Establishing a Threat Intel Program: Principles for Security Leaders

Chris Horsley
Chris Horsley
Chief Technology Officer
Tash Postolovski
Tash Postolovski
Technical Marketing Manager
Establishing a Threat Intel Program: Principles for Security Leaders
February 21, 2024

One of the more frequent conversations we have with security leaders is how to establish a new threat intelligence program in their organisation.

In these conversations there are a few basic principles that we cover because they’re applicable to almost everyone.

We’re sharing these principles publicly so that more organisations can learn about our threat intel philosophy and avoid the most common mistakes that can lead to failed programs.

These principles are based on decades of experience establishing, running, and evaluating threat intel programs across dozens of Australian and New Zealand organisations including government bodies, universities, major banks, and critical infrastructure operators.

Define your stakeholders

Who are the internal and external stakeholders of your threat intel program?

This might include the SOC, the executive team, and industry peers. Anyone who’s going to interact with or consume the threat intel that you create is your stakeholder.

Your stakeholders’ use cases should determine the types of intelligence that you collect, analyse and disseminate.

Define your products

What information does your threat intel program need to produce? And in what format do your stakeholders want to consume what you’re producing? These are the “products” produced by your program.

You should also think about bucketing your threat intel into tactical and strategic products. Tactical threat intel might include automated feeds and periodic alert reporting to the SOC team, whereas your strategic products will typically be used to communicate to business stakeholders.

For example, your SOC team may want to consume threat intel in a machine-readable format that integrates well with a log analysis tool, e.g. Splunk. Intel at this level of granularity would be useless at the CISO level, where strategic threat intel (like longer-term trends) is much more useful.

While the SOC team might need a Splunk integration, the exec team might just want a monthly bullet-point summary in a Word document.

As part of standing up your threat intel program, you’ll need to plan for how these products will be created and shared within your organisation, who will manage the creation of these products, and in what format they’ll be shared.

Define what types of threat intel matter most to your organisation

Photo by Possessed Photography on Unsplash.

Relevancy is key when it comes to threat intel.

You want to build your program to prioritise threat intel related to attacks in your industry (e.g. financial institutions), attacks in your geography (e.g. Australia), and vulnerabilities in tools and software that you actually use (e.g. there’s no reason to disseminate intel on MacOS vulnerabilities if your organisation only runs Windows).

Your threat intel products should also align with reducing your most critical business risks. Otherwise, your threat intel products won’t align with the goals of your stakeholders, and you’ll struggle to gain adoption for your program.

Unclear alignment with critical business risks is one of the key reasons why threat intel programs fail.

Define your assets

Once you’ve clearly defined your stakeholder, your products, and the intel that matters most to your organisation, it becomes much easier to define the assets you’ll need to execute your program.

It’s tempting to start by thinking about which Threat Intelligence Platforms (TIPs) or threat intel feeds you should buy, particularly if you’ve secured the budget to do so.

But first, how will you consume that firehose of intel? How will you store it? Have you got the analysts to translate threat intelligence into business value?

A common cause of death for failed threat intel programs is that the organisation spent too much money on tools and feeds and not enough on analysts.

To put it another way, you can run a small, successful threat intel program with nothing more than an analyst and a spreadsheet. But you can’t run a successful threat intel program with expensive tools, feeds, and too few analysts to use them well.

Allocate a realistic budget

Commercial threat intelligence feeds can cost tens or hundreds of thousands of dollars.

A commercial TIP can cost over $100k, even up to $500k with enough analysts. Mid or senior level intel analysts will cost you at least $150k, going up to $200 - $250k to compete with what banks are paying senior analysts.

You can easily spend a million dollars to stand up an intel function including tools, feeds, and analysts.

Before you invest this money, it’s worth asking a few key questions:

  • Are we investing in all the pieces we need to make this work?
  • Are we confident our threat intel program will show results?
  • How do we measure results?
  • How do we know that the program is producing the outputs that we intended?

Allocate analysts

As we touched on earlier, having enough analyst capacity is one of the most often overlooked aspects of a threat intel program.

Without enough analyst capacity, your program will be less effective and deliver fewer results.

For example, the timeliness of your threat intel will suffer.  Let’s say there’s a new vulnerability with active exploitation affecting part of your toolchain. If it takes a week to get to it, that’s way too late. There’s got to be consistent throughput so you’re quickly identifying the most relevant intel and disseminating it to the right people within the organisation as soon as you can vet it.

Prioritise people over automated feeds and platforms.

Allocate software engineering capacity

You also want to invest in engineering talent that sits beside the threat intel team. For example, you’ll need engineering capacity to integrate your TIP into the rest of the organisation’s systems. You’ll need to write custom scripts that sit off to the side to help you automate certain things that your TIP doesn’t do. You’ll need to write services to connect to APIs, do custom searches, custom processing, and more.

To do all those things, you’ll need access to engineering capability, and you can’t let your threat intel program grind to a halt while you wait. (Providing extra security-focused engineering capacity is something we do often for clients at Cosive).

Photo by Mikhail Fesenko on Unsplash.

What if I can’t do all these things?

What if your organisation doesn’t have the time, budget, or resources to do all these things?

You could start a threat intel program very simply, but people are your starting point.

Many successful threat intel programs start out as an analyst with a spreadsheet or MISP instance spending a few hours a week following new software vulnerabilities that are out there, and then telling people about the relevant ones.

For example, they might discover CircleCI was breached, and the team uses CircleCI. They need to decide: who am I going to talk to? And what do we need to do to mitigate the impact of the breach?

Having a simple, low fidelity system in place can be an excellent way to drive out the requirements for a broader threat intel program when your organisation is eventually ready to launch a program at scale.

If you’d potentially benefit from expert help in planning and standing up a threat intel program in Australia or New Zealand, please get in touch with us.

Main photo by Dan Asaki on Unsplash.

Related posts

Browse all articles
February 21, 2024

Episode #002: Building Production-worthy Software in SecOps Teams with Chris Horsley, CTO at Cosive

Before jointly founding Cosive with Kayne Naughton and Terry MacDonald, Chris Horsley (Cosive’s CTO) spent many years working in national CSIRTs in both Australia and Japan, as well as doing freelance secure software development for operations teams. In this interview Chris talks about the challenges of building software and writing critical automation scripts in SecOps teams.

February 21, 2024

Episode #003: Securing REST API Endpoints (or How to Avoid Another Optus) with James Cooper

Unless you have been living in a cave on Mars with your eyes shut and your fingers in your ears for the past few weeks, you have probably heard something about a data breach at Australian telecommunications giant Optus.As security mistakes go, the vulnerability reported to have enabled the attack leans toward the more embarrassing side of the scale. If reports are true, Optus has effectively exposed customer data on an endpoint available to the entire internet.While it is plausible that a developer will forget to (re)secure an endpoint once they finish their development work, there are multiple practical steps you can take to catch or mitigate the problem.