Crafting Your Cyber Threat Intelligence Driven Playbook

Threat Intelligence Playbook

The concept around cyber threat intelligence is that it should be used to drive better security decisions and as a result better outcomes.

Intel provides insights so that decision-makers are well-informed of their risk, relevant impending threats, the potential impact and the best course of action to take to ensure the best cyber defense. There are many different approaches to threat intelligence, from the type (strategic, operational, tactical/technical) to the delivery (feed, software, full-service solution) to the processes and people involved to create and consume the intel.

My last several articles categorized and drilled down into the different areas of threat intelligence, and now I want to shift into more of an outcome-oriented discussion. I say outcome as opposed to action because actions are just work… the real value of good threat intelligence is seen when you can change an outcome for the better. A good way to operationalize your intel is to go through different real-life scenarios and put together playbooks that document how you will manage security challenges based on the intel provided.

Let’s start with an easy example and discuss a security challenge you want to defend against, such as phishing. Intel can show you what the top malware variants are as well as the most common payload delivery mechanisms associated with them. Most phishing attacks have used spear-phishing techniques that deliver a payload exploiting document macros in order to gain unauthorized access or deploy a ransomware variant. Therefore your playbook should reflect (beyond blocking the emails) efforts that halt delivery of the payload, which in this case means stopping the macro from executing.

The desired outcome is to remove the opportunity that you present for these threats to take advantage of – without opportunity there is no threat. In this example there is typically a required “User Interaction Point”, in the form of the user enabling a macro, before the payload can be delivered – by removing that user interaction point you can mitigate the threat. Keeping with this example, your playbook should call a play to halt payload delivery by removing the user’s ability to initiate a macro.

When I use this “macro” example in discussions or presentations, the first thing I ask people is when they last used a macro. Except for a handful of CFOs that I’ve met over the years, the common answer is very rarely, if ever. To be honest, in the 20 years I have been working in the technology field I have yet to use a macro in any shape or form. The point of all this is to highlight that the user impact of removing the ability to kick off a macro is small.

So how do you go about halting payload delivery by disabling a tool that is barely used by your user population? Easy – you push a GPO that has been around for a while. You can refer to this post: For users that have a need to use macros, generate a digital signature for that user base and digitally sign their macros so they are trusted.
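As an added example (not code from the article), the following PowerShell applies and then audits the registry values that the Office macro Group Policy settings write, so the “stop the macro” play can be tested on one machine before it is pushed by GPO. It assumes Office 2016/2019/365 (registry version 16.0) and the three Office apps listed; setting “disable all except digitally signed” keeps the door open for the users whose macros you have signed.

```powershell
# Added example, not from the article: local mirror of the Office macro GPO settings.
# Assumes Office 2016/2019/365 (registry version "16.0"); the HKCU\Software\Policies
# keys below are what the matching Group Policy settings write on a domain-joined host.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings 3 = "Disable all except digitally signed macros". This removes the
        # user's "Enable Content" interaction point while leaving signed macros working
        # for the (CFO-type) user base whose macros you have signed.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
        # Block macros in files carrying the Mark-of-the-Web (downloaded or from email),
        # i.e. the exact delivery channel the phishing intel points at.
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

function Test-MacroPolicy {
    # Returns one object per app so results can be collected fleet-wide as evidence
    # that the play is actually in force (VBAWarnings 4 = disable all, also compliant).
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $p.VBAWarnings
            BlockInternet = $p.BlockContentExecutionFromInternet
            Compliant     = ($p.VBAWarnings -in @(3, 4)) -and
                            ($p.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Set-MacroPolicy
Test-MacroPolicy | Format-Table -AutoSize
```

In production the values are deployed through the GPO itself; the audit function is the part worth keeping, since it gives the playbook a measurable check that the countermeasure is in place.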

If you understand what these threats are exploiting, and know your environment, you should be able to map out the most effective countermeasures. Each organization should look at countermeasures in terms of what is relevant to them. The level of effort and cost to implement as well as the threat impact potential may be different per organization. Mapping this out though can help you prioritize the countermeasures to deploy. In this scenario the play called had a high level of impact to the threat, a low impact to the user, and a low cost to deploy.

Additionally, your playbook should go beyond countermeasures that proactively prevent bad things from happening… it should also include incident and breach response processes, because ultimately you cannot prevent every threat. Having intel play a role in your IR/BR process can help speed the response, improve the effectiveness of that response and also loop back into your countermeasures to help prevent future attacks. Run through the different scenarios and options to consider so that the response is well thought out, agreed upon and carried out as quickly and effectively as possible.

With sound cyber threat intelligence informing these plays in your book, you have practical methodologies to both proactively mitigate and more quickly and effectively respond to specific threats.
