Integrating threat intelligence into cyber defence operations, as well as other key groups across organisations, is key to shifting the advantage in the defenders’ favour and building cohesive relationships.
Prevalent. Pervasive. Persistent. These three Ps increasingly describe the macro trends for many types of cyber threats, challenging many SecOps teams to evolve and mature their practices, as well as take a broader approach to risk management. As the cyber threat landscape evolves and expands through other domains, having an internal, multifaceted intelligence capability is key.
Organisations are challenged, not just by the malicious threat actors themselves but also by regulators and shareholders, to address an increasing number of emerging threats as technology and operational demands evolve. Implementing threat intelligence leading practices can help an organisation better understand the threat landscape in the context of its unique considerations and concerns, such as the company’s operating footprint, strategy for growth, specialised intellectual property, and sensitive datasets and customers. The landscape can further shift based on other considerations, such as threat actors targeting the company’s sector or industry, as well as their potential motivation for targeting the company specifically (e.g., for extortion using stolen data, or for the theft of sensitive research and development).
Threat intelligence can then help determine which threats need to be prioritised within the organisation and how, such as by assessing potential impact as well as how proximate the threats are to the organisation. For example, has the same or a similar threat actor compromised the organisation’s environment in the past, or has the threat actor compromised a specific technology that the organisation uses? A threat intelligence function can then develop and implement tailored intelligence requirements to communicate these priorities to other elements of the organisation, such as threat detection and vulnerability management. These actions demonstrate that an organisation is using threat intelligence to focus its security operations on the most pressing threats for risk management.
Having multiple intelligence sources, perspectives, and backgrounds on threats is essential to building the collective expertise within a threat intelligence function, especially when considering how much the spectrum of threat actors, capabilities, and targeting operations has grown in recent years. While many threat actors continue to use techniques and tooling that have been effective for years, we are seeing more threat actors conducting operations through capabilities that are shared, sold by commercial quartermasters, or even “leased,” such as affiliates working with the operators of Ransomware-as-a-Service programmes. Ransomware threat actors, and cyber criminals more broadly, have for a long time been opportunistic in their operations; however, as cyber threats grow more pervasive and sophisticated, we are observing financially motivated threat actors refining their approach to victimisation to maximise their illicit proceeds. Further, threat actors from all motivations are increasingly demonstrating their dynamic nature and abilities to quickly exploit opportunities.
Threat actors with espionage, sabotage, and hacktivist motivations continue to conduct tailored operations against victim organisations for a number of reasons, such as intelligence collection, intellectual property theft, and downstream and upstream targeting of sensitive entities, such as client bases, supply chains, and sensitive operations or projects. Threat intelligence, and specifically threat landscape reports, considers these factors and provides additional information about these prioritised threats, such as common or overlapping tactics, techniques, and procedures (TTPs) around which to build security controls. Threat landscape reports can also assist with intelligence-led penetration testing and controls testing.
Threat intelligence can take various forms in your organisation, depending on a range of variables such as requirements, resources, and adjacent teams and structures. Threat intelligence functions can also evolve over time within your organisation as its capabilities and remit shift.
Regardless of how and where threat intelligence may sit within your organisation, its remit will also be determined by the needs of your organisation and may involve the following:
Technical analysis, such as infrastructure, malware, initial access, vulnerability exploitation, deep and dark web (DDW), and open source intelligence (OSINT).
Strategic analysis and management, such as geopolitical and technological issues, anticipatory intelligence and forecasting, intelligence requirements, stakeholder analysis, and collection posture.
Numerous stakeholders within an organisation benefit from threat intelligence, especially when clear processes and workflows exist to support consistent communication and follow-up actions. For example, having a process to query the company’s threat intelligence function for context around a specific issue will assist the organisation as it navigates an evolving threat landscape or specific situation. By developing cross-functional workflows and teams, an organisation is encouraging proactive communication, triage, action, and feedback concerning cyber threats and other related issues across teams, such as SecOps, incident response, risk management, etc. Threat intelligence may highlight a critical vulnerability which is being actively exploited by threat actors, and these workflows will support the organisation’s identification, escalation, and remediation efforts. These activities demonstrate an organisation is using threat intelligence to quickly identify, respond to, analyse, and develop additional mitigations against relevant cyber threats, and that these processes are supported by multiple elements of the organisation.
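The prioritisation questions above (has this actor compromised us before, does it exploit a technology we run, does it target our sector) and the workflow that routes an actively exploited vulnerability to the right team can be made repeatable in code. The following is an added example and is not PwC’s code or methodology; the organisation profile, the actor names (ACTOR-A, ACTOR-B, ACTOR-C), the product names, the placeholder CVE identifier and the scoring weights are all constructed for illustration.

```python
"""Score threat intelligence reports against an organisation's profile.

Added example (not PwC's code or methodology): it turns the prioritisation
questions in the text ("has this actor hit us before?", "does it exploit a
technology we run?") into a repeatable scoring step that hands each
prioritised item to the right internal workflow. All names, weights, CVE
identifiers and report data below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class OrgProfile:
    sector: str
    technologies: set            # product names the organisation runs
    past_actors: set             # actors that previously compromised it


@dataclass
class IntelReport:
    title: str
    actor: str
    motivation: str              # "financial", "espionage", "hacktivism", ...
    sectors_targeted: set
    technologies_exploited: set
    actively_exploited_cves: set = field(default_factory=set)
    impact: int = 1              # analyst-assessed potential impact, 1..5


# Weights for "proximity" signals; assumed values, tune to your own risk appetite.
PROXIMITY_WEIGHTS = {
    "prior_compromise": 3,
    "technology_overlap": 2,
    "sector_overlap": 1,
}


def proximity(report, org):
    """Return (score, reasons) describing how close the threat is to the org."""
    score, reasons = 0, []
    if report.actor in org.past_actors:
        score += PROXIMITY_WEIGHTS["prior_compromise"]
        reasons.append("actor previously compromised this organisation")
    if report.technologies_exploited & org.technologies:
        score += PROXIMITY_WEIGHTS["technology_overlap"]
        reasons.append("exploits technology in our estate")
    if org.sector in report.sectors_targeted:
        score += PROXIMITY_WEIGHTS["sector_overlap"]
        reasons.append("targets our sector")
    return score, reasons


def route(report, org):
    """Decide which stakeholder workflows receive the report."""
    actions = []
    if report.actively_exploited_cves and (report.technologies_exploited & org.technologies):
        actions.append("vulnerability management: emergency patch review")
    if report.actor in org.past_actors:
        actions.append("threat hunting: sweep for known actor TTPs")
    if report.motivation == "financial":
        actions.append("incident response: review ransomware playbook")
    actions.append("detection engineering: confirm coverage for reported TTPs")
    return actions


def prioritise(reports, org):
    """Rank reports by impact x proximity; zero-proximity reports go to the end."""
    ranked = []
    for r in reports:
        prox, reasons = proximity(r, org)
        ranked.append({
            "title": r.title,
            "priority": r.impact * prox,
            "reasons": reasons,
            "actions": route(r, org) if prox else ["awareness only"],
        })
    return sorted(ranked, key=lambda x: x["priority"], reverse=True)


# Constructed sample data (hypothetical organisation and reports).
ORG = OrgProfile(
    sector="financial services",
    technologies={"ExampleVPN", "ExampleMail"},
    past_actors={"ACTOR-B"},
)
REPORTS = [
    IntelReport("ACTOR-A exploiting ExampleVPN", "ACTOR-A", "financial",
                {"financial services", "healthcare"}, {"ExampleVPN"},
                {"CVE-0000-0001"}, impact=5),   # placeholder CVE id
    IntelReport("ACTOR-B espionage campaign", "ACTOR-B", "espionage",
                {"energy"}, {"ExampleCRM"}, set(), impact=4),
    IntelReport("ACTOR-C hacktivism against retailers", "ACTOR-C", "hacktivism",
                {"retail"}, {"ExampleShop"}, set(), impact=2),
]

if __name__ == "__main__":
    for item in prioritise(REPORTS, ORG):
        print(item["priority"], item["title"], "->", "; ".join(item["actions"]))
```

With the constructed data the ExampleVPN report ranks first (high impact, technology and sector overlap, and an actively exploited vulnerability, so it is routed to vulnerability management), the ACTOR-B report ranks second purely on prior compromise (routed to threat hunting), and the retail hacktivism report is kept for awareness only. The point is that the reasons and the routing are recorded alongside the score, which is what the cross-functional workflows in the text need in order to triage and feed back.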
Internal data, such as information collected from systems monitoring the organisation’s environment (e.g., SIEM, EDR, DNS, and netflow), is critical to contextualising threat intelligence, supporting the organisation’s SecOps, and building strategic intelligence capabilities to inform other aspects of the organisation, such as future business operations. Intelligence from internal systems, such as events, user behaviours, and scheduled and unscheduled activities, can inform the baseline of expected activities, as well as generally when those activities should occur and from which systems and users. By determining the baseline, organisations can then use threat intelligence, threat hunting, threat detection, auditing, and other processes to identify and evaluate anomalous activity. As these processes mature, organisations can establish playbooks and threat management libraries to document, iterate, and conduct proactive exercises that bring multiple elements of the organisation together to work through realistic threat scenarios and responses. These activities demonstrate that an organisation maintains robust programmes and capabilities for detecting and responding to threat activity within its systems.
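The baseline described above (which users log on to which systems, and when) can be built directly from authentication telemetry and then used to surface deviations for threat hunting and detection. The following is an added example, not from the original article: it reads constructed log lines in a simple key=value format, profiles each user’s hosts and hours of day over a baseline period, and flags new events that fall outside that profile. The log format, user and host names, and timestamps are all constructed for the example; a real deployment would read the same fields from the SIEM or identity provider.

```python
"""Baseline expected activity from internal telemetry and flag deviations.

Added example, not from the original article: it builds a per-user baseline
of "which hosts, at which hours" from historical authentication events, then
evaluates new events against it. Log format, user/host names and timestamps
are constructed for the example; a real deployment would read from the SIEM.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical events (the baseline period).
BASELINE_LOGS = """\
2024-03-04T08:55:12 user=alice host=ws-17 action=logon
2024-03-04T17:40:03 user=alice host=ws-17 action=logon
2024-03-05T09:02:44 user=alice host=ws-17 action=logon
2024-03-05T08:30:00 user=svc-backup host=srv-db-01 action=logon
2024-03-06T02:00:05 user=svc-backup host=srv-db-01 action=logon
2024-03-06T09:14:27 user=bob host=ws-22 action=logon
"""

# Constructed new events to evaluate against the baseline.
NEW_LOGS = """\
2024-03-11T09:05:10 user=alice host=ws-17 action=logon
2024-03-11T03:12:48 user=alice host=srv-db-01 action=logon
2024-03-11T02:00:07 user=svc-backup host=srv-db-01 action=logon
2024-03-11T10:00:00 user=mallory host=ws-22 action=logon
"""


def parse(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime and fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        event[k] = v
    return event


def build_baseline(lines):
    """Per user: the hosts and the hours-of-day seen during the baseline period."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in lines.splitlines():
        e = parse(line)
        baseline[e["user"]]["hosts"].add(e["host"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def near_hour(hour, known_hours, tolerance=1):
    """True if hour is within `tolerance` of any hour previously seen (wraps midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in known_hours)


def find_anomalies(baseline, lines):
    """Return [(line, [reasons])] for events that deviate from the baseline."""
    findings = []
    for line in lines.splitlines():
        e = parse(line)
        reasons = []
        profile = baseline.get(e["user"])   # .get() does not create a default entry
        if profile is None:
            reasons.append("user never seen in baseline period")
        else:
            if e["host"] not in profile["hosts"]:
                reasons.append(f"new host {e['host']} for user")
            if not near_hour(e["ts"].hour, profile["hours"]):
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00 for user")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(line, "->", "; ".join(reasons))
```

On the constructed data, alice’s 03:12 logon to a database server is flagged on two counts (new host, unusual hour), the never-seen account mallory is flagged, and the scheduled 02:00 service-account logon is correctly left alone because it is part of the baseline. The one-hour tolerance and the midnight wrap are the sort of tuning decisions the text’s playbooks should record, since a baseline that is too tight drowns analysts in noise and one that is too loose misses the off-hours access that threat hunting is looking for.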
Developing a threat intelligence function staffed with analysts who have robust expertise in the company’s internal systems and operations can benefit adjacent teams within the organisation as well, such as penetration testing and threat hunting. The threat intelligence function more broadly should be heavily integrated and connected with other internal stakeholder teams to assist in routine and tactical conversations about various security activities. This integration should also extend to more strategic discussions about the broader threat landscape and how that may impact the organisation’s decisions, such as future business, operating locations, third party risk concerns, etc.
Once proficient in internal data and systems, the threat intelligence function can integrate external intelligence and use it to contextualise the organisation’s environment, conveying the most relevant elements and sparking discussions about potential issues and impact. Threat intelligence seeks information and clarity not only on technical security issues, such as threat actors and actively exploited vulnerabilities, but also on geopolitical, technological, and other cross-disciplinary issues that can and do affect the threat landscape and threat actor motivations. As the threat landscape evolves, trends emerge, and rapid shifts are detected within industry, threat intelligence is key to an organisation navigating these developments and prioritising which intelligence needs to be integrated for awareness, actioned in the near term, considered in longer-term initiatives or discussions, or otherwise disregarded. These activities demonstrate that an organisation is using threat intelligence to stay current on evolving threat developments and trends, as well as potential issues on the horizon due to emerging technology, geopolitical tensions, and other factors.
Information overload is challenging organisations’ SecOps and their broader operations and risk management practices. By pairing threat intelligence expertise with threat management strategy and prioritisation, elements within an organisation can work within a common framework not only to prioritise the most important information, but also to proactively seek high-fidelity threat intelligence from numerous sources, such as open source, industry exchanges, and commercial sources and partners. A collection management framework can be applied tactically, such as to alert tuning; operationally, such as by addressing ad hoc needs through external partnerships (e.g., industry and government) for information related to a specific incident; and strategically, such as through recurring briefings on strategic topics to executive leadership or across the organisation’s enterprise intelligence programme.
Threat intelligence is central to understanding the cyber threat landscape and issues impacting your organisation, industry, and operating location. This is especially key before, during, and after cyber incidents.
Before an incident even occurs, threat intelligence contextualises the threat landscape for your organisation so you can focus on cyber threats and issues of priority based on your existing and future operations. Threat intelligence also actively works with other intelligence and analyst teams, both internally and externally, for additional awareness and understanding of adjacent threats and emerging issues.
During an incident, threat intelligence supports your detection and response teams in analysing, triaging, and enriching information to understand and inform next steps. Threat intelligence is also key to providing necessary context and insight, as well as synthesising and communicating intelligence, particularly to decision makers who are being briefed about the incident and the broader threat landscape.
After an incident, threat intelligence works with other security teams and passes key information about the threat to support proactive and defensive efforts. This sharing may extend to other parts of your organisation to raise awareness, as well as externally to threat intelligence exchanges and sharing groups to support the broader community. Threat intelligence integrates lessons learned from the incident and other information shared, and further distributes this to relevant parties in your organisation.
As threat and risk management processes evolve, organisations can continuously improve their programmes by drawing upon lessons learned, from internal and external incidents and perspectives, and integrating threat intelligence. By intentionally flowing threat intelligence expertise and lessons learned into stakeholder operations, organisations can continuously evaluate how:
The dynamic between security enhancements and threat actor responses is shifting, such as threat actor responses to multi-factor authentication implementation within organisations;
Threat actors targeted and/or compromised their environments in the past, and what lessons can be learned and issues can be addressed to mitigate future attempts;
Threat actor social engineering is evolving, such as spoofing and targeting IT staff within organisations;
Internal security processes and training need to be updated based on the latest trends and methods threat actors use to target organisations and compromise networks; and
Technical or strategic issues are impacting other organisations in certain sectors, industries, or geographies, and which may then impact their own needs.
These activities not only demonstrate that an organisation is applying lessons learned from past incidents and threat intelligence to bolster its cyber security defence strategies, but they also promote intelligence cycle practices for continuous improvement across the organisation.
Alongside our intelligence production operations, PwC Threat Intelligence specialises in maturing intelligence programmes and functions for enterprise adoption, often as part of broader security transformation programmes. Our threat intelligence maturity methodology supports our clients in building and maturing their intelligence programmes so they are integrated across a spectrum of business operations while remaining defender-focused. Our differentiator is integrating this approach with our long history of consulting expertise, global acumen in regulatory standards and frameworks, and working closely with clients globally across many sectors and industries. We offer a dynamic approach that builds on extensive experience across our team in network defence, cyber threat intelligence, and cross-disciplinary and diverse intelligence tradecraft for the public and private sectors.
Global Threat Intelligence Lead Partner, PwC United Kingdom