EclecticIQ

An Innovative Model for Assessing Current and Desired CTI Maturity

Though there are broadly adopted capability maturity models for other areas of IT (e.g., CMMI, COBIT, NHS Infrastructure Maturity Model), a widely accepted CTI capability maturity model has not yet emerged. Some excellent work is ongoing at the TUDelft Cyber Threat Intelligence Lab [1] and within ENISA [2,3], but no de facto model exists.

The EclecticIQ CTI Capability Maturity Model (C2M2) for organizational intelligence is inspired by the work of Robert M. Clark (author of "Intelligence Analysis: A Target-Centric Approach"), CPNI/CERT-UK's publications on threat intelligence, and the iSIGHT Partners Threat Intelligence Maturity Model.

Like other capability maturity models (e.g., CMMI), the C2M2 establishes a five-level (stage) assessment scale that measures your maturity across eight distinct CTI capabilities.

Overall, the model covers three broad areas (see Figure 1):

Figure 1 - Three broad areas to measure CTI maturity


  • Alignment with business and threat reality: Measures how well your investments in threat intelligence reflect business needs, resource constraints, and the threat landscape.

  • Ability to understand cyber threats: Measures how well your analytic capabilities allow your threat intelligence teams to understand cyber threats in the context of stakeholder needs. Essential functions include qualifying technical indicators and strategically tracking critical cyber threats facing similar organizations and industries.

  • Ability to control/take action on cyber threats: Measures the capability of your organization to handle, act on, and contain threats. Key functions include collecting relevant technical indicators, instrumenting detection and prevention systems, and engaging business stakeholders in how the changing threat landscape drives appropriate investment and business decisions.

Five stages of CTI maturity

Table 1 lists the five stages of maturity for each of the eight capabilities making up the C2M2. Each stage builds on the previous one. With this approach, you gain the big picture (e.g., going from threat ignorance to full awareness) and learn how to move incrementally from one stage to the next (e.g., shifting from non-existent to basic awareness by tracking publicly discussed threats).

| Capability | Stage 1 | Stage 2 | Stage 3 | Stage 4 | Stage 5 |
|---|---|---|---|---|---|
| Stakeholder Management | Little to no awareness of what threat intelligence is and what business capability is responsible for it. | Threat intelligence sometimes makes it to stakeholders, but is rarely considered and acted upon. | Threat intelligence is regularly sent to stakeholders and consistently considered and acted upon. | Threat intelligence is consumed as a standard input and regularly used in decision making around cyber-related issues. | Threat intelligence is consumed as a standard input, with advice actively sought on significant decisions. |
| Requirements Management | No requirements, or requirements not based on stakeholder input. | General understanding of stakeholder needs through informal or irregular touchpoints. | Regular and established touchpoints to understand stakeholder needs. | Regular and established touchpoints to understand stakeholder needs, with ad hoc feedback on received intelligence. | Regular and established touchpoints to understand stakeholder needs, with regular, ongoing feedback on received intelligence. |
| Awareness | No awareness of threats. | Some awareness of commonly (and publicly) discussed threats. | Some awareness of threats, including trends in threat actor capabilities and motivations. | Deeper insight into trends affecting common threats, and a good understanding of actor capabilities, motivations, and persistence. | Awareness of most relevant threats, including uncommon and targeted threats, and recognition of actor capabilities, motivations, and persistence. |
| Source Management/Collection | None or ad hoc. | Irregular decision making on source acquisition; mostly open sources or sources of unknown reputation. | Regular decision making on source acquisition and realignment; a wider range of mostly reputable sources. | Established procedures to acquire, evaluate, and realign sources; many reputable, well-known sources with a regular collection of unique analysis capabilities. | Established procedures to acquire, evaluate, and realign sources; a large set of reputable sources, including well-known and niche sources, offering a consistent supply of unique collection or analysis capabilities. |
| Analysis and Production | No analysis; intelligence from sources is disseminated or integrated directly. | Intelligence received is enriched and qualified using automatic or manual methods. | IOC Management: technical indicators and observable components are nurtured with quality control. | TTP Management: threshold criteria dictate when intelligence warrants ad hoc, case-based, and collaborative research to improve TTP-based understanding of specific threats. | Threat Management: threats are proactively and strategically managed from a central register; continuous research is performed proactively to understand known threats. |
| Sharing | No sharing. | Sharing with individuals at similar organizations. | Sharing through semi-regular meetings with individuals and semi-sensitive groups. | Ad hoc sharing via institutional relationships or within sensitive, trusted groups. | Regular sharing via institutional relationships or within sensitive, trusted groups. |
| Dissemination | Intelligence is disseminated directly from sources. | Disseminated intelligence has ample context and confidence statements to understand the relevance to the receiving stakeholder. | Disseminated intelligence targets the specific stakeholder. | Intelligence is created collaboratively with stakeholders to validate and test key hypotheses; conclusions are sent directly to the relevant stakeholders. | Stakeholders have complete control over the timing, delivery method, and subject matter of intelligence reports and receive targeted intelligence on relevant topics when necessary. |
| Integration | No integration of intelligence from sources into security controls and workflow systems. | Irregular integration of intelligence indicators into security controls and workflow controls. | Regular integration of intelligence indicators into security controls and workflow controls. | Intelligence indicator integration into security and workflow controls with information about context, priority, and specific courses of action. | Intelligence indicator integration into security and workflow controls with information about context, priority, and specific courses of action, as well as clear and easy-to-understand drill-down into the analytics and intelligence of the surrounding context. |

Table 1 - CTI maturity levels

Yes, we’ve just presented a ton of information. We realize that mapping eight capabilities across three practice pillars and five maturity stages sounds like a lot of moving points. However, as discussed in our next blog, turning this information into something actionable is surprisingly straightforward.

References

[1] https://ctim.eu/

[2] https://www.enisa.europa.eu/news/enisa-news/csirts-maturity-moving-to-the-next-level

[3] https://www.enisa.europa.eu/events/2018-cti-eu-event/cti-eu-2018-presentations/cti-eu-cti-capability-maturity-model.pdf

White Paper - The Path to Pre-emptive CTI Operations

Do you find these blog posts insightful? Download our white paper for convenient access to all five blog posts in this series in one cohesive document that is easy to take with you or share with your stakeholders.


© 2014 – 2023 EclecticIQ B.V.