
A Stakeholder-Centric Approach to Building a Cyber Threat Intelligence (CTI) Practice

How to make threat intelligence relevant to executives, business stakeholders, security operations and incident responders
A Stakeholder-Centric approach to Building a Cyber Threat Intelligence (CTI) Practice
Contents

Abstract (p. 3)
The Emergence of CTI as a Practice (p. 4)
The “Too Much Information” Problem (p. 8)
The High Cost of Manual Processes in Intelligence (p. 10)
How to Establish a CTI Practice (p. 11)
Cyber Threat Intelligence Relies on TIPs (p. 14)
About EclecticIQ (p. 18)

Abstract

Establishing a practice for Cyber Threat Intelligence (CTI) helps organizations to
excel at countering cyber threats by putting processes, people and technology at the
service of multiple stakeholders.

This paper:

• Describes how a Cyber Threat Intelligence practice meets the need for stronger
intelligence capabilities to counter cyber threats

• Explores the problem of “too much information” stemming from diverse sources of
intelligence

• Exposes the economic and operational costs of manual processes in intelligence

• Provides recommendations for establishing a Cyber Threat Intelligence best practice

• Outlines the key features of a dedicated platform supporting a Cyber Threat
Intelligence practice

The Emergence of CTI as a Practice

Leaders in Cyber Security are well aware of the need to bolster their defenses against
cyber threats. In a Forrester Research survey of decision-makers in technology
security for major organizations, 77 percent of respondents put a high or critical
priority on establishing/improving cyber threat intelligence (CTI) capabilities.[1]

Yet it’s not enough for technology leaders to handle cyber defenses on their own.
In the face of a new generation of virulent cyber threats, the old approach of
maintaining a “perimeter” defense is no longer viable.

Cyber defense has historically been considered a reactive business function, tasked
with responding to discrete indicators such as outdated software patches and
attempted intrusions. This approach is no longer sufficient. Emerging cyber threats
need to be handled with a cyber intelligence practice approach, rather than through
the security operations center (SOC) or incident response (IR) teams.

[Figure: three adjacent disciplines. Incident Response: mainstream since 2010+, focus on incidents and risk escalation, contextual response. Security Operations: mainstream since 2005+, focus on internal security, detection, false positives, prioritizing. Threat Management: early adoption, focus on external threats, no best practices yet, no tools, threat content acquisition, workflow enablement.]

[1] Forrester Research, “The State of the Cyberthreat Intelligence Market,” by Rick Holland, June 23, 2015

In the new threat environment, cyber defense is no longer something that can be
delegated to the IT department. Instead, business leaders have to cultivate a greater
awareness of cyber threats that exist within their own organizations, while ensuring
that they have access to resources needed to manage rapidly changing threat
exposures.

The new approach to cyber defense relies upon CTI as a separate and consultative
practice, built with processes, people and technology dedicated to continuous
improvement of cyber security within an organization. The CTI practice delivers an
adaptive approach to intelligence that provides continuous monitoring of business
processes through extensive collaboration between CTI and business units. Threat
analysts from a CTI practice, empowered with the best available cyber threat
information, work in consultation with managers to improve the security posture of a
wide range of stakeholders.

As with intelligence practices in general, a CTI practice supports organizations with
a full range of operational, tactical and strategic objectives:

[Figure: Threat Management at the center. Tactical intelligence supports Incident Response and Security Operations (Defeat), which escalate to Incident Operations, Legal and LE Relations. Operational intelligence supports Fraud Operations, Vulnerability Management and Executive Protection (Deter). Strategic intelligence guides Risk Management, Strategic Planning, Policy Management, Compliancy and Business Stakeholders (Prevent).]

An intelligence practice:

• Ensures the availability of strategic intelligence to inform planning of security efforts

• Integrates operational intelligence to ensure deterrence of known threats

• Discovers new or emerging threats via “threat hunting”

• Prepares tactical intelligence to ensure that if an incident does occur, it can be
dealt with swiftly and with minimal impact

• Assesses the exposure to the organization at each step to ensure proper
governance and control

CTI goes beyond the usual challenges faced by an intelligence practice due to several
unique and unprecedented aspects associated with cyber threats:

Cyber threats are highly virulent. A cyber attack has the ability to spread across
global networks at the speed of fiber-optic Internet traffic. Moreover, given the
extent to which critical systems have been placed under digital control, the potential
exposures to cyber threats are immense and increasing by the day. This is especially
pertinent to large and complex organizations, which tend to have more points of
interaction via electronic channels and more attractive targets than smaller and
simpler organizations.

Cyber threats are constantly evolving. Attackers may have financial incentives to
steal customer data or funds; political incentives to induce changes in policy or
practice; commercial incentives to steal company information as a form of espionage;
or military incentives to cause damage to an opponent. All these threats have existed
in the past, but today cyber threats are global, simultaneous and immediate.

New actors have instant credibility as attackers. Due to the widespread proliferation
of knowledge about tools developed, campaigns initiated and attacks performed,
new attackers with new motives can attack new targets without necessarily having
sophisticated computer skills.

Defense takes highly specialized knowledge. It takes a significant investment in
knowledge and expertise to detect or prevent attacks. Furthermore, a defender
needs to have hands-on experience with business systems to mitigate damage
caused by an attack.

A CTI practice expands the functionality of a traditional intelligence practice to
encompass the unique challenges posed by the cyber threat.

The “Too Much Information” Problem

One of the main challenges threat analysts face is the overwhelming flood of
information about potential or present attacks. Due to the need to incorporate a
diverse set of repetitive data feeds, CTI analysts have to sift through data pools with
a low “signal-to-noise” ratio; that is, there’s way too much noise.

[Figure: the threat analyst at the center of many inputs. External sources: Government (DS/CERT), OSINT, ISACs, commercial sources, private B2B sharing. Internally derived sources and security controls: WLAN, GW, SIM, IPS, FW, WAF, email GW, DAM, NAV, endpoint, web GW, DLP.]

Commercial CTI feeds represent a major source of information, but it is often difficult
to fully assess their net intelligence value. Analysts have to assess the extent to
which each provider offers unique capabilities or access to information, and then
decide whether they have a role in consistently meeting the information needs of
stakeholders.

Information Sharing and Analysis Centers (ISACs) established in various industries
provide relevant and valuable data on cyber threat intelligence, but these types
of intelligence exchanges and sharing communities tend to err on the side of
providing more rather than less information. Participating in an ISAC can significantly
increase the intake of irrelevant data, for which manual review requires a significant
investment in human resources.

Internal processes, people and systems also yield a vast trove of potential
intelligence data. Server, connection and access logs are rich sources of data, and a
wide range of analytic techniques exist to detect and escalate warnings related to
unusual behavior. Depending on the industry, people and processes can also provide
actionable data for a CTI analyst.

Most organizations struggle to identify the most relevant information contained
within the aggregated collection of threat data.

Without a formal, technology-driven method for determining relevancy, organizations
have to rely upon human labor to process the volumes of incoming intelligence. Best
case, the labor-focused approach has to cope with a significant workload consisting
of false positives. More likely, the end result is information overload, leaving
stakeholders exposed to cyber threats that may have been avoidable.

Different stakeholders can experience information overload in different ways.
Common situations include:

• Security Operations Centers (SOCs) receive too many warning signals associated
with threats, and are therefore unable to discern or respond to the most important
threats.

• Vulnerability Management teams find it hard to distinguish between low-impact
and high-impact IT system vulnerabilities, or encounter delays in responding to
known exploitation vectors.

• Incident Response and Operations (IR) teams have difficulty assembling an
accurate picture of the precise state of the organization at a point in time prior to,
or during, an attack.

• Business stakeholders remain largely unaware of the threat level before something
happens, or they have only a vague sense of what happened.

• IT Architects make decisions about IT infrastructure that may be costly to retrofit
with better security, relative to incorporating best practices from the start.

• Executives and decision-makers have limited understanding of the exposures
of their organizations prior to an incident, and so react mostly in response to
regulatory or reputational incentives, rather than to an extent proportional to the
actual threat.

The High Cost of Manual Processes in Intelligence

CTI analysts have a difficult and demanding job. Among other things, they have to
determine the relevancy of incoming intelligence, discover new threats, and make
associations between known threats and new threats. All of these tasks are made
worse when burdened by painstakingly slow and inefficient manual processes.

Unlike other common labor-intensive tasks, it’s usually impractical to throw more
manpower at an intelligence problem. Analysts are a scarce resource, as it’s hard to
find, evaluate and train new personnel to perform tasks associated with cyber threat
intelligence. Accordingly, CTI practices are constrained by a limited talent pool with
limited capacity and throughput.

Analysts ultimately are responsible for meeting the needs of stakeholders by fully
exploiting the value of intelligence available to the organization. Repetitive manual
work wastes time that would be better spent ensuring that the right information gets
to the right people, in the right place and at the right time.

Given the potential for expanding the role of analysts within a consultative
CTI practice, an overreliance on manual processes also has costs in terms of missed
opportunities for integration between intelligence and business functions.

A well-functioning CTI practice has the potential to support a diverse range of
internal business practices with powerful detection, prevention and response
functions, but such a level of integration requires a level of commitment that goes
beyond what an overwhelmed team of analysts can provide.

Analysts need to keep up with best practices in the emerging field of CTI, and then
apply that learning to situations within the organization. They need to distribute
evaluations of threat data to concerned stakeholders through secure repositories,
and ensure that organizational processes are sufficiently protected given the threat
environment.

With these possibilities at hand, the cost of manual processes in intelligence goes
far beyond the direct cost of paying for the labor. A true accounting of the costs
has to take into account the opportunity costs associated with not having a CTI
practice, and not giving analysts the best chance to support the stakeholders of an
organization.

How to Establish a CTI Practice

The organizational challenge of setting up a CTI practice requires attention to a
wide range of operational, tactical and strategic issues. Following are some key
recommendations:

Make room on the org chart. Although CTI is adjacent to and related to IT Security,
it should be considered as a distinct competency. As such, a CTI practice should
be given responsibility over its own clearly-defined processes, with appropriate
support in terms of staffing and technology. Also, CTI practices have to work with
several other existing organizational functions, including security operations, incident
operations, incident response, fraud operations and risk management. The lines of
reporting, communication and responsibility should be established well in advance.

Lock down IT capacity. While the CTI practice may not need to maintain its own IT
development team, it nevertheless needs to ensure the availability of IT resources
capable of architecting, planning and implementing standard CTI processes and
procedures, such as the acquisition of CTI feeds. Additionally, a CTI practice needs to
have ready access to a balanced, cross-functional team responsible for the roll-out of
any changes or security improvements to line-of-business systems.

Build a well-balanced core team. A CTI practice will include resources that cover the
following complementary skill sets:

• Intelligence specialties as a technical collection analyst, collection manager, threat
analyst, watch-center analyst, intelligence operator or intelligence manager

• Formal intelligence training, or similar training in critical thinking

• Project management with cross-cultural or cross-organizational experience

• Change management

• Risk management

• Practical IT Security implementation and operations, e.g. systems engineering,
security engineering

• Hands-on analyst experience in one or more key subject areas, including
vulnerabilities, malware, cyber threats, fraud, and policy analysis

Manage the right collection of CTI feeds. CTI feeds, especially the commercially
available feeds, often require considerable investments in subscriptions and
technology. Ensure that your CTI practice has the ability to measure the expected
intelligence value of new CTI feeds, in terms of value to stakeholders. Only ramp up
your CTI feed investments when you clearly understand the impact.

Bootstrap with technology platforms. New technologies have emerged to support
common challenges with implementing or improving the capabilities of a CTI
practice, and these tools can provide a fast and easy way to deploy a core set of
workflows and processes. Ensure that the workflow functionality of your technology
platform meets the full business requirements of your CTI practice.

Deliver stakeholder-focused CTI solutions. Creating business value from CTI relies
on a nuanced understanding of the information needs of the key stakeholders in
the organization. Even with the support of a CTI practice, it ultimately falls upon
the stakeholders to execute on a successful strategy of deterrence, defeat and
prevention. For a CTI practice to make a positive impact, the practice team has to
understand who the key stakeholders are, what questions they need answered, how
they prefer to consume intelligence and at what cadence.

Achieve stakeholder buy-in. For a CTI practice to succeed, stakeholders have to be
comfortable with a shared vision and a long-term plan for ongoing security. Ensure
that stakeholders have a solid understanding of how much you want to accomplish,
at what pace, in what steps and with what business constraints. Deliver upon
promises with measurable results.

Provide specific support to stakeholder groups. A CTI practice has to provide
comprehensive support for a wide range of functions within the organization, both
inside and outside of the IT function.

• Security Operations Centers (SOCs) require structured indicators and warning
signals associated with key threats delivered in structured, machine-readable
formats such as CSV, STIX or vendor-specific formats.

• Vulnerability Management teams require written intelligence on emerging, high-impact
vulnerabilities and known exploitation vectors to organizational IT systems.

• Incident Response (IR) and Operations teams require ad-hoc, bespoke intelligence
related to tools, modus operandi, associated campaigns, actor intents and
attributions, and forensic data on points of compromise.

• Business stakeholders require regular updates on key threats pertaining to
their areas of responsibility, with assessments of potential impacts on business
operations.

• IT architects require up-to-date communications on key threats to common
approaches to IT security, so as to ensure alignment of the configuration of IT
infrastructure with the reality of ongoing cyber threats.

• Executives and decision-makers require ongoing, high-level reports on exposures
and key threats faced by the organization.

Cyber Threat Intelligence Relies on TIPs

When planning technology support for a CTI practice, ensure that your Threat
Intelligence Platform (TIP) supports the following core competencies:

1. Multi-source collection and exchange

CTI feeds come in diverse and exotic flavors. Ensure compatibility, including the
ability to consume CTI feeds and participate in bi-directional conversations through
CTI exchanges and communities.

Requirements:

• Compatibility with TAXII, FTP, Email, Web APIs, proprietary APIs and other
transport mechanisms

• Compatibility with STIX, PDF, CSV, JSON, OpenIOC and other data formats

• Out-of-the-box support for available open-source data feeds

• Compatibility with CTI exchanges and communities including IBM X-Force,
Facebook ThreatExchange, RiskIQ PassiveTotal, ThreatConnect communities,
industry and government-sponsored ISACs, ISAOs, and other local communities

• Authorization based on information source

• Support for source ratings, with markings and indications of how information
should be handled (e.g. Traffic Light Protocol)

2. Consolidation and normalization

Ensure the consistency of threat information within its correct context, so that
analysts can fully benefit from the value of intelligence on behalf of stakeholders.

Requirements:

• Common reference model with a consolidated and normalized data structure

• Techniques for extracting common entities

• Natural Language Processing (NLP)

• Entity de-duplication

• Entity whitelisting/blacklisting

3. Enrichment

Internal and external data sources can enrich CTI feeds with additional information,
allowing for further determinations of threat correlation and relevancy.

Requirements:

• Simple onboarding of internal and external data sources

• Support for common data formats

4. Relevancy and triage

Ensure that CTI analysts focus on relevant threat intelligence, without wasting
resources on threats that do not impact the organization.

Requirements:

• Advanced search

• Rule-based or heuristics-based recommendation engines for CTI processing

• Automated or semi-automated triage and qualification

• Triage workflow

5. Complex analysis

Empower the analyst with visualization tools and other powerful resources for core
analysis.

Requirements:

• Advanced graph exploration

• Graph analysis

• Export functionalities

• Integration with third-party analysis software

6. Threat register

Manage structured information about threats affecting the entire organization,
actively tracking present understanding and expected exposure.

Requirements:

• Case management

• Campaign management

• Topic management

• Concern management

• Stakeholder management

7. IOC management

Validate and track Indicators of Compromise (IOCs) and warning signals associated
with key concerns. Ensure analysts have granular control of the validity of IOCs and
warning signals, and use the resulting data to improve detection, prevention and
response capabilities.

Requirements:

• Confidence ratings of indicator and warning signals

• Whitelisting of false indicators

• Dynamic generation of IOC signatures

• Support for alterations of IOCs and warning signals for integration into IT security
controls

• Automatic generation of 2nd- and 3rd-level warning signals through enrichment
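The consolidation/normalization, relevancy/triage and IOC management requirements above describe one pipeline stage. The following is an added example written for this paper, not EclecticIQ code: it consumes two constructed feeds (a CSV and a JSON source with hypothetical names and ratings), normalizes and de-duplicates entities, keeps the most restrictive TLP marking, combines per-source confidence, drops whitelisted false indicators and ranks what remains by relevance to watched assets. Source ratings, whitelist and watched assets are assumptions.

```python
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed sample feeds (not real intelligence); source names are hypothetical.
FEED_CSV = """indicator,type,tlp
EVIL-DOMAIN.example,domain,amber
198.51.100.7,ipv4,green
cdn.corp-intranet.example,domain,green
"""
FEED_JSON = json.dumps([
    {"value": "evil-domain[.]example", "type": "domain", "tlp": "red"},
    {"value": "198.51.100.7", "type": "ipv4", "tlp": "amber"},
    {"value": "203.0.113.9", "type": "ipv4", "tlp": "green"},
])

SOURCE_RATING = {"commercial-feed": 0.9, "isac-share": 0.6}  # assumed provider trust
WHITELIST = {"cdn.corp-intranet.example"}    # known-benign entities (false indicators)
WATCHED_ASSETS = {"198.51.100.7"}            # e.g. addresses seen in the org's own logs
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}


@dataclass
class Indicator:
    value: str
    itype: str
    tlp: str = "white"
    confidence: float = 0.0
    sources: set = field(default_factory=set)


def normalize(value: str) -> str:
    """Canonicalize so the same entity from two feeds matches (refang, lowercase)."""
    return value.strip().lower().replace("[.]", ".")


def parse_csv(text: str, source: str):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], row["type"], row["tlp"].lower(), source


def parse_json(text: str, source: str):
    for obj in json.loads(text):
        yield obj["value"], obj["type"], obj["tlp"].lower(), source


def consolidate(records) -> dict:
    """De-duplicate across feeds, keep the most restrictive TLP marking and
    combine confidence as 1 - prod(1 - rating) over independent sources."""
    merged = {}
    for raw, itype, tlp, source in records:
        value = normalize(raw)
        ind = merged.setdefault((value, itype), Indicator(value, itype))
        ind.sources.add(source)
        if TLP_ORDER[tlp] > TLP_ORDER[ind.tlp]:
            ind.tlp = tlp
        ind.confidence = 1 - (1 - ind.confidence) * (1 - SOURCE_RATING[source])
    return merged


def triage(merged: dict, min_confidence: float = 0.5) -> list:
    """Drop whitelisted entities and low-confidence noise, then rank indicators
    touching watched assets first and the rest by confidence."""
    kept = [i for i in merged.values()
            if i.value not in WHITELIST and i.confidence >= min_confidence]
    kept.sort(key=lambda i: (i.value in WATCHED_ASSETS, i.confidence), reverse=True)
    return [{"value": i.value, "type": i.itype, "tlp": i.tlp,
             "confidence": round(i.confidence, 2), "sources": sorted(i.sources),
             "relevant": i.value in WATCHED_ASSETS} for i in kept]


def run_pipeline() -> list:
    records = list(parse_csv(FEED_CSV, "commercial-feed"))
    records += list(parse_json(FEED_JSON, "isac-share"))
    return triage(consolidate(records))
```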

8. Production and Dissemination

Produce reports incorporating internal and external sources of intelligence to support
the needs of internal stakeholders.

Requirements:

• Ability to combine structured and unstructured intelligence

• Threat reports

• Actor profile reports

• Incident information reports

• Campaign reports

• Knowledge management for information on tools, techniques and procedures

• Vulnerability intelligence and exploit targets

• Courses of action

• Indicators of compromise and warning signals

• Analyst workflow

• Dissemination of workflow to stakeholders

• Support for unstructured formats (e.g. Microsoft Word, PDF and emails)

• Support for structured formats (e.g. CSV, Microsoft Excel)

9. Integration with IT Security Controls

Ensure timely integration of intelligence with IT security controls.

Requirements:

• Integration with intrusion detection systems (IDS), identity providers (IdP),
endpoint detection and response (EDR) systems, and security information and
event management (SIEM) systems

• Granular access policies

• Audit trail for intelligence integration

• Compatibility with transport mechanisms including TAXII, FTP, email, web APIs and
other proprietary APIs

• Compatibility with data formats including STIX, CSV and proprietary formats

• Compatibility with common SIEM formats including HP ArcSight, IBM QRadar,
LogPoint and Splunk
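The "granular access policies" and "audit trail" requirements above can be shown together. This is an added example, not EclecticIQ code: a constructed list of already-triaged indicators (hypothetical values) is exported as a CSV watchlist for a control only where the assumed per-control policy allows that TLP level, indicator type and confidence, and every decision, exported or withheld, is written to an audit log.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed, already-triaged indicators (hypothetical values, not real IoCs).
TRIAGED = [
    {"value": "198.51.100.7", "type": "ipv4", "tlp": "amber", "confidence": 0.96},
    {"value": "evil-domain.example", "type": "domain", "tlp": "red", "confidence": 0.96},
    {"value": "203.0.113.9", "type": "ipv4", "tlp": "green", "confidence": 0.6},
]

# Assumed access policy per control: highest TLP it may receive, the minimum
# confidence worth turning into an automated rule, and the indicator types it uses.
CONTROL_POLICY = {
    "siem":  {"max_tlp": "amber", "min_confidence": 0.5, "types": {"ipv4", "domain"}},
    "proxy": {"max_tlp": "green", "min_confidence": 0.9, "types": {"domain"}},
}
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}


def allowed(ind: dict, policy: dict) -> bool:
    """Apply the control's policy to one indicator."""
    return (TLP_ORDER[ind["tlp"]] <= TLP_ORDER[policy["max_tlp"]]
            and ind["confidence"] >= policy["min_confidence"]
            and ind["type"] in policy["types"])


def export_for_control(control: str, indicators: list, audit_log: list,
                       now: str = None) -> str:
    """Return a CSV watchlist for one control and append one audit record per
    decision, so analysts can trace what was pushed where and what was withheld."""
    policy = CONTROL_POLICY[control]
    now = now or datetime.now(timezone.utc).isoformat()
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["indicator", "type", "confidence", "tlp"])
    for ind in indicators:
        ok = allowed(ind, policy)
        audit_log.append({"ts": now, "control": control, "indicator": ind["value"],
                          "action": "exported" if ok else "withheld",
                          "tlp": ind["tlp"], "confidence": ind["confidence"]})
        if ok:
            writer.writerow([ind["value"], ind["type"], ind["confidence"], ind["tlp"]])
    return buf.getvalue()
```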

About EclecticIQ

EclecticIQ is an applied cyber intelligence technology provider, enabling enterprise
security programs and governments to bootstrap a threat intelligence practice. It
empowers analysts to take back control of their threat reality and mitigate
exposure accordingly.

EclecticIQ’s mission is to restore balance in the fight against cyber adversaries. Its
flagship product EclecticIQ Threat Intelligence Platform enables operationalization of
security information exchange, empowers collaborative analyst workflow and ensures
timely integration of cyber threat intelligence detection, prevention and response
capabilities.

EclecticIQ is a privately held company headquartered in Amsterdam, the Netherlands,
and holds an office in London.

Awarded the 2015 EU IPACSO Cyber Security Award and partner of the NATO NCI Agency
Security Incubator.

More information about EclecticIQ can be found at www.eclecticiq.com

For sales enquiries or a product demo, contact us at sales@eclecticiq.com or call
+31 (0)20 737 1063.

Follow us on Twitter: @eclecticiq

EclecticIQ and the EclecticIQ logo are registered trademarks of EclecticIQ.

This document is licensed under an Attribution-NonCommercial-ShareAlike 4.0
International License.
