Effectively Applying Threat Intelligence: Trends From the 2019 SANS CTI Survey

Posted: 2nd April 2019

Key Takeaways

  • Threat intelligence is most effective when it’s specific to your risk profile.

  • Automation and machine learning need to be used more often to reduce errors and enable security organizations to better allocate resources.

  • Defining both requirements and key performance indicators (KPIs) up front will make it easier to track progress and show value to the organization.

The 2019 SANS CTI Survey has been released, focused on how and why cyber threat intelligence is being used, how it’s helping defenders, what data sources are being leveraged, and how data is converted into usable intelligence.

This year’s survey received 585 responses across a diverse range of industries. The largest portion of respondents came from cybersecurity service providers (16 percent), banking and finance (15 percent), government (14 percent), and technology (11 percent).

Perhaps one of the most important findings of the survey is that the threat intelligence community is growing and diversifying, which will yield new insights into different types of threats and their behaviors. For this reason, identifying and analyzing intrusions to uncover threats is even more important for understanding security needs in various industries, as well as informing decision-makers about what adversary-based risks matter to their organization.

Further, the survey also uncovered a number of common challenges experienced by organizations who are focused on effectively operationalizing threat intelligence. Read on to learn about frequent threat intelligence struggles across industries, and how they can be combated.

6 Challenges to Effectively Applying Threat Intelligence

1. Operationalizing narrative-based intelligence reports is time-consuming for cyber threat intelligence analysts.

The majority of organizations are using threat intelligence, often in the form of finalized reports, and incorporating them into defensive mechanisms. However, operationalizing narrative-based intelligence reports is no easy feat, especially in the absence of automation; it’s a task that can take up a significant amount of analysts’ time.


Threat intelligence teams need to avoid underestimating the amount of staffing and time required to truly get the most out of this type of reporting. Investing in the necessary resources will increase effectiveness and efficiency.

2. Threat intelligence is less useful when it’s generalized.

Survey respondents reported that general threat intelligence is useful, but not as useful as industry-specific intelligence, brand-specific intelligence, and even intelligence relevant to company executives.


Tracking and defending against widespread, non-targeted threats is important. However, the real value of threat intelligence lies in the capability to provide awareness of, and mitigation for, organization-specific threats. Keep in mind that there are a myriad of options available for collaborating and sharing, such as private-sector and industry-focused groups or government-sponsored groups. It’s fairly easy to identify a sharing partnership that will be of benefit to your organization.

3. Manual processes and human analysis are relied upon too heavily.

39.4 percent of participants report dissatisfaction with automation of threat intelligence data, while 34.6 percent are dissatisfied with machine learning capabilities. This suggests that most organizations are relying on human analysis and manual processes for the more useful components of cyber threat intelligence.


Greater levels of automation and machine learning capabilities would enable organizations to better allocate resources. Plus, analysts would have more time to focus on actually analyzing and disseminating intelligence, rather than on collecting and processing data. Overall satisfaction with threat intelligence can be improved by focusing on extending automation capabilities and improving integration of quality information.

It’s important to note that even with higher quality and more timely data, threat intelligence has to be integrated into the systems that defenders use to leverage it. Beyond offering general awareness of threats, threat intelligence also has to be managed, processed, and integrated into prevention, detection, and response systems.

4. There’s uncertainty in properly measuring the value of cyber threat intelligence.

When asked whether threat intelligence has improved security and response, 81 percent of respondents answered positively, 17 percent said they didn’t know, and only two percent reported that threat intelligence isn’t helpful.

Security isn’t always easy to measure objectively, yet finding a way to measure value on some level, even if it’s subjective, helps contribute to organizational culture around security.


Security teams who are unclear of threat intelligence’s exact value to the organization should set a goal to develop a set of clear requirements to measure value over the coming year.

For example, measuring the average resolution time of security incidents when threat intelligence analysts are involved in order to provide richer context for security operations and incident response teams is a great start.

Another tip is to build a threat model based on industry-specific active threats to determine what types of threat behaviors have been observed using a framework (such as MITRE ATT&CK). This allows the prioritization of threats across architecture, security operations, and response functions.

5. Organizations aren’t identifying and defining good requirements.

Only 30 percent of organizations are documenting cyber threat intelligence requirements. 26 percent said they planned to define them, but 37 percent said the requirements were ad hoc, and 7 percent reported that they had no plans to formalize requirements.


It’s strongly recommended that organizations document requirements for threat intelligence teams to establish a clear focus. Short-notice requirements will still arise, and it’s acceptable to treat them as a priority when they do.

Keep in mind that defining good intelligence requirements requires input from a diverse range of people within an organization. Effective cyber threat intelligence should be able to support a broad array of functions that deal with risk across the organization.

6. Determining where intelligence collection is taking place is difficult.

Another critical component of cyber threat intelligence is determining where you have intelligence collection. Most organizations struggle to understand collection, both internally and externally. External collection can be easier to document, such as sources of feeds and reports or malware repositories and tools, but it can also be difficult to determine what internal collection exists and whether it’s consistent across the organization. For instance, an organization may get host-based logs from systems, but they may not be sure where gaps in collection exist across all hosts.

When asked, “What type of information do you consider to be part of your intelligence gathering?” respondents answered:

  • 66 percent open source or public threat intelligence feeds

  • 64 percent security vendors

  • 63 percent community or industry groups

  • 63 percent external sources such as media and news

  • 62 percent security data, such as alerts gathered from the IDS, firewall, endpoints, and other security systems


The most effective method for ensuring collection sources are fully understood and correctly used is developing a collection management framework (CMF). A CMF details internal and external data sources, what they contain, and how they’re being used. It also reduces silos between teams and helps identify high-value sources and gaps in collection that have to be addressed for comprehensive coverage.

Threat Intelligence: A Continually Growing Practice Area

Threat intelligence has changed significantly in recent years. The results of this year’s survey showcase a security practice area that continues to evolve in positively impactful ways. Use cases, collection sources, and output continue to diversify.

With increasing effectiveness, threat intelligence is being used to determine where to emphasize security efforts, track adversary trends and detect activity, and ensure networks are better secured. Improvement efforts will continue, but threat intelligence has undergone quite the evolution to date.

For more insight into trends in threat intelligence and prescriptions for best security practices, download your complimentary copy of the 2019 SANS CTI Survey today.