When looking to build a CTI program, a few useful tips to start off with are understanding the Cyber Threat Intelligence lifecycle to establish a procedure for the program to follow, along with the ability for feedback to always improve the CTI program being built. Once you’re comfortable with the CTI lifecycle, understanding how threat intelligence is categorized and shared is crucial to being successful. Many teams mistakenly believe that CTI should consist solely of IoCs. However, IoCs without context are unhelpful to the operationalization of the intelligence gathered. The contextual intelligence gathered alongside IoCs should allow an analyst to determine which threats the organization should prioritize. Remember, IoCs are short-lived, but threat behavior and motivations are longer lasting.
I would also encourage looking into understanding models based on CTI. The model I prefer is the Diamond Model for threat intelligence, as it correlates the CTI data found and allows a good all-around understanding of the threats an organization may face. MITRE ATT&CK and the Cyber Kill Chain can also be used to correlate intelligence to better prepare organizations to respond to the threats found. These models can be used in evaluating the organization’s security stack for gaps, leading threat hunts, and helping in incident response. Threat Intelligence Platforms can help enhance the ability to cross-evaluate threats found in the threat landscape against the organization’s environment and see if any indicators of attack are present.
Now to the real question: “how do I get started?” To check off the areas you are asking about in intelligence gathering, you will need to find platforms that fulfill the goals you have set. It is important to have a goal and then shop, rather than shop without goals. You want tools and platforms that provide value to an organization. Likely this will lead to purchasing a threat intelligence provider that will collect, aggregate, and distribute threat intelligence and insights into the threat landscape. These services will provide intelligence in the areas listed: OSINT, TECHINT, SOCMINT, HUMINT, and the dark web. It is also a good idea to have a news aggregator or feed based on cybersecurity to see what is trending in the threat landscape. One area that is crucial in threat intelligence is monitoring for novel attack vectors and zero-day vulnerabilities. These provide value by enhancing the organization's ability to detect and respond to active threats. After setting up the necessary platforms to fill in your intelligence requirements and building out the CTI lifecycle, automating parts of the collection and distribution will exponentially increase the efficiency of the CTI program being built.
I also have a blog coming out Thursday on CTI, which I will come back and link here. If you have any questions or concerns, please reach out!
Information Security Analyst - Threat and Vulnerability Management
Other References to understand CTI and CTI programs:
Gartner Research on How to use Threat Intelligence:
Understanding MITRE ATT&CK: https://www.mitre.org/sites/default/files/2021-11/prs-19-01075-28-mitre-attack-design-and-philosophy...
SANS webcast on Threat Actors Names and Tracking Threats:
Books I have used to understand CTI:
The Cyber Intelligence Handbook: An Authoritative Guide for the C-Suite, IT Staff, and Intelligence ... by David Cooney
Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intell... by Kyle Wilhoit and Joseph Opacki
Intelligence-Driven Incident Response: Outwitting the Adversary by Scott Roberts and Rebekah Brown
The Threat Intelligence Handbook: A Practical Guide for Security Teams to Unlocking the Power of Int... by Chris Pace
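As an added example that is not part of the post above or of any platform it mentions, the script below shows what "IoCs with context" can look like in code: each indicator carries Diamond Model facets (adversary, capability, infrastructure, victim) and ATT&CK technique IDs, is prioritized against an organization profile and a few log lines, and atomic IoCs age out after a TTL while the adversary-to-technique mapping is kept for hunting. The organization profile, the log lines, the TTL, the adversary labels ACTOR-A and ACTOR-B, the hash value and the scoring weights are all constructed assumptions for illustration, not data from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Atomic IoCs older than this are treated as expired (assumed TTL; tune per IoC type)
IOC_TTL = timedelta(days=30)


@dataclass(frozen=True)
class Indicator:
    """An IoC carried together with its context: Diamond Model facets plus ATT&CK."""
    value: str                  # atomic IoC: IP, domain or file hash
    ioc_type: str               # "ipv4", "domain" or "sha256"
    adversary: str              # Diamond Model: adversary (hypothetical labels below)
    capability: str             # Diamond Model: capability (malware, tool, kit)
    infrastructure: str         # Diamond Model: infrastructure role
    victim_sectors: frozenset   # Diamond Model: victim
    techniques: frozenset       # ATT&CK technique IDs
    first_seen: datetime
    confidence: int             # 0-100 as reported by the provider


# Constructed organization profile (hypothetical, not from the post)
ORG = {
    "sector": "finance",
    "uncovered_techniques": {"T1566.001", "T1078"},  # known detection gaps
}

# Constructed telemetry sample (DNS/proxy lines); not real logs
LOGS = [
    "2024-05-01T10:00:00Z dns host=ws-17 qname=login-portal-verify.example",
    "2024-05-01T10:00:03Z proxy host=ws-17 dst=203.0.113.45 status=200",
    "2024-05-01T10:05:00Z proxy host=ws-22 dst=198.51.100.7 status=403",
]

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed feed entries; ACTOR-A / ACTOR-B are placeholder adversary labels
SAMPLE = [
    Indicator("login-portal-verify.example", "domain", "ACTOR-A", "credential phishing kit",
              "phishing landing page", frozenset({"finance", "insurance"}),
              frozenset({"T1566.001", "T1078"}), NOW - timedelta(days=3), 80),
    Indicator("203.0.113.45", "ipv4", "ACTOR-A", "C2 beacon",
              "command and control", frozenset({"finance"}),
              frozenset({"T1071.001"}), NOW - timedelta(days=10), 60),
    Indicator("198.51.100.7", "ipv4", "ACTOR-B", "mass scanner",
              "scanning infrastructure", frozenset({"healthcare"}),
              frozenset({"T1595"}), NOW - timedelta(days=90), 90),
    Indicator("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "sha256",
              "ACTOR-B", "loader", "staging server", frozenset({"finance"}),
              frozenset({"T1078"}), NOW - timedelta(days=5), 50),
]


def observed_values(logs):
    """Extract the atomic values (qname=, dst=) a TIP would match against telemetry."""
    seen = set()
    for line in logs:
        for tok in line.split():
            if tok.startswith(("qname=", "dst=")):
                seen.add(tok.split("=", 1)[1])
    return seen


def is_expired(ind, now):
    """Atomic IoCs are short-lived: past the TTL they no longer drive blocking."""
    return now - ind.first_seen > IOC_TTL


def score(ind, org, seen, now):
    """Relevance score from the indicator's context; expired IoCs score 0."""
    if is_expired(ind, now):
        return 0
    s = 0
    if org["sector"] in ind.victim_sectors:            # victim facet matches us
        s += 40
    if ind.techniques & org["uncovered_techniques"]:   # hits a known detection gap
        s += 25
    if ind.value in seen:                              # already present in our telemetry
        s += 30
    s += ind.confidence // 10                          # provider confidence as tie-breaker
    return s


def triage(indicators, org, logs, now):
    """Rank indicators for the analyst; returns [(value, score), ...] highest first."""
    seen = observed_values(logs)
    scored = [(i.value, score(i, org, seen, now)) for i in indicators]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def behavioural_summary(indicators):
    """Adversary -> ATT&CK techniques, retained even after the atomic IoCs age out."""
    summary = {}
    for i in indicators:
        summary.setdefault(i.adversary, set()).update(i.techniques)
    return summary


if __name__ == "__main__":
    for value, s in triage(SAMPLE, ORG, LOGS, NOW):
        print(f"{s:>4}  {value}")
    print(behavioural_summary(SAMPLE))
```

With the constructed data, the phishing domain ranks first (it targets our sector, exploits a detection gap and already appears in DNS logs), the 90-day-old scanner IP drops to zero even though it shows up in the proxy log, yet ACTOR-B's techniques still survive in the behavioural summary for a threat hunt. The weights are deliberately simple; a real TIP would also keep matching expired indicators retroactively against historical telemetry.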