Cyber Threat Intelligence (CTI) is often criticised as behaving more like data than intelligence. When applied to cyber-risk management, that allegation isn’t wrong, but it’s ignoring the bigger picture.
Let’s first take a step back. CTI and cyber-risk management have emerged as two separate disciplines. Both have a common end goal, but they use different angles to keep decision-makers informed of a company’s risk exposure. So, they’re ‘in a relationship’, but… it’s complicated.
Drawing Lines Between CTI and Cyber-Risk Management
Cyber-risk is a component of operational risk that focuses on the likelihood and impact of a cyber incident. It’s analysed to improve decisions about policies, safeguards, and controls. These protect the CIA triad (confidentiality, integrity, availability) of the information flowing among organisational assets – and the assets themselves.
An organisation’s CTI team has a slightly different aim: making relevant current and emerging threats visible. The intelligence is supported by various evidence – context, attack mechanisms, indicators linked to a threat actor – which is then analysed for relevance. The curated intelligence is shared with stakeholders who decide how to protect the organisation.
In sum, CTI teams help determine who would most likely attack the organisation and how. The cyber-risk managers decide what controls and procedures to implement for the organisation’s protection.
Bridging the Disciplines for Better Protection
At first glance, it makes sense that CTI could ‘up the ante’ of cyber-risk management. But, in such a collaboration, will CTI act as data or intelligence?
In the eye of the traditional CTI analyst, it’s still intelligence; there’s not a chance in a million years that a raw CTI feed would be provided directly to the cyber-risk management team. That data must be synthesised to make sense and be useful, and the latter group lacks the skills and ability to do that.
One key outcome of synthesising raw CTI data is to learn a threat actor’s tactics, techniques, and procedures (TTPs). For cyber-risk–oriented readers who aren’t aware of TTPs: They collectively refer to the specific methods and strategies threat actors use to infiltrate and compromise an organisation’s software, hardware, computer systems, and networks. A TTP might target software on the operating system of a device, or cloud software, or even the organisation’s email network via a phishing campaign.
When a CTI analyst determines the set of TTPs that could be executed against an organisation’s assets, they translate them into a framework that is understandable to the cyber-risk management team. That team then establishes which assets are exposed to those TTPs and could be exploited in a cyber-attack. Then, typically, the current means of protection are evaluated, and decisions made about any new additions needed to protect the assets. To perform the above steps, a framework such as NIST’s Risk Management Framework or Cybersecurity Framework would help.
With the risk assessment completed, cyber-risk managers can revise risk metrics to help future assessments of any newly implemented controls and policies.
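As an added illustration (not code from the original post), the following script shows the hand-off described above in its simplest form: the CTI team supplies relevant techniques with a likelihood, the cyber-risk team supplies assets with an impact rating and the controls already in place, and a gap analysis ranks the uncovered TTPs. Technique IDs follow MITRE ATT&CK naming, but the likelihoods, assets, impacts and the control-to-technique mapping are all constructed assumptions for the example.

```python
# Added example, not from the original post. All technique descriptions, assets,
# controls and scores are constructed for illustration; the mapping of controls
# to techniques is an assumption, not an authoritative one.

# CTI output: techniques judged relevant, with an assumed likelihood (0-1)
# that the expected threat actor uses them against this organisation.
TTPS = {
    "T1566": ("Phishing", 0.8),
    "T1190": ("Exploit Public-Facing Application", 0.6),
    "T1078": ("Valid Accounts", 0.5),
    "T1486": ("Data Encrypted for Impact", 0.4),
}

# Risk-management input: assets, impact if compromised (1-5), and the
# techniques that could plausibly be executed against each one.
ASSETS = {
    "mail-gateway": (3, {"T1566"}),
    "customer-portal": (5, {"T1190", "T1078", "T1486"}),
    "file-server": (4, {"T1078", "T1486"}),
}

# Controls already in place and the techniques each one mitigates (assumed).
CONTROLS = {
    "mfa": {"T1078"},
    "email-filtering": {"T1566"},
    "offline-backups": {"T1486"},
}

def uncovered_risk(ttps, assets, controls):
    """Return {asset: [(technique_id, risk_score), ...]} for techniques that no
    existing control mitigates; risk = likelihood * impact, highest first."""
    mitigated = set().union(*controls.values())
    report = {}
    for asset, (impact, exposed) in assets.items():
        gaps = [(tid, round(ttps[tid][1] * impact, 2))
                for tid in exposed if tid in ttps and tid not in mitigated]
        report[asset] = sorted(gaps, key=lambda g: g[1], reverse=True)
    return report

def prioritised_gaps(report):
    """Flatten the per-asset report into one list ordered by risk score, so the
    cyber-risk team can decide which control to add first."""
    flat = [(asset, tid, score) for asset, gaps in report.items() for tid, score in gaps]
    return sorted(flat, key=lambda g: g[2], reverse=True)

if __name__ == "__main__":
    for asset, tid, score in prioritised_gaps(uncovered_risk(TTPS, ASSETS, CONTROLS)):
        print(f"{asset}: {tid} ({TTPS[tid][0]}) risk={score}")
```

Running it with the constructed data leaves a single gap (T1190 on the customer portal), which is the kind of result that feeds the revised risk metrics mentioned above.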
Beyond the Data: CTI Completes the Big Picture
Ultimately, both teams need to work together to map TTPs to controls and policies that need revision or implementation. The specific work of each team is too technically advanced for an individual to master both. But the area of potential overlap is clear: CTI can indeed bolster cyber-risk management, by mapping TTPs through a risk-management framework.
So, our cyber-risk–minded colleagues can go on calling CTI ‘data’ if they like. Because it’s the analysts who understand the technicalities required to determine a threat actor’s modus operandi from a raw CTI feed.