Cyber threat intelligence (CTI) programs are constantly evolving, presenting organizations with both challenges and opportunities. As cyber threats grow more sophisticated and pervasive, a robust CTI program has become critical for safeguarding organizational assets. This article covers the essential aspects of establishing and operating an effective CTI program, as discussed during the Cyber Rhino Threat Week. Cyber Rhino Threat Week, held from December 9 to December 13, 2024, aimed to share threat intelligence insights and best practices among customers, partners, and the wider industry ecosystem. The event opened with a keynote session that set the stage for the week by focusing on the questions organizations need to address when creating and maintaining an efficient CTI program.
The Unique Nature of CTI Programs
A recurring theme in the panel discussion was that CTI programs differ from one organization to the next. Although there is a general understanding of what a CTI program is for and what the CTI team does, the details vary widely because of differing priorities, organizational structures, processes, and desired outcomes. Despite these differences, the panelists agreed that CTI is now a higher priority and is regarded as essential rather than optional. A CTI program supplies the information that guides the entire cybersecurity process, from strategic planning to tactical implementation, which makes it a vital component of the overall security program.
Establishing an effective CTI program starts with defining the desired outcomes up front: what does the organization want the program to achieve? Organizations must decide whether they need a highly technical, tactical capability or something more strategic in nature. They must also identify which cyber threats the program needs to address, based on the organization's maturity and the industry it operates in. There is no one-size-fits-all approach; each organization's CTI program should be tailored to its specific needs.
Continuous Evolution of CTI Programs
The panel also emphasized that CTI programs and teams must continuously evolve to keep pace with a changing threat landscape. Over the past five years, the threats organizations track have broadened to include ransomware, disinformation, deepfakes, and geopolitical risk, so the roles and responsibilities of CTI teams must expand to cover them. How this evolution plays out depends partly on the Chief Information Security Officer's (CISO) perspective within each organization. Larger enterprises often have the resources to fully staff a CTI program, while small and mid-sized companies may need to outsource these functions to Managed Security Service Providers (MSSPs) or Managed Service Providers (MSPs).
Another notable change is who is involved. CTI programs were traditionally heavily technical and focused on the cybersecurity team; today, executive and board-level stakeholders are also engaged, concerned with business issues such as third-party risk, geopolitical tensions, and supply chain risk. This shift calls for changes to the program's organizational structure so that it can accommodate these broader concerns and keep the CTI program aligned with overall business objectives and risk management strategy.
Mission-Oriented CTI Initiatives
An essential element of any CTI initiative is that it should be mission-oriented, which requires those involved to define their priority intelligence requirements (PIRs): the questions the program exists to answer. It is equally important to be able to operationalize threat intelligence in real time before attempting to expand the program. CTI is inherently cross-functional and must interact with many constituents across the organization, so the question of which department the CTI program should report to often arises, and it can cause tension between groups such as Security Operations Center (SOC) incident responders, SOC analysts, and the CTI team.
These tensions typically revolve around ownership of responsibilities and decision-making authority over tool procurement and implementation, and they can produce siloed thinking that undermines the program's effectiveness. To address this, intelligence should be integrated into every part of the security operation, from alerting to triage, investigation, and threat hunting. Leaders who adopt this end-to-end perspective make the most progress with their CTI programs, improving coordination and collaboration across teams.
Integration and Collaboration
Data-sharing and collaboration are pivotal to the success of a CTI program. The primary functions of a CTI team include situational awareness, internal data-sharing, and creating operational efficiencies that enable faster threat detection and better prioritization of patching. Disseminating and sharing information within the organization and with the extended partner ecosystem is therefore a core part of the program. During Cyber Rhino Threat Week, the panel discussed the need for standards in CTI that make dissemination and sharing effective, again emphasizing situational awareness and proactive threat management.
To counter siloed thinking, teams should set goals collaboratively and communicate the key goals on an ongoing basis. This reduces operational silos to mere reporting structures rather than hindrances. By fostering a collaborative environment, organizations make their CTI programs more effective and cohesive, which improves threat detection and response across the entire organization.