A Twitter thread by Mark Arena.

Key points from my “Lessons from the world's leading cyber threat intelligence (CTI) programs” talk at @gcfriyadh in Riyadh. Video will be shared soon. Talking points aren’t ideal for Twitter but I’ll give it a go [1/24] #ThreatIntel #CyberThreats

A CTI program is all about reducing risk for an org. Risk = probability x impact. CTI is about understanding the internal and external factors that impact probability + impact of risks so decisions can be made that reduce risk [2/24]

CTI by definition is threat focused. A threat is a person/group with a motivation, intent and a way of working (TTPs). Malware isn’t a threat, the person using it is. Therefore a CTI program tracks threats being people/groups over time [3/24]

Intel is the output of a process that has been around for many years called the intel cycle. US govt defines the intel cycle as the process of developing raw information into finished intelligence for policymakers to use in decision making and action [4/24]

Intel cycle is initiated with a planning + direction phase. First identify who intel customers/stakeholders are then what their intel needs/reqs are which are then prioritized [5/24]

One of the biggest mistakes that I see with a CTI program is that the primary customer of an intel program is the SOC when in reality the #1 customer of any CTI program should be decision makers/executives, specifically the CISO [6/24]

SOCs are common intel customers of a CTI program but in almost all orgs shouldn’t be the #1 stakeholder. A no. of orgs think they are building a CTI program but are building a better SOC/detection team, good cause but sec leaders won’t see benefit for the $investment [7/24]

I see too often that the CTI program focuses almost all effort in supporting SOC and sec leaders become disillusioned by $ spend and the low value they see. Also difficult to find a single intel pro who is good at supporting both CISOs + SOCs (different skill reqs) [8/24]

US govt = most well resourced intel program. President is #1 intel customer. Presidents given daily briefings (President’s Daily Brief) and each President processes info differently. Pres. Trump receives presentation style briefings, Pres Obama received written form [9/24]

No right and wrong way to receive intel briefings and different people consume info differently so a CTI program will need to adjust based on how their stakeholders best consume info [10/24]

CTI teams also frequently provide products that include info that isn’t good news to hear. I see instances where intel is filtered up through security leadership to CISO and is censored on the way. Very important for CISOs to be close to their intel teams [11/24]

As one Forrester analyst said, the CISO career path doesn’t prepare CISOs to work with intel but despite that, CISOs need to get closer to their intel teams to build trust + transfer knowledge needed to better align their intel teams to their needs https://go.forrester.com/blogs/sans-cti-summit-recap-its-all-about-the-process/ [12/24]

Whilst CISOs are #1 customer for CTI teams other typical intel customers/stakeholders are: SOC, IR, Vuln Management, Fraud, Insider Threat, Investigations, Risk, Corp Security, M&A, 3rd Party Risk [13/24]

Once we’ve identified the stakeholders for a CTI program, time to identify and document + prioritize each of the intel reqs. Often we see orgs solely focused on reactive investigations of internal capital/assets whether it be IP, 3rd parties, etc. Brand monitoring != CTI [14/24]

Based on an org’s intel reqs, collection will then occur. Typical collection sources: int. systems, incidents, open sources (news, social, Pastebin), closed sources (criminal forums, online HUMINT, *shameless plug*: Intel 471), technical (VT, passive DNS) [15/24]

Lots of sources of info + data available. Get ahold of your internal sources (telemetry, incidents) before signing up with any external intel vendors. No external intel vendor covers all (despite what they may say). 30 day free trials for intel vendors common [16/24]

Processing is next phase of intel cycle. This is where orgs bring multiple sources of info+data into a central place. Threat Intel Platforms (TIPs) help you here [17/24]

Analysis is next. Intel team looks at data+info to assess credibility + applicability to your org versus your intel reqs. Need to assess what is likely to have occurred and what might occur in the future. Need to use words of estimative probability https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html [18/24]

One of biggest challenges I see in CTI teams is inability to do analysis + critical thinking. See copying and pasting of vendor intel reports and just reporting facts like a newspaper reporter. Important to include predictions with what is likely to happen in future [19/24]

Other orgs seek to outsource their analytical function which is a path to generic analysis and intel that isn’t relevant to your org. Need to encourage CTI teams to be bold and make future predictions whilst understanding that they won’t be right all the time [20/24]

Final stage of intel cycle is dissemination. Involves diss. of intel products to stakeholders based on intel reqs and how they consume intel. All intelligence products shouldn’t be disseminated to everyone all the time (disseminate based on intel reqs) [21/24]

Different intel customers digest intel differently. SOC team will digest intelligence very differently to an exec team. Need different delivery formats [22/24]

After intel is disseminated, feedback is very important. Feedback to intel teams is still very poor across most orgs. Intel customers need to communicate with their intel teams any outstanding questions, how intel was used, what intel needs met, what was useful/not useful [23/24]

All in all, aligning an intel program with the intel cycle will broker a shift from being reactive to proactive. We’ve also publicly released an intelligence program checklist at https://intel471.com/threatintelprogramchecklist.pdf [24/24]