Home / Blogs

Six Approaches to Creating an Enterprise Cyber Intelligence Program

According to the Verisign 2014 Cyber Threats and Trends Report, cyber intelligence has matured from an industry buzzword to a formal discipline, which has implications for vendors and security leaders. As few as seven years ago, cyber-threat intelligence was the purview of a small handful of practitioners, limited mostly to only the best-resourced organizations—primarily financial institutions that faced large financial losses due to cyber crime—and defense and intelligence agencies involved in computer network operations. Fast forward to today, and just about every business, large and small, is dependent on the Internet in some way for day-to-day operations, making cyber intelligence a critical component of a successful business plan. That said, there are a wide variety of ways organizations can go about creating a cyber intelligence program.

I have the unique opportunity to speak with clients and partners on this topic from a variety of different industries as a part of my support for Verisign’s Intelligence-Driven Security program. I’d like to share some pragmatic tactical and strategic approaches to sourcing and applying cyber intelligence that I have gleaned through these activities and my own experience. The following is a brief overview of six approaches, along with key considerations that can help organizations of all types create a cyber intelligence program, build and align to a desired strategy, and create frameworks that—if executed properly—can become a defensive force multiplier.

The first two approaches deal with getting back to the basics in determining your program’s desired level of maturity and strategic focus.

1. Level of Maturity: Determining the appropriate level of maturity for your cyber threat operations program is key to supporting your business objectives and organization’s risk tolerance. Understanding your organization’s level of programmatic maturity is also a requirement for defining a fluid strategy that incorporates the tactical operational phases of adversaries.

Key Considerations: One helpful way to determine how capable or mature your threat operations program needs to be is to think about your business in the context of the supply chain and the adversary’s collection requirements. Who is targeting your organization, and what information are they most interested in? Also, think about the maturity of your organization and your resulting strategy in terms of the threat’s operational phases of staging, reconnaissance, attack and exploitation. For example, if the goal is to have a highly mature Cyber Threat Operations Program and counter or detect the threat in each of its operational phases, than your organization capabilities should be composed of multiple disciplines, and your strategy should be multi-faceted to counter or detect the threat early in its operational cycle.

2. Intelligence Requirements: Based on your program maturity model and strategic elements; what are the intelligence requirements you need to fulfill to provide senior leadership and security operations with the proper level of decision support to resource and defend against these threats? I cannot stress how important this step is because these priority intelligence requirements (PIRs) provide what type of information you need to collect, where your gaps are and the talent you need in your program.

Key Considerations: Priority intelligence requirements are in essence a series of questions that allow threat intelligence personnel to focus on what is important to the operator and management. PIRs also help to ensure that resources are focused on mission-critical areas and that the organization is properly aligned to the overall strategy. These intelligence requirements manage the operator’s and management’s expectations about the capabilities of the cyber threat operations program. Finally, whenever possible, your PIRs should be operationalized, continuously providing information that is mapped to affect some type of behavior or enhance a security control; put plainly, the information you provide needs to be actionable.

3. Conducting a Gap Analysis: Establishing a fluid strategy and intelligence requirements naturally leads to conducting a gap analysis on your existing security operations capabilities, threat intelligence talent levels and collection capabilities.

Key Considerations: For example, if your strategy is primarily focused on defending against a threat’s exploitation phase through rapid detection and command-and-control (C2) mitigation, then your gap analysis needs to determine if you have a robust malware and network-monitoring capability to extract new indicators of compromise, create signatures and monitor network traffic for anomalies. If your strategy calls for actor attribution to determine strategic intent and collect tangible indicators that can be fed back into your sensor grid, then you probably need some folks that have linguistic capabilities who can understand the threat’s strategic collection requirements and conduct proactive infrastructure enumeration operations like the example I just gave.

4. Building a Team: Once you understand what your gaps are and what level of maturity your cyber threat operations capability is going to be, then you have to build a team that aligns to your strategy and can execute in answering your priority intelligence requirements. For many companies this is a build-versus-buy decision, or a hybrid approach to either fill an existing gap or complement an existing capability.

Key Considerations: Building a team is the most critical step for helping to ensure a successful program. Whatever decision is made with regard to buy versus build, it is vital to ensure that the team you source to combat these threats has passion for the mission and operates with the utmost professionalism and discretion.

5. Know What You Look Like to the Threat: This point really focuses on understanding what you look like to the various threats you’re likely to encounter from an attacker’s point of view. Traditionally, companies have used penetration testers to do this type of work, and while I think this is a very useful exercise, companies can also take an open-source “red team” approach to understand their threat exposure on the Internet. To make an informed decision about the best approach, companies should ask themselves questions like:

  • How easily can I be targeted via Web 2.0 technologies?
  • How many documents on the Internet contain company email addresses that can be leveraged for socially engineered email attacks?
  • How do my business objectives align to an adversary’s requirements, goals and objectives, and how does this translate to my internal high-value targets?
  • What is my vulnerability exposure? How many unpatched vulnerabilities do I have on my enterprise network and what is their exploitability based on the adversaries I’m likely to encounter?
  • What are the experiences of peer organizations relative to the same (or similar) threat? Using an experienced third-party red team helps with this aspect.

6. Create Business-Focused Metrics and Measure Your Effectiveness: Determine how to measure your effectiveness in defending against a threat, and create metrics that demonstrate value back to the business about items like potential cost avoidance.

Key Considerations: How good is your user awareness training? You may be able to measure this by determining how many targeted socially engineered email attacks are reported by your users. Some organizations measure the time from compromise to detection as a useful metric, while other companies measure their email intelligence operations by how well they successfully quarantine inbound attacks. However, it stands to reason that whatever metrics you decide to capture should map to your overall strategy to demonstrate success to your stakeholders.

Finally, determining the cost of a single compromise to your organization can help you demonstrate a significant and useful cost avoidance dollar figure. This is extremely difficult to do in many cases because it is not always possible to determine the inherent value of say intellectual property. However, it is possible to determine the amount of time it takes for your company to detect, respond to and recover from a compromise. For example, if the cost in labor per attack is $200k, and you are able to proactively mitigate ten attacks in a year, then the value of your threat operations program can quickly be measured in the millions of dollars.

So to sum up:

1. Determine what level of maturity your threat operations capability needs to be and create a strategy that aligns to your business objectives and the threat’s operational phases.

2. Create intelligence requirements that can be operationalized in a manner that maps to security controls and provides the required decision support to help a machine or a person do their job more effectively.

3. Conduct a gap analysis on your existing security operations capabilities, talent levels and collection capabilities.

4. Build a team that understands these threats and is passionate about the mission.

5. Investigate what you look like to the various adversaries you’re likely to encounter. Take an open-source “red team” approach to understand your threat exposure on the Internet.

6. Create solid metrics that support your strategy and demonstrate value back to the business.

Does your organization have a cyber intelligence program?

By Josh Ray, Vice President of Cybersecurity Intelligence at Verisign

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API