Transform Your Cybersecurity Approach: The CTI Revolution Starts Here
This article marks the culmination of our journey to demystify Cyber Threat Intelligence (CTI) and underscore its importance. Over the past eight articles, we've explored key cybersecurity functions through a CTI lens, arguing that an intelligence-driven mindset and strategic vision are essential for every aspect of any cybersecurity program. Despite ongoing cybersecurity efforts, both large and small corporations continue to fall victim to data breaches for various reasons, highlighting the need for a paradigm shift with CTI at the helm.
In this piece, we'll lay the groundwork for positioning your CTI function to guide informed decision-making for key leaders in your organization. Designed for large global corporations with the resources to implement this proposal, this guide draws on my unique insights from the highest levels of government, big business, and countless interactions with the community. It's time to recognize CTI as a business enabler and kickstart the CTI revolution.
Introduction of Teams
The entity responsible for the intelligence-driven mindset and function is the Cyber Intelligence Solutions Group (CISG), led by an Executive SVP/Senior Managing Director who reports directly to the Chief Information Security Officer (CISO) and has the potential to interact with the CEO and Board of Directors (Figure 1).
I know my organizational structure differs from AJ Nash's call for a Chief Intelligence Officer at the helm. I think we'll get there, but my proposal starts one level down to make it more palatable for businesses.
The CISG is composed of one Senior Director, who leads three Directors responsible for the following functions: the Cyber Threat Intelligence Group, the Collections Group, and the Risk Control Group. Under those Directors, senior managers lead the Behavioral Analysis Team, the Strategic Analysis Team, the Threat Hunt Team, the Offensive Security Team, the Cyber Awareness and Training Team, and the Vulnerability Management Team.
Lastly, a CTI Operations team and an internal Security Engineering team report directly to the Senior Director (see Figure 2).
Teams, Personnel, and Responsibilities
Executive VP/Senior Managing Director
The ESVP/Senior Managing Director would interact daily with the CISO and case by case with the CEO and Board of Directors. These interactions would consist of threat briefings relevant to the organization (think Presidential Daily Brief). This person would need varied experience in both the private and public sectors, understand the strategic value of intelligence, and know how to communicate that value proposition in a business context.
Cyber Threat Intelligence Group (CTIG) Overview
This is the central processing hub of intelligence for your entire organization. Its outputs directly feed and help streamline the Collections Group and the Risk Control Group, but also external teams (e.g., Legal, Risk Management, Infrastructure). As I stated previously, if you are a large global corporation, you need a minimum of 10 people performing this function; the two teams that make up the CTIG would have roughly five people each.
Behavioral Analysis Team Overview
This team, along with the Strategic Analysis Team, develops your organization's threat model to identify the biggest threats. That model guides the operational and tactical teams in prioritizing threats. Without threat modeling, you are essentially doing a lot of work for very little value.
Of note, I've seen too many CTI teams develop extremely complicated threat model systems with dozens of weighted variables. I get it: we are trying to limit our biases and let the data identify the biggest threats. However, the weights themselves are still subjective, and the extra variables add complexity without adding rigor. The best threat models in my experience have been simple.
The team is also responsible for leading and managing the operationalization of the MITRE ATT&CK Framework. I recently had a conversation with a leader who said they had never heard of anyone operationalizing the Framework. I successfully operationalized it back in 2019.
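As an added illustration of the two points above (keep the threat model simple, and make ATT&CK drive prioritization), the following Python is example code written for this page, not the author's 2019 implementation. It ranks ATT&CK techniques by which of the organization's top actors of concern use them, then compares that ranking against the detections the SOC already has to produce a prioritized coverage-gap list the Threat Hunt team can work from. The technique IDs and names are real ATT&CK Enterprise entries; the actors, their technique mappings, the tiers, the weights and the detection inventory are all constructed for the example and are not real intelligence.

```python
"""Added example (not from the article): a deliberately simple threat model
that ranks ATT&CK techniques by the priority of the actors that use them,
then turns detection coverage gaps into a Threat Hunt queue.

Technique IDs/names are real ATT&CK Enterprise entries. The actors, their
technique mappings, tiers, weights and the detection inventory are
constructed for illustration, not real intelligence.
"""
from collections import defaultdict

# Constructed: top actors of concern agreed by the Strategic and Behavioral
# Analysis teams, each with a priority tier (1 = highest) and the techniques
# the analysts attribute to them.
ACTORS = {
    "Actor-A": {"tier": 1, "techniques": ["T1566", "T1059", "T1078", "T1486"]},
    "Actor-B": {"tier": 1, "techniques": ["T1078", "T1021", "T1003"]},
    "Actor-C": {"tier": 2, "techniques": ["T1566", "T1059", "T1003"]},
    "Actor-D": {"tier": 3, "techniques": ["T1021"]},
}

# Real ATT&CK Enterprise technique names, used only for readable output.
TECHNIQUE_NAMES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1486": "Data Encrypted for Impact",
    "T1021": "Remote Services",
    "T1003": "OS Credential Dumping",
}

# Constructed: the SOC's self-assessed detection coverage, as reported by
# Security Engineering. Anything missing here is treated as "none".
DETECTIONS = {
    "T1566": "good",
    "T1059": "partial",
    "T1003": "good",
}

# One weight per tier is the whole model; that simplicity is deliberate.
TIER_WEIGHT = {1: 3, 2: 2, 3: 1}
COVERAGE_SCALE = {"none": 0, "partial": 1, "good": 2}


def rank_techniques(actors=ACTORS):
    """Score each technique by summing the tier weight of every actor that
    uses it, highest first. Ties are broken by technique ID so the ranking
    is stable from one briefing to the next."""
    scores = defaultdict(int)
    for actor in actors.values():
        for tech in actor["techniques"]:
            scores[tech] += TIER_WEIGHT[actor["tier"]]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(ranking, detections=DETECTIONS):
    """Keep only techniques whose coverage is below 'good', preserving the
    threat-score order: that is the Threat Hunt queue."""
    gaps = []
    for tech, score in ranking:
        level = detections.get(tech, "none")
        if COVERAGE_SCALE[level] < COVERAGE_SCALE["good"]:
            gaps.append((tech, score, level))
    return gaps


def hunt_queue(actors=ACTORS, detections=DETECTIONS):
    """Convenience wrapper: threat model in, prioritized hunt list out."""
    return coverage_gaps(rank_techniques(actors), detections)


if __name__ == "__main__":
    for tech, score, cov in hunt_queue():
        print(f"{tech} {TECHNIQUE_NAMES[tech]:<36} score={score} coverage={cov}")
```

With the constructed data, T1078 (Valid Accounts) tops the hunt queue because both tier-1 actors use it and there is no detection for it, while T1566 (Phishing) drops out of the queue despite its high score because coverage is already good. Swapping in your own actor list, tiers and detection inventory is the only change needed to run this against a real program.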
Strategic Analysis Team Overview
The Strategic Analysis Team is responsible for monitoring the global cyber threat landscape and distilling that information, working with the Behavioral Analysis Team to identify the top cyber threat actors of concern. It creates and disseminates finished intelligence via the daily threat briefing and "one-pager" style reports for the CISO and the rest of the C-Suite, driving both operational and tactical decision-making from the top down.
Key CTIG Responsibilities:
Collections Group (CG) Overview
The Collections Group gathers information on the effectiveness of your security function, proactively driven by CTIG outputs. Its teams initiate investigations and test the organization's people, processes, and technology.
Threat Hunt Team
The Threat Hunt Team investigates suspicious network activity and proactively searches for threats based on prioritization from the CTIG. It works closely with Intelligence, Security Engineering, and the Security Operations Center to confirm, as far as the available data allows, that the network is clean.
Offensive Security Team
This team's responsibility centers on Penetration Testing, Red Team (aka Threat Emulation), and Purple Team functions. Integrating these functions under one umbrella avoids duplication of effort and silos. The team takes inputs from the CTIG to identify potential risks efficiently.
Key CG Responsibilities:
Risk Control Group (RCG) Overview
This group's responsibilities lie in identifying potential risks and creating a comprehensive mitigation strategy through training, cyber threat landscape awareness, compensating controls, and addressing vulnerabilities. It relies on CTIG insights to prioritize threats and their associated vulnerabilities.
Cyber Awareness & Training Team
Responsible for building robust cyber awareness and training programs that go beyond traditional phishing tests, using scenario-based virtual training aligned with the latest threat trends.
Vulnerability Management Team
This team identifies and patches vulnerabilities and develops compensating controls for systems that cannot be patched. It uses automated tools together with CTIG input to prioritize the most critical vulnerabilities.
Key RCG Responsibilities:
Additional Teams
Think of the CTI Operations and Security Engineering teams as the infrastructure that keeps the CISG running smoothly day in and day out. Both report directly to the Senior Director.
CTI Operations
Responsible for administrative tasks within the CISG, including creating templates, aggregating performance metrics, managing vendor communications, and handling training requirements. The team keeps the CISG functioning smoothly by relieving the other teams of administrative burdens.
Key Responsibilities:
Security Engineering
This team integrates and maintains the security stack for the CISG, automates tooling for the offensive security teams, and keeps those systems functional. It lets the CISG operate without depending on the core engineering teams.
Key Responsibilities:
Closing thoughts
It would be naïve of me to suggest that building an intelligence-driven culture and the organizational structure I just proposed will happen overnight, if at all. There will be resistance for a complex set of reasons: entrenched processes, blind spots, biases and assumptions people are not cognizant of, the view of CTI as nothing more than a threat-feed function, the belief that CTI is snake oil, and many others. I know this proposal is outside-the-box thinking, and it is human nature to resist change and seek comfort in the familiar.
Furthermore, I firmly understand the complexities of large bureaucratic organizations, budget constraints, and personnel and power dynamics. Implementing this proposal won't be an immediate shift but a strategic journey for those willing to take it. The vision laid out here may not be replicated exactly, but it sets the groundwork for intelligence to play a more pivotal role in your organization. As I mentioned previously, my guiding philosophy is "Talk Less, Listen More." I acknowledge that I have blind spots as well and don't presume to have the answers to our biggest challenges in cybersecurity; it's about creating a trusting environment where everyone can share their best perspective. Together, we can build a more resilient and adaptive intelligence framework. Join the CTI revolution today. Your contribution matters.
#CTIRevolution #CTIBusinessEnabler #ThinkAgain #BlindSpots #IntelligenceDriven #StrategicMindSet
Global Risk Governance Executive | Professional Speaker | Funniest Man in Cybersecurity
5mo
Interesting recommendations, Danny Magallanes. I think CTI is valuable, but there are many other functions in security program management that are valuable as well. Given that organizations of all sizes have limited resources, where would you place this proposed function on the list of priorities for the global security program?
Chief Operating Officer - APAC at Resecurity
5mo
Danny, thanks for bringing this front and center.
InfoSec Risks Assessment Specialist: ISO 27005 ISRM | OCEG-GRCP | Cybersecurity Content Creator (Udemy Courses) | IAM Governance | Podcaster (CyberJA) | Aspiring CISO
5mo
Very helpful! Keep up the good work, brother.