There is substantial room for improvement in the use of cyber threat intelligence (CTI), according to the results of the 2019 SANS Cyber Threat Intelligence Survey. CTI is a resource for network defense at a majority of survey respondents’ organizations, with 72 percent either consuming or producing it. Only 8 percent reported having no plans to begin using intelligence. Top use cases include security operations; detecting threats and attacks; blocking threats; and security awareness. A diversification in use cases for CTI, along with a better understanding of how it is used to improve an organization’s security posture, means that CTI is being more widely utilized by both large and small organizations.
Although more organizations are using CTI, they are not defining requirements for their CTI programs in any organized manner. Just 30 percent have documented their requirements, while 37 percent have ad hoc requirements, leaving 33 percent without defined requirements for their efforts.
“Arguably the most important part of the CTI process is identifying and defining good requirements to guide the entire intelligence life cycle and make the collection, analysis, processing and dissemination of intelligence much more focused,” adds Robert M. Lee, SANS analyst and threat intelligence expert. “Requirements enable organizations to properly operationalize intelligence work. That makes it all the more alarming that so few have invested the time in defining their focus.”
Once the focus of a CTI program is determined in its requirements, it is important to process collected data so that the effort can be put to use. Such processing includes deduplication of data; enrichment of data using public, commercial or internal sources; reverse engineering of malware; and data standardization. Most respondents report that such processing is either manual or semi-automated, although 8–19 percent of respondents report fully automated processes for some of these tasks.
Survey authors Lee and Brown agree that, “For teams to focus on the increasing use cases, organizations will first have to find ways to automate or streamline aspects such as collecting and processing data, which often take up the majority of an analyst’s time.”
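The deduplication, enrichment and standardization steps described above are exactly the kind of processing that lends itself to automation. The following Python script is an added example, not code from SANS or from the survey: it takes a constructed feed of raw indicators from several hypothetical sources, normalizes them into a canonical form (refanging, lower-casing, stripping trailing dots), collapses duplicates across sources, enriches each indicator with simple internal context (private address space and a constructed "own network" range), and emits standardized records. The feed contents, the source names and the INTERNAL_NETS range are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feed: (source, raw indicator) pairs as they might arrive
# from several vendor and internal feeds before any processing.
RAW_FEED = [
    ("vendor-a", "198.51.100.7"),
    ("vendor-b", "198[.]51[.]100[.]7"),      # defanged duplicate of the line above
    ("vendor-a", "EVIL-Example.COM"),
    ("internal", "evil-example.com."),       # same domain, different case, trailing dot
    ("vendor-b", "hxxp://evil-example.com/payload"),
    ("vendor-a", "D41D8CD98F00B204E9800998ECF8427E"),
    ("vendor-b", "d41d8cd98f00b204e9800998ecf8427e"),  # same hash, different case
    ("vendor-c", "10.0.0.5"),                # RFC 1918 space: almost certainly noise
    ("vendor-c", "203.0.113.9"),             # inside our constructed internal range
    ("vendor-c", "not an indicator!!"),      # junk that should be rejected
]

# Assumed "own address space" used for enrichment (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


@dataclass
class Indicator:
    kind: str
    value: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def refang(raw):
    """Undo common defanging conventions so equivalent indicators compare equal."""
    s = raw.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def normalize(raw):
    """Return (kind, canonical_value), or None if raw is not a recognised indicator."""
    s = refang(raw)
    low = s.lower()
    if HASH_RE.match(low):
        return ("hash", low)
    try:
        return ("ip", str(ipaddress.ip_address(s)))
    except ValueError:
        pass
    if low.startswith(("http://", "https://")):
        return ("url", low.rstrip("/"))
    host = low.rstrip(".")
    if DOMAIN_RE.match(host):
        return ("domain", host)
    return None


def enrich(ind):
    """Attach internal context: address-space tags and cross-source corroboration."""
    if ind.kind == "ip":
        ip = ipaddress.ip_address(ind.value)
        if ip.is_private:
            ind.tags.add("private-range")
        if any(ip in net for net in INTERNAL_NETS):
            ind.tags.add("internal-asset")
    if len(ind.sources) > 1:
        ind.tags.add("multi-source")
    return ind


def process(feed):
    """Normalize, deduplicate and enrich a feed; return (indicators, rejected)."""
    seen = {}
    rejected = []
    for source, raw in feed:
        norm = normalize(raw)
        if norm is None:
            rejected.append((source, raw))
            continue
        kind, value = norm
        seen.setdefault((kind, value), Indicator(kind, value)).sources.add(source)
    return [enrich(i) for i in seen.values()], rejected


def to_record(ind):
    """Standardized, serializable representation suitable for a TIP or SIEM import."""
    return {"type": ind.kind, "value": ind.value,
            "sources": sorted(ind.sources), "tags": sorted(ind.tags)}


if __name__ == "__main__":
    indicators, rejected = process(RAW_FEED)
    for ind in indicators:
        print(to_record(ind))
    print("rejected:", rejected)
```

Ten raw lines collapse to six indicators; the private-range and internal-asset tags are the kind of enrichment that lets an analyst triage a feed without reading every entry by hand.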