Cyber Threat Intelligence

This section outlines the components that have been identified for the CTI dimension, as well as the levels within each component. These components and levels form the basis for assessing how threat-informed an organization's CTI program is.

Depth of Threat Intelligence

What level of information (roughly relative to the Pyramid of Pain) is being used to track adversaries?

  1. Ephemeral IOCs (hashes, IPs, domains): data an adversary can change easily

  2. Tools used by adversaries, which can be swapped or modified by an adversary to evade detection

  3. Techniques and tactics used by adversaries, which are harder to change

  4. Low-variance adversary behaviors and associated observables, which are very difficult to change

Breadth of Threat Intelligence

Relative to the depth component, roughly how many ATT&CK techniques are understood at that level of depth?

  1. IOCs

  2. Some techniques

  3. Techniques targeted to your industry, region, or infrastructure

  4. Prioritized targeted techniques

Relevance of Threat Intelligence

How much does the threat information relate to your organization?

  1. Generic or freely available reporting

  2. Industry-specific reporting (perhaps subscription)

  3. Reports are created by in-house CTI team

  4. Customized briefings from external groups

Utilization of Threat Intelligence

How well does your organization make use of the threat information?

  1. Occasionally read

  2. Regularly ingested for analysis

  3. Contextualized for internal stakeholders outside of security team

  4. Analyzed automatically

Dissemination of Threat Reporting

What threat information is passed along within an organization?

  1. Tactical reporting with highly perishable information (IOCs)

  2. Tactical reporting focused on adversary behavior (TTPs)

  3. Operational-level reporting of pertinent campaigns

  4. Strategic-level reporting of business risk