How to Maximize the Return From Your Threat Intelligence Reporting

Posted: 20th September 2020
How to Maximize the Return From Your Threat Intelligence Reporting

Key Takeaways

  • Reporting is always limited by the quality of your intelligence. Make sure you’re providing genuine value, not just filling pages.
  • If you want to maximize the value of your threat intelligence, you need to share it as widely within your organization as possible. You never know who might find it useful.
  • Ask every team what they need and in what format. Each team will have different needs, and your reports must be presented in a form that can be processed into their standard workflow.
  • The only way to improve your threat intelligence reporting is to ask for feedback on every one and adjust accordingly.

When most people think about threat intelligence, it calls to mind images of automatic threat intelligence feeds , analysts hard at work, and emergency security briefings.

What it doesn’t bring to mind are reports.

And that’s unfortunate, because the true value of threat intelligence is entirely dependent on how successfully it is communicated to the people in a position to act on it.

Threat intelligence reporting is often rushed, with little thought going into content, format, and audience. If you’d like to buck that particular trend, these are the steps you’ll need to take.

Be Intelligent

First off — and this should go without saying — the value of your reporting will always be limited by the quality of your threat intelligence.

If you’re producing outstanding, insightful threat intelligence and reporting on it in a timely fashion, most of the battle is already won. If, on the other hand, you’re working with little more than raw data and it’s taking you weeks to produce reports, there’s not a template in the world that will save you.

Producing real threat intelligence is a complex task, requiring dedicated and skilled analysts, so this is not a process that can be rushed.

But it runs deeper than that.

The whole purpose of threat intelligence is to inform action, and that simply can’t happen unless both the content and format of the reports are of a high standard. If your reporting is simply an afterthought, there’s a good chance the intelligence produced won’t be precisely what was needed.

Instead, you should start your threat intelligence process by determining which reports will be produced and for whom, so that when new intelligence is produced it can be acted on immediately.

Why Share Threat Intelligence at All?

When you get right down to it, producing threat intelligence is an expensive and difficult process. It requires dedicated analysts, most likely a paid-for platform, and lots of time spent producing complicated reports.

Naturally, then, you’ll want to make the most of it. But the thing you have to remember is, you can’t do everything yourself.

To maximize the value to your organization, you need to share the intelligence you produce as widely as possible.

Quite apart from anything else, there’s a good chance you don’t even realize how threat intelligence could benefit the different areas of your organization. You probably don’t know everything each team does, so how could you possibly know what would benefit them unless you ask?

Sharing threat intelligence within your organization will help spread awareness of security issues among non-technical audiences. Even better, it can greatly improve your ability to implement proactive and cohesive security and defense mechanisms, making use of the collective knowledge and experience of your various technical teams.

And what’s not to like about that?

Ask Around

The precise audience for threat intelligence varies within each organization, but there are a few no-brainers.

Red teams, for instance, are high on the list of potential clientele, at the very least for intelligence relating to the latest vulnerabilities or threat actor tactics, techniques, and procedures (TTPs).

Equally, if you discover that attacks targeting a certain software suite have increased dramatically in recent months, your vulnerability management team would like to know.

Your security operations center (SOC) and incident response teams are also bound to benefit from intelligence on the latest threats and TTPs, not to mention any analysis of recent attacks on similar organizations.

And if we’re aiming for the greatest possible benefit to the organization, key leaders and board members have more ability to influence operations than anyone.

But those are obvious examples.

Even your help desk can benefit from threat intelligence, particularly if it helps them to identify and escalate potential breaches early instead of simply processing them with all the other logged calls.

The point is that you don’t know who needs threat intelligence, so you need to ask. Make an open offer to all areas of your organization that, if they need threat intelligence for any reason, they can have it.

You’ll want to retain control of exactly how and when reporting occurs, rather than granting access to the source — you’re the experts after all — but the true goal is to maximize the benefit to your organization and that means getting the intelligence to the people who need it.

Formatting: More Than a Formality

Once again, let’s set our sights firmly on the prize. The value of threat intelligence is in understanding threats to your organization and taking the operational actions necessary to combat them.

The content of your reports is one side of this, but it isn’t the whole story. Like it or not, the format of your reports is also important.

All of your hard work will be completely wasted if, for any reason, your audiences can’t understand or can’t act on the reports you send them. With that in mind, here are some of the points you’ll need to consider when producing threat intelligence reports.

Each audience is different.

There is a huge difference, not least in technical understanding, between your executive board and your red team. Clearly the content of the reports you send to these audiences will differ, but that isn’t enough.

Non-technical audiences, particularly senior managers, need headline facts and figures to make decisions. Sure, they’ll probably need further explanation in some cases, but they’ll almost never need (or want) the technical stuff. An easily understood single page report or in-person presentation will be far better received than five pages of detail.

Operational teams, on the other hand, are likely to need far less explanation, and may well like to see source data combined with your analysis.

Ultimately, you’ll need to ask each audience exactly what they need and in what format.

Setting up a bespoke reporting structure might seem like a big job now, but in the long run it will be far more impactful.

Reports must be processed into existing workflows.

This is a point that’s almost always ignored, but which makes a tremendous difference to the value each audience gains from your reporting. Most teams have their own operational procedures, and if they’re going to make the most of your threat intelligence, it will need to fit into that structure.

Help desks, for instance, will usually process outstanding tasks into a workflow application of some sort, and it will make their lives much easier if your reports are in a format that makes this process simple. Equally, each organization’s executive board functions slightly differently, and it pays to find out how, when, and by whom your reports will be read.

Don’t forget, these are the people who set your budgets.

More isn’t always better.

Information overload is a real concern when it comes to threat intelligence. If you lay too much at one audience’s feet all in one go, reading and actioning your report can easily become overwhelming.

Instead, work with each audience to develop a priority system, and always highlight the most important intelligence first. You can always provide less urgent intelligence in a separate report, but don’t risk overwhelming your audience with detail, particularly if they’re non-technical.

The Feedback Loop

Once you’ve developed bespoke reports for each audience, you might feel that your work is done.

Sadly, that isn’t the case.

For a start, it’s highly unlikely that you’ve done everything perfectly the first time around. There are bound to be requests for changes to the content and format of future reports, and even if you did get everything right, first-time reporting needs are constantly evolving. You’ll need to be flexible and proactive to stay on top of things.

You’ll also need to know which aspects of the previous report have been actioned. After all, you can hardly claim to be providing threat intelligence if you no longer know what is and isn’t relevant to your organization.

To achieve this, you’ll need to set up a reliable feedback loop with each audience. Your vulnerability management team, for instance, will need to tell you which vulnerabilities have been addressed and which are outstanding. Equally, your red team will need to tell you which threats have been investigated, and which haven’t.

Over time this feedback loop will enable you to tailor each report precisely to the needs of its audience. Not only that, it will provide you with an invaluable knowledge of the types of intelligence each team values, enabling you to do an even better job in the future.

Keep It Simple

After reading all of this, you may be feeling daunted by the prospect of developing a powerful threat intelligence reporting process.

In reality, though, simple is best.

It is important to give each team exactly what they need in the format they need it, and it is important to get regular feedback and improve over time.

But that doesn’t mean it has to be complicated.

If you’re able to implement the steps laid out above, you’ll quickly find that threat intelligence reporting can be a simple and powerful process, and that the results speak for themselves. Done right, threat intelligence reporting and dissemination enable a far more proactive and joined-up approach to security, that will dramatically reduce your organization’s risk profile.