September 30, 2021 by Cybersixgill

How to Implement an Effective Threat Intelligence Program

About 178,000,000 results. That’s what you get when you Google “How to implement an effective threat intelligence program”. And all those whitepapers, thought leadership longforms, articles, listicles and blog posts are there for a reason - creating and implementing an effective threat intelligence program is one of the key challenges that keep CISOs’ cortisol blood levels really high.

In fact, the internet is swamped in so much content regarding this subject that it is extremely hard to separate the wheat from the chaff. So instead of “X tips to implementing an effective threat intelligence program”, I’d like to propose a different way of looking at threat intelligence, risk, and the steps needed towards a great program.

It takes knowledge, awareness, and time

Implementing and maintaining an effective TI program won’t happen overnight: It takes careful planning and preparation as well as significant investment and support from executive leadership in order for it to be truly effective in the long run. By being aware of the key pitfalls and embracing best practices, organizations can maximize their success in achieving not only their cybersecurity goals, but also their business objectives.

The risk of not doing it is greater

Here are some of the common challenges organizations are facing today:

Cybercrime will continue to increase in sophistication, volume, AND impact

Threats are a critical national security problem for EVERY country

Our rapidly growing digital footprint means greater attack surface, hence greater risk

There’s a global workforce gap - not enough working hands (or brains for that matter)

SOC is overwhelmed, especially with alert fatigue due to an overwhelming amount of data

So, cyber risk is growing bigger and faster than us humans can manually handle. The time required to reduce risk is more critical than ever. Recently, Cybersixgill held Re:con21 – an invite-only, half-day virtual event bringing together a group of experts and thought leaders in the fields of cybersecurity and cyber threat intelligence. Conversations were flowing, information was flowing, and so were the insights. Here are 5 key recommendations on how to implement an effective TI program - brought to you by some of the top-dogs of cybersecurity:


Know what you need it for

A gaming company faces different challenges than a telecommunication company. The former might be struggling with piracy, cheating, cracking, DDoS and more, while the latter can potentially face privacy attacks, leaked credentials, insider threats, and ransomware. Every industry is different, every company is different. First understand what lies on the deep and dark web and how it might impact your organization. Then prioritize your specific use cases and use them as a guide, but account for change over time.


Context is king

“I'm sorry” and “my bad” can mean the same thing - unless you're at a funeral. This is by far the best (and funniest) example that illustrates the importance of context. Select vendors and/or solutions that can contextualize threat intelligence for your specific business priorities. This will make your vendor qualification process infinitely easier, faster, and more effective.


Check your totem

Even though you’re (probably) not in Christopher Nolan’s movie masterpiece “Inception”, always take a reality check. Avoid pseudo-scientific promises, stay away from buzzwords. Ask yourself if or how the solution/vendor/process answers your use-cases and priorities. If you can’t explain this to yourself - walk away and start fresh. A CTI program must be authoritative, actionable, and applicable.


Never send a human to do a computer’s job - and vice versa

Automate what can be automated, free your people to focus on what’s not. An automation-centric approach to security can liberate a human’s time to focus on the important stuff. This includes, but is not limited to, playbooks in Security Analytics, SIEM, SOAR, and TIPs. It’s especially true in intelligence collection and vulnerability assessment.


The power of tiny gains

“Aggregation of marginal gains” is a concept that enabled its creator, cycling coach Dave Brailsford, to lead the British cycling team to 10 gold medals at the 2008 Beijing Olympics after a long past of shockingly underwhelming performance. Brailsford believed that by focusing on a 1% margin for improvement in every aspect of cycling, the team could achieve greatness. He and his team focused on improving every aspect of performance - and these aggregations totaled 10 gold medals.


This story is depicted in detail in the book “Atomic Habits” by James Clear (if you haven’t read it, you definitely should). Being more effective is a process and not a destination. Or as best said by Depeche Mode in the iconic 1983 song - “everything counts in large amounts”.

So to recap, know what you’re using TI for and why, seek context, stay true to your priorities, and leverage automation as much as you can. And the most important thing - keep getting better even if by a small margin. Outperforming ourselves is a journey worth taking, and so is creating an effective threat intelligence program - only to perfect it even more over time.

For valuable insights from cybersecurity and threat intelligence professionals who participated in Re:con21, The Future of Cyber Threat Intelligence, get the full report, Building the System of Tomorrow - and, of course, reach out if you're interested in attending Re:con 22 next year.
