CTI Lessons Learned: Identifying the Need

When Do You Know There is a Problem?

Throughout the years, Mandiant has helped many organizations establish and improve their Cyber Threat Intelligence (CTI) capability. During our initial conversations with clients, we often identify several key indicators that help us determine whether a client needs assistance with creating or building out their CTI program.

The following are some recurring trends and concerns we have noted from those conversations:

  • The organization has no existing CTI capability in place. Alternatively, some capabilities exist, but they aren’t aligned to business needs and organizational threat exposure. Ultimately, the organization may be consuming threat data, but has limited ability to act on it.
  • There is no integration (or consideration) of adversary motivation, capability or intent within greater risk management or analysis processes. By extension, the organization has significant problems anticipating, identifying or prioritizing threats tactically and/or strategically.
  • There are no proactive capabilities to tactically monitor for, detect, and respond to threats.
  • Teams struggle to contextualize and communicate cyber threat activity impacting their networks across security and business operations.
  • Security resources are not aligned to the most pertinent threats, and organizations are often unable to determine the impact of cyber threats.

Today, organizations are moving towards Cyber Threat Intelligence for several reasons – the need to expend resources more efficiently, to enable communications with non-technical (business) audiences, to help explain the value of security operations as a whole, and to clarify cyber risk the organization faces. Whatever the reason, CTI is a boon as it ultimately informs efficient management of cyber risk.

When You’ve Made the Decision to Become Intelligence-led

Mandiant’s introductory Cyber Threat Intelligence Services (CTIS) offering is Threat Intelligence Foundations (TIF), which focuses on basic building blocks for developing, maturing and implementing cyber threat intelligence practices and capabilities. It focuses on three primary objectives:

  • Informing the organization of the most relevant and impactful cyber threats relative to sector, organization type, and technology/operational profile.
  • Identifying how stakeholders within the organization can consume and apply CTI within security and business operations.
  • Providing a baseline for developing and implementing pragmatic threat intelligence practices, communications and technical use cases.

When organizations understand who their stakeholders are, and how they want to consume and apply cyber threat intelligence throughout the business, the capabilities and overarching program can be built accordingly. Based on relevant threats and stakeholder needs, customers can form high fidelity intelligence requirements that drive programmatic development and maturity.

Organizations that build this foundational framework have been able to immediately focus their efforts on consuming intelligence and applying it to key areas of their security program. These near-term wins allow the program to grow, and the value of that intelligence is then seen across security operations and the broader business.

Cyber threat intelligence programs often need to crawl before they walk, and certainly before they run. These essential building blocks position the organization to build requirements-driven CTI practices and capabilities, or an entire program.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.