Threat Intelligence Strategy Mistakes You Can’t Afford to Make (Part 3)

June 11, 2019 • The Recorded Future Team

A strong threat intelligence program is a tremendous asset. It can help you identify your most pressing threats, effectively prioritize resource use, and take a more proactive approach to the security of your organization.

Unfortunately, many fledgling threat intelligence programs fail to realize their full potential.

We already looked into this in two previous blog posts: the first covering common threat intelligence misconceptions, and the second highlighting why it’s a mistake to rely on manual processes when producing threat intelligence. Here, we’ll cover some of the most common mistakes we see in the planning and strategizing that goes into threat intelligence programs and explain what you can do to avoid them.

Mistake 1: Not Having a Plan

“Doing threat intelligence” doesn’t mean the same thing for every organization. Depending on your industry, geographic location, and the specific structure of your organization, what you need from threat intelligence could differ wildly from the needs of even your direct competitors.

Often, when an organization first implements threat intelligence, they’ll have a vague idea about identifying anything and everything that could be of interest. This isn’t enough.

Threat intelligence is a vast field, and it’s not realistic to expect to be able to do everything. Trying to do it all is a quick way to overwhelm your analysts and limit your chances of achieving anything measurable.

Solution

Having a plan is essential to the success of your threat intelligence program. To get started, identify the top priorities for your organization, and define a mission and set of processes for your threat intelligence program that line up with those priorities.

For example, a healthcare organization’s top priority is likely to be maintaining the security and availability of patient healthcare records. In that case, a sensible mission for their threat intelligence function might be to identify the most likely threats (and specific attack vectors) that could threaten the security or integrity of those records.

Mistake 2: Having Too Narrow a Focus

On the flip side, many organizations fall into the trap of thinking threat intelligence is just about one thing, like identifying new vulnerabilities or brand monitoring.

In reality, threat intelligence has applications for every security function, and restricting your program to a single function can dramatically limit the value of outputs.

Solution

Don’t limit your program to a single function, unless that is genuinely all you can manage at this time. Take the time to understand what threat intelligence can potentially do for your organization. Once you have a list of possibilities, cut away the superfluous and identify a clear set of priorities for your program.

Finally, once you know what your program needs to achieve, develop a mission and set of processes designed to help you reach those goals.

Mistake 3: Not Identifying and Serving All Internal Audiences

Even when an organization recognizes the myriad of use cases for threat intelligence, there is a tendency for the outputs of a threat intelligence program to stay firmly within the boundary of a specific security function. While security operations teams are an obvious candidate for threat intelligence outputs, functions such as vulnerability management and even security leadership are often not considered as potential audiences for threat intelligence.

Solution

Fundamentally, there are three types of threat intelligence (strategic, operational, and tactical), and each has its own set of potential audiences. When building your threat intelligence function, conduct a thorough exercise to identify likely audiences for intelligence outputs in all areas of your organization.

Communication is essential here. If you aren’t sure if a team would benefit from threat intelligence, open a dialogue with them to find out.

Finally, remember that in order to be useful, threat intelligence outputs must be produced in a format that is usable by the intended audience. For example, while security operations personnel can often work with contextualized data points, an executive board will require concise, non-technical reports to inform their decision-making process.

Avoid Mistakes With Our Book

Whether you’re just starting out and aren’t sure how to begin developing your threat intelligence program, or you want to learn more about expanding an existing one, our “Threat Intelligence Handbook” is a great resource. It covers the different applications of threat intelligence in more detail and looks at how to develop an effective threat intelligence strategy.