topic below.