The uses and benefits of CTI
I think it can wholeheartedly be stated anywhere within this industry that CTI is important to everyone, as it provides contextual information that allows for strategic decision-making. This context allows it to be used by almost any level of analyst or researcher throughout any organization. Its use is not limited to some elite subset of intelligence analysts who claim to know every move of a TAG. Key judgments can be formed from contextual intelligence at any level of employment, from a Security Operations Center (SOC) analyst implementing a firewall policy change after receiving intelligence that a URL is serving a web shell known to be associated with several TAGs, to a C-level executive making informed strategic decisions to improve the security posture of their organization.
However, for threat intelligence to be useful, several key factors need to be present. First, it needs to be timely: the information must reach a key decision-maker before a key event so that a judgment can be formed around its context. Second, the intelligence must be actionable; by actionable, we mean that the intelligence allows the recipient to take some action, so that the key judgment can be realized and the individual or organization can make a decision based on its delivery. Third, intelligence should be relevant. Finally, intelligence must be delivered in a format that has the lowest barrier to entry for consumption by an organization. This means that any individual or organization that wishes to benefit the most from CTI must incorporate it into their processes and procedures, or even develop security automations around it.
The context of the threat provided by the intelligence is where its value truly lies, as it assists any individual or organization with prioritization, which is one of the most important benefits of threat intelligence. No matter what security role you play in an organization, your role will benefit from the context that threat intelligence provides, as this will allow you to prioritize your key decision-making around the data your organization is consuming.
For example, let's consider this paradigm. Organizations that are only now beginning to implement some form of threat intelligence program in their security organization often start by identifying free data feeds or online services that contain some form of security information, usually in the form of a threat data indicator or IOC. While this is a great start to collecting the data and information that could be used to create threat intelligence, without the context surrounding this information, and without the appropriate integration into people, processes, and technologies, this approach usually leads to just more information and a heavier burden on your human workforce.
With all of this extra information, the burden falls on your analysts to decide what to review and prioritize and what to ignore. This approach can lead to operational misses, such as incidents that could have been prevented if the appropriate prioritization had been applied to the information received from your threat data feed. CTI can provide context around this information and give you key insights into the TAG's TTPs. This will inform your decision-making and help you prioritize your actions based on the contextual intelligence provided.
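To make the prioritization point concrete, here is an added illustration (not code from the book) that scores feed entries on the factors named above: timely, relevant, and actionable. The organization profile, the TAG name, and the three feed entries are constructed placeholders; a bare indicator with no context scores zero and sinks to the bottom, while the enriched web-shell URL rises to the top.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    value: str
    kind: str                                   # "url", "ip", "hash", ...
    last_seen: datetime                         # when the source last saw activity
    tags: set = field(default_factory=set)      # associated threat actor groups (TAGs)
    ttps: set = field(default_factory=set)      # observed tactics/techniques
    action: str = ""                            # recommended response, if any


# Constructed profile of what matters to this hypothetical organization.
ORG_PROFILE = {
    "watched_tags": {"TAG-EXAMPLE-1"},           # placeholder TAG name
    "watched_ttps": {"web shell"},
}


def score(ind: Indicator, profile: dict, now: datetime,
          stale_after: timedelta = timedelta(days=30)) -> int:
    """Score one indicator on the factors the text names: timely, relevant, actionable."""
    s = 0
    if now - ind.last_seen <= stale_after:
        s += 3                                  # timely: still inside its useful window
    if ind.tags & profile["watched_tags"]:
        s += 4                                  # relevant: a TAG we already track
    if ind.ttps & profile["watched_ttps"]:
        s += 2                                  # relevant: a TTP we have controls for
    if ind.action:
        s += 1                                  # actionable: we know what to do with it
    return s


def prioritize(feed: list, profile: dict, now: datetime) -> list:
    """Return (score, value) pairs, highest priority first; zero-context entries sink."""
    return sorted(((score(i, profile, now), i.value) for i in feed),
                  key=lambda p: (-p[0], p[1]))


# Constructed sample feed: one enriched entry and two bare ones, as a raw feed delivers them.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_FEED = [
    Indicator("198.51.100.7", "ip", NOW - timedelta(days=90)),
    Indicator("http://example.invalid/upload.php", "url", NOW - timedelta(days=2),
              tags={"TAG-EXAMPLE-1"}, ttps={"web shell"},
              action="block the URL at the web proxy/firewall"),
    Indicator("203.0.113.9", "ip", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for s, v in prioritize(SAMPLE_FEED, ORG_PROFILE, NOW):
        print(f"{s:2d}  {v}")
```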
Now that you're aware of the uses and benefits of CTI, let's explore how to get CTI.