As discussed in our previous blog, the PoG (see Figure 1) illustrates a progression from responsive to pre-emptive CTI operations. To illustrate how an organization might position itself on the pyramid, the SANS Institute found that "Many respondents [to the 2022 CTI survey] this year are newer CTI organizations who are just developing their capabilities." [1] Indeed, SANS found that these organizations had minimal development of intelligence requirements, reactive integration of CTI into their security controls, and a focus on collecting and passing on IOCs. This level of capability places the organization in the bottom tier of the pyramid.
Figure 1 - Metrics for CTI maturity (click the image to zoom in)
As SANS stated, "CTI and IR coordination is a critical part of an overall cybersecurity program, but it takes some time to build both the processes and trust that facilitate robust collaboration." [2] In other words, it takes time to move up the pyramid and shift from supporting operational CTI stakeholders (e.g., SOC team) to more-tactical stakeholders (e.g., incident management and threat hunting).
How does a spider climb a pyramid?
An issue that affects most organizations that EclecticIQ works with is variation in capability scores. For example, you may have a superstar threat analysis, sourcing, and sharing operation (i.e., Stage 4), yet your stakeholder management and integration capabilities are sorely lacking (i.e., Stage 2). Despite your fantastic CTI team performance, the inability to align your threat analysis to the needs of your business means, overall, you are still at the bottom tier of the pyramid.
For this reason, we recommend that you move up the pyramid by improving all capabilities simultaneously. We acknowledge that this is difficult, but your CTI operation is only as good as its weakest capability.
6 recommendations to guide your journey
Based on our work with some of the most heavily targeted organizations in the world, EclecticIQ recommends 6 steps to leverage the PoG:
-
Get started now! Building out your CTI practice requires a balance between implementing threat intelligence management before engaging stakeholders and engaging all stakeholders before starting to process threat data.
-
PIRs continually change. As you mature, the best option is to continually update your intelligence requirements based on feedback as you advance your CTI capabilities. For more detail on this approach, please see our white paper, "Building a CTI Practice."
-
Manage your climb. We recommend raising maturity yearly by at most two stages on the five-stage scale for each capability. To ensure you gain sufficient experience to operate effectively at each improved level, allow time to measure results, and then realign and plan accordingly.
-
Report, report, report. Reporting and feedback between the CTI team and its stakeholders occur at all levels of the PoG. It's insufficient to focus on reporting to your CISO, risk management team, and executives only. Your CTI team must engage in feedback loops with all operational, tactical, and strategic stakeholders.
-
Add effectiveness metrics. You must focus on effectiveness metrics in addition to performance metrics. Yet, it is critical to keep the work's complexity distinct from the metric's complexity. For example, producing an actionable report with the right content, context, and confidence at the right time for your executives is difficult. An effectiveness metric that tracks the number of these actionable reports and the distribution across your stakeholder base is easy to implement.
-
Power your move up the PoG. Threat intelligence platform (TIP) technologies help you solve common implementation and improvement challenges regarding CTI capabilities. TIPs provide an easy way of bootstrapping core workflows and processes as part of a successful threat management practice. Please review our TIP Buyer's Guide for more information on adopting a TIP to support your CTI maturity progression and accelerate your climb to the top of the pyramid.
Completing your internal CTI maturity assessment and following these six steps will put your organization on the path from responsive to pre-emptive CTI operations.
Reference
[1,2] SANS 2022 CTI Survey
