Research Objectives
Cyber-threat intelligence (CTI) is analyzed information about cyber-threats that helps inform security decision making. Although security professionals recognize the value of cyber-threat intelligence, many organizations still consume it on a superficial basis. Rather than collect, process, analyze, and disseminate cyber-threat intelligence to internal stakeholders, they simply look to cyber-threat intelligence for indicators of compromise (IoCs) such as malicious IP addresses, web domains, and files that can be blocked by firewalls, email gateways, and endpoint security tools. Unfortunately, an IoC-based approach to CTI is extremely limited, as adversaries can easily change IoCs and thereby circumvent security controls, signatures, and blocking rules. Recognizing these limitations, most organizations have established CTI teams to gain a better understanding of the cyber-threats, adversaries, and attacks with the potential to disrupt business operations or steal sensitive data. This is the right decision, but establishing a productive CTI program isn’t easy. CTI program success depends upon a lifecycle approach spanning five phases:
1. Planning and direction.
2. CTI collection.
3. Processing.
4. Analysis and production.
5. Dissemination and feedback.
Mature CTI programs formalize this lifecycle approach, gain a thorough understanding of adversary behavior, and respond with appropriate countermeasures. Immature CTI programs are fraught with waste, overhead, and constant questioning of program results and value. Are organizations establishing mature CTI programs? What are the key success factors? To gain insight into these trends, TechTarget’s Enterprise Strategy Group surveyed 380 cybersecurity professionals at organizations in North America (US and Canada) with knowledge of and participation in their organization’s CTI programs.