Transform Your Cybersecurity Approach: The CTI Revolution Starts Here

This article marks the culmination of our journey to demystify Cyber Threat Intelligence (CTI) and underscore its importance. Over the past eight articles, we've explored key cybersecurity functions through a CTI lens, arguing that an intelligence-driven mindset and strategic vision are essential for every aspect of any cybersecurity program. Despite ongoing cybersecurity efforts, both large and small corporations continue to fall victim to data breaches for various reasons, highlighting the need for a paradigm shift with CTI at the helm.

In this piece, we'll lay the groundwork for positioning your CTI function to guide informed decision-making for key leaders in your organization. Designed for large global corporations with the resources to implement this proposal, this guide draws on my unique insights from the highest levels of government, big business, and countless interactions with the community. It's time to recognize CTI as a business enabler and kickstart the CTI revolution.

Introduction of Teams

The entity responsible for an intelligence-driven mindset and function is the Cyber Intelligence Solutions Group (CISG), led by an Executive SVP/Senior Managing Director who reports directly to the Chief Information Security Officer (CISO) and has the potential to interact with the CEO and Board of Directors (Figure 1).

Figure 1

I know my organizational structure is different from AJ Nash's call for a Chief Intelligence Officer at the helm. I think we'll get there, but my perspective starts one level down to make it more palatable for businesses.

The CISG is composed of one Senior Director, who leads three Directors responsible for the following functions: Cyber Threat Intel Group, Collections Group, and Risk Control Group. Each Director has a senior manager leading the teams under them: Behavioral Analysis Team, Strategic Analysis Team, Threat Hunt, Offensive Security, Awareness and Training, and Vulnerability Management Team.

Lastly, there is a CTI Operations team and an internal Security Engineering team that report directly to the Senior Director (see Figure 2).

Figure 2

Teams, Personnel, and Responsibilities

Executive VP/Senior Managing Director

The ESVP/Senior Managing Director would have daily interactions with the CISO and case-by-case interactions with the CEO/Board of Directors. These interactions would consist of Threat Briefings (think Presidential Daily Brief) that are relevant to the organization. This person would need varied experience in both the private and public sectors, an understanding of the strategic value of Intelligence, and the ability to communicate the value proposition within a business context.

Cyber Threat Intelligence Group (CTIG) Overview

This is your central processing hub of Intelligence for your entire organization. The overall outputs of this team directly feed and help streamline both the Collections Group and the Risk Control Group functions, as well as external teams (i.e., Legal, Risk Management, Infrastructure). As I stated previously, if you are a large global corporation, you need a minimum of 10 people performing this function. The two teams that make up the CTIG would have roughly 5 people per team.

Behavioral Analysis Team Overview

This team, along with the Strategic Analysis Team, develops your organization’s threat model to identify the biggest threats. This will help guide operational and tactical teams to prioritize threats. Without threat modeling, you are essentially doing a lot of work with very little value.

Of note, I’ve seen too many CTI teams develop extremely complicated threat model systems with dozens of weighted variables. I get it, we are trying to limit our biases and let the data identify the biggest threats. However, the weighted variables are still too subjective and create too much complexity. The best threat models in my experience have been simple.

The team will also be responsible for leading and managing the Operationalization of the MITRE ATT&CK Framework. I recently had a conversation with a leader, and they said they have never heard of anyone operationalize this Framework. I successfully operationalized it back in 2019.

Strategic Analysis Team Overview

The Strategic Analysis Team is responsible for monitoring the global cyber threat landscape and distilling that information by working with the Behavioral Analysis Team to identify the top cyber threat actors of concern. It creates and disseminates finished intelligence via a Daily Threat Briefing and "one-pager" style reports for the CISO and the rest of the C-Suite, driving both operational and tactical decision making from the top down.

Key CTIG Responsibilities:

  1. Develop and Deploy Threat Modeling
  2. Engage and actively collaborate with Government, Academia, Think Tanks, and non-government intelligence entities (i.e., ISACs)
  3. Responsible for Operationalization of MITRE ATT&CK Framework
  4. Creating and disseminating strategic intelligence (Geo-political, nation-state cyber actors, cybercriminals) throughout the C-SUITE
  5. Collaborate with Enterprise Risk Management, Legal, Compliance, Overseas Operations, Mergers and Acquisition Teams

Collections Group (CG) Overview

The Collections Group gathers information on the effectiveness of your security function, proactively driven by CTIG outputs. They initiate investigations and test the organization’s people, processes, and technology.

Threat Hunt Team

They investigate suspicious network activity or proactively search based on prioritization from the CTIG. They work closely with Intelligence, Security Engineering, and the Security Operations Center to ensure the network is clean based on available data.

Offensive Security Team

This team’s responsibility centers around Penetration Testing, Red (aka Threat Emulation) and Purple Team functions. The team avoids duplication of effort and silos by integrating these functions under one umbrella. They take inputs from the CTIG to identify potential risks efficiently.

Key CG Responsibilities:

  1. Internal and external network perimeter pentesting
  2. Static Testing /Dynamic Testing for internal and third-party software
  3. Emulate top threat actors to test people, processes, and technology
  4. Conduct Purple team exercises to test alert detections
  5. Proactively hunt for top threat actors within the network
  6. Plays a key role in operationalizing the MITRE ATT&CK Framework

Risk Control Group (RCG) Overview

This group’s responsibilities lie in identifying potential risks and creating a comprehensive mitigation strategy through training, cyber threat landscape awareness, compensating controls and addressing vulnerabilities. They rely on CTIG insights to prioritize threats and associated vulnerabilities.

Cyber Awareness & Training Team

Responsible for building robust cyber awareness and training programs that go beyond traditional phishing tests, using scenario-based virtual training aligned with the latest threat trends.

Vulnerability Management Team

This team identifies and patches vulnerabilities and develops compensating controls for systems that cannot be patched. They use automated tools and CTIG outputs to prioritize the most critical vulnerabilities.

Key RCG Responsibilities:

  1. Prioritize vulnerabilities based on CTIG outputs
  2. Work with asset owners to address prioritized vulnerabilities
  3. Develop compensating controls for sensitive systems
  4. Create and deploy comprehensive cyber awareness and training programs
  5. Include training components on secure coding practices, cyber threat trends, compliance, and regulatory shifts

Additional Teams

Think of both CTI Operations and Security Engineering Teams as the infrastructure for CISG to be running smoothly day in and day out. They would report directly to the Senior Director.

CTI Operations

Responsible for administrative tasks within CISG, including creating templates, aggregating performance metrics, managing vendor communications, and handling training requirements. They ensure the smooth functioning of the CISG by relieving teams of administrative burdens.

Key Responsibilities:

  1. Handle team inquiries and Request for Information management
  2. Manage third-party security tools and renewals
  3. Compile CTIG briefs for executive management and external partners
  4. Develop branding templates for documents and presentations
  5. Manage training budgets and lead tabletop exercises
  6. Design internal training, career progression plans, and mentorship programs.

Security Engineering

This team integrates and maintains the security stack for the CISG, automating tools for offensive security teams and ensuring system functionality. They enable CISG to function seamlessly without relying on core engineering teams.

Key Responsibilities:

  1. Deploy, maintain, and tune security tools for CISG
  2. Create and maintain alert detections based on MITRE ATT&CK Framework
  3. Leverage data and AI to improve operational efficiency
  4. Utilize data/AI scientists to develop internal chatbots for quick information access

Closing thoughts

It would be naïve of me to suggest that building a cultural intelligence-driven mindset and organizational structure, as I just proposed, will happen overnight, if at all. There will be resistance for a complex set of reasons: entrenched processes, a lack of awareness of blind spots, biases and assumptions, a view of CTI as nothing more than a threat-feed function, a belief that CTI is snake oil, and many others. I know this proposal is outside-of-the-box thinking, and it's human nature to resist change and seek comfort in the familiar.

Furthermore, I firmly understand the complexities of large bureaucratic organizations, budget constraints, and personnel and power dynamics. Implementing this proposal won’t be an immediate shift but a strategic journey for those willing. The vision laid out here may not be replicated exactly, but it sets the groundwork for intelligence to play a more pivotal role in your organization.  As I mentioned previously, my guiding philosophy is “Talk Less, Listen More” and I acknowledge that I have blind spots as well and don’t presume to have the answers to our biggest challenges in cybersecurity but it’s about creating a trusting environment where everyone can share their best perspective. Together, we can build a more resilient and adaptive intelligence framework. Join the CTI revolution today—your contribution matters.

#CTIRevolution #CTIBusinessEnabler #ThinkAgain #BlindSpots #IntelligenceDriven #StrategicMindSet

Keyaan Williams

Global Risk Governance Executive | Professional Speaker | Funniest Man in Cybersecurity

5mo

Interesting recommendations, Danny Magallanes. I think CTI is valuable, but there are many other functions in security program management that are valuable as well. Given that organizations of all sizes have limited resources, where would you place this proposed function on the list of priorities for the global security program?

Ben Ouano

Chief Operating Officer - APAC at Resecurity

5mo

Danny, thanks for bringing this front and center.

Richea Perry

InfoSec Risks Assessment Specialist: ISO 27005 ISRM| OCEG-GRCP | Cybersecurity Content Creator (Udemy Courses) | IAM Governance | Podcaster(CyberJA) | Aspiring CISO

5mo

Very helpful! Keep up the good work brother.
