Though there are broadly adopted capability maturity models for other areas of IT (e.g., CMMI, COBIT, NHS Infrastructure Maturity Model), a widely accepted CTI capability maturity model has not yet emerged. Some excellent work is ongoing at the TUDelft Cyber Threat Intelligence Lab [1] and within ENISA [2,3], but no de facto model exists.
The EclecticIQ CTI Capability Maturity Model (C2M2) for organizational intelligence is inspired by the work of Robert M. Clark (author of "Intelligence Analysis: A Target-Centric Approach"), CPNI/CERT-UK's publications on threat intelligence, and the iSIGHT Partners Threat Intelligence Maturity Model.
Like other capability maturity models (e.g., CMMI), the C2M2 establishes a five-level (stage) assessment scale that measures your maturity across eight distinct CTI capabilities.
Overall, the model covers three broad areas (See Figure 1):
Figure 1 - Three broad areas to measure CTI maturity
- Alignment with business and threat reality: Measures how well your investments in threat intelligence reflect business needs, resource constraints, and the threat landscape.
- Ability to understand cyber threats: Measures how well your analytic capabilities allow your threat intelligence teams to understand cyber threats in the context of stakeholder needs. Essential functions include qualifying technical indicators and strategically tracking critical cyber threats facing similar organizations and industries.
- Ability to control/take action on cyber threats: Measures the capability of your organization to handle, act on, and contain threats. Key functions include collecting relevant technical indicators, instrumenting detection and prevention systems, and engaging business stakeholders in how the changing threat landscape drives appropriate investment and business decisions.
Five stages of CTI maturity
Table 1 lists the five stages of maturity for each of the eight capabilities making up the C2M2. Each stage builds on the previous one. With this approach, you gain the big picture (e.g., going from threat ignorance to full awareness) and learn how to move incrementally from one stage to the next (e.g., shifting from non-existent to basic awareness by tracking publicly discussed threats).
| Capabilities | Stage 1 | Stage 2 | Stage 3 | Stage 4 | Stage 5 |
|---|---|---|---|---|---|
| Stakeholder Management | Little to no awareness of what threat intelligence is and which business capability is responsible for it | Threat intelligence sometimes reaches stakeholders, but is rarely considered and acted upon | Threat intelligence is regularly sent to stakeholders and consistently considered and acted upon | Threat intelligence is consumed as a standard input and regularly used in decision making around cyber-related issues | Threat intelligence is consumed as a standard input, with advice actively sought on significant decisions |
| Requirements Management | No requirements, or requirements not based on stakeholder input | General understanding of stakeholder needs through informal or irregular touchpoints | Regular and established touchpoints to understand stakeholder needs | Regular and established touchpoints to understand stakeholder needs, with ad hoc feedback on received intelligence | Regular and established touchpoints to understand stakeholder needs, with regular, ongoing feedback on received intelligence |
| Awareness | No awareness of threats | Some awareness of commonly (and publicly) discussed threats | Some awareness of threats, including trends in threat actor capabilities and motivations | Deeper insight into trends affecting common threats, and a good understanding of actor capabilities, motivations, and persistence | Awareness of most relevant threats, including uncommon and targeted threats, and recognition of actor capabilities, motivations, and persistence |
| Source Management/Collection | None or ad hoc | Irregular decision making on source acquisition; mostly open sources or sources of unknown reputation | Regular decision making on source acquisition and realignment; a wider range of mostly reputable sources | Established procedures to acquire, evaluate, and realign sources; many reputable, well-known sources with a regular supply of unique analysis capabilities | Established procedures to acquire, evaluate, and realign sources; a large set of reputable sources, including well-known and niche sources, offering a consistent supply of unique collection or analysis capabilities |
| Analysis and Production | No analysis; intelligence from sources is disseminated or integrated directly | Intelligence received is enriched and qualified using automatic or manual methods | IOC Management: technical indicators and observable components are curated under quality control | TTP Management: threshold criteria dictate when intelligence warrants ad hoc, case-based, and collaborative research to improve TTP-based understanding of specific threats | Threat Management: threats are proactively and strategically managed from a central register; continuous research is performed proactively to understand known threats |
| Sharing | No sharing | Sharing with individuals at similar organizations | Sharing through semi-regular meetings with individuals and semi-sensitive groups | Ad hoc sharing via institutional relationships or within sensitive, trusted groups | Regular sharing via institutional relationships or within sensitive, trusted groups |
| Dissemination | Intelligence is disseminated directly from sources | Disseminated intelligence carries enough context and confidence statements for the receiving stakeholder to judge its relevance | Disseminated intelligence targets the specific stakeholder | Intelligence is created collaboratively with stakeholders to validate and test key hypotheses; conclusions are sent directly to the relevant stakeholders | Stakeholders have complete control over the timing, delivery method, and subject matter of intelligence reports and receive targeted intelligence on relevant topics when necessary |
| Integration | No integration of intelligence from sources into security controls and workflow systems | Irregular integration of intelligence indicators into security controls and workflow systems | Regular integration of intelligence indicators into security controls and workflow systems | Integration of intelligence indicators into security and workflow controls with information about context, priority, and specific courses of action | Integration of intelligence indicators into security and workflow controls with information about context, priority, and specific courses of action, as well as clear and easy-to-understand drill-down into the analytics and intelligence of the surrounding context |
Table 1 - CTI maturity levels
Yes, we've just presented a lot of information. We realize that mapping eight capabilities across three practice pillars and five maturity stages sounds like a lot of moving parts. However, as discussed in our next blog post, turning this information into something actionable is surprisingly straightforward.
References
[1] https://ctim.eu/
[2] https://www.enisa.europa.eu/news/enisa-news/csirts-maturity-moving-to-the-next-level