CTIM Assessment Report for Maturity Assessment
Understanding your CTI Maturity based on the CTI Maturity model

Created on: February-11, 2021

Assessment identification number: This number is required to link the assessment with peer groups, lets people search for the assessment on the platform, and allows us to better support you. The ID for this assessment is: EXAMPLE AD-HOC.


Please note that you have the option to claim your results at the end of this report



1. Introduction

Cyber threat intelligence capabilities offer important benefits to the security posture of your organization. Building such a new functionality from scratch, however, is a challenging task. Existing CTI programs provide full value only if necessary prerequisites are met, the right activities are conducted, and information is integrated into the right places. Based on your submission, this report gives you insight into the state of your CTI program according to the CTI Maturity Model (CTIM), presents the maturity rating of your organization, and includes a set of recommendations. This section briefly discusses CTI maturity to place your results in context, before continuing with your assessment summary, breakdown of the results, and the roadmap to CTI maturity. For more information on the assessment methodology, please see our documentation.

1.1 Mature Cyber Threat Intelligence

For CTI to be effective, it needs to be embedded and tightly integrated throughout the organization. On the one hand, cyber threat intelligence requires direction, knowledge and engagement from the organization. Without input from stakeholders on their assets and concrete information requirements, it is not possible to collect cyber threat intelligence that is relevant and fits the needs of the organization. For example, if the people who create CTI do not know what kinds of systems, software and infrastructure are running, they cannot be on the watch for potential threats targeting these resources.

On the other hand, threat intelligence is only effective if it is absorbed by the organization and is integrated into the right places. For instance, when the group has received intelligence on how a threat actor has been able to compromise other companies in your sector through some new type of spear-phishing attack, this information has to be put into practice to be useful, such as being loaded into intrusion detection systems and disseminated as an alert message or awareness training to your staff.

Cyber Threat Intelligence within organisations.

Organizations that have a mature cyber threat intelligence capability have established this mutual support and put business processes in place that generate high-quality threat intelligence, integrate it, and support the CTI activities at essential points across the organization.

1.2 Components of CTI Maturity

Through observation of successful CTI programs, expert interviews and field research, we identified 5 domains and 12 different themes we call focus areas that are important to a successful CTI program. These together form the top layer of the CTI Maturity Model (CTIM). We will now briefly explore the 5 domains. Descriptions for the focus areas are provided as part of the breakdown analysis in section 3.

CTIM: A novel CTI maturity model.

CTI within the organization

Governance provides the organisational leadership for the consumption and production of CTI. The business objective, critical assets, and stakeholders interact with the team responsible for CTI, and make requests for intelligence products that help them in their decision making. In the CTIM model, we thus assess how management and stakeholders provide direction and utilize the CTI results.

People are at the heart of every organisation. For a CTI program to be successful, an organization needs to bring together people with many different types of expertise and specializations. The model looks in terms of People at the resources made available to CTI, the internal development of skills required for CTI, and how functions essential for CTI are located and defined throughout the organization.

Technology supports and realizes an organization's critical business functions. These assets, ranging from computers to network infrastructure, are also the target or means of attack for cyber threats. For CTI to be successful, it is vital that the organization understands its security controls, provides means for threat intelligence to be used to improve its defences, and has insight into its technical assets. In the survey, the CTIM model measures this integration for successful utilization of CTI.

Generation and Integration of CTI

Intelligence is a process, a product and a business function. Within the two domains Intelligence Generation and Intelligence Integration we assess the activities that are necessary to produce threat intelligence that is of high quality, actionable and timely, and investigate whether the created intelligence products fully meet the requirements of the stakeholders.

For successful Intelligence Generation, the organization needs to identify and collect the right type of data best suited to answer its intelligence needs. Data also needs to be validated and contextualized to become useful for decision-makers, and repeated investigations should create a body of knowledge in terms of tradecraft and intelligence results to not look at individual pieces of data, but put information into context and arrive at a long-term global view of the threat landscape it faces.

The successful absorption of threat intelligence throughout the organization is first an issue of creating interest by stakeholders but it also requires technical, legal, and procedural groundwork. Intelligence Integration assesses the maturity of the organization from this perspective and investigates whether feedback loops exist to continuously improve the CTI program and meet its objectives.



2. Assessment Summary

Based on your submission, we have performed a CTI maturity evaluation; this section provides an overview of the results of your assessment. The highest-ranking domain is People, operating at maturity level 2. The lowest-ranking domain(s) are Technology and Generation, having met all requirements associated with level 0. Overall progress towards completing all maturity components is made at 80.3%. The figure below provides a summary of the results, representing the progress made towards completing a maturity level in each domain. A further breakdown per domain is provided in section 3.



[Figure: progress towards maturity Levels 1 to 5 for the domains Governance, People, Technology, Intelligence Generation, and Intelligence Integration]

Based on these results we score the overall CTI Maturity rating at level 0, which corresponds to the level where all the requirements are met for individual domains. Progress towards maturity level 1, the next maturity stage, is at 83.3%. We further explore your current maturity rating and provide a direction for further growth in Section 4.



3. Breakdown and Recommendations

Completing a specific maturity level relates to accomplishing a certain number of activities within each of the domains. The number of required activities differs for each domain and maturity level. A capability level describes the progress made towards completing all the activities within a domain or focus area. This section provides a breakdown of your assessment results represented as a capability level, revealing the progress you have made in each domain towards every maturity level.

The section is structured based on the domains in the CTI Maturity model. Every subsection concentrates on one domain and corresponding focus areas. This report displays the progress made towards a specific maturity level for every domain and focus area. Furthermore, a description of organisations operating at the completed level is provided, followed by recommendations on how to improve your current rating and move to the next level.

3.1 Governance

Governance provides the organizational drivers for the consumption and production of Cyber Threat Intelligence. These drivers are created through the identification of the crown jewels of the organization and are essential to a successful operation. Stakeholders identified through these crown jewels are responsible for interacting with the CTI group and for using cyber threat intelligence products. The aforementioned processes play an essential role in the integration of CTI within organizations. Your Governance maturity rating is evaluated to level: 1, with an overall progression of 77%, as can be observed below.


[Figure: Governance progress towards maturity Levels 1 to 5]

Governance consists of two focus areas, namely 1) Critical Business Functions and 2) Stakeholders. This section will now investigate how the results for Governance break down to each of the focus areas and provide recommendations towards improving them.

3.1.1 Critical Business Functions

Critical business functions are the elements that are essential for successful continuous operation of an organisation. Having clear insight into these functions enables the organisation to make targeted intelligence requests. These requests are used by the CTI group to create intelligence products, providing the organisation with a course of action that it can use to ensure its critical functions remain secure against cyber threats. You achieved a maturity rating of level 1, with an overall progress towards maturing your critical business processes of 81%. A breakdown of these results per maturity level is provided next.


[Figure: Critical Business Functions progress towards maturity Levels 1 to 5]

Organizations operating at level 1 have taken the first steps towards identifying their cyber risks. They began to explore how cyber risks are related to the organization and its business processes. Value is derived as the organization moves away from ad-hoc decision making in the cyber domain, towards security controls designed to reduce the cyber risks faced by the organization.

Recommendations: Determining the main cyber risks to the organisation requires identification of their critical business functions, critical assets, and the dependencies between them. Determining the impact that cyber threats will have on business continuity is impossible without such insights. This knowledge drives cyber threat intelligence and supports the creation of intelligence products relevant to the reduction of the cyber risk to the organisation. After identification of their cyber risks, organisations perform analysis to obtain further understanding of their risk profile. These organisations are specifically interested in understanding the consequences if these risks were to materialize, what the main factors are, and to create an estimation of the actual risk posed to the organisation. These results are used when selecting appropriate countermeasures and risk mitigation strategies. This information helps prioritize generation of threat intelligence to the most critical risks.

3.1.2 Stakeholders

Stakeholders are those people and groups within an organization for which cyber threat intelligence is expected to provide value. Stakeholders use intelligence products to improve the security function of critical assets and business functions within their control. By interacting with the CTI group, stakeholders ensure the best possible intelligence products are created. You achieved a maturity rating of level 1, with an overall progress towards maturing your Stakeholders of 75%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Stakeholders progress towards maturity Levels 1 to 5]

Intelligence creation is a process that is driven by requests; without a need for intelligence, consumption of the final product is unlikely and the value added remains minimal. Organizations operating at maturity level 1 have started to drive their intelligence production based on requests from stakeholders (which could be the Intelligence group itself).

Recommendations: Intelligence products need to be aligned with the needs and absorption capabilities of the stakeholders. Understanding the context and operational requirements of stakeholders allows the CTI group to tailor their intelligence products for the intended audience. To build this understanding we recommend collecting stakeholder information, such as their absorption capabilities and operational context, and identifying their expectations. Intelligence products need to be consumed by stakeholders to provide a benefit for the organisation. When stakeholders are aware of the cyber threats to their assets, and the impact of these threats on their operations, they are more likely to use intelligence products and develop product ownership. We recommend building risk awareness regarding threats to stakeholders' assets, and aligning expectations through sharing of stakeholder needs and their operational context. This will ensure that intelligence products help stakeholders reduce the risk of cyber threats to their business functions and assets.

3.2 People

At the heart of every organization, you will find people, and cyber threat intelligence especially requires human expertise. Inspiring people to be their best natural selves, supporting their personal development to remain functional at the cutting edge, and providing security awareness for non-security personnel are essential aspects for CTI to be successful within the organization. To provide clarity for CTI talent, the objectives for the CTI group are determined and mapped into responsibilities for specific roles, which are then assigned to individuals. Finally, talents are empowered in their roles by providing them with tradecraft training and development. Your People maturity rating is evaluated to level: 1, with an overall progression of 77%, as can be observed below.


[Figure: People progress towards maturity Levels 1 to 5]

People consists of two focus areas, namely 1) Talent Management and 2) Training and Development. This section will now investigate how the results for People break down to each of the focus areas and provide recommendations towards improving them.

3.2.1 Talent Management

People need to know their roles and responsibilities within the organisation, and how these are connected to the objectives of the CTI group and the vision of the organization. For the CTI program to successfully meet its objectives, ample people are required with the ability to fulfil these responsibilities. Talent management considers both the distribution of roles and the sourcing of talent. Furthermore, talent management ensures the availability and readiness of CTI personnel by taking into consideration people both inside and outside the organization. You achieved a maturity rating of level 2, with an overall progress towards maturing your Talent Management of 92%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Talent Management progress towards maturity Levels 1 to 5]

Operating at maturity level 2 there is a defined chain of reporting and risk responsibility regarding intelligence reports and briefings. The core responsibilities of the CTI group towards the organization have been established and are agreed upon by all parties. CTI group responsibilities have been decomposed towards specific talent responsibilities ensuring the defined CTI roles can meet the agreed CTI group objectives.

Recommendations: Skilled people are essential for the creation of cyber threat intelligence. To guide them in their tasks, they are assigned roles defining their work, which also informs the organization who is responsible for what. To further facilitate this we recommend that the position of the CTI group within the organizational structure is clearly defined by the organisation. Some prefer to locate CTI within their Security Operations Centers, while others have a specific intelligence department, of which cyber threat intelligence is a component. Having a clear position within the organisation makes the chain of command clear, helping the organisation with actively defining and driving CTI. CTI stakeholders rely on intelligence products during their decision making, thus reliability of the CTI group is paramount. To build a stable CTI environment we recommend that the CTI group implements processes that assess the workload of CTI talent, actively retains CTI employees, evaluates the available skills and capabilities within the group, and maintains a pool listing internal and external talent sources. A metric for success is demonstrated by the CTI group being able to successfully handle work surges.

3.2.2 Training and Development

Cyber threats are continuously evolving, along with our understanding of these threats and solutions to reduce the risk of cyber incidents. Effective cyber threat intelligence requires people that continually develop themselves. Strong education and development programs ensure that required knowledge is available within the organization and encourage continuous training opportunities. Security awareness programs assure that everyone within the organization has a basic understanding of security, how it directly affects them, and what they can do to contribute towards a more resilient environment. You achieved a maturity rating of level 2, with an overall progress towards maturing your Training and Development of 76%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Training and Development progress towards maturity Levels 1 to 5]

At maturity level 2, organizations continue to build their cybersecurity awareness program, motivating employees to report anomalies to the CTI group. Stakeholders have access to material that introduces them to Cyber Threat Intelligence, the CTI group, and why this matters to them. Such educational material explains how to request intelligence from the CTI group, and how to use intelligence products. The stakeholder training material is easily accessible and provided by the CTI group when an interaction between parties starts. The training program available to CTI talent continues to expand.

Recommendations: Effective cyber threat intelligence requires that stakeholders and employees are aware of cybersecurity concerns and the return on investment that CTI provides them. We recommend that there is an organisational mandate specifying that employees are expected to follow security awareness training. Security-aware employees make better use of intelligence products, and help the intelligence process by reporting anomalies. Furthermore, we recommend you further extend your training program to develop CTI talent. INSA, for example, provides information on the development of CTI talent in their Cyber Intelligence whitepaper: https://www.insaonline.org/cyber-intelligence-preparing-todays-talents-for-tomorrows-threats/.

3.3 Technology

To support the organisation, a wide range of technologies is available, for example, computers, software, or various networked infrastructures. These technologies run the risk of being targeted by cyber actors with nefarious goals, thus posing a cyber threat to the organization. It is vital that the organisation understands its security controls, provides the means necessary for threat intelligence to improve existing controls, and gives insight into all its technological assets. This enables the CTI group to provide actionable intelligence that is tailored to the organization, stakeholder, and their unique situation, giving specific advice on how to reduce cyber risk exposure. Your Technology maturity rating is evaluated to level: 0, with an overall progression of 78%, as can be observed below.


[Figure: Technology progress towards maturity Levels 1 to 5]

Technology consists of two focus areas, namely 1) Secure Infrastructure Design and 2) Vulnerability Management. This section will now investigate how the results for Technology break down to each of the focus areas and provide recommendations towards improving them.

3.3.1 Secure Infrastructure Design

Cyber resilience of an organization is accomplished through secure infrastructure design by the application of security controls. Securing an organization against cyber threats requires a range of adaptive security controls. Adaptive controls create a tight web that makes it increasingly difficult, and thus expensive, for threat actors to achieve their goals against the organization. Resilient security programs leverage cyber threat intelligence to their advantage by amplifying the effectiveness of implemented security controls. You achieved a maturity rating of level 0, with an overall progress towards maturing a Secure Infrastructure Design of 70%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Secure Infrastructure Design progress towards maturity Levels 1 to 5]

Recommendations: A certain level of secure infrastructure is required for cyber threat intelligence to add value. We recommend that you focus on adding network segmentation and monitoring solutions to your infrastructure. Base your network design on best practices, and incorporate the information security requirements of your data and assets. Build CTI into your design by having your infrastructure provide intelligence insights and be capable of absorbing intelligence products.

3.3.2 Vulnerability Management

Organizations resilient to cyber threats know which assets are operating within their environment, which assets they expect to be present, and the state in which they operate. The CTI group relies on this knowledge to gain a greater understanding of organizational and stakeholder needs. This understanding helps them to create valuable cyber threat intelligence for their stakeholders. Furthermore, knowing which assets are active within the organization's environment drives the discovery of vulnerabilities and the weighing of solutions for their mitigation. You achieved a maturity rating of level 0, with an overall progress towards maturing your Vulnerability Management of 90%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Vulnerability Management progress towards maturity Levels 1 to 5]

Recommendations: Cyber threat intelligence requires strong asset management for the creation of meaningful intelligence products. Inaccurate data will adversely affect intelligence products and cyber risk evaluation. We recommend that you maintain an inventory of hardware assets present within your organization, along with their strategies for disposal. This information should be openly shared with the CTI group. Furthermore, we recommend the use of advisories and vendor reports for the discovery of vulnerabilities within your assets.

3.4 Intelligence Generation

Intelligence is both a process and a product. To create intelligence, data and information are analyzed with the objective of answering a specific request. By placing the analysis results into context to fit the need of the stakeholder, and including a course of action, intelligence is created. The creation of intelligence is a multi-process operation, requiring data collection, intelligence analysis, understanding of the stakeholders, and a body of knowledge from which information on, for example, historic events or previous intelligence products, can be drawn. Your Intelligence Generation maturity rating is evaluated to level: 0, with an overall progression of 82%, as can be observed below.


[Figure: Intelligence Generation progress towards maturity Levels 1 to 5]

Intelligence Generation consists of three focus areas, namely 1) Collection and Exploitation, 2) Interpretation and Contextualisation, and 3) Body of Knowledge. This section will now investigate how the results for Intelligence Generation break down to each of the focus areas and provide recommendations towards improving them.

3.4.1 Collection and Exploitation

Intelligence generation relies on the consumption of information and data collected from a set of sources. The selection of the sources happens through a set of requirements based on intelligence requirements and performance metrics. Collected information and data need processing and evaluation, to ensure reliability, believability, and consistency, before becoming useful to the analysis process. You achieved a maturity rating of level 0, with an overall progress towards maturing your Collection and Exploitation of 80%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Collection and Exploitation progress towards maturity Levels 1 to 5]

Recommendations: Excellent cyber threat intelligence products require effective and accurate data collection. We recommend that you begin by identifying the sources which will help you answer particular intelligence requirements. Ensure that the format in which information and data are collected is supported by later stages in the intelligence generation process.

3.4.2 Interpretation and Contextualization

Fusing the collected data with observations, experience, and situational awareness is the first step in the analysis process. Customizing the processed information to meet the intelligence requirements and stakeholder needs will provide an organization with intelligence products. Collecting feedback from stakeholders then ensures the intended intelligence product is indeed delivered. You achieved a maturity rating of level 1, with an overall progress towards maturing your Interpretation and Contextualization of 80%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Interpretation and Contextualization progress towards maturity Levels 1 to 5]

Organizations scoring a maturity level 1 on interpretation and contextualization develop their intelligence analysis processes by driving their investigations through intelligence requirements and limiting their analysis scope by determining what should and shouldn't be investigated.

Recommendations: Successful CTI generation requires direction and clarity. We recommend that you limit intelligence processes by specifying what should and what should not be investigated, and by breaking up intelligence requirements into specific intelligence requests. The CTI group obtains their intelligence requirements either from stakeholders or by performing a critical gap analysis on existing requirements. We recommend that the analysis process is started by taking into consideration the analytical challenge to ensure that the findings will meet the intelligence goal. This can be done by selecting a specific path to a solution and using indicators for your validation. For your analysis, select from the available objective and subjective methods and align with your intelligence requirement.

3.4.3 Body of Knowledge

Cyber threat intelligence leverages a body of knowledge to create intelligence products. This corpus archives collected data and created intelligence for future use, while ensuring easy and efficient access to this information for privileged users (e.g. intelligence analysts). Integration with processes within the organization ensures the CTI group has access to all the knowledge they need. You achieved a maturity rating of level 1, with an overall progress towards maturing your Body of Knowledge of 87%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Body of Knowledge progress towards maturity Levels 1 to 5]

Operating at level 1, organizations have established requirements concerning intelligence data, for example, the inclusion of a timestamp and source information stating where the data originated. After completing their intelligence analysis, the CTI group shares the intelligence products with the stakeholder(s) and adds them to the intelligence warehouse for future access. This warehouse provides simple search methods to recover data and information.

Recommendations: Effective intelligence analysis requires access to a body of knowledge. We recommend that your data-warehouse contains various raw data, intermediate results and generated intelligence. Such information is highly valuable to the CTI group and your organization and should thus be covered by your organization's information security processes. Furthermore, we recommend that you create a process for the storing of intelligence products and providing simple methods to stakeholders for accessing these products.

3.5 Intelligence Integration

Cyber Threat Intelligence operates within, and aims to influence, a larger system, thus integration into the organisation and absorption of products by stakeholders is required for it to empower the organisation. Distribution channels ensure that the correct stakeholders are reached, who are then asked to provide feedback. The feedback is used in evaluation cycles aimed at better catering to stakeholder needs. Absorption of intelligence products by stakeholders creates cyber situational awareness throughout the organization, which positively impacts the cyber resilience of the organisation. Your Intelligence Integration maturity rating is evaluated to level: 1, with an overall progression of 78%, as can be observed below.


[Figure: Intelligence Integration progress towards maturity Levels 1 to 5]

Intelligence Integration consists of three focus areas, namely 1) Distribution, 2) Quality and performance, and 3) Situational Awareness. This section will now investigate how the results for Intelligence Integration break down to each of the focus areas and provide recommendations towards improving them.

3.5.1 Distribution

Stakeholders have access to their intelligence products through various distribution channels. Although initially shared with the stakeholder(s) requesting a specific intelligence product, multiple parties can benefit from the same intelligence. Thus, information-sharing processes and policies are required to ensure effective and efficient distribution. You achieved a maturity rating of level 1, with an overall progress towards maturing your Distribution of 89%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Distribution progress towards maturity Levels 1 to 5]

At maturity level 1, organizations are creating tactical intelligence. Consequently, the CTI group actively distributes indicators of compromise to relevant stakeholders. Threats posing a risk to the organization are identified and turned into operational intelligence providing short and medium-term courses of action for improving network resilience. Furthermore, the CTI group distributes intelligence to at least two internal parties, such as risk management, IT security, or threat hunters.

Recommendations: Excellent CTI groups have a strong portfolio. We recommend the CTI group extends their portfolio with a threat landscape report for the organisation, providing strategic information to support management decision making processes. Based on this threat landscape report we recommend extending the internal intelligence audience.

3.5.2 Quality and Performance

The quality of intelligence products depends on a set of product requirements and process performance. Intelligence product requirements give stakeholders a picture of what they can expect from intelligence products. Intelligence performance metrics provide insight into the functioning of the CTI program. By continuously improving the CTI processes, the expectation is that over time the quality of CTI products will improve. Furthermore, performance indicators drive the CTI process improvements and provide organizational drivers. You achieved a maturity rating of level 1, with an overall progress towards maturing your Quality and Performance of 79%. A detailed breakdown of your results for this focus area is provided next.


[Figure: Quality and Performance progress towards maturity Levels 1 to 5]

At maturity level 1, organizations have established a clear language and definitions used in intelligence products. The intelligence products include definitions or references for the meaning of words, such as, for example, the words of estimation probability or the admiralty system. The CTI group has documented their intelligence processes, and overviews with descriptions for CTI related processes are available.

Recommendations: Effective CTI programs continuously improve their products and processes. We recommend you extend your documentation by including a style guide for intelligence products, and requiring that CTI communication adapts to the language of the target audience. The latter improves consumption and usability of the provided products. Furthermore, we recommend that intelligence products include suggestions on courses of action which support the decision making process, such as configuration rules, patches, vulnerability information, or indicators of compromise which can be loaded into available security control systems. For your CTI-related processes, create and maintain procedures and methods along with their descriptions, and continuously improve them. Finally, use a planned approach when performing CTI-related processes.

3.5.3 Situational Awareness

To create effective cyber threat intelligence, the organization requires situational awareness of their cyber environment. By understanding the cyber threat landscape, CTI analysts can create the intelligence products that stakeholders use to make decisions, thus creating a resilient environment. The cyber threat landscape, however, is continuously evolving. The result is that it is paramount for organizations to observe their environment, and understand what their observations mean. Through this understanding, organizations can predict the behaviour of cyber threat actors and their impact on cybersecurity. You achieved a maturity rating of level 1, with an overall progress towards maturing your Situational Awareness of 62%. A detailed breakdown of your results for this focus area is provided next.



Operating at maturity level 1, organizations are exploring the concept of Situational Awareness, specifically related to cyber threats. This exploration will help them determine their first steps towards perceiving the environment.

Recommendations: We recommend that your organization provides the CTI group with perception of the environment. Create a characterization by identifying elements such as your assets, people, events and environmental factors, then establish visibility into the environment. Furthermore, ensure that the CTI group has monitoring capabilities for all locations and understands the possible conditions of assets and the actions that can be taken.



4. Roadmap to CTI Maturity

A maturity assessment is like a map: it determines where you are, compared to where you want to go, and enables you to plot a course. Some prefer to set their own course, while others stick to recommended roads. The roadmap to CTI maturity is the recommended path, with certain milestones along the way, following expert discussions. These milestones are called stages of maturity, or maturity levels, each requiring a certain number of elements within each domain to be completed. When all requirements are achieved, including those of previous milestones, a new maturity level is reached.

The previous sections discussed the position of the entity being assessed and the progress made in each CTI domain towards the maturity levels. This section will focus on the maturity rating for the entity specifically. We start with a discussion on where the entity is located now, what is the maturity rating, and how does this break down for the domains and focus areas. Based on these results we provide a set of recommendations that are aimed at helping the entity reach the next maturity level. Thus, if the entity is found operating at level 2 maturity, the recommendations will focus on moving the entity towards level 3. Domains having already reached level 3 will in this example then not get recommendations. This sets a path for growing a CTI program over time.

4.1 Where are you now?

The maturity rating associated with the organization under assessment is determined to be level 0. To gain an understanding of the entity's CTI maturity rating we explore two perspectives. Starting at the highest layer of the maturity model we explore the maturity rating for each domain, revealing those domains operating ahead of the curve, and the barriers preventing further growth. Following this, we dive further into the assessment results and explore how the related focus areas influenced the results. These results allow the building of a path towards maturity, addressed in the next section.

Domain assessment: The CTIM model has a top layer called Domains, each represented in the figure below with an individual rating (coloured) and progress towards the next stage (transparent). We note that the domain People is ahead of the curve, whereas Technology and Generation are acting as barriers against further growth. Growth following our CTI maturity model thus requires a focus on the latter.

Domain decomposition
CTI Maturity score divided into the five domains specified by the CTI maturity model.

Focus Areas assessment: The CTI maturity model has multiple layers of detail where each domain consists of multiple focus areas, allowing a more detailed breakdown of assessment results. Previously we already found the domains ahead of the curve, and those forming a barrier to growth. This is also reflected by the focus areas, which help us understand the barriers in more detail. The spider figure below represents each of the 12 focus areas, the solid colour represents the current maturity level for each focus area whereas the transparent area represents the progress made towards the next level. We identify that Talent management, and Training and development are ahead of the curve, whereas Secure infrastructure design, Asset management, and Collection and exploitation are acting as barriers towards the next maturity level.

CTI Maturity score divided into the 12 focus areas specified by the CTI maturity model.

4.2 Progressing to the next stage

Based on your current results, we created a set of recommendations that will help you grow towards the next maturity level. These recommendations arise from the full decomposition underlying the CTI maturity model, validated by CTI experts operating in multiple economic sectors. The remainder of this section will explore these recommendations.

Secure infrastructure design

A certain level of secure infrastructure is required for cyber threat intelligence to add value. We recommend that you focus on adding network segmentation and monitoring solutions to your infrastructure. Base your network design on best practices, and incorporate the information security requirements of your data and assets. Build CTI into your design by having your infrastructure provide intelligence insights and be capable of absorbing intelligence products.

Asset management

Cyber threat intelligence requires strong asset management for the creation of meaningful intelligence products. Inaccurate data will adversely affect intelligence products and cyber risk evaluation. We recommend that you maintain an inventory of hardware assets present within your organization, along with their strategies for disposal. This information should be openly shared with the CTI group. Furthermore, we recommend the use of advisories and vendor reports for the discovery of vulnerabilities within your assets.

Collection and exploitation

Excellent cyber threat intelligence products require effective and accurate data collection. We recommend that you begin by identifying the sources which will help you answer particular intelligence requirements. Ensure that the format in which information and data are collected is supported by later stages in the intelligence generation process.




5. How do you compare?

Your report will be extended with a survey of Cyber Threat Intelligence maturity and will include a comparison of your results with the average progress made by the other submissions. For this, we are waiting for the full Cyber Threat Intelligence Maturity Survey to complete. Specifically, we will enhance your report with a general comparison and a sector-specific comparison. Additionally, it is possible to measure yourself against your peer group(s). You can do this by creating a specific group and having your peers join with their assessment results.

5.1 Comparison with your peers

CTI Maturity peer groups provide the ability to create a group to which you can invite others. Once a certain number of submissions, at your control, has been reached we will calculate the group average maturity score and provide you with an automatically generated group report. In addition to this group report, each individual submission will be provided with an automatically generated comparison report, revealing how you compare to the average of your peer group.


This assessment is currently not part of any peer group. To enable this section you can create a peer group, or alternatively join a group to which you have been invited.


5.2 Comparison with submissions from your sector

We are waiting for the full Cyber Threat Intelligence Maturity Survey to complete before unlocking this section. Please check back later.

5.3 Comparison with all submissions

We are waiting for the full Cyber Threat Intelligence Maturity Survey to complete before unlocking this section. Please check back later.



6. Appendix

Assessment Methodology

Based on the domains of CTI generation and integration as well as the organizational support functions Governance, People and Technology, we analyzed and decomposed each of the focus areas into 29 process groups and 83 concrete business processes and activities that organizations would run to realize the development and support of their cyber threat intelligence program. Not all of these business processes will be of equal importance. For example, a large multinational will require a different CTI generation and support structure than a small or medium enterprise, and an organization just starting out with CTI will pursue different activities than an organization with a mature program.

CTIM: A novel CTI maturity model.

We hence rank each business process and rate it with a maturity level ranging from 0 to 5. In other words, we determine whether it is an essential activity for the successful start of a CTI program, whether it will provide benefit only later on once the business processes around the generation, integration and support of threat intelligence have sufficiently matured, or whether it is an activity only relevant for highly advanced use cases.

In the CTIM survey, we ask you a set of 250 questions that help us assess which activities you are currently pursuing, to which extent you are implementing these processes, and how these processes are connected throughout the organization. From this, we compute your maturity at the level of focus areas and domains as shown below and thus provide you with very detailed insight on your current level of cyber threat intelligence in your organization, as well as provide recommendations on how to continue the development of your program.

CTI Maturity Levels

A CTIM maturity level is a well-defined evolutionary stage which describes a certain level of ability for CTI within your organisation. Each level is attributed certain characteristics regarding your CTI processes. The level 'defined' for example indicates that you have defined your core CTI processes and can perform these repeatedly. More advanced characteristics are attributed to higher maturity levels, where the most advanced are found at level 5. Maturity levels thus provide a path that an organisation can follow when transitioning from ad-hoc CTI to a highly mature environment. The CTI maturity model describes a total of 6 distinct levels, which are displayed in the figure, followed by a short description of each.

CTIM: A novel CTI maturity model.

  1. Ad-Hoc: The organisation has not started with CTI, or does so following an ad-hoc approach.
  2. Defined: This level indicates that core CTI processes are defined and can be performed repeatedly.
  3. Aligned: The CTI processes are aligned with the organisation following standard processes and procedures.
  4. Controlled: The CTI group measures and controls intelligence production through processes and procedures.
  5. Optimising: The organisation works to optimise the CTI production according to strategic requirements.
  6. Innovating: At this stage the organisation functions at the cutting edge, going beyond optimising its processes by developing new solutions and predicting future actor developments.



Claim your results

You can claim this assessment report by registering for a user account. This will make your report visible only to those with these access credentials. Registration will provide you with a set of recommendations that you can use to grow to the next maturity level. We will perform a CTI maturity survey, and make these results available to users to compare with their own results.





Contact

  • E-Mail: mark -AT- luchs -DOT- nl
