In this chapter, we’ll take a look at the questions you need to ask yourself before you start collecting cyber threat intelligence. Then we’ll move on to implementation, I promise!
Identify Who Receives Your Intelligence
The first step to effective dissemination is to identify who will use the information you’ve collected and analyzed. So, in your organization, who are the likely recipients of your cyber threat intelligence? Here are a few examples:
Board of directors and senior management
In-house IT security teams
Cybersecurity consultants
CIO/CISO
Compliance officers
Information technology (IT) managers
Cyber risk awareness specialists
Incident response specialists
Vulnerability management specialists
SOC and threat analysts
Imagine you’re working as a SOC analyst in a large company. Your recipients may include the Chief Information Security Officer (CISO), security operations teams, and even the board of directors for strategic decisions. Their expectations are clearly not the same, so it’s best to know who you’re talking to as early as possible.
The content of the information and how often you disseminate it are also key aspects you need to think about before you start collecting data.
Define the Content and Dissemination Frequency
Make sure you are aligned with the threat intelligence goals you set earlier. This means choosing which information to include in your threat intelligence reports and which to leave out. For example, for operational threat intelligence, you don’t need to report a vulnerability in software your company doesn’t use.
In addition, you need to define how often you want to disseminate your results. Are you going to share your results on an ad hoc or regular basis? You’ll need to factor in how critical the information you’re sharing is and how urgently your organization needs to make decisions. For example, you will probably need to disseminate information on a major vulnerability immediately, while you could group together other information in a periodic report.
If you work as a threat analyst for a government agency, your goals may include early detection of attacks and protection of critical infrastructure. This means you’ll need to share information on emerging threats, indicators of compromise, and critical vulnerabilities. In terms of frequency, you should share information on emerging threats as soon as you detect them, and produce monthly reports to provide a full picture.
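The content and frequency rules described above can be written down as a small routing policy. The following Python is an added example, not part of the original course; the inventory, audience map, severity scale, threshold and sample items are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: software the organization actually runs (assumption).
INVENTORY = {"nginx", "openssl", "postgresql"}

# Hypothetical dissemination plan: recipient group -> kinds of intel it receives.
AUDIENCES = {
    "soc": {"ioc", "vulnerability"},
    "vuln-management": {"vulnerability"},
    "ciso": {"vulnerability", "trend"},
    "board": {"trend"},
}
IMMEDIATE_THRESHOLD = 9.0  # assumed cut-off for a "major" item on a 0-10 scale

@dataclass
class IntelItem:
    title: str
    kind: str            # "vulnerability", "ioc" or "trend"
    severity: float      # 0-10, assumed scoring
    product: str = ""    # affected software, if any

def route(item):
    """Return (channel, recipients), or None when the item is left out."""
    # Content rule from the text: skip vulnerabilities in software we don't use.
    if item.kind == "vulnerability" and item.product.lower() not in INVENTORY:
        return None
    recipients = sorted(g for g, kinds in AUDIENCES.items() if item.kind in kinds)
    if not recipients:
        return None
    # Frequency rule: major items go out at once, the rest wait for the report.
    channel = "immediate" if item.severity >= IMMEDIATE_THRESHOLD else "periodic"
    return channel, recipients

def build_plan(items):
    plan = {"immediate": [], "periodic": [], "dropped": []}
    for item in items:
        channel, recipients = route(item) or ("dropped", [])
        plan[channel].append((item.title, recipients))
    return plan

# Constructed sample items (not real advisories).
SAMPLE = [
    IntelItem("Critical RCE in nginx", "vulnerability", 9.8, "nginx"),
    IntelItem("Medium bug in postgresql", "vulnerability", 5.3, "postgresql"),
    IntelItem("Critical flaw in a CMS not deployed here", "vulnerability", 9.9, "examplecms"),
    IntelItem("Phishing domain seen in sector", "ioc", 6.0),
    IntelItem("Quarterly ransomware trend", "trend", 4.0),
]
```

Calling `build_plan(SAMPLE)` returns the items grouped into immediate alerts, periodic report entries, and items left out, each with the recipient groups that should receive it.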
Think About the Format of Your Threat Intelligence Results
Next, you’ll need to format your threat intelligence results so you can disseminate them in the most effective way. This means creating deliverables in a format that’s appropriate for the recipients. Format options include the following:
Written reports
Internal communications through business email or messaging solutions
Online dashboards
Face-to-face briefings
Presentations
Blog posts for wider dissemination
Social media posts to reach a wider audience
Newsletters for regular, structured dissemination
As a threat analyst, you could produce detailed threat intelligence reports for your security team, send internal emails to keep the whole company informed, and write blog posts to share information with the cybersecurity community.
You could also use charts and infographics to help operational teams understand more about security trends.
Whichever format you choose, make sure you present the information in a concise way and use data visualization and storytelling techniques to make the results more accessible. Tools like ChatGPT can be useful for digesting complex information and presenting it concisely.
I’ll be sharing plenty of examples with you in Part 3 of the course, when it is finally time to disseminate your results!
In the meantime, here’s an article about a cybersecurity team’s solution for automatically sending customized newsletters to its customers.
You now know who the recipients of your threat intelligence will be, the type of information you’ll be sending them, how often, by what means, and in which format. All you need to do now is work out how often you should collect the information.
Decide How Often You’ll Collect Threat Intelligence
The key to successful cyber threat intelligence is deciding how often you will collect, process, and analyze the information you’re interested in.
Current developments, your availability, and your specific goals will influence how often you collect your threat intelligence.
If you work in an environment where threats evolve rapidly, collecting threat intelligence daily may be necessary. But if you have a large volume of information to process, it may be more realistic to schedule weekly or monthly threat intelligence collections.
Let’s Recap!
Define the dissemination scope by identifying the recipients and the appropriate means of communication.
Choose the content and dissemination frequency based on your threat intelligence goals.
Format your threat intelligence results so they’re optimized for your recipients, using appropriate formats and effective communication tools.
Decide how often you’ll collect threat intelligence based on your goals, the volume of information, and your availability.
Congratulations, you’ve completed the first part of the course! In the next part, you’ll at last be setting up your threat intelligence, including your sources, how to organize the information, how to process it, and which tools to use. But first, I encourage you to take our first quiz! Good luck!