Cyber threat intelligence, the process of gathering information about potential threat actors and their methods, is an important tool that businesses can use to better defend themselves against cyberattacks. The idea is that understanding who potential attackers are, what motivates them, and how they operate, means that organizations can make more informed decisions about how best to defend themselves. They can choose to reinforce the attack surfaces that are most likely to be targeted, place extra safeguards around data that’s most desirable to threat actors, and generally direct their finite cybersecurity resources in an efficient way.
I won’t dwell too much on the fundamentals of cyber threat intelligence (CTI) given we covered off the basics last year. Instead, today I want to take a closer look at how a business can go about integrating CTI into its processes, whether that’s by developing the expertise internally, or outsourcing some or all of it to a managed provider.
Cyber Threat Intelligence: A Primer
In broad terms, CTI is the process of collecting, analyzing, and disseminating information about threat actors. This can include their motivations and intent, their capabilities, their tactics, techniques, and procedures (otherwise known as TTPs), and known indicators of compromise, all placed within your business’s context. It typically comes in a few different styles, such as strategic, operational, and tactical, meaning numerous security teams across an organization can benefit from it. These range from vulnerability management, application security, and SOC/incident response teams and IT analysts, right through to C-level management.
Suffice it to say that CTI has quickly grown to become an essential part of most businesses’ cybersecurity toolkit, allowing them to be far more intentional and targeted in how they defend critical resources from attackers. The question then becomes how best to integrate a CTI program into your organization; how much to handle in-house and what (if anything) to outsource.
The In-House Approach
The organization with the deepest understanding of a business’s needs is almost always the business itself. So, it’s unlikely to come as much of a surprise that the majority of companies already have some kind of in-house CTI capability. According to one 2022 study from Vulcan Cyber and Gartner Pulse, around 74 percent of organizations had a “team dedicated specifically to do threat intelligence.” Since then, we’ve seen yet more importance placed on the process with the introduction of the updated ISO/IEC 27001 Framework (ISO/IEC 27001:2022 – control 5.7 – Threat Intelligence), which counts CTI as one of its 11 new controls.
But not all CTI is made equal. The same 2022 study suggested that 78 percent of businesses used commercial threat intelligence feeds as their main sources of threat intelligence. This is a solid starting point, but to be truly effective, CTI needs more context than simple threat intelligence feeds can provide.
There’s also the size and maturity of CTI teams to consider. According to a 2023 report from Retail & Hospitality ISAC, on average businesses only allocate one or two full-time equivalents (FTEs) to threat intelligence. That’s less than the three to five FTEs typically dedicated to each of Governance, Risk and Compliance (GRC), Identity and Access Management (IAM), security operations (SecOps) and incident response (IR), and tools and integrations.
This can create challenges for maintaining an effective in-house CTI program. Skilled employees can be hard to find, a business might not have enough dedicated personnel or tools, and the resulting intelligence might not be predictive enough. That’s where a managed security service provider (MSSP) or outsourced CTI can be a great help.
Outsourcing Your Threat Intelligence Program
Just from looking at the challenges above, it will start to become clear what you could gain from partnering with an MSSP or managed CTI service provider. A capable cybersecurity provider will be staffed with teams that have a deep knowledge of CTI best practices and have access to industry-leading tools that can help turn a purely reactive approach into a proactive one.
For starters, an MSSP will boast not only a team of cyber threat intelligence specialists, but will also usually employ a range of other cybersecurity specialists. This can not only help a company to free up their internal human resources but can also offer access to expertise that wouldn’t have otherwise been on the table. This might include incident response teams, threat hunting teams, and vulnerability teams. Additionally, an MSSP will already have knowledge of different technology platforms and tools, removing the need for your organization to train your own employees on how to use a new platform. That can make outsourcing a more cost-effective option than staffing up to manage an in-house CTI program.
Eight Things to Consider When Choosing a CTI Partner
Of course, benefiting from this outsourcing relies upon you picking the right managed CTI provider in the first place. The following eight considerations can provide a good starting point:
- Make sure that both sides have a clear understanding and definition of what they mean by “cyber threat intelligence.” CTI can encompass a variety of services from brand monitoring through to threat hunting and incident response, so it’s important to be on the same page.
- Ask any potential service provider what threat intelligence platform and other technologies they use.
- How will the resulting intelligence be disseminated?
- What format will it be delivered in? This is an important consideration if you want to ingest its outputs into other tools.
- How often can you expect intelligence deliverables?
- What are the skill sets of the provider’s analysts? Be sure to consider softer skills such as knowledge of geopolitics or languages in addition to technical skills if required.
- Where are the analysts based?
- Does your potential provider specialize in any specific industry verticals or geographical regions?
An important thing to bear in mind is that CTI is both a product (consisting of daily alerts, regular reports, and C-suite presentations) and a process. That means that, from time to time, both the products and the processes may need to be reviewed and, where necessary, updated to reflect the current state of affairs. It is important to sit down and ask the questions: are we still receiving the deliverables we agreed upon? Do we need to review the intelligence requirements we defined? Has our threat landscape changed and, if so, how does this translate into our collection efforts?
Kudelski Security’s Approach
Kudelski Security has a dedicated Cyber Threat Intelligence team that provides insights to our partners. When starting the cyber threat intelligence journey, we emphasize two phases of the so-called intelligence cycle: the initial planning and direction phase and the oft-overlooked feedback phase.
In the first, a Kudelski Security analyst will sit down with the client to get a good understanding of the requirements any cyber threat intelligence program needs to fulfill. This is the start of the intelligence collection process, which will lead to the analysis phase and feed into the dissemination of the intelligence. If knowledge is having the right answers and intelligence is asking the right questions, we want our cyber threat intelligence program to offer both.
However, the feedback phase is just as important, if not more so. Here we’ll work with our clients to improve the service we’re offering over time. Only by understanding both what we get right and what we need to adjust can we provide threat intelligence that is timely, relevant, and accurate. This feedback loop makes our CTI service a partnership that can continually grow and improve over time.
Hybrid Benefits
Although this article has largely discussed outsourcing CTI versus keeping it in-house as a binary decision, the most successful approaches are inevitably going to involve a mix of the two. For example, it can make sense to outsource the “heavy lifting” (sifting through and validating the initial alerts) but maintain an in-house team, so the organization knows how best to distribute the resulting intelligence internally. This way your in-house team is not overloaded with alerts and doesn’t have to be trained on an additional technology platform, but still benefits from a reliable source of trustworthy intelligence.
Growing Together
Outsourcing a cyber threat intelligence program can have big benefits. It can be more cost-effective, offer access to a wider range of expertise, and deliver a large security team that’s already familiar with industry tools and best practices. But it’s not a silver bullet. Any program needs to be set up with the right expectations by teams that know the right questions to ask, and how to achieve the necessary buy-in from key stakeholders. You also need an appropriate budget, and to commit enough employees. Ultimately, cyber threat intelligence needs to reach the right teams, in the right form, and at the right time if it’s to live up to its potential.
CTI is a process as much as it is a product, which means the provider and client need to invest time in learning and understanding each other’s needs. Open and honest communication is essential for a mutually beneficial partnership, especially if a business is taking a hybrid approach where its CTI capabilities are split between in-house and external teams.
At Kudelski Security, we view our managed cyber threat intelligence offering as a partnership that ultimately helps our clients become more resilient to cyberattacks. For more information, read about our Threat Navigator tool, or get in touch for a consultation.