If you watch the security industry closely, you’ll find every vendor (some established, some new) trying to pitch the newest widget or service for threat intelligence.
As with every other security discipline, this isn’t a problem or initiative you can purchase your way out of. It’s a cyclic process with 5 or 6 distinct phases, each relying on the others for its inputs and outputs. As shown below, you can’t buy this (unless it’s completely outsourced, and even then I have questions):
It’s important to understand that threat intelligence itself breaks into 4 separate disciplines, and which ones you emphasise depends on what your strategy aligns to.
- Tactical: TTPs, info on actors and attacks
- Technical: raw technical data, usually received through feeds
- Operational: data on specific attacks that are targeting an organization
- Strategic: high-level information including financial impact, briefings, and/or trends
A mature strategy consists of threat objectives, where each discipline and/or technique (with or without technology) is used as an input and ultimately produces outputs. I’ve included a couple of items below that outline more details on creating a holistic strategy for threat intelligence.