How Do You Measure The Success Of A Cyber Threat Intelligence Program?
Steven Usher, Senior Security Analyst, Brookcourt Solutions, offers his insights on a challenging topic
Cyber threat intelligence can be found in numerous ways. One of the most popular ways to gather intelligence is via feeds, both open source and commercial. These feeds can be fed into various tools to be searched and to produce actionable data that can be added to Block and Watch Lists.
Most companies that can make use of this ‘raw’ intelligence and act on the results usually have a mature approach to cyber security, typically including a SOC (Security Operations Centre), IR (Incident Response) and, at the very least, a job role that deals exclusively with cyber threat intelligence.
Feeds are not the only way cyber threat intelligence can be used. Some of the most common alternative uses include the production of reports for a customer by a company that specialises in the topic, monitoring of specific datapoints for mentions online, and monitoring publicly known data breaches for company information. Services of this nature are more common with smaller companies that do not have the staff or internal knowledge to carry out the monitoring and analysis of cyber threat intelligence. However, this is not to say larger companies do not also use these services to augment the intelligence generated internally.
How do you measure the success of a cyber threat intelligence program? This is not an easy question to answer, simply due to the nature of what cyber threat intelligence is. There are naturally the obvious examples of success, such as finding data that is linked to or belongs to a company online or finding information relating to an attack planned on the company – effectively, anything that would show an obvious and direct benefit of cyber threat intelligence to the company. However, incidents of this nature make up a small minority of the uses and successes of cyber threat intelligence.
The general value in cyber threat intelligence is knowing what is going on in the business world and, in many cases, your industry. This allows preventative measures to be taken and makes it possible to better prepare for potential incidents in the future. The MITRE ATT&CK framework is a brilliant example of intelligence that can be used to better prepare and test a company’s readiness.
Improve and Expand
There is always room for improvement when it comes to this type of work. There are alternative data sources, different tools and new approaches that should, at the very least, be considered when collecting and interpreting the data and information that is available. As the methods of attack evolve, change and die out, being replaced with completely new tactics and techniques, so should the views, processes and runbooks that are used to combat them.
Cyber threat intelligence is often a part of threat intelligence as a whole, and it should be considered that some of the services offered to businesses can be used for more than simply cyber threat intelligence. Some of the other uses are geographic intelligence, intelligence relating to real-world products and the activities related to those products, and intelligence that is more focused on the high-level individuals within the company.