Navigating the Evolving Threat Intelligence Landscape and Organisational Responsibility
Cyber Rhino Threat Week (which took place from 9th to 13th December 2024) aims to inform by sharing threat intelligence insights and best practices with our customers, partners and industry ecosystem. This keynote session set the stage for the week, exploring the complexities that organisations must consider when establishing and operating an effective Cyber Threat Intelligence (CTI) program. The panel discussion examined how diverse organisational structures, responsibilities, priorities and desired outcomes influence the role and integration of CTI.
Shimon Modi, Vice President of Cyber Product at Dataminr, a Platinum sponsor of ThreatQuotient’s online event, was one of the panelists in this session along with Sebastien Bombal, Technical Director, National Directorate of Customs Intelligence and Rick McElroy, Founder and CEO of NeXasure. The panel was hosted by Gigi Schumm, Chief Revenue Officer at ThreatQuotient. Here Gigi and Shimon capture some of the highlights from this discussion.
Why are no two CTI programs alike?
The panel observed that, while we might think we all share a common understanding of the purpose of a cyber threat intelligence (CTI) program and the role the CTI team plays within an organisation, the reality can differ enormously from one organisation to another. This is because no two companies have the same priorities, organisational structure, processes and desired outcomes when it comes to CTI. Everyone agreed, however, that CTI has become more of a priority and is now viewed as a ‘must have’ rather than a ‘nice to have’.
A CTI program provides all the information required to guide the entire cybersecurity process from strategic to tactical implementation and is a crucial component of the overall security program. It is therefore critically important to take time upfront to consider the desired outcomes and what the organisation is expecting to achieve from such a program. The panel urged companies to establish up front whether they are looking for a very technical/tactical capability or something more strategic and what types of cyber threats they are looking to combat. This will of course depend on the maturity of the business and the type of industry it is in.
CTI programs and teams must continuously evolve
As we all know, cybersecurity threats have evolved and are much broader today than they were five years ago, encompassing anything from ransomware to disinformation to deepfakes to geopolitical threats. Consequently, the role and responsibility of the CTI team must evolve all the time, especially as responsibilities of the CTI program and team can differ from one CISO to the next.
While larger enterprises tend to have the budget and headcount to resource and staff a CTI program, it is harder for small to mid-sized companies to staff an in-house team, and many of these organisations outsource, whether through an MSP or MSSP. Whichever model is used, it is important that the program reflects the threats and vulnerabilities of the environment it is being applied to.
What has also changed is the organisational structure of programs, which now have different kinds of stakeholders who care about threat intelligence. The traditional view of these programs was very technical and driven by cybersecurity infrastructure; today, executive board stakeholders are involved in most CTI programs. They care about business issues such as third-party risk, geopolitical tensions and supply chain risk, and that means the organisational structure of the program must evolve to reflect this.
Ultimately, any initiative must be mission-oriented, and those involved must define their priority intelligence requirements (PIRs). They also need to ensure they can operationalise intelligence in real time before looking to expand the program.
CTI is cross-functional
CTI sits in a unique position in that it is cross-functional, so it must interact with many constituents around the organisation. The question of who the CTI program should report to often comes up, and it can cause tension between groups such as SOC incident responders, SOC analysts and CTI teams. These issues generally concern who owns which responsibilities and who decides which tools to procure and implement, and they can lead to siloed thinking.
Ultimately, intelligence should be part of every process in the security operation, from alerting to triage to investigation to threat hunting. Leaders who approach it from that perspective will make a lot of progress in their CTI program. This is where collaborative goal setting across all these teams matters, with the key goals communicated continuously. It minimises silos, which then become mere reporting structures rather than operational hindrances.
Sharing and collaboration
The group discussed the primary functions of the CTI team, and most agreed that these are situational awareness, data sharing within the organisation and the extended partner ecosystem, and creating operational efficiencies so that teams can detect threats faster and prioritise patching accordingly. All agreed that the dissemination and sharing of information is essential in CTI. The conversation also touched on standards: to be able to disseminate and share, standards in CTI must be in place.
One big change we have seen in the last few years, which is now driving operational efficiencies and how teams operationalise threat intelligence across the organisation, is that the threat intelligence lifecycle has moved from being applied to reactive situations towards a more proactive ‘shift left’ approach. Teams are keen to get ahead of the threat and understand the important role that threat intelligence plays in enabling this thinking and delivering situational awareness. Teams are now thinking about efficiency and about enriching their situational awareness outcomes, which will ultimately benefit the organisation’s risk posture and enable it to combat threats more effectively.
The group examined many other areas, such as emerging technologies that could take us to new levels of efficiency. To watch the full debate and hear the recommendations from our panelists, please go to: https://www.threatq.com/cyber-rhino-threat-week/