Full Report
Those who have worked in our industry for a certain amount of time will be acutely aware that executives often encounter information security media articles and flag them to their teams. This is something myself and my peers at other organizations also face. So I decided to write about it, expand my thoughts, and offer some tips from my experience and research, to hopefully provide a practical solution for a common problem.

A flagged article usually prompts inquiries to the Cyber Threat Intelligence (CTI) Team, who have to do their best to provide timely and accurate answers, reassuring their executive stakeholders that everything is OK or being handled. This often means shepherding various Cybersecurity Teams to acquire those answers. Getting to the stage where timely and accurate responses can always be provided can be a bit of a mountain to climb, especially for newly created CTI Teams.

An Ideal 7-STEP Solution

While inevitable, these interactions can be optimized to enhance organizational resilience and foster a proactive security culture. Here's how CTI Teams can effectively navigate and leverage executive inquiries through collaboration with other Cybersecurity Teams:

STEP 1: Acceptance and Pre-emption

Acknowledge that executives will encounter cybersecurity media articles and embrace it as an opportunity to enhance organizational preparedness. Proactively anticipate inquiries by establishing clear Priority Intelligence Requirements (PIRs) and General Intelligence Requirements (GIRs), agreed between executives and CTI.

STEP 2: Building Trust and Relationships

It will be self-evident early in the journey of building a CTI Team that it must earn the trust of its executive stakeholders by fostering good-quality relationships. Executives often seek succinct answers, such as whether the organisation is impacted by an emerging threat. Building rapport and trust enables CTI to provide concise yet insightful responses.

STEP 3: Establishing Internal Networks

Where collaboration comes in most is through the development of a network of internal subject matter experts (SMEs), which you can call the "fusion center" or "council of experts", to efficiently address inquiries and collaborate on mitigating potential threats. CTI Teams must leverage these connections to gather expert insights and validate findings, enhancing the credibility of their assessments and responses.

Figure 1: The Proactive CTI Fusion Center (aka Council of Experts)

This is important as it will hopefully help prevent an undesirable, trust-eroding situation where another Cybersecurity or IT Team contradicts the CTI Team's assessment simply because they were not asked about it.

STEP 4: Contextualizing Threats

One ideal approach is to have the resources to craft daily "flash alerts" that provide timely updates on the latest significant security developments. These should ideally be accompanied by relevant context tailored to the organization's defence posture. Additionally, Weekly Roundups can offer comprehensive summaries, ensuring executives stay informed without being overwhelmed by constant updates.

STEP 5: Facilitating Executive Awareness

It is important to note that executives are likely to possess insights into organisational vulnerabilities and risks not readily apparent to the CTI Team, likely due to their experience, which is usually what got them to their executive positions. In return, experienced CTI Teams can assist in educating executives to ask informed questions and understand the implications of emerging threats on the business landscape.

STEP 6: Business Understanding and Monitoring

CTI should prioritise understanding the organisation's business objectives and technology stack to effectively assess and address potential threats. Leveraging threat intelligence platforms, CTI can monitor for keyword mentions and proactively identify emerging risks.

STEP 7: Confidence in Assessments

While not immediately obvious, CTI Teams should emphasise to their stakeholders that every one of their assessments is based on the information currently available to them, and each should ideally be accompanied by a confidence level. Transparent communication about an assessment's level of certainty enables executives to make informed decisions based on the vulnerabilities, threats, and associated risks.

Conclusion

If the 7-STEP solution above is implemented successfully, your processes around performing proactive CTI duties should look something like the following diagram:

Figure 2: The Proactive CTI Briefing Process

Overall, fostering collaboration between executives and the CTI team is essential for proactive threat management and organisational resilience. By establishing trust, providing contextualised insights, and facilitating executive awareness, CTI can effectively navigate executive inquiries and strengthen the organisation's security posture in an ever-evolving threat landscape.

Further Reading

If you're interested in learning more about CTI processes as a practitioner, myself and my colleagues from the Curated Intel community put together a GitHub repository of dozens of key resources related to CTI Fundamentals. Additional CTI program books that I recommend reading on this topic include Visual Threat Intelligence: An Illustrated Guide For Threat Researchers by Thomas Roccia, the Intel471 Cyber Underground General Intelligence Requirements Handbook (CU-GIRH) by Michael DeBolt, and The Intelligence Handbook: A Roadmap for Building an Intelligence-Led Security Program by Christopher Ahlberg.

Acknowledgments

Thanks to those on my table at the mid-March 2024 Unconference Event run by Intel471 in London. The discussions we had on this topic were great and helped me write this blog.
Shout out to @DE7AULTsec, @dragan_security, and the others.
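To make STEP 6 (keyword monitoring against the technology stack) and STEP 7 (a confidence level on every assessment) concrete, here is an added example that is not from the post: it triages constructed media items against an assumed set of PIRs and an assumed tech-stack inventory, names the fusion-center team to consult (STEP 3), and attaches a confidence level with its basis. The PIR tags, product names, team names, versions, sample articles and the confidence scale are all assumptions made for the example.

```python
import re

# Assumed organisation profile (constructed for this example, not from the post):
# PIR tags -> trigger keywords; tech-stack products -> (fusion-center SME team, deployed version).
PIRS = {
    "PIR-1 ransomware against our sector": ["ransomware", "extortion"],
    "PIR-2 supply-chain compromise": ["supply chain", "third-party", "vendor"],
}
TECH_STACK = {
    "exampleproduct vpn": ("Network Security", "4.2"),
    "exampledb": ("Database Engineering", "12"),
}
VERSION_RE = re.compile(r"version\s*([0-9][0-9.]*)")

def versions_overlap(mentioned: str, deployed: str) -> bool:
    """True if one dotted version is a prefix of the other (4 vs 4.2 matches, 11 vs 12 does not)."""
    m, d = mentioned.rstrip(".").split("."), deployed.split(".")
    n = min(len(m), len(d))
    return m[:n] == d[:n]

def triage(title: str, summary: str, seen: str) -> dict:
    """Score one media item against PIRs and the tech stack; every result carries a confidence level."""
    text = f"{title} {summary}".lower()
    pir_hits = [tag for tag, kws in PIRS.items() if any(k in text for k in kws)]
    stack_hits = [p for p in TECH_STACK if p in text]
    consult = sorted({TECH_STACK[p][0] for p in stack_hits})  # SMEs to ask before answering
    # Assumed confidence scale: high only when a deployed product is named and the
    # article's stated version overlaps what we run; anything else is moderate or low.
    mentioned = VERSION_RE.findall(text)
    deployed = [TECH_STACK[p][1] for p in stack_hits]
    version_match = any(versions_overlap(m, d) for m in mentioned for d in deployed) if mentioned else None
    if stack_hits and version_match:
        confidence = "high"
    elif stack_hits or pir_hits:
        confidence = "moderate"
    else:
        confidence = "low"
    basis = [f"based on information available as of {seen}"]
    if stack_hits and version_match is False:
        basis.append("article version differs from deployed version; confirm with SME")
    return {"flash_alert": bool(stack_hits or pir_hits), "pirs": pir_hits,
            "consult": consult, "confidence": confidence, "basis": "; ".join(basis)}

# Constructed sample media items (not real articles).
SAMPLE_ITEMS = [
    ("ExampleProduct VPN flaw exploited by ransomware crews", "Attacks target version 4.2 appliances.", "2024-03-20"),
    ("ExampleDB maintainers patch bug", "Affects version 11 only.", "2024-03-20"),
    ("Retail chain hit by third-party breach", "Vendor portal abused.", "2024-03-21"),
    ("New smartphone launched", "Marketing event.", "2024-03-21"),
]
```

Run `triage(*item)` over `SAMPLE_ITEMS` to see that only the first item earns high confidence, the ExampleDB item is downgraded with a version-mismatch caveat for the SME, and the smartphone item is not flash-alert material.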
Analysis Summary
# Best Practices: Strengthening Proactive Cyber Threat Intelligence (CTI) Through Collaboration
## Overview
These practices focus on optimizing how Cyber Threat Intelligence (CTI) teams interact with executive stakeholders and internal security teams. The goal is to move from reactive response to proactive preparedness by leveraging established internal networks and communication strategies to handle executive inquiries efficiently and accurately.
## Key Recommendations
### Immediate Actions
1. **Acknowledge and Embrace Executive Inquiries:** Accept that executives will review and flag security media articles; view these moments as opportunities to prove organizational preparedness rather than burdens.
2. **Establish Initial Trust:** Begin building rapport with executive stakeholders immediately to foster an environment where they seek concise, trusted answers from the CTI team regarding threat impact.
3. **Begin Identifying SMEs:** Start the process of cataloging internal subject matter experts (SMEs) across IT and Cybersecurity for potential inclusion in an internal "fusion center" or expert council.
### Short-term Improvements (1-3 months)
1. **Define Intelligence Requirements:** Work with executives to formally establish clear **Priority Intelligence Requirements (PIRs)** and **General Intelligence Requirements (GIRs)** to align CTI work directly with executive concerns.
2. **Develop a Fusion Center/Council of Experts:** Formalize the network of internal SMEs (the "fusion center") responsible for validating CTI findings and collaborating on threat mitigation assessments.
3. **Implement Contextualized Reporting:** Create and consistently deliver **daily "flash alerts"** on significant security developments, ensuring these reports include context tailored to the organization's specific defense posture.
4. **Launch Weekly Roundups:** Institute **Weekly Roundups** to provide comprehensive summaries of security developments, keeping executives informed without causing notification fatigue.
### Long-term Strategy (3+ months)
1. **Deepen Business Understanding:** Dedicate resources to thoroughly understand the organization's core business objectives and the critical technology stack to accurately contextualize threat relevance.
2. **Integrate Executive Feedback Loop:** Establish a bidirectional educational process: CTI educates executives on threat impact, and executives share organizational vulnerability insights not visible to the technical team.
3. **Mandate Confidence Scoring:** Ensure **all CTI assessments** presented to stakeholders explicitly include the level of confidence based on currently available information to enable truly informed decision-making.
4. **Proactive Monitoring Integration:** Leverage threat intelligence platforms to actively monitor for internal keyword mentions related to emerging threats, enabling proactive identification of risks before they become direct inquiries.
## Implementation Guidance
### For Small Organizations
- **Focus on Core Network:** Immediately identify 3-5 key SMEs in IT/Security who must be involved in any threat assessment collaboration (initial fusion center).
- **Prioritize PIRs:** Keep the list of initial PIRs short (3-5 high-impact items) dictated by executive concerns to focus limited CTI resources effectively.
### For Medium Organizations
- **Formalize the Council:** Officially charter the "Council of Experts" (Fusion Center), documenting roles and expected response times for cross-team validation checks.
- **Platform Utilization:** Ensure threat intelligence platforms are configured to monitor keywords relevant to the organization’s primary technology stack and business domain.
### For Large Enterprises
- **Scalable Collaboration Model:** Implement formal Standard Operating Procedures (SOPs) for rapid consultation and assessment validation involving multiple distributed security teams via the fusion center model.
- **Governance for Reporting:** Establish clear governance around the format and frequency of daily flash alerts vs. weekly roundups to manage the communication flow across complex organizational levels.
- **Documented Confidence Levels:** Integrate confidence level reporting into the standard assessment template used enterprise-wide for CTI deliverables.
## Configuration Examples
*No specific technical configurations were provided in the text; the focus is on process and collaboration.*
## Compliance Alignment
The practices described align conceptually with frameworks emphasizing communication, risk management, and information sharing:
- **NIST CSF (Identify/Respond Functions):** Establishing PIRs and GIRs aligns with understanding the organization's risk context and developing response capabilities. Developing expert networks aids in response validation.
- **ISO 27001 (A.16 Information Security Incident Management):** Prompt and accurate communication regarding threats and assessments (including confidence levels) is crucial for effective incident management planning.
## Common Pitfalls to Avoid
- **Allowing Contradictions:** Failing to loop in relevant cybersecurity teams during the assessment process, leading to situations where another team contradicts CTI findings due to lack of prior consultation.
- **Overwhelming Executives:** Supplying too much raw data or constant updates without context, eroding executive trust and potentially leading them to ignore future credible warnings.
- **Assuming Knowledge Parity:** Failing to educate executives on threat implications or failing to solicit their unique business risk insights.
- **Ambiguous Assessments:** Providing threat assessments without clearly stating the level of certainty or the basis of the information being used.
## Resources
- **Internal Subject Matter Experts (SMEs):** Crucial resource for validation and specialized knowledge.
- **Threat Intelligence Platforms:** Necessary tool for monitoring keywords and technology-specific threats.
- **Executive Stakeholders:** Key resource for defining business context and risk tolerance.