Implementing a Threat Intelligence Program

Three considerations to ensure success

A February 2024 study on threat intelligence by CyberRisk Alliance explored the challenges and needs organisations are facing when trying to build threat intelligence programs. This study caught my eye as I’ve been speaking recently on the topic and am passionate about ensuring organisations can maximize value from their investments in threat intel and dark web monitoring.   

The study found that “fifty-five percent of respondents said there are plans to build a threat intelligence program in the next 12 months” in their organizations. This statistic is encouraging, but effectively implementing a threat intel program requires a fair amount of resource investment and isn’t as easy as simply purchasing a tool or beginning to collect data. 

I like to consider the threat landscape from a foundational aspect and its application in cybersecurity processes. I think of three areas that must be addressed to leverage threat intel most successfully: customization, integration, and human augmentation. These three reflect the challenges within the sector but also present opportunities for threat intel utilisation to make a tremendous contribution to the security program as a whole.

The need for customisation in threat intel programs

First, just getting started using threat intel to inform proactive and reactive security is a great thing, but you will quickly end up with a mountain of data to process. How do you determine what of that data is actually meaningful to your environment? How do you prioritise what to act on first? Simply put, generic threat intel programs fall short. They do not provide nuanced insights required by organisations with particular risk profiles. 

However the data is collected, what is needed is the ability to tailor the intel to the specific needs, sector, and landscape of each org. For example the healthcare and financial sectors face very different threats. This approach enhances the relevance and actionability of the intel gathered making it much more effective. I would argue that the conversation on threat intel should shift toward how organizations can achieve customization, considering the primary constraints such as budget, expertise, and architecture. 

Dependent on budget, actioning this could be as simple as creating customised dashboards to specifically trained AI models on particular threats. Also, this simply can be the threats you focus on, the right intel feeds, and leveraging the tool that gives you the freedom. 

Integration challenges and opportunities in threat intel programs

I would also argue that threat intel is only as good as its integration into the broader cybersecurity and IT management ecosystem of an organisation. I am not referring only to the API but also to the human aspects of the program. Does the individual or team responsible for threat intel have a seat at the table when major architectural changes are proposed? Do they have a way to inform key executives? Often threat intel programs are treated like an add-on to a security program and the intel is confined to a specific person, team, or even tools. 

The challenge of having the threat intel function siloed is that it fails to influence other security practices, and therefore loses a great amount of potential impact. Opportunities for significant improvement in the value of a threat intel program lie in adopting frameworks and tech that facilitate this integration, ensuring that threat intel feeds directly into decision-making processes, from strategic to operational. 

Achieving integration could be as straightforward as building a cross-functional team that includes the threat analyst and also IT staff, and business leaders — ensuring insights are shared across departments and are influencing all decision levels.

Using a framework, such as MITRE, is another simple way to help with the integration process. Frameworks can provide a common lanuage to help inform the action that needs to be taken or make it clear how the threats relate to the controls already in place.

The importance of humans augmenting threat intel 

When starting or growing a threat intelligence program, identifying how to leverage artificial intelligence (AI) and machine learning (ML) should definitely be a part of the strategy. These are still very much underutilised, and we have a long way to go in seeing their full potential for scaling data processing. 

With that said, we must also ensure that the human role is not neglected. Automated systems are there to process large datasets efficiently, but humans bring the intuition, validation, and ability to connect threats into a narrative that truly adds value to the organization. The necessity of the human role in interpreting and acting on threat intel in the most strategic way cannot be overstated. 

Considerations in building a threat intel program need to balance tools and technology and human expertise, exploring how each complements the other. A platform can consume large datasets and combine data sources and also help with prioritizing and tracking, but expert human insight is still necessary to validate and analyse.

Taking into account these strategic considerations in building a threat intelligence program is certainly not easy, especially when just getting executive buy-in or appropriate resources is already a challenge. However, strategically initiating a program that accounts for organizational context, integration into the larger security program, and balancing technical and human resources will produce results that can help build momentum and, most importantly, much stronger security. 

Learn how PlexTrac can help with data aggregation, contextual scoring, and prioritisation to maximise all of your offensive security efforts, including adding a threat intelligence layer. See PlexTrac Priorities or request a personalised platform demo.

David RushtonPlexTrac Cyber WizardDavid Rushton is a distinguished professional with a rich background in education, which he has seamlessly combined with his passion for cybersecurity. With over five years of dedicated experience in proactive cybersecurity, David has honed his expertise in attack surface management, vulnerability intelligence, threat intelligence, vulnerability management, and penetration testing. Currently thriving as a sales engineer, he is committed to solving customer issues by leveraging his in-depth knowledge and experience. He is adept at identifying the current state of cybersecurity affairs, pinpointing issues, and devising strategic measures to mature proactive security programs. His wealth of experience encompasses consulting roles in both the public sector and private industry, where he has consistently demonstrated his ability to navigate complex cybersecurity landscapes and deliver results that exceed expectations.