The 2021 SANS Cyber Threat Intelligence (CTI) Survey reported that 77% of organisations found that CTI improved their detection and response capabilities. However, Security Alliance have found that most organisations that use CTI implement only around 10-20% of the possible use cases. This results in:
• Lack of leadership buy-in and support for CTI
• High vendor and product churn
• Poor return on investment in CTI for organisations
In order to really realise value from your CTI products and services - whether it’s a TIP, an intelligence portal, an analyst, or an IOC feed into your SOC - it’s essential to map CTI against as many use cases as possible.
Truly comprehensive CTI use case mapping needs to consider operational and strategic security as well as tactical and technical implementation.
The most common CTI use case we see by far is plugging an Indicator of Compromise (IOC) feed into a SIEM and/or SOAR. Whilst this can certainly act as a great starting point for a SOC’s monitoring and detection, it’s only really scratching the surface of tactical CTI use cases. Furthermore, many SOCs aren’t even using IOCs to their full potential: indicators are often matched only against inbound alerts, never searched for retrospectively, and never weighted by confidence or by the criticality of the asset they hit. Other potential use cases you should consider implementing include:
• Threat Hunting – Searching your whole network for IOCs proactively
• Security Control Optimisation – Using threat scoring and tailored recommendations to help prioritise alerts and enrich security incidents
• Incident Response support – Leveraging intelligence feeds, portals or analysts to explore related IOCs, incidents, malware or threat actors
Truly actionable operational intelligence is harder to get hold of than tactical intelligence. It also often takes more effort to do something with that intelligence. However, the operational use cases are where we can clearly see CTI and security teams becoming more proactive. Operational use cases may be new, standalone use cases, or they may just be a progression of a tactical use case. Exact implementation will vary depending on the type of product and service you are consuming, but should include:
• Threat Hunting - Using MITRE ATT&CK mapping to hunt for threats according to tactics and techniques, not just IOCs
• Incident Response support – Mapping incidents against relevant scenarios to track and interdict threats
• Red Teaming – Building highly realistic scenarios based on real-world operations that are relevant to you and your industry
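The following Python script is an added example, not code from the original article or from Security Alliance. It puts the tactical and operational hunting use cases above side by side: a small IOC feed is matched against log lines (tactical), hits are scored by indicator confidence and bumped for critical assets (security control optimisation), and an ATT&CK-mapped behavioural rule for T1059.001 (encoded PowerShell launched from an Office application) flags a host that no indicator in the feed would ever have caught. The IOC feed, the log lines, the hostnames, the critical-host list and the rule’s score threshold are all constructed for illustration and are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed IOC feed: indicator -> type, confidence (0-100) and actor tag.
# Every value here is illustrative, not real threat intelligence.
IOC_FEED = {
    "203.0.113.45": {"type": "ipv4", "confidence": 90, "actor": "APT-Example-1"},
    "update-check.example.net": {"type": "domain", "confidence": 70, "actor": "APT-Example-1"},
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": {"type": "md5", "confidence": 40, "actor": "commodity"},
}

# Hosts the business treats as critical (an assumption for the example). Hits on
# them get a priority bump: the "tailored" part of security control optimisation.
CRITICAL_HOSTS = {"srv-db01"}
CRITICAL_BUMP = 20

# Log fields that can carry an indicator the feed knows about.
IOC_FIELDS = ("dst", "dst_ip", "src_ip", "hash")

# Constructed key=value log lines (proxy, process and file events), not real data.
SAMPLE_LOGS = [
    "ts=2021-06-01T09:12:03Z host=ws-017 type=proxy dst=update-check.example.net dst_ip=203.0.113.45 user=alice",
    'ts=2021-06-01T09:12:08Z host=ws-017 type=process user=alice image=powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgA" parent=winword.exe',
    "ts=2021-06-01T09:15:44Z host=srv-db01 type=proxy dst=cdn.example.org dst_ip=198.51.100.7 user=svc_backup",
    'ts=2021-06-01T09:20:10Z host=ws-042 type=process user=bob image=powershell.exe cmdline="powershell -enc SQBFAFgA" parent=outlook.exe',
    "ts=2021-06-01T09:21:00Z host=srv-db01 type=file hash=0f1e2d3c4b5a69788796a5b4c3d2e1f0 path=D:\\staging\\invoice.exe",
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


@dataclass
class Finding:
    ts: str
    host: str
    kind: str              # "ioc" (tactical) or "technique" (operational)
    detail: str
    score: int
    technique: str | None = None


def score_for(host: str, base: int) -> int:
    """Raise the priority of anything touching a critical host, capped at 100."""
    return min(100, base + CRITICAL_BUMP) if host in CRITICAL_HOSTS else base


def ioc_match(ev: dict[str, str]) -> Finding | None:
    """Tactical use case: does any field of this event carry a known indicator?"""
    hits = [(f, ev[f], IOC_FEED[ev[f]]) for f in IOC_FIELDS if f in ev and ev[f] in IOC_FEED]
    if not hits:
        return None
    best = max(meta["confidence"] for _, _, meta in hits)
    detail = "; ".join(f"{f}={v} ({m['type']}, {m['actor']}, conf {m['confidence']})" for f, v, m in hits)
    return Finding(ev["ts"], ev["host"], "ioc", detail, score_for(ev["host"], best))


ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def technique_match(ev: dict[str, str]) -> Finding | None:
    """Operational use case: hunt by behaviour (ATT&CK T1059.001), no indicator required."""
    if (ev.get("type") == "process"
            and ev.get("image", "").lower() == "powershell.exe"
            and ev.get("parent", "").lower() in OFFICE_PARENTS
            and ENCODED_PS.search(ev.get("cmdline", ""))):
        return Finding(ev["ts"], ev["host"], "technique",
                       f"encoded PowerShell spawned by {ev['parent']}",
                       score_for(ev["host"], 75), technique="T1059.001")
    return None


def hunt(lines: list[str]) -> list[Finding]:
    """Run both detections over every line and return findings, highest priority first."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        findings.extend(f for f in (ioc_match(ev), technique_match(ev)) if f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def technique_only_hosts(findings: list[Finding]) -> set[str]:
    """Hosts an IOC-only SOC would have missed entirely."""
    ioc_hosts = {f.host for f in findings if f.kind == "ioc"}
    return {f.host for f in findings if f.kind == "technique"} - ioc_hosts


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for f in results:
        print(f"{f.score:3d} {f.ts} {f.host:8s} {f.kind:9s} {f.technique or '-':9s} {f.detail}")
    print("technique-only hosts:", technique_only_hosts(results))
```

Run as-is, the script ranks the ws-017 proxy hit first (two indicators, best confidence 90), then the two T1059.001 findings, then the commodity hash on srv-db01, which only climbs to 60 because the host is critical. The point of the last function is the one the article makes: ws-042 appears only because of the technique rule, so a SOC that stopped at the IOC feed would never have looked at it.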
Actionable strategic intelligence is even harder to get hold of. Strategic intelligence can often be perceived as academic, with little consideration by the author for how the (often lengthy) report will be used by the end user. Strategic intelligence needs to be highly tailored to your organisation and should consider what it will actually be used for. If done right, strategic intelligence can help to prioritise security and IT spending. Examples include:
• C-suite/Executive/Board briefings – Providing weekly, monthly or quarterly reports summarising key trends, incidents and threats to the organisation to support strategic decision makers
• Risk Management support – Conducting threat modelling focused on critical business applications and linked to the latest intelligence
• IT & Security Strategy input – Ensuring your organisation is investing in the right tools and skills to remain ahead of the latest emerging threats
In order to achieve a more complete mapping of CTI use cases, it’s necessary to pay particular attention to both the “Planning & Direction” and “Dissemination” stages of the intelligence cycle. Some have even suggested adding an additional step to the CTI framework, such as “Action”, to ensure that all intelligence is operationally focused.
During the planning and direction stage, a significant amount of time should be spent creating an Intelligence Collection Plan (ICP). This document dictates how, where and why you and your intelligence providers collect intelligence. This should be a live document which constantly evolves with broad stakeholder input. If your ICP is well written and regularly updated, the only intelligence you collect, process and analyse should be intelligence that is being used for a specific use case that supports your business.
The Distribution or Dissemination phase of the intelligence cycle is perhaps the area which is most often overlooked. As well as considering all possible use cases, it is important to identify and support all possible end users of intelligence, from SOC analyst to CEO. Furthermore, dissemination is neither linear nor one way: each type of intelligence may map against more than one use case, and the feedback loop should be continuous. A high-level example using one subset of tactical intelligence is shown below.
The most mature CTI teams we speak to almost always have a robust set of CTI Standard Operating Procedures (SOPs) and a bespoke CTI framework. These are often built around the standard intelligence cycle, but with customisation to suit each organisation. Having these will hold your CTI team, security team and intelligence suppliers to account. A CTI playbook can help formalise each of the use cases discussed above and ensure continuity across the team.
• Using CTI effectively is one of the best ways to move towards a more proactive security posture.
• Quantifying the ROI of CTI is very challenging. Focus on maximising the number of use cases and the consistency with which they are implemented to achieve maximum ROI.
• If you have limited resources, focus on the use cases with the highest ROI. These will vary according to your specific business requirements and threats to your company and industry.
• Focus on the end-user of the intelligence. If you can’t identify the end-user or use case, is there any value in that intelligence to your business?