Attributes of a mature cyber-threat intelligence program

Earlier this year, ESG published a research report focused on how enterprise organizations use threat intelligence as part of their overall cybersecurity strategy. The research project included a survey of 380 cybersecurity professionals working at enterprise organizations (i.e., more than 1,000 employees).

Survey respondents were asked questions about their organization’s cyber-threat intelligence (CTI) program – how it was staffed, what types of skills were most important, its challenges and strategies, spending plans, etc. I’ve written three previous blogs detailing the research. The first one gave an overview of enterprise threat intelligence programs. The second examined challenges with the threat intelligence lifecycle, and the third looked at the intersection between CTI and digital risk protection (DRP).

With enterprise CTI programs, I’d say that there’s an 80/20 rule in play. More specifically, 80% of organizations have basic threat intelligence programs while 20% are more advanced. Even within the 20%, few organizations have a well-designed threat intelligence lifecycle, established processes and metrics, and consistently follow best practices.

Why? Most organizations think of threat intelligence as indicators of compromise (IoCs) like known malicious files, IP addresses, and web domains used for reference and alert enrichment. Fewer have automated IoC discovery into blocking rules, while even fewer align their threat intelligence programs with the MITRE ATT&CK framework so they can track adversary tactics, techniques, and procedures (TTPs) to create detection rules, build a threat-informed defense, or validate their security controls. When it comes to CTI programs, the best-of-the-best population is extremely small, dominated by financial services, big tech, national militaries, and intelligence agencies.

Most-cited mature cyber threat intelligence attributes

With the state of enterprise threat intelligence programs in mind, survey respondents were asked to identify the attributes of a mature CTI program. Here are their top responses and my analysis:

• Thirty-one percent of security professionals believe that a mature CTI program must include information dissemination with reports customized for consumption by specific individuals and groups. Threat intelligence dissemination is one of the phases of a threat intelligence lifecycle, so I tend to agree with this assertion. The key here is that threat intelligence must be timely, relevant, and customized to the needs of business, technology, and security professionals. Finally, it’s important that threat intelligence consumers provide feedback to the CTI team. Are the reports useful? What else is needed? This feedback drives continuous CTI program improvement.
• Twenty-eight percent of security professionals believe that a mature CTI program must include a high volume of data sources. Not necessarily. It’s true that mature CTI programs do collect, process, and analyze large volumes of threat data, but more threat intelligence isn’t always ideal. In fact, the research reveals that many organizations are quickly buried by threat intelligence volume and struggle to find the useful needles in the haystack. A mature CTI program collects, processes, and analyzes the right data – not necessarily the most data.
• Twenty-seven percent of security professionals believe that a mature CTI program must include integration with other security technologies. I agree with a caveat. Threat intelligence programs can have tactical, operational, and strategic uses. Examples include enriching alerts (tactical), helping an organization create a threat-informed defense (operational), or aligning cyber risks with business initiatives (strategic). I would put CTI integration with other security technologies at the intersection of the tactical and operational divide. Necessary? Yes. An indication of maturity? Not really.
• Twenty-three percent of security professionals believe that a mature CTI program must include the ability to continuously test security controls against new threats and adversaries. Now we’re talking. A mature CTI program will be tightly coupled with penetration testing and red teaming, testing security defenses against adversary TTPs used in modern targeted attacks. When this process is continuous and well managed, it is certainly a sign of maturity.
• Twenty-three percent of security professionals believe that a mature CTI program must include well-defined goals, objectives, and metrics in pursuit of continuous program improvement. Totally agree here, too. The first phase of a threat intelligence lifecycle is planning and direction. During this phase, business, technology, and security managers work with the CTI analyst team to define priority intelligence requirements (PIRs) that align with business and mission objectives. As part of the planning process and PIRs, the CTI program team must define metrics for success, constantly measure their performance, and report these metrics to their managers. Lacking upfront planning and metrics, CTI programs quickly turn into academic exercises with little value to the organization.
• Twenty-one percent of security professionals believe that a mature CTI program must include automated processes for blocking newly discovered IoCs. This is a tactical requirement like the one above about CTI integration with security controls. Mature CTI programs can do this, but doing this doesn’t make your CTI program mature.

Don’t get me wrong – all the data points above should be part of a CTI program. That said, this research reinforces that most organizations don’t have a mature CTI program and many security professionals don’t really know what a mature CTI program looks like. Since a strong CTI program can certainly bolster security defenses when done correctly, many organizations would benefit most by finding managed service providers to help them bridge this gap rather than muddling through on their own.