Cyber Threat Intelligence Program
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

Cyber threat intelligence provides visibility into the threat landscape. Threat intelligence should feed implementation of security monitoring (looking forward) and threat hunting (looking backward). Take action against new adversarial tactics to protect assets such as payments, sensitive data and intellectual property.

I. Threat Intelligence Data Sources

Subscribe to cybersecurity advisories and integrate threat intelligence feeds into SIEM security log monitoring at a minimum.
  • Mailing Lists - US-CERT
    - Alerts: Timely information about current security issues, vulnerabilities, and exploits
    - Analysis Reports: In-depth analysis on new or evolving cyber threats
    - Bulletins: Weekly summaries of new vulnerabilities. Patch information is provided when available
    - Tips: Advice about common security issues for the general public
    - Current Activity: Up-to-date information about high-impact types of security activity affecting the community at large
  • Known Exploited Vulnerabilities Catalog - CISA
    - Reducing Significant Risk
    - Catalog
    - Subscribe to Email Updates
  • Vendor Cybersecurity Advisories (e.g. Microsoft)
  • InfraGard (Only available to US citizens)
  • Information Sharing and Analysis Centers (ISACs)
  • Create a Google E-mail Alert (e.g. Compromised OR breached OR hacked)
Consider establishing an e-mail distribution group so each team member receives alerts and advisories. Configure an Outlook rule to save inbound messages to a folder.

II. Intake Process

Receiving advisories is only the first step. Each team member may think someone else is addressing an advisory or alert. Therefore, it is necessary to have an intake process to ensure each message is addressed. Here are options:
  • When an advisory is received, assign a team member to process it
  • Have a periodic meeting to analyze threat intelligence
  • Enter each advisory into a log to ensure it is processed
Determine if the SIEM receives quality cyber threat intelligence feeds. Ask a member of the SOC to screen share which feeds are integrated into the SIEM.

III. Processing an Advisory

Critically evaluate each advisory, considering whether it makes sense to:
  • Implement a hardening security configuration as a preventive control
  • Create a new security monitoring alert
  • Create an analysis report when it is difficult to create an alert with low false positives/negatives
  • Conduct threat hunting activity
Create a help desk ticket to track each new task or work effort to closure. Assign ticket categories to ensure employees and the team receive credit for their work. It's also good to have data when requesting additional headcount and to defend the value-add of the program.

IV. Take action!

Risk exists when controls are not deployed. Stack rank security issues in order of risk priority. Be aggressive when it comes to closing them out. Measure performance of the cyber threat intelligence program with quality assurance and metrics.

If you need cybersecurity program or assessment support, feel free to give me a call.

Click here for more professional development tips