Towards a Mature Cyber Threat Intelligence Practice
Bohemia Ballroom
07 Dec 2017 09:30 AM - 10:00 AM (America/Chicago)

Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague (events@oasis-open.org)

Over the past years, the landscape of cyber threats has greatly evolved. To deal with the sophistication and dynamics of present-day cyber attacks, many large organizations (especially those with a heavy dependency on ICT) have fundamentally revised their cyber resilience strategies. Most prominently, it has become common to complement traditional (preventive) security controls with elaborate provisions for security monitoring and incident response. Arguably, the next step in this evolution is to establish Cyber Threat Intelligence (CTI) capabilities. In essence, such capabilities serve to anticipate (imminent or emerging) cyber threats rather than awaiting an actual incident.

Collecting and handling CTI is a relatively new area of work. Correspondingly, practices and solutions in this field are largely in the pioneering stage, and there is no commonly acknowledged understanding of what would constitute a “mature” CTI practice. Traditional CSIRT service descriptions such as CERT/CC’s Handbook for Computer Security Incident Response Teams (2003) do not fully capture the CTI working area, and MITRE’s Ten Strategies of a World-Class Cybersecurity Operations Center (2014), whilst offering a more contemporary perspective that includes a CTI-oriented “Intel and Trending” element, is fairly high level in nature.

In view of the above, TNO and (the CTI and CSIRT teams of) three major Dutch financial institutions jointly developed a CTI Capability Framework that can serve as a foundation for establishing effective CTI provisions. This framework encompasses 12 core capabilities that an organization should have in place to fully exploit the potential of CTI. These capabilities span several categories:

  • CTI-01 CTI Collection
  • CTI-02 Real-Time CTI Processing
  • CTI-03 Periodic CTI processing
  • CTI-04 CTI Dissemination
  • CTI-05 CTI Infrastructure Management

Notably, some capabilities in the framework are operational in nature (e.g. “ingestion of structured CTI” under CTI-01), whereas others serve a strategic or tactical purpose (e.g. “threat landscaping” under CTI-03). CTI Dissemination is a special and sometimes overlooked category that covers such things as CTI community sharing and CTI dashboarding. For each capability, the framework includes conceptual workflows that comprise a viable mixture of automated actions and manual (expert-driven) effort.

This presentation will address:

  • the vision on the CTI playing field that formed the basis for the capability framework
  • the overall structure of the CTI capability framework and the underlying design choices
  • examples of specific capabilities with emphasis on those that might not be immediately obvious.

The presentation will also cover some of the lessons that TNO and the involved financials drew from discussing the “how” of Cyber Threat Intelligence and seeking to apply new insights in their existing CTI operations.

Take-aways for attendees will include:

  • a broad overview of what a mature CTI practice entails, both in daily operations and in terms of mid- and long-term security planning
  • triggers to revisit existing (operational) CTI provisions that are believed to be satisfactory but might in fact not suffice in the long run
  • pointers for defining appropriate requirements when acquiring a cyber threat intelligence platform.

Speaker: Senior Cyber Security Consultant, TNO