TIPs to Measure your CTI Program
By Ramiro Céspedes
Nowadays, organizations are exposed to a high volume of security-related information. Unfortunately, most of these organizations have little to no capability to use this information in a proactive manner, i.e. to change or anticipate an outcome. In other words, they are not using information to produce intelligence products. It is safe to say that few of these organizations have a clear understanding of what Cyber Threat Intelligence (CTI) is and what it is not.
How can you measure something if you have not clearly defined it before? Here is the first TIP to measure your CTI program.
How to define CTI
It may sound obvious, but you would be amazed to know how many organizations do not have a clear understanding of what CTI is. CTI is defined as data that is collected, processed, analyzed, and disseminated. Its final product, actionable information, should serve to understand a threat actor’s motives, behaviors and targets, and therefore allow the organization to move from a reactive security approach to a proactive one. In other words, CTI should help an organization understand its threat landscape and address those threats accordingly. Intelligence supports decision making by leading to specific actions that anticipate outcomes.
Understanding the current CTI adoption landscape
Now that we have defined what CTI is we need to take a look at the current landscape in terms of CTI adoption.
According to the 2022 SANS CTI Survey, 58% of organizations said they were only consumers of published threat intelligence and contextual threat alerts. In the same report, when asked about the inhibitors to implementing CTI, the top 5 include:
- Interoperability issues / Lack of automation
- Lack of time to implement new processes
- Lack of technical capabilities to integrate CTI tools into our environment
On the one hand, organizations are consuming more and more CTI, but on the other hand they face hard challenges when they want to leverage those CTI products. You may ask: what’s the point of consuming intelligence if you can’t do anything with it? How can we address these technical challenges? Stick with me and we will find out.
Now here is your second TIP to measure your CTI program.
Assess if your organization has the knowledge and skills to implement and leverage CTI
CTI has its foundations in traditional intelligence analysis, so it won’t come as a surprise that the public sector, mostly law enforcement and the military, pioneered CTI. In the private sector, it’s safe to say that the Financial Services Industry (FSI) has been doing CTI for the longest time, in many cases driven by compliance with standards and regulations.
At this point, it is also important to understand what is driving the need to implement a CTI program, and what is driving the increase in CTI interest and consumption. With the adoption of ‘cyber’, many other sectors are becoming interested in CTI and starting to use it. They are asking questions such as:
- What’s the purpose?
- How can I use it?
- What’s the ROI?
Unfortunately, the reality is that an important driver is cyber attacks. Recently, we have seen attacks and data breaches with major impact not only on businesses but also on people’s lives. This makes organizations aware of threats and often serves as an opportunity to review their security strategy or preparedness. Organizations are starting to realize that they need something more than just detection and response: they need to anticipate. When implemented properly, CTI can help tremendously with this. So how can you leverage CTI?
Here’s your third TIP:
Use a Threat Intelligence Platform (TIP)
As we have already seen, many organizations trying to leverage CTI products face technical challenges in doing so. A TIP, like ThreatQ, can help in many different ways and for different use cases (SOC, fraud, spear-phishing, etc.).
To begin, the TIP will allow you to collect, process and disseminate all the technical intelligence into your infrastructure for proactive defense. A TIP’s multi-directional integrations and connectors will enable your organization to focus on real and relevant intelligence production rather than dealing with technical complexities. This will also allow you to measure ROI of your CTI program by looking at things such as:
- How much Intel you collect and how much is disseminated to your infrastructure
- How many sightings or blocks do you get from the disseminated Intel
- Are you reducing the number of alerts and false positives by disseminating only relevant intelligence to your organization
Once you have addressed the technical challenges, you can start working on intelligence products that can be used to support strategic decisions. From a CISO’s perspective, besides understanding what is going on, they might want to know what they should be planning for and which areas they should concentrate on, i.e. trying to anticipate what might occur next.
Moreover, using a TIP will also allow you to define and track intelligence requirements and their completion, hence providing another metric to measure the ROI and success of your CTI program.
As we have seen, there are multiple ways in which CTI can help your organization, from technical intelligence to operational and strategic intelligence. Therefore, there are multiple ways of measuring the ROI in your CTI program.
An important part of implementing and measuring the program is first defining what CTI is and how it addresses your organization’s security needs, with the support of senior management. Moreover, keep in mind that if your organization does not have the skills and resources to implement its own CTI program, you can also rely on MSSPs and Threat Intelligence vendors. Understanding your threat landscape, for which you can also rely on MSSPs or CTI vendors, is key, since not every intelligence product produced by third parties is relevant to your organization.
Defining metrics, whether it is ‘blocks from disseminated technical intelligence’, ‘intelligence requirements completion’, ‘employee time saved thanks to automation capabilities’, etc., will allow you to measure the ROI and efficiency of your program.
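To make the metrics above concrete, here is an added example (not code from the article, ThreatQ, or any vendor) that computes the dissemination rate, the sightings and blocks obtained from disseminated intelligence, the alert noise avoided by disseminating only relevant indicators, and intelligence requirement completion. It assumes the TIP can export indicators, the sightings fed back from defensive tools, and tracked requirements in the simple record shapes shown; the sample records themselves are constructed for illustration.

```python
from collections import Counter

# Constructed sample export from a hypothetical TIP for one reporting period.
# 'disseminated_to' lists the tools an indicator was pushed to; an empty list
# means it was collected but never left the platform. 'relevant' records
# whether the indicator matches the organization's own threat landscape.
INDICATORS = [
    {"id": "ioc-1", "type": "ipv4", "relevant": True, "disseminated_to": ["firewall", "siem"]},
    {"id": "ioc-2", "type": "domain", "relevant": True, "disseminated_to": ["proxy"]},
    {"id": "ioc-3", "type": "sha256", "relevant": False, "disseminated_to": []},
    {"id": "ioc-4", "type": "ipv4", "relevant": True, "disseminated_to": ["firewall"]},
    {"id": "ioc-5", "type": "url", "relevant": False, "disseminated_to": ["proxy"]},
    {"id": "ioc-6", "type": "domain", "relevant": True, "disseminated_to": []},
]

# Constructed sightings reported back by the tools: one record per match on a
# disseminated indicator, with the enforcement action and the analyst verdict.
SIGHTINGS = [
    {"indicator": "ioc-1", "tool": "firewall", "action": "block", "verdict": "true_positive"},
    {"indicator": "ioc-1", "tool": "siem", "action": "alert", "verdict": "true_positive"},
    {"indicator": "ioc-4", "tool": "firewall", "action": "block", "verdict": "true_positive"},
    {"indicator": "ioc-5", "tool": "proxy", "action": "alert", "verdict": "false_positive"},
    {"indicator": "ioc-5", "tool": "proxy", "action": "alert", "verdict": "false_positive"},
]

# Constructed intelligence requirements tracked in the platform.
REQUIREMENTS = [
    {"id": "IR-1", "question": "Which ransomware groups target our sector?", "status": "answered"},
    {"id": "IR-2", "question": "Is our VPN appliance under active exploitation?", "status": "answered"},
    {"id": "IR-3", "question": "Which of our suppliers were breached this quarter?", "status": "open"},
]


def dissemination_rate(indicators):
    """Fraction of collected indicators that reached at least one defensive tool."""
    if not indicators:
        return 0.0
    pushed = sum(1 for i in indicators if i["disseminated_to"])
    return pushed / len(indicators)


def undisseminated_relevant(indicators):
    """Relevant indicators that never left the platform: a gap worth investigating."""
    return sorted(i["id"] for i in indicators if i["relevant"] and not i["disseminated_to"])


def sighting_metrics(indicators, sightings):
    """Blocks, alerts, hit rate of disseminated indicators and false-positive rate."""
    disseminated = {i["id"] for i in indicators if i["disseminated_to"]}
    matched = [s for s in sightings if s["indicator"] in disseminated]
    actions = Counter(s["action"] for s in matched)
    verdicts = Counter(s["verdict"] for s in matched)
    hit_ids = {s["indicator"] for s in matched}
    return {
        "blocks": actions["block"],
        "alerts": actions["alert"],
        # Share of disseminated indicators that produced at least one sighting.
        "hit_rate": len(hit_ids) / len(disseminated) if disseminated else 0.0,
        "false_positive_rate": verdicts["false_positive"] / len(matched) if matched else 0.0,
    }


def relevance_filter_effect(indicators, sightings):
    """Sightings raised by all disseminated indicators versus only the relevant
    ones; the difference is the noise avoided by disseminating relevant intel only."""
    relevant = {i["id"] for i in indicators if i["relevant"]}
    total = len(sightings)
    relevant_only = sum(1 for s in sightings if s["indicator"] in relevant)
    return {"sightings_all": total, "sightings_relevant_only": relevant_only,
            "noise_avoided": total - relevant_only}


def requirement_completion(requirements):
    """Fraction of tracked intelligence requirements that have been answered."""
    if not requirements:
        return 0.0
    return sum(1 for r in requirements if r["status"] == "answered") / len(requirements)


def scorecard(indicators, sightings, requirements):
    """Assemble the program metrics into one report for management."""
    return {
        "dissemination_rate": dissemination_rate(indicators),
        "relevant_but_not_disseminated": undisseminated_relevant(indicators),
        **sighting_metrics(indicators, sightings),
        **relevance_filter_effect(indicators, sightings),
        "requirement_completion": requirement_completion(requirements),
    }


if __name__ == "__main__":
    for name, value in scorecard(INDICATORS, SIGHTINGS, REQUIREMENTS).items():
        print(f"{name:32s} {value}")
```

Run on the constructed data, the scorecard shows two thirds of collected indicators disseminated, one relevant indicator (ioc-6) still sitting in the platform, two blocks and three alerts, a 40% false-positive rate that drops to zero when only relevant indicators are pushed, and two of three intelligence requirements answered. Tracked period over period, these are the numbers that let you argue ROI with senior management.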
If you are already consuming CTI, you can measure by asking yourself some questions:
- What is driving the consumption?
- Who is the consumer in my organization?
- What are we achieving by consuming and disseminating this Intelligence?
CTI is not just about disseminating technical information for proactive blocking or scanning assets for new vulnerabilities, but also about producing information that will help the organization anticipate threats. To achieve this, CTI analysts need to be addressing those intelligence requirements rather than spending their time dealing with technical challenges. A TIP like ThreatQ will allow your analysts to focus on what they were hired for: producing intelligence that can help anticipate threats.
A Threat Intelligence Platform, correctly deployed and used to address knowledge gaps, will act as a cost reduction tool by automating tasks that take time from your analysts. It will reduce the probability of a threat materializing and hence reduce the economic impact of that threat. The TIP will certainly help you improve your detection and response strategies by supporting informed decisions with relevant intelligence.
Finally, if you think of intelligence as information to address knowledge gaps that can allow your organization to take action in the right direction, then the organization and senior management need to put a value on having that knowledge gap filled in with the intelligence it receives. Ideally, the cost of addressing the knowledge gap will be lower than the value it brings to the organization.