What’s Your Threat Intelligence Strategy?

In my previous SecurityWeek article, we looked at what type of cyber threat intelligence analyst makes sense for your business. Analyst expertise can span a wide range of business, technical and security-related areas and the outputs that analysts provide can vary greatly based on business need.

Aaron Bay, chief analyst at SurfWatch Labs, summed it up: “Being a threat analyst often requires being a chameleon or wearing many hats. You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives.”

Analysts vs. Defenders

One key distinction needs to be made when talking about threat intelligence analysts. They should not be confused with defenders working in the Security Operations Center (SOC). Personnel within the SOC are consumers of tactical intelligence, using that intel to improve their primary goal of network defense. SOC defenders are not intelligence analysts. They are not focused on the intelligence lifecycle, including collection, analysis and delivery.

Threat Intelligence Plan

Intelligence analysts serve multiple purposes and different constituents. One analyst or team of analysts must focus on operations, reporting up to the CISO and translating tactical intelligence up to a more operational level. Another analyst or team must focus on strategy, correlating cyber risks with the impact to business. This group of analysts delivers to senior leaders, the CEO, and the board.

Depending on the type of analysis you want and where your analysts are focused, the first thing you really need to do when it comes to your intelligence operation is to determine your priorities around intelligence.

Establishing Your Threat Intelligence Strategy

I am a practical guy. I like to take best practices, pluck out the good stuff, leave the fluff and theory, and place more effort into making things happen. What is rarely, if ever, touched on is discussion around an organization’s overall threat intelligence strategy. For short let’s just call it “The Plan”.

Whenever I am working with a new customer it is one of the first areas I target. I ask them who the intelligence is for/who will use it, if they have a collection plan, and if they have collection gaps within that plan that they are looking at us to fill… i.e. what finished intelligence product are you looking to produce? Unfortunately, a majority of the time there is no plan, no rhyme or reason – they just want more “insight”.

“The Plan” should have two main components, a collection plan and a management plan.

1. The Collection Plan – This is where “The What” is defined, based on the needs of the decision makers. As mentioned in the past, there are typically three categories of CTI – Tactical, Operational, and Strategic. Each CTI category would have different criteria around collection needs as they have different decision makers consuming the finished intelligence. Items in the Collection Plan should include:

• Requirements:

– Who are the decision makers (anyone who decides a course of action for their area of responsibility)?

– Has the decision makers’ intent been defined?

– What concerns do they have and where is there a lack of insight?

• Priorities/Inventory of Needs:

– Which requirements carry the most weight?

– Which higher-level requirements are dependent on lower-level data collection?

• Sources:

– What are your threat intelligence data sources? Internal? External? OSINT? Dark Web?

– What is the quality of the data? How accurate/reliable is it?

– How relevant is the threat intel data to the decision makers?

2. The Management Plan – Threat intelligence is a continuous lifecycle that requires people, process and technology working together in order for it to run. Intelligence is not just a feed or a tool on its own. Intelligence also is not a project. It is a capability that needs to be run like a program and requires resource management just like any other capability. The Management Plan focuses on “The How” and should consist of:

• Assets/Resources:

– People – Are they “Defenders” or “Analysts”?

– Tools – Raw data vs. evaluated intelligence, collaboration space, knowledge bases, etc.

• Requests/Tasks:

– The process by which decision makers task or make intelligence requests to a functional intelligence team

• Deterrents/Obstacles:

– Is there a capability gap?

– Do you lack visibility into a certain area?

• Feedback Loop:

– Are requirements being satisfied?

– Are finished intelligence products timely, accurate and relevant?

– Are finished intelligence products critical to the decision-making efforts?

The bottom line here is this: “The Plan” should help you define why you are doing what you are doing from an intelligence perspective. You should not be consuming sources of information unless they are supporting a collection requirement and you should not be spending effort on data collection unless there is a requirement from a decision maker.

To sum it all up, threat intelligence is all about reducing uncertainty – moving unknown unknowns up the chain to known knowns. This covers a wide span and as such the intelligence function works at different levels, with different goals and continues to evolve.
