CTI Program Development: Easing the Process for Optimal Results

Many organizations – no matter their size – have Cyber Threat Intelligence (CTI) programs and processes that are too chaotic, discordant, and undeveloped. A critical step in maturing a CTI function is addressing broken processes and replacing them with sound solutions. CTI program development can be challenging without skillful guidance, and even more so if fundamental concepts are not diligently adhered to at the onset of change.

To deliver maximum business value, it is best practice to break down the CTI program into its component parts and establish requirements grounded in the business’s strategic and tactical needs. This approach not only makes the process easier, but also resonates with those individuals tasked with execution.

Mandiant helps organizations tackle this with the Analyst Tradecraft Workshop (ATW), which illustrates how all components of a fully functioning CTI program should fit together, build upon one another, and ultimately add business value back into the organization.

Simply enough, we call our workshop methodology the ‘5 Ws’ – yes, just like you learned in grade school: who, what, when, where and why. It’s easy to remember, relatable, and repeatable, making the sometimes overwhelming task of CTI program creation, development and sustainment seem manageable.

The following descriptions tackle each ‘W’ across the process:

  • Who? The first agenda item for any program creation is determining who will be served by the program, and what their specific needs are or will be. Key stakeholders should be identified and then interviewed so that their expectations can be catalogued. From a security program perspective, the CTI team must determine which stakeholders play a role in and/or are affected by cyber security, what their functional cyber information needs are, and what specific items (e.g., data, systems, reputation) they feel require protection.
  • What? The second agenda item speaks to what potential threats exist that could impact your newly identified stakeholders’ needs. Intelligence needs should be reviewed based on geography, business sector, technology, and other factors to determine where potential threats intersect with stakeholders’ areas of concern.
  • When? The third agenda item calls for requirements to be developed that give the CTI team clear collection, analysis, and dissemination goals for the program. These requirements are the foundation of any high-functioning intelligence effort, and should be prioritized against each stakeholder’s intelligence needs. Prioritization should be based on internally determined criticality ratings and on CTI team resourcing.
  • Where? The fourth agenda item is understanding and managing where the intelligence inputs live. Inputs are not only external (third parties, blogs, open source, data streams, information sharing groups, etc.), but also internal, traced through logs, netflow, SIEM monitoring, and more. Understanding the CTI team’s external intelligence sources and the organization’s internal network monitoring ecosystem is critical to success. Later, the fidelity and quality of these intelligence inputs should be rated to identify any gaps that require remediation before the developed intelligence requirements can be delivered on.
  • Why? The central aim of any intelligence program is to inform cyber risk management, and to provide decision advantage to those who require it. To deliver on these two central tenets, the fifth agenda item concerns developing an effective intelligence dissemination strategy so that analyzed intelligence can be shared with the appropriate stakeholders, supporting both tactical and strategic decisions. Cyber intelligence exists to help guide business leaders and operators when risks occur and/or are spotted on the horizon, and should provide timely and actionable insights on both the likelihood and impact of each risk.
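The “When?” and “Where?” items above describe two bookkeeping tasks a CTI team actually has to carry out: ranking intelligence requirements by criticality against available analyst capacity, and rating the fidelity of each input source so that requirements no source can answer well are flagged for remediation. The following is an added example of how those two tasks can be modelled in a small script; it is not part of the original post and not Mandiant’s ATW material. The requirement ids, stakeholder names, criticality ratings, effort estimates, source names and fidelity scores are all constructed for illustration, and the 20-hour capacity and the fidelity threshold of 3 are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Requirement:
    """One intelligence requirement tied to a stakeholder (hypothetical model)."""
    rid: str
    stakeholder: str
    question: str
    criticality: int   # internally determined rating, 1 (low) to 5 (high)
    effort_hours: int  # estimated analyst hours per reporting cycle
    sources: tuple     # names of the inputs expected to answer the question


@dataclass
class Source:
    """An intelligence input, external or internal, with a rated fidelity."""
    name: str
    kind: str      # "external" or "internal"
    fidelity: int  # rated quality, 1 (poor) to 5 (high)


# Constructed sample data; every value below is illustrative, not from the post.
REQUIREMENTS = [
    Requirement("PIR-1", "CISO", "Which ransomware operators target our sector and geography?",
                5, 8, ("vendor_feed", "isac")),
    Requirement("PIR-2", "SOC", "Which phishing infrastructure is aimed at our domains?",
                4, 6, ("mail_gateway_logs", "open_source_blogs")),
    Requirement("PIR-3", "Fraud", "Are our customers' credentials being traded?",
                5, 4, ("dark_web_vendor",)),
    Requirement("PIR-4", "Legal", "What data-protection rule changes affect us this quarter?",
                2, 4, ("open_source_blogs",)),
    Requirement("PIR-5", "SOC", "Which vulnerabilities in our stack are exploited in the wild?",
                5, 5, ("vendor_feed", "siem")),
]

SOURCES = [
    Source("vendor_feed", "external", 4),
    Source("isac", "external", 3),
    Source("open_source_blogs", "external", 2),
    Source("dark_web_vendor", "external", 2),
    Source("mail_gateway_logs", "internal", 4),
    Source("siem", "internal", 5),
]

CAPACITY_HOURS = 20  # assumed analyst capacity per reporting cycle


def prioritize(reqs, capacity_hours):
    """Rank by criticality (descending), then effort (ascending), then id,
    and fund requirements greedily until the team's capacity is used up."""
    ranked = sorted(reqs, key=lambda r: (-r.criticality, r.effort_hours, r.rid))
    funded, deferred, remaining = [], [], capacity_hours
    for r in ranked:
        if r.effort_hours <= remaining:
            funded.append(r.rid)
            remaining -= r.effort_hours
        else:
            deferred.append(r.rid)
    return funded, deferred


def coverage_gaps(reqs, sources, min_fidelity=3):
    """Return {requirement id: {source name: fidelity or None}} for every
    requirement that has no known source rated at or above min_fidelity.
    A None fidelity means the requirement names a source nobody has rated."""
    by_name = {s.name: s for s in sources}
    gaps = {}
    for r in reqs:
        ratings = {name: (by_name[name].fidelity if name in by_name else None)
                   for name in r.sources}
        if not any(f is not None and f >= min_fidelity for f in ratings.values()):
            gaps[r.rid] = ratings
    return gaps


def funded_with_gaps(reqs, sources, capacity_hours, min_fidelity=3):
    """Requirements the team has committed capacity to but cannot yet answer
    from a trustworthy source; these are the gaps to remediate first."""
    funded, _ = prioritize(reqs, capacity_hours)
    gaps = coverage_gaps(reqs, sources, min_fidelity)
    return [rid for rid in funded if rid in gaps]


if __name__ == "__main__":
    funded, deferred = prioritize(REQUIREMENTS, CAPACITY_HOURS)
    print("funded this cycle:", funded)
    print("deferred:", deferred)
    for rid, ratings in coverage_gaps(REQUIREMENTS, SOURCES).items():
        print(f"gap: {rid} relies on {ratings}")
    print("funded but uncovered:", funded_with_gaps(REQUIREMENTS, SOURCES, CAPACITY_HOURS))
```

With the constructed data, PIR-3 is funded because the fraud team rated it critical and it is cheap to work, yet its only source is rated below the threshold; that combination is exactly the kind of gap the “Where?” step is meant to surface before the team commits to delivering on the requirement.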

The ‘5 Ws’ methodology has been used to great effect with numerous organizations around the globe. It is digestible to both seasoned Cyber Threat Intelligence professionals and relative newcomers to the field. It replaces the mystery of intelligence with a simple set of ideas that have been proven to work across government and commercial settings. Most importantly, it is relatively easy to manage and repeatable – benefits that task-saturated threat intelligence teams require to stay on track. “Work smarter, not harder” is a message that always resonates in resource-constrained environments.

Visit our Cyber Threat Intelligence Services homepage for more information on our Analyst Tradecraft Workshop and how Mandiant can help your organization improve its threat intelligence capabilities.