Dissecting threat intelligence lifecycle problems

In my last CSO article, I looked at a few challenges related to enterprise threat intelligence programs. Security pros pointed to issues like dealing with too many manual processes, sorting through noisy threat intelligence feeds, establishing clear ROI benefits, and managing threat intelligence programs that are little more than an academic exercise for the cyber-threat intelligence (CTI) team.

6 phases of an effective threat intelligence program

Given these pervasive challenges, it’s logical to ask: What does a strong threat intelligence program look like? While different organizations may answer this question with their own unique perspective, one common trait is that successful CTI programs follow an established threat intelligence lifecycle across six phases. (Note: Some threat intelligence lifecycle models are composed of five phases as they combine items 5 and 6 below):

1. Planning and direction: At the start of a CTI program, threat analysts meet with executives, line-of-business managers, CISOs, and security teams to define priority intelligence requirements (PIRs). Militaries define PIRs as, “an intelligence requirement associated with a decision that will critically affect the overall success of the command’s mission.” From a cybersecurity perspective, a PIR could be aligned with protecting critical business systems from adversaries targeting similar systems across an industry or region.
2. Collection: Based on PIR priorities, threat analysts determine the intelligence they need and how to obtain it. They then proceed with data collection accordingly.
3. Processing: Once the data is collected it needs to be collated, organized, de-duplicated, and checked for data integrity. Effectively, this is the data management phase that translates threat data into human and machine-readable threat intelligence based on risk, urgency, and priority.
4. Analysis: This is where threat analysts earn their pay. The goal here is to comb through threat intelligence data, looking at adversary chatter, behavior, and the tactics, techniques, and procedures (TTPs) they are using for cyber-attacks. Analysis efforts should be lock-step with high priority PIRs.
5. Dissemination: After analyzing CTI based on PIRs, threat analysts compose and distribute reports tailored to the needs of individual consumers across the business, IT, security, and other areas. These reports should be used as inputs for business (M&A, third-party risk management, etc.) and technology (security investments, controls, user entitlements, etc.) decisions.
6. Feedback: Future threat analysts’ activities should be driven by feedback from CTI consumers. Were reports accurate and timely or did they miss the mark? How could they be upgraded? The goal here is continuous improvement.

Following a CTI lifecycle is a best practice, and many companies adhere to this model. According to recent ESG research, 72% of enterprise organizations (those with 1,000 employees or more) have a formal CTI lifecycle model, 24% follow an informal CTI lifecycle model, and 4% don’t have a CTI lifecycle model but plan on creating one over the next 12 to 18 months.

Roadblocks to threat intelligence best practices

There is good and bad news here. The good news is that most firms recognize CTI best practices by following a threat intelligence lifecycle. The bad news is that many organizations struggle in one or many of the lifecycle phases described above. ESG asked 364 enterprise security professionals which of the six phases was most problematic at their organization. The data reveals:

• Twenty-one percent struggle in the analysis phase. It’s likely organizations don’t have the right data, are overwhelmed with too much data, or don’t have the right analytics skills.
• Eighteen percent struggle in the feedback phase. In this case, threat intelligence consumers are getting useless reports, or they don’t care enough to work with the CTI team on making the process more effective.
• Seventeen percent struggle in the collection phase. Typically, this means that threat analysts don’t know what to collect or adopt a ‘more is better’ strategy and are buried by intelligence volume. It may also indicate that they don’t have clear PIRs from intelligence consumers, so they are winging it a bit.
• Sixteen percent struggle in the production phase. This is likely a technology problem. My guess is that these organizations don’t have the right tools to collect, organize, and manage CTI at scale.
• Fifteen percent struggle in the planning phase. Clearly, these firms don’t have the right working relationship between CTI analysts and consumers, thus they never establish the right PIRs to begin with. These programs are doomed from the start.
• Twelve percent struggle in the dissemination phase. CTI consumers want timely and accurate reports for analysis and decision making. If the CTI team can’t create and distribute them succinctly, they won’t be very valuable.

Enterprise CISOs may be proud of the fact that they’ve invested in CTI lifecycles, but they shouldn’t rest on their laurels. A successful program must be optimized and well-coordinated across all six phases based on upfront PIRs and a continuous feedback loop. CTI lifecycles are a prime example of the saying, “The whole is greater than the sum of its parts.” To optimize CTI program benefits, CISOs must assess CTI lifecycles in detail to uncover and fix process bottlenecks through ALL six phases.