CTIM Assessment Report for Maturity Assessment
Understanding your CTI Maturity based on the CTI Maturity model

Created on: February-11, 2021

Assessment identification number: This number is required to link the assessment with peer groups, for people to search for the assessment on the platform, and allows us to better support you. The ID for this assessment is: EXAMPLE ALIGNED.


Please note that you have the option to claim your results at the end of this report



1. Introduction

Cyber threat intelligence capabilities offer important benefits to the security posture of your organization. Building such a capability from scratch, however, is a challenging task, and an existing CTI program provides full value only if the necessary prerequisites are met, the right activities are conducted, and the resulting information is integrated into the right places. Based on your submission, this report gives you insight into the state of your CTI program according to the CTI Maturity Model (CTIM), presents the maturity rating of your organization, and includes a set of recommendations. This section briefly discusses CTI maturity to place your results in context, before continuing with your assessment summary, a breakdown of the results, and the roadmap to CTI maturity. For more information on the assessment methodology, please see our documentation.

1.1 Mature Cyber Threat Intelligence

For CTI to be effective, it needs to be embedded and tightly integrated throughout the organization. On the one hand, cyber threat intelligence requires direction, knowledge and engagement from the organization. Without input from stakeholders on their assets and concrete intelligence requirements, it is not possible to collect cyber threat intelligence that is relevant and fits the needs of the organization. For example, if the people who create CTI do not know what kind of systems, software and infrastructure are running, they cannot watch for threats targeting those resources.

On the other hand, threat intelligence is only effective if it is absorbed by the organization and integrated into the right places. For instance, when the CTI group receives intelligence on how a threat actor has compromised other companies in your sector through a new type of spear-phishing attack, this information has to be put into practice to be useful: loaded into intrusion detection systems, for example, and disseminated to your staff as an alert message or as awareness training.

[Figure: Cyber Threat Intelligence within organisations.]

Organizations with a mature cyber threat intelligence capability have established this mutual support and put business processes in place that generate high-quality threat intelligence, integrate it, and support CTI activities at essential points across the organization.

1.2 Components of CTI Maturity

Through observation of successful CTI programs, expert interviews and field research, we identified 5 domains and 12 different themes we call focus areas that are important to a successful CTI program. These together form the top layer of the CTI Maturity Model (CTIM). We will now briefly explore the 5 domains. Descriptions for the focus areas are provided as part of the breakdown analysis in section 3.

[Figure: CTIM, a novel CTI maturity model.]

CTI within the organization

Governance provides the organisational leadership for the consumption and production of CTI. Driven by the business objectives and critical assets, stakeholders interact with the team responsible for CTI and request intelligence products that support their decision making. In the CTIM model, we therefore assess how management and stakeholders provide direction and utilize the CTI results.

People are at the heart of every organisation. For a CTI program to be successful, an organization needs to bring together people with many different types of expertise and specialization. In the People domain, the model looks at the resources made available to CTI, the internal development of the skills CTI requires, and how the functions essential for CTI are located and defined throughout the organization.

Technology supports and realizes an organization's critical business functions. These assets, ranging from computers to network infrastructure, are also the targets or the means of attack for cyber threats. For CTI to be successful, it is vital that the organization understands its security controls, provides the means for threat intelligence to improve its defences, and has insight into its technical assets. In the survey, the CTIM model measures this integration as a prerequisite for successful utilization of CTI.

Generation and Integration of CTI

Intelligence is a process, a product and a business function. Within the two domains Intelligence Generation and Intelligence Integration we assess the activities that are necessary to produce threat intelligence that is of high quality, actionable and timely, and investigate whether the created intelligence products fully meet the requirements of the stakeholders.

For successful Intelligence Generation, the organization needs to identify and collect the type of data best suited to answer its intelligence needs. Data also needs to be validated and contextualized to become useful for decision-makers, and repeated investigations should build a body of knowledge, in terms of both tradecraft and intelligence results, so that the organization does not look at individual pieces of data in isolation but puts information into context and arrives at a long-term, global view of the threat landscape it faces.

The successful absorption of threat intelligence throughout the organization is first a matter of creating interest among stakeholders, but it also requires technical, legal, and procedural groundwork. Intelligence Integration assesses the maturity of the organization from this perspective and investigates whether feedback loops exist to continuously improve the CTI program and meet its objectives.



2. Assessment Summary

Based on your submission we have performed a CTI maturity evaluation; this section provides an overview of the results. All five domains (Governance, People, Technology, Intelligence Generation, and Intelligence Integration) have met every requirement associated with maturity level 2 and are operating at that level. Progress towards the next level is highest for Governance and People (85% each) and lowest for Intelligence Integration (75%). Overall progress towards completing all maturity components is 79.8%. The figure below summarizes the results, representing the progress made towards completing each maturity level in each domain. A further breakdown per domain is provided in section 3.

[Figure: progress towards maturity levels 1 to 5 per domain (Governance, People, Technology, Intelligence Generation, Intelligence Integration).]

Based on these results we score the overall CTI Maturity rating at level 2, the level at which all level-2 requirements are met in every individual domain. Progress towards maturity level 3, the next maturity stage, is at 66.2%. We further explore your current maturity rating and provide a direction for further growth in Section 4.



3. Breakdown and Recommendations

Completing a specific maturity level means accomplishing a certain number of activities within each of the domains; the number of required activities differs per domain and maturity level. A capability level describes the progress made towards completing all the activities within a domain or focus area. This section provides a breakdown of your assessment results as capability levels, revealing the progress you have made in each domain towards every maturity level.

The section is structured based on the domains in the CTI Maturity model. Every subsection concentrates on one domain and corresponding focus areas. This report displays the progress made towards a specific maturity level for every domain and focus area. Furthermore, a description of organisations operating at the completed level is provided, followed by recommendations on how to improve your current rating and move to the next level.

3.1 Governance

Governance provides the organizational drivers for the consumption and production of Cyber Threat Intelligence. These drivers are created through the identification of the crown jewels of the organization and are essential to a successful operation. Stakeholders identified through these crown jewels are responsible for interacting with the CTI group and for using cyber threat intelligence products. These processes play an essential role in the integration of CTI within organizations. Your Governance maturity rating is evaluated at level 2, with an overall progression of 85%, as shown below.


[Figure: progress towards maturity levels 1 to 5 for Governance.]

Governance consists of two focus areas, namely 1) Critical Business Functions and 2) Stakeholders. This section will now investigate how the results for Governance break down to each of the focus areas and provide recommendations towards improving them.

3.1.1 Critical Business Functions

Critical business functions are the elements that are essential for the successful continuous operation of an organisation; clear insight into these functions enables the organisation to make targeted intelligence requests. The CTI group uses these requests to create intelligence products that provide a course of action the organization can use to keep its critical functions secure against cyber threats. You achieved a maturity rating of level 2, with an overall progress towards maturing your critical business functions of 90%. A breakdown of these results per maturity level is provided next.


[Figure: progress towards maturity levels 1 to 5 for Critical Business Functions.]

Operating at maturity level 2 means that organizations have identified their critical business functions and assets and are working towards understanding their dependencies and the impact these elements have on the organization at large. Cyber risks are not only identified, but the sources of risk behind them are known, and this information is freely shared with the cyber threat intelligence group. The CTI group uses this information in its analysis to understand the consequences for the organization and the factors that play a role, and to estimate the risk in a way that supports strategic decisions on organizational strategy and (cyber) risk.

Recommendations: Using the critical business functions, critical assets, and their dependencies, risk profiles for the organization can now be created, including the identification of vulnerabilities in these assets. Such vulnerabilities carry a higher cyber risk, and knowledgeable threat actors are more likely to target them. This information should therefore be shared with the CTI group to support the creation of intelligence products aimed at reducing and mitigating these risks.

3.1.2 Stakeholders

Stakeholders are those people and groups within an organization for which cyber threat intelligence is expected to provide value. Stakeholders use intelligence products to improve the security of the critical assets and business functions within their control. By interacting with the CTI group, stakeholders ensure the best possible intelligence products are created. You achieved a maturity rating of level 2, with an overall progress towards maturing your Stakeholders focus area of 81%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Stakeholders.]

Level 2 organizations are moving beyond intelligence generated only from the insights of CTI analysts, deriving their investigatory direction from stakeholder needs and requests. To facilitate absorption of their products, CTI analysts work to understand the context within which their stakeholders operate and the stakeholders' ability to absorb intelligence products. Intelligence products consequently help stakeholders better understand the cyber risks to their assets. Stakeholders support this alignment process by sharing their needs and operational context with the CTI group.

Recommendations: Aligning intelligence requirements helps the CTI group allocate its limited resources when responding to intelligence requests. We recommend that the organization allocates resources to improve the overall understanding of stakeholder intelligence requirements, identifying stakeholder needs based on their operational context, critical business functions, and critical assets. Stakeholders use CTI products to reduce the risk of cyber threats; to further facilitate this, we recommend that the organization creates a policy on the use of intelligence products in decision-making processes. Furthermore, stakeholders should develop product ownership by taking a stake in the intelligence generation process and actively working with the CTI group to obtain the intelligence products they require.

3.2 People

At the heart of every organization you will find people, and cyber threat intelligence especially requires human expertise. Inspiring people to perform at their best, supporting their personal development so they remain at the cutting edge, and providing security awareness for non-security personnel are essential for CTI to be successful within the organization. To provide clarity for CTI talent, the objectives of the CTI group are determined and mapped into responsibilities for specific roles, which are then assigned to individuals. Finally, talents are empowered in their roles through tradecraft training and development. Your People maturity rating is evaluated at level 2, with an overall progression of 85%, as shown below.


[Figure: progress towards maturity levels 1 to 5 for People.]

People consists of two focus areas, namely 1) Talent Management and 2) Training and Development. This section will now investigate how the results for People break down to each of the focus areas and provide recommendations towards improving them.

3.2.1 Talent Management

People need to know their roles and responsibilities within the organisation, and how these connect to the objectives of the CTI group and the vision of the organization. For the CTI program to meet its objectives, enough people with the ability to fulfil these responsibilities are required. Talent management considers both the distribution of roles and the sourcing of talent, and ensures the availability and readiness of CTI personnel by considering people both inside and outside the organization. You achieved a maturity rating of level 2, with an overall progress towards maturing your Talent Management of 76%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Talent Management.]

At maturity level 2, there is a defined chain of reporting and risk responsibility for intelligence reports and briefings. The core responsibilities of the CTI group towards the organization have been established and are agreed upon by all parties. CTI group responsibilities have been decomposed into specific talent responsibilities, ensuring the defined CTI roles can meet the agreed CTI group objectives.

Recommendations: Skilled people are essential for the creation of cyber threat intelligence; to guide them in their tasks they are assigned roles that define their work and inform the organization who is responsible for what. To further facilitate this, we recommend that the organisation clearly defines the position of the CTI group within the organizational structure. Some organisations locate CTI within their Security Operations Center, while others have a dedicated intelligence department of which cyber threat intelligence is a component. A clear position within the organisation makes the chain of command clear and helps the organisation actively define and drive CTI. CTI stakeholders rely on intelligence products in their decision making, so the reliability of the CTI group is paramount. To build a stable CTI environment, we recommend that the CTI group implements processes that assess the workload of CTI talent, actively retain CTI employees, evaluate the skills and capabilities available within the group, and maintain a pool of internal and external talent sources. A metric for success is the CTI group's ability to handle surges in work.

3.2.2 Training and Development

Cyber threats are continuously evolving, along with our understanding of these threats and the solutions that reduce the risk of cyber incidents. Effective cyber threat intelligence requires people who continually develop themselves. Strong education and development programs ensure that the required knowledge is available within the organization and encourage continuous training opportunities. Security awareness programs ensure that everyone within the organization has a basic understanding of security, how it directly affects them, and what they can do to contribute to a more resilient environment. You achieved a maturity rating of level 2, with an overall progress towards maturing your Training and Development of 84%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Training and Development.]

At maturity level 2, organizations continue to build their cybersecurity awareness program, motivating employees to report anomalies to the CTI group. Stakeholders have access to material that introduces them to Cyber Threat Intelligence, the CTI group, and why this matters to them. Such educational material explains how to request intelligence from the CTI group and how to use intelligence products. The stakeholder training material is easily accessible and is provided by the CTI group when an interaction between the parties starts. The training program available to CTI talent continues to expand.

Recommendations: Effective cyber threat intelligence requires that stakeholders and employees are aware of cybersecurity concerns and of the return on investment that CTI provides them. We recommend an organisational mandate specifying that employees are expected to follow security awareness training. Security-aware employees make better use of intelligence products and help the intelligence process by reporting anomalies. Furthermore, we recommend that you further extend your training program to develop CTI talent. INSA, for example, provides information on the development of CTI talent in their Cyber Intelligence whitepaper: https://www.insaonline.org/cyber-intelligence-preparing-todays-talents-for-tomorrows-threats/.

3.3 Technology

A wide range of technologies supports the organisation, for example computers, software, and networked infrastructure. These technologies run the risk of being targeted by cyber actors with nefarious goals and thus represent a cyber threat exposure for the organization. It is vital that the organisation understands its security controls, provides the means for threat intelligence to improve existing controls, and has insight into all of its technological assets. This enables the CTI group to provide actionable intelligence tailored to the organization, the stakeholder, and their unique situation, with specific advice on how to reduce cyber risk exposure. Your Technology maturity rating is evaluated at level 2, with an overall progression of 82%, as shown below.


[Figure: progress towards maturity levels 1 to 5 for Technology.]

Technology consists of two focus areas, namely 1) Secure Infrastructure Design and 2) Vulnerability Management. This section will now investigate how the results for Technology break down to each of the focus areas and provide recommendations towards improving them.

3.3.1 Secure Infrastructure Design

Cyber resilience is accomplished through secure infrastructure design and the application of security controls. Securing an organization against cyber threats requires a range of adaptive security controls, which together create a tight web that makes it increasingly difficult, and thus expensive, for threat actors to achieve their goals. Resilient security programs leverage cyber threat intelligence to amplify the effectiveness of the implemented security controls. You achieved a maturity rating of level 2, with an overall progress towards maturing your Secure Infrastructure Design of 82%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Secure Infrastructure Design.]

At maturity level 2, information from security controls is shared with the CTI group, which uses it as a data source. Infrastructure design has grown more resilient through defence-in-depth strategies, with design decisions based on organizational requirements and on reference designs or best practice. Vulnerability management has been established and responds to vulnerabilities and incidents within the infrastructure.

Recommendations: A secure infrastructure is required for cyber threat intelligence to add value. To further mature in this area we recommend that you establish a baseline of normal network behaviour and are able to detect deviations and suspicious behaviour against that baseline, that you have the capability to respond to all phases of a security breach, and that your security controls can absorb the threat intelligence produced by the CTI group. Continuously adapt your infrastructure so that organizational and security requirements are met.
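One concrete shape the baselining recommendation above can take is shown in the following added example (it is not code from the report or from any product). It builds a per-host profile from a week of constructed daily outbound flow summaries, then flags, for the day under review, hosts that are not in the baseline, destination ports a host has never used, and outbound volume more than three standard deviations above that host's mean. The flow tuple format, the hostnames, the byte counts and the thresholds are all assumptions made for the illustration.

```python
"""Per-host outbound baseline and deviation detection over constructed flow
summaries.  Added example, not part of the CTIM report; the flow layout,
host names, byte counts and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound summaries: (day, source host, destination port, bytes).
# Seven days of "normal" traffic for two inventoried hosts.
BASELINE_FLOWS = [
    (day, "web01", 443, nbytes) for day, nbytes in enumerate(
        [1_000_000, 1_050_000, 950_000, 1_020_000, 980_000, 1_010_000, 990_000], 1)
] + [(day, "db01", 5432, 2_000_000) for day in range(1, 8)]

# Constructed flows for the day under review: web01 starts talking on two new
# ports and pushes far more data than usual; db01 is unchanged; lab09 was never
# inventoried, so there is no baseline for it at all.
TODAY_FLOWS = [
    (8, "web01", 443, 1_000_000),
    (8, "web01", 22, 200_000),
    (8, "web01", 4444, 3_500_000),
    (8, "db01", 5432, 2_000_000),
    (8, "lab09", 443, 50_000),
]


def build_baseline(flows):
    """Per host: the set of destination ports seen and the mean/stdev of daily
    outbound bytes over the baseline window."""
    ports = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, port, nbytes in flows:
        ports[host].add(port)
        daily[host][day] += nbytes
    return {
        host: {
            "ports": ports[host],
            "mean": mean(daily[host].values()),
            "std": pstdev(daily[host].values()),
        }
        for host in ports
    }


def detect_deviations(baseline, flows, z=3.0, min_abs=500_000):
    """Flag unknown hosts, never-seen destination ports, and daily volume more
    than z standard deviations (and at least min_abs bytes) above the host's
    mean.  min_abs stops a host with a near-zero stdev from alerting on noise."""
    findings = set()
    today_bytes = defaultdict(int)
    for _day, host, port, nbytes in flows:
        profile = baseline.get(host)
        if profile is None:
            findings.add((host, "unknown host: not in baseline"))
            continue
        if port not in profile["ports"]:
            findings.add((host, f"new destination port {port}"))
        today_bytes[host] += nbytes
    for host, total in today_bytes.items():
        profile = baseline[host]
        limit = profile["mean"] + z * profile["std"]
        if total > limit and total - profile["mean"] >= min_abs:
            findings.add((host, f"outbound volume {total} exceeds baseline"))
    return sorted(findings)


def run_sample():
    """Evaluate the constructed review day against the constructed baseline."""
    return detect_deviations(build_baseline(BASELINE_FLOWS), TODAY_FLOWS)


if __name__ == "__main__":
    for host, what in run_sample():
        print(f"{host}: {what}")
```

Destination port is used here only because it keeps the sample small; in practice the same structure is applied to destination ASN or country, TLS SNI, or DNS query volume, and the baseline window is rebuilt on a schedule so that legitimate change (a new service going live, recorded in configuration management) does not keep alerting.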

3.3.2 Vulnerability Management

Organizations resilient to cyber threats know which assets are operating within their environment, which assets they expect to be present, and the state in which they operate. The CTI group relies on this knowledge to gain a greater understanding of organizational and stakeholder needs, which helps it create valuable cyber threat intelligence for its stakeholders. Furthermore, knowing which assets are active within the organization's environment drives the discovery of vulnerabilities and the weighing of solutions for their mitigation. You achieved a maturity rating of level 2, with an overall progress towards maturing your Vulnerability Management of 81%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Vulnerability Management.]

At maturity level 2, organizations create an inventory of their assets and validate it continually. They ensure that their security and intelligence teams have access to information that is up to date and relevant to them. The inventory lists are well documented and contain the information required by the cybersecurity and cyber threat intelligence groups. Furthermore, these organizations actively search for vulnerabilities within their environment, using scanning techniques and vulnerability feeds (such as CVE) as sources for their investigation. Discovered vulnerabilities are prioritized based on their turnaround time, a cost-benefit analysis, and the coverage and gaps of the running security controls.

Recommendations: Cyber threat intelligence requires strong asset management for the creation of meaningful intelligence products. We recommend that you extend your inventory with configuration management, keeping a record of what has changed, the party responsible for the change, and the motivation behind it. Your vulnerability discovery processes should include public sources. When responding to vulnerabilities, we recommend prioritizing based on the risk to critical functions and assets, and having multiple mitigation strategies available.
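The prioritization recommended above, risk to critical functions and assets rather than feed severity alone, is illustrated by the following added example (it is not code from the report or from any vulnerability management product). It matches constructed feed entries against a constructed asset inventory that carries the governance data this report asks for (business function, criticality, owner, compensating controls) and orders the matches by a score that weights CVSS by criticality, raises it when exploitation is reported, and lowers it when the asset is already segmented. The hostnames, software versions, the `CVE-0000-xxxx` placeholder identifiers and the weights are assumptions; the placeholders are not real CVE entries.

```python
"""Prioritise discovered vulnerabilities by the risk they pose to critical
functions and assets.  Added illustration, not part of the CTIM report; the
inventory, the feed entries, the placeholder CVE identifiers and the scoring
weights are all constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    software: frozenset        # (product, version) pairs from the asset inventory
    business_function: str     # critical business function the asset supports
    criticality: int           # 1 (low) .. 5 (crown jewel), set by governance
    owner: str                 # responsible party recorded in the inventory
    controls: frozenset        # compensating controls in place, e.g. {"segmented"}


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str                # placeholder IDs below, not real CVE entries
    product: str
    version: str
    cvss: float                # base score 0..10 as published by the feed
    exploited: bool            # CTI enrichment: active exploitation reported?


# Constructed inventory: two crown-jewel systems and a low-value lab box.
SAMPLE_INVENTORY = [
    Asset("web01", frozenset({("nginx", "1.0-example")}), "customer portal", 5,
          "platform-team", frozenset({"waf"})),
    Asset("db01", frozenset({("postgres", "12-example")}), "customer data", 5,
          "dba-team", frozenset({"segmented"})),
    Asset("lab03", frozenset({("nginx", "1.0-example")}), "test lab", 1,
          "research", frozenset()),
]

# Constructed feed entries with placeholder identifiers.
SAMPLE_VULNS = [
    Vulnerability("CVE-0000-0001", "nginx", "1.0-example", 8.0, exploited=True),
    Vulnerability("CVE-0000-0002", "postgres", "12-example", 9.8, exploited=False),
]


def affected_assets(vuln, inventory):
    """Match a feed entry against the inventory on (product, version)."""
    return [a for a in inventory if (vuln.product, vuln.version) in a.software]


def risk_score(vuln, asset):
    """Technical severity weighted by business criticality, raised when
    exploitation is observed and lowered when an existing control already
    covers the exposure.  The weights are assumptions for this example."""
    score = vuln.cvss * asset.criticality
    if vuln.exploited:
        score *= 1.5
    if "segmented" in asset.controls:
        score *= 0.7  # network segmentation limits reachability of the flaw
    return round(score, 1)


def prioritise(vulns, inventory):
    """Return (cve_id, hostname, owner, score) rows, most urgent first."""
    rows = [
        (v.cve_id, a.hostname, a.owner, risk_score(v, a))
        for v in vulns
        for a in affected_assets(v, inventory)
    ]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def sample_priorities():
    """Rank the constructed feed against the constructed inventory."""
    return prioritise(SAMPLE_VULNS, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for cve, host, owner, score in sample_priorities():
        print(f"{score:6.1f}  {cve}  {host}  ({owner})")
```

With these inputs the 8.0-scored, actively exploited flaw on the crown-jewel web server outranks the 9.8-scored flaw on the segmented database, and the same web server flaw on the lab host drops to the bottom; the owner column is what lets the CTI group route each finding to the party recorded in the inventory.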

3.4 Intelligence Generation

Intelligence is both a process and a product. To create intelligence, data and information are analyzed with the objective of answering a specific request. Intelligence is created by placing the analysis results into context to fit the needs of the stakeholder and including a course of action. Creating intelligence is a multi-step operation that requires data collection, intelligence analysis, an understanding of the stakeholders, and a body of knowledge from which information on, for example, historic events or previous intelligence products can be drawn. Your Intelligence Generation maturity rating is evaluated at level 2, with an overall progression of 81%, as shown below.


[Figure: progress towards maturity levels 1 to 5 for Intelligence Generation.]

Intelligence Generation consists of three focus areas, namely 1) Collection and Exploitation, 2) Interpretation and Contextualisation, and 3) Body of Knowledge. This section will now investigate how the results for Intelligence Generation break down to each of the focus areas and provide recommendations towards improving them.

3.4.1 Collection and Exploitation

Intelligence generation relies on the consumption of information and data collected from a set of sources. Sources are selected against criteria derived from the intelligence requirements and performance metrics. Collected information and data need processing and evaluation, to ensure reliability, credibility, and consistency, before they become useful to the analysis process. You achieved a maturity rating of level 2, with an overall progress towards maturing your Collection and Exploitation of 76%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Collection and Exploitation.]

Organizations operating at maturity level 2 are extending their collection efforts. The CTI group maintains a clear overview of the relations between the sources used for data collection and the intelligence requirements that need this data. Collection requirements are consistently aligned and revised as the intelligence requirements of the CTI group change. The CTI group follows a set of selection criteria that enables the ranking of sources, supporting decision making under limited resources. During collection, information and data are examined for incomplete and impossible records.

Recommendations: Excellent cyber threat intelligence products require effective and accurate data collection. We recommend the creation of a database of all collected data sources, ensuring no duplicate collection efforts are made. Write guidelines for the collection and use of off-the-record information in the intelligence process. In addition, augment the collected data with additional attributes useful for analysis before merging it into your data warehouse, automating your data pipeline where applicable. On your collected data we recommend providing general insights and statistical observations to help CTI analysts focus their work. Finally, your evaluation processes should cover your collection plan, the collected data, and the data processing and enrichment steps.

3.4.2 Interpretation and Contextualization

Fusing the collected data with observations, experience, and situational awareness is the first step in the analysis process. Tailoring the processed information to the intelligence requirements and stakeholder needs then yields intelligence products. Collecting feedback from stakeholders ensures the intended intelligence product is indeed delivered. You achieved a maturity rating of level 2, with an overall progress towards maturing your Interpretation and Contextualization of 80%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Interpretation and Contextualization.]

Operating at maturity level 2, organizations create intelligence in response to requests for intelligence. These requests are made by stakeholders, or by the CTI group to close critical gaps in stakeholder demands. The intelligence analysis follows a systematic approach, ensuring that the findings and the applied analysis methods meet the intended intelligence goals. Assumptions made during the analysis process are validated using objective and subjective methods.

Recommendations: Successful CTI generation requires direction and clarity. We recommend that you create terms of reference for intelligence investigations, specifying objectives, constraints, assumptions, roles and responsibilities, and CTI deliverables. Prioritize the intelligence requirements, and establish an understanding of the relationships between the intelligence requirements and the organization's operational landscape. Furthermore, when performing intelligence analysis, work towards a solution by determining the possible paths to it and selecting the analysis method and technique based on the properties of the problem. Finally, contextualize and align the intelligence products with your stakeholders and ensure they are capable of absorbing the produced intelligence products.

3.4.3 Body of Knowledge

Cyber threat intelligence leverages a body of knowledge to create intelligence products. This corpus archives collected data and created intelligence for future use, while ensuring easy and efficient access to this information for privileged users (e.g. intelligence analysts). Integration with processes within the organization ensures the CTI group has access to all the knowledge it needs. You achieved a maturity rating of level 2, with an overall progress towards maturing your Body of Knowledge of 87%. A detailed breakdown of your results for this focus area is provided next.


[Figure: progress towards maturity levels 1 to 5 for Body of Knowledge.]

Operating at level 2, organizations have established a body of knowledge, or data warehouse, that stores the raw data, intermediate results, and generated intelligence, and have brought it under their information security processes.

Recommendations: Effective intelligence requires a high-quality data warehouse, or corpus. We recommend that you identify the metadata to be included in your corpus solution, such as an expiration date for each record. Define a clear ontology, or set of dimensions, for your corpus. Moreover, we recommend that your corpus keeps track of the data used to create intelligence products as well as other data considered useful for future intelligence creation, and that access to the corpus is provided through organized categories. Additionally, your body of knowledge should contain an overview of the tools available within the organization, including guides on how to use them, and should provide and maintain operational knowledge and details of CTI tradecraft.

3.5 Intelligence Integration

Cyber Threat Intelligence operates within, and aims to influence, a larger system; integration into the organisation and absorption of products by stakeholders are therefore required for it to empower the organisation. Distribution channels ensure that the correct stakeholders are reached, who are then asked to provide feedback. The feedback is used in evaluation cycles aimed at better catering to stakeholder needs. Absorption of intelligence products by stakeholders creates cyber situational awareness throughout the organization, which positively impacts the cyber resilience of the organisation. Your Intelligence Integration maturity rating is evaluated at level 2, with an overall progression of 75%, as shown below.


[Figure: progress towards maturity levels 1 to 5 for Intelligence Integration.]

Intelligence Integration consists of three focus areas, namely 1) Distribution, 2) Quality and performance, and 3) Situational Awareness. This section will now investigate how the results for Intelligence Integration break down to each of the focus areas and provide recommendations towards improving them.

3.5.1 Distribution

Stakeholders have access to their intelligence products through various distribution channels. Although initially shared with the stakeholder(s) requesting a specific intelligence product, multiple parties can benefit from the same intelligence. Thus, information-sharing processes and policies are required to ensure effective and efficient distribution. You achieved a maturity rating of level 2, with an overall progress towards maturing your Distribution of 57%. A detailed breakdown of your results for this focus area is provided next.

[Figure: maturity progress bar, Level 1 to Level 5]

At maturity level 2, organizations are creating operational intelligence alongside tactical intelligence. The CTI group creates threat landscape reports for the organization, providing information that decision-makers can use to support their decisions. The number of internal audiences for CTI products has increased to at least three parties, such as risk management, IT security, or threat hunters.

Recommendations: Excellent CTI groups have a strong portfolio, exhibit sharing behavior, and have identified their audience. We recommend that the portfolio is further expanded so that advice is given on the security controls required to reduce the risk exposure to cyber threats. Indicators are validated before being loaded into security controls, and there are intelligence requests from the organizational leadership to which you can respond. Furthermore, we recommend that sharing policies are in place to help with the distribution of cyber threat intelligence, as are guidelines for what CTI products can be shared without an agreement, and that easy access to intelligence products is facilitated through a self-service platform where stakeholders can find and request CTI products. Finally, we recommend that your organization identifies external audiences that will benefit from shared intelligence products.

3.5.2 Quality and Performance

The quality of intelligence products depends on a set of product requirements and on process performance. Intelligence product requirements give stakeholders a picture of what they can expect from intelligence products. Intelligence performance metrics provide insight into the functioning of the CTI program. By continuously improving the CTI processes, the expectation is that over time the quality of CTI products will improve. Furthermore, performance indicators drive the CTI process improvements and provide organizational drivers. You achieved a maturity rating of level 2, with an overall progress towards maturing your Quality and Performance of 85%. A detailed breakdown of your results for this focus area is provided next.

[Figure: maturity progress bar, Level 1 to Level 5]

At maturity level 2, organizations collaborate with their CTI group towards alignment of products and processes. The CTI group has a style guide that specifies a uniform structure and standardized style to follow when creating intelligence products. Tactical intelligence products include indicators of compromise that their audience can load into their security controls. Furthermore, the CTI processes are clearly documented in business processes, procedures, and instructions, and these processes are performed using a planned approach.

Recommendations: Effective CTI programs continuously improve their products and processes. We recommend that you continuously update and expand your criteria for intelligence products to achieve higher quality products. Your strategic products include recommendations, such as changes to policy and the security strategy, that support the stakeholder decision-making process. Furthermore, intelligence should be available sufficiently early to allow preventive controls to be implemented before a compromise occurs. We recommend that your documentation follows a uniform structure and standard style, where content is determined through a uniform standard. Your documentation on CTI processes is improved by clear characterization, and by processes being well understood in terms of requirements, reasoning, and consequences. Finally, sufficient talent and resources are made available to generate intelligence in a controlled manner. The organisation begins integration of cyber threat intelligence by aligning standards, processes, and procedures, ensuring these are consistent with the requirements set by the organization.

3.5.3 Situational Awareness

To create effective cyber threat intelligence, the organization requires situational awareness of its cyber environment. By understanding the cyber threat landscape, CTI analysts can create the intelligence products that stakeholders use to make decisions, thus creating a resilient environment. The cyber threat landscape, however, is continuously evolving. The result is that it is paramount for organizations to observe their environment and understand what their observations mean. Through this understanding, organizations can predict the behaviour of cyber threat actors and their impact on cybersecurity. You achieved a maturity rating of level 2, with an overall progress towards maturing your Situational Awareness of 75%. A detailed breakdown of your results for this focus area is provided next.

[Figure: maturity progress bar, Level 1 to Level 5]

At maturity level 2, organizations have a characterization of their operational environment. They know which objects, events, people, and environmental factors to expect. This information gives visibility into the organization by looking at locations, conditions, actions, and monitoring coverage. Organizations at maturity level 2 are working to be aware of their surroundings.

Recommendations: We recommend that the CTI group develops the capability to recognize patterns based on the observations from the environment. Identify the cyber threats posing a risk to the characterized environment, determine that threat actors might have, and identify to what extent your environment is exposed to such threats.



4. Roadmap to CTI Maturity

A maturity assessment is like a map: it determines where you are compared to where you want to go, and enables you to plot a course. Some prefer to set their own course, while others stick to recommended roads. The roadmap to CTI maturity is the recommended path, with certain milestones along the way, following expert discussions. These milestones are called stages of maturity, or maturity levels, each requiring a certain number of elements within each domain to be completed. When all requirements are achieved, including those of previous milestones, a new maturity level is reached.

The previous sections discussed the position of the entity being assessed and the progress made in each CTI domain towards the maturity levels. This section will focus on the maturity rating for the entity specifically. We start with a discussion of where the entity is located now, what its maturity rating is, and how this breaks down across the domains and focus areas. Based on these results we provide a set of recommendations that are aimed at helping the entity reach the next maturity level. Thus, if the entity is found operating at level 2 maturity, the recommendations will focus on moving the entity towards level 3. Domains that have already reached level 3 will, in this example, not get recommendations. This sets a path for growing a CTI program over time.

4.1 Where are you now?

The maturity rating associated with the organization under assessment is determined to be level 2. To gain an understanding of the entity's CTI maturity rating we explore two perspectives. Starting at the highest layer of the maturity model, we explore the maturity rating for each domain, revealing those domains operating ahead of the curve and the barriers preventing further growth. Following this, we dive further into the assessment results and explore how the related focus areas influenced the results. These results allow the building of a path towards maturity, addressed in the next section.

Domain assessment: The CTIM model has a top layer called Domains, each represented in the figure below, corresponding to an individual rating (coloured) and progress towards the next stage (transparent). We note that the domains Governance, People, and Technology are ahead of the curve, whereas Governance, People, and Technology are acting as barriers against further growth. Growth following our CTI maturity model thus requires a focus on the latter.

Domain decomposition
CTI Maturity score divided into the five domains specified by the CTI maturity model.

Focus Areas assessment: The CTI maturity model has multiple layers of detail, where each domain consists of multiple focus areas, allowing a more detailed breakdown of assessment results. Previously we already found the domains ahead of the curve and those forming a barrier to growth. This is also reflected by the focus areas, which help us understand the barriers in more detail. The spider figure below represents each of the 12 focus areas; the solid colour represents the current maturity level for each focus area, whereas the transparent area represents the progress made towards the next level. We identify that Critical business functions, Stakeholder management, and Talent management are ahead of the curve, whereas Critical business functions, Stakeholder management, and Talent management are acting as barriers towards the next maturity level.

Focus area decomposition
CTI Maturity score divided into the 12 focus areas specified by the CTI maturity model.

4.2 Progressing to the next stage

Based on your current results, we created a set of recommendations that will help you grow towards the next maturity level. These recommendations arise from the full decomposition underlying the CTI maturity model, validated by CTI experts operating in multiple economic sectors. The remainder of this section will explore these recommendations.

Critical business functions

By using the critical business functions, critical assets, and their dependencies, risk profiles for the organization can now be created, including the identification of vulnerabilities. These vulnerabilities carry a higher cyber risk with them, and knowledgeable threat actors are more likely to target them. Thus, this information should be shared with the CTI group to support their creation of intelligence products that support the reduction and mitigation of these risks.

Stakeholder management

To support the CTI group in allocating limited resources when responding to intelligence requests, the alignment of intelligence requirements is important. We recommend that the organization allocates resources to improve the overall understanding of stakeholders' intelligence requirements, hence identifying stakeholder needs based on their operational context, critical business functions, and critical assets. Stakeholders are using CTI products to reduce the risk of cyber threats. To further facilitate this process we recommend that the organization creates a policy regarding the use of intelligence products in decision-making processes. Furthermore, stakeholders should develop product ownership by taking a stake in the intelligence generation process and actively working with the CTI group to obtain the intelligence products they require.

Talent management

Skilled people are essential for the creation of cyber threat intelligence. To guide them in their tasks they are assigned roles defining their work, while informing the organization who is responsible for what. To further facilitate this we recommend that the position of the CTI group within the organizational structure is clearly defined by the organisation. Some prefer to locate CTI within their Security Operations Centers, while others have a specific intelligence department of which cyber threat intelligence is a component. Having a clear position within the organisation makes the chain of command clear, helping the organisation with actively defining and driving CTI. CTI stakeholders rely on intelligence products during their decision making, thus the reliability of the CTI group is paramount. To build a stable CTI environment we recommend that the CTI group implements processes that assess the workload of CTI talent, actively retains CTI employees, evaluates the available skills and capabilities within the group, and maintains a pool listing internal and external talent sources. A metric for success is demonstrated by the CTI group being able to successfully handle work surges.

Training and development

Effective cyber threat intelligence requires that stakeholders and employees are aware of cybersecurity concerns and of the return on investment that CTI provides them. We recommend that there is an organisational mandate specifying that employees are expected to follow security awareness trainings. Security-aware employees make better use of intelligence products, and help the intelligence process by reporting anomalies. Furthermore, we recommend that you further extend your training program to develop CTI talent. INSA, for example, provides information on the development of CTI talent in their Cyber Intelligence whitepaper: https://www.insaonline.org/cyber-intelligence-preparing-todays-talents-for-tomorrows-threats/.

Secure infrastructure design

A secure infrastructure is required for cyber threat intelligence to add value. To further mature in this area we recommend that you are able to determine baseline network behavior, that you have the capability to respond to all phases of a security breach, and that your security controls can absorb threat intelligence produced by the CTI group. We recommend that you are able to detect deviations and suspicious behaviors relative to the established baseline. Continuously adapt your infrastructure such that organizational and security requirements are met.

Asset management

Cyber threat intelligence requires strong asset management for the creation of meaningful intelligence products. We recommend that you extend your inventory with configuration management, keeping a record of what has changed, the party responsible for that change, and the motivation driving the change. Your vulnerability discovery processes are recommended to include public sources. When responding to vulnerabilities we recommend including a prioritization based on the risk to critical functions and assets, and having multiple mitigation strategies available.

Collection and exploitation

Excellent cyber threat intelligence products require effective and accurate data collection. We recommend the creation of a database containing all collected data sources, ensuring no duplicate collection efforts are made. Write guidelines for the collection and use of off-the-record information that can be used in the intelligence process. In addition, augment the collected data with additional attributes useful for the analysis before merging it into your data-warehouse, implementing automated processes for your data-pipeline where applicable. On your collected data we recommend that you provide general insights and statistical observations to help CTI analysts focus their work. Finally, your evaluation processes should cover your collection plan, the collected data, and the data processing and enrichment steps.

Interpretation and contextualization

Successful CTI generation requires direction and clarity. We recommend that you create terms of reference for intelligence investigations, specifying objectives, constraints, assumptions, roles and responsibilities, and CTI deliverables. Prioritize the intelligence requirements, and establish an understanding of the relationships between the intelligence requirements and the organization's operational landscape. Furthermore, when performing intelligence analysis, work towards a solution by determining possible paths to a solution, and select the analysis method and technique based on the properties of the analysis. Finally, contextualize and align the intelligence products with your stakeholders, and ensure they are capable of absorbing the produced intelligence products.

Body of knowledge

Effective intelligence requires a high quality data-warehouse, or corpus. We recommend that you identify required meta-data to be included in your corpus solution, such as the addition of an expiration date. Define a clear ontology, or dimensions, for your corpus. Moreover, we recommend that your corpus keeps track of data used to create intelligence products and other data considered useful for future intelligence creation. Access to the corpus is provided through the use of organized categories. Additionally, your body of knowledge is recommended to contain an overview of the available tools within the organization, including guides on how to use the technology. Information regarding operational knowledge is provided and maintained, as are details relating to CTI tradecraft.

Distribution

Excellent CTI groups have a strong portfolio, exhibit sharing behavior, and have identified their audience. We recommend that the portfolio is further expanded so that advice is given on the security controls required to reduce the risk exposure to cyber threats. Indicators are validated before being loaded into security controls, and there are intelligence requests from the organizational leadership to which you can respond. Furthermore, we recommend that sharing policies are in place to help with the distribution of cyber threat intelligence, as are guidelines for what CTI products can be shared without an agreement, and that easy access to intelligence products is facilitated through a self-service platform where stakeholders can find and request CTI products. Finally, we recommend that your organization identifies external audiences that will benefit from shared intelligence products.

Quality and performance

Effective CTI programs continuously improve their products and processes. We recommend that you continuously update and expand your criteria for intelligence products to achieve higher quality products. Your strategic products include recommendations, such as changes to policy and the security strategy, that support the stakeholder decision-making process. Furthermore, intelligence should be available sufficiently early to allow preventive controls to be implemented before a compromise occurs. We recommend that your documentation follows a uniform structure and standard style, where content is determined through a uniform standard. Your documentation on CTI processes is improved by clear characterization, and by processes being well understood in terms of requirements, reasoning, and consequences. Finally, sufficient talent and resources are made available to generate intelligence in a controlled manner. The organisation begins integration of cyber threat intelligence by aligning standards, processes, and procedures, ensuring these are consistent with the requirements set by the organization.

Situational awareness

We recommend that the CTI group develops the capability to recognize patterns based on the observations from the environment. Identify the cyber threats posing a risk to the characterized environment, determine that threat actors might have, and identify to what extent your environment is exposed to such threats.




5. How do you compare?

Your report will be extended with a survey of Cyber Threat Intelligence maturity and will include a comparison of your results with the average progress made by the other submissions. For this, we are waiting for the full Cyber Threat Intelligence Maturity Survey to complete. Specifically, we will enhance your report with a general comparison and a sector-specific comparison. Additionally, it is possible to measure yourself against your peer group(s). You can do this by creating a specific group and having your peers join with their assessment results.

5.1 Comparison with your peers

CTI Maturity peer groups provide the ability to create a group to which you can invite others. Once a certain number of submissions, set by you, has been reached, we will calculate the group's average maturity score and provide you with an automatically generated group report. In addition to this group report, each individual submission will be provided with an automatically generated comparison report, revealing how you compare to the average of your peer group.


This assessment is currently not part of any peer group. To enable this section you can create a peer group, or alternatively join a group to which you have been invited.


5.2 Comparison with submissions from your sector

We are waiting for the full Cyber Threat Intelligence Maturity Survey to complete before unlocking this section. Please check back later.

5.3 Comparison with all submissions

We are waiting for the full Cyber Threat Intelligence Maturity Survey to complete before unlocking this section. Please check back later.



6. Appendix

Assessment Methodology

Based on the domains of CTI generation and integration, as well as the organizational support functions Governance, People and Technology, we analyzed and decomposed each of the focus areas into 29 process groups and 83 concrete business processes and activities that organizations would run to realize the development and support of their cyber threat intelligence program. Not all of these business processes will be of equal importance: for example, a large multinational will require a different CTI generation and support structure than a small or medium enterprise, and an organization just starting out with CTI will pursue different activities than an organization with a mature program.

CTIM: A novel CTI maturity model.

We hence rank each business process and rate it with a maturity level ranging from 0 to 5; in other words, we determine whether it is an essential activity for the successful start of a CTI program, whether it will provide benefit only later on once the business processes around the generation, integration and support of threat intelligence have sufficiently matured, or whether it is an activity only relevant for highly advanced use cases.

In the CTIM survey, we ask you a set of 250 questions that help us assess which activities you are currently pursuing, to which extent you are implementing these processes, and how these processes are connected throughout the organization. From this, we compute your maturity at the level of focus areas and domains as shown below, and thus provide you with very detailed insight into the current level of cyber threat intelligence in your organization, as well as recommendations on how to continue the development of your program.

CTI Maturity Levels

A CTIM maturity level is a well-defined evolutionary stage which describes a certain level of ability for CTI within your organisation. Each level is attributed certain characteristics regarding your CTI processes. The level 'defined', for example, indicates that you have defined your core CTI processes and can perform these repeatedly. More advanced characteristics are attributed to higher maturity levels, where the most advanced are found at level 5. Maturity levels thus provide a path that an organisation can follow when transitioning from ad-hoc CTI to a highly mature environment. The CTI maturity model describes a total of 6 distinct levels, which are displayed in the figure below, followed by a short description of each.

CTIM: A novel CTI maturity model.

  1. Ad-Hoc: The organisation has not started with CTI, or does so following an ad-hoc approach.
  2. Defined: This level indicates that core CTI processes are defined and can be performed repeatedly.
  3. Aligned: The CTI processes are aligned with the organisation following standard processes and procedures.
  4. Controlled: The CTI group measures and controls intelligence production through processes and procedures.
  5. Optimising: The organisation works to optimise the CTI production according to strategic requirements.
  6. Innovating: At this stage the organisation functions at the cutting edge, going beyond optimising its processes by developing new solutions and predicting future actor developments.



Claim your results

You can claim this assessment report by registering for a user account. This will make your report visible only to those with these access credentials. Registration will provide you with a set of recommendations that you can use to grow to the next maturity level. We will perform a CTI maturity survey, and make these results available to users to compare with their own results.





Contact

  • E-Mail: mark -AT- luchs -DOT- nl