Cyber Threat Intelligence

This section outlines the key components that have been identified for the CTI dimension as well as maturity levels within the components. These components and levels form the basis for assessing how threat-informed an organization’s CTI program is. This assessment can be conducted using the MITRE INFORM Web Tool.

  1. Depth of Threat Intelligence: This component discusses the depth of your CTI relative to the Pyramid of Pain. More depth corresponds to a higher level on the Pyramid and consequently more robust intelligence. For example, IOCs like IP blocklists tend to be highly dynamic while certain adversary behaviors are more invariant and useful long-term.

  2. Relevance of Threat Intelligence: This component is about how tailored your CTI is to your organization. For example, your industry may have specific intelligence requirements or be prone to certain threats. Note that it is possible that some open-source threat reports are highly relevant to your organization.

  3. Operational Integration of Threat Intelligence: This component is about how widely integrated your CTI is across your organization. Is it limited to certain individuals and teams or does it influence company-wide workflows?

  4. Incorporation of Threat Intelligence: This component assesses how frequently CTI is incorporated into organizational workflows. Organizations should aim to have a regular cadence of CTI integration.

  5. Recency of Threat Intelligence: This component assesses how recently your organization’s CTI was produced.

  6. Speed of CTI Dissemination: This component assesses how quickly your organization processes and disseminates CTI.

  7. CTI-Driven Decision Making: This component assesses how quickly CTI is incorporated into business decisions.

Depth of Threat Intelligence

What level of information (roughly relative to the Pyramid of Pain) is being used to track adversaries?

  • Ephemeral IOCs (hashes, IPs, domains): data points an adversary can change easily

  • Tools used by adversaries which can be swapped or modified to evade detection

  • Techniques and Tactics used by adversaries, which are harder to change

  • Low-variance adversary behaviors and observables, which are very difficult to change
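The four tiers above can be applied mechanically to a threat report: classify each indicator by the tier it belongs to, then take the highest tier present as the report's depth. The following is an added Python example, not part of the INFORM tool or this page; the sample feed is constructed, and the `tool:` / `behavior:` prefixes are an assumed convention for indicators that cannot be recognised by pattern alone.

```python
import re
from collections import Counter

# Pyramid of Pain tiers, lowest (easiest for the adversary to change) to highest.
TIERS = ["ephemeral_ioc", "tool", "technique", "behavior"]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# ATT&CK technique IDs such as T1059 or T1059.001.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def classify(indicator: str) -> str:
    """Map one indicator string to its Pyramid of Pain tier."""
    ind = indicator.strip()
    if TECHNIQUE_RE.match(ind):
        return "technique"
    if HASH_RE.match(ind) or IPV4_RE.match(ind) or DOMAIN_RE.match(ind):
        return "ephemeral_ioc"
    # Assumed convention: tools and behaviours are labelled explicitly.
    if ind.lower().startswith("tool:"):
        return "tool"
    if ind.lower().startswith("behavior:"):
        return "behavior"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def parse_report(text: str) -> list:
    """One indicator per line; blank lines and '#' comments are ignored."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def depth_profile(indicators) -> dict:
    """Count of indicators at each tier, in pyramid order."""
    counts = Counter(classify(i) for i in indicators)
    return {t: counts.get(t, 0) for t in TIERS}


def depth_level(indicators) -> int:
    """Depth maturity level 1-4: the highest tier backed by at least one indicator."""
    profile = depth_profile(indicators)
    return max(i + 1 for i, t in enumerate(TIERS) if profile[t] > 0)


# Constructed sample feed (documentation IP range, example.net, made-up hash).
SAMPLE_REPORT = """
# constructed sample, not real intelligence
0123456789abcdef0123456789abcdef
198.51.100.23
update.example.net
tool:example-remote-access-trojan
T1059.001
behavior:scheduled task created from a user-writable temp directory
"""
```

A feed that contains only the first three lines of the sample scores level 1; the full sample scores level 4 because a low-variance behaviour is present.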

Relevance of Threat Intelligence

How much does the threat information relate to your organization?

  • Generic reports or freely available reporting

  • Industry-specific reporting

  • In-house or organizationally-specific reporting

Operational Integration of Threat Reporting

To what extent is threat reporting incorporated across your organization?

  • Reviewed by individuals or siloed teams

  • Integrated across different security teams

  • Contextualized and made actionable across the organization

Incorporation of CTI

How frequently are you bringing threat intelligence into your organization’s workflows?

  • Never

  • Intermittently

  • Monthly

  • Weekly

  • Daily

Recency of CTI

How recent is the threat intelligence in the reports you use?

  • Unsure

  • Within the past year

  • Within the past month

  • Within the past week

Speed of CTI Dissemination

How quickly is new threat intelligence, either internally created or externally sourced, processed and disseminated within your organization?

  • Not disseminated

  • Within a month

  • Within a week

  • Within a day

CTI-Driven Decision Making

To what extent is CTI incorporated into decision making?

  • CTI is not considered

  • CTI is considered, but not a driving factor

  • CTI is strongly weighted for cybersecurity decisions

  • CTI is strongly weighted for cybersecurity and business decisions