5 Steps to Prepare an Effective Threat Intelligence Plan


If you know where to look, bad actors expose clues and insights about upcoming attack plans. David Carmiel, CEO of KELA, offers practical advice for creating a threat intelligence plan for powering proactive and preventative steps to improve digital defenses.

We live in interesting times. The current reality is that every organization – private or public sector, from small business to big enterprise – is at risk from the ever-growing cybercrime ecosystem. Cybercriminals continually search for new opportunities to achieve one simple goal: monetizing the data they obtain through illicit means.

Most of us dwell in the surface layer of the internet, where popular browsers and websites exist. But cybercriminals are active in the hardest-to-reach corners of the cybercrime underground, which many of us never see or even know about. 

Organizations have a constant need to defend against and defeat these bad actors, but are challenged by not knowing where to look, what they should be looking at or having enough staff resources with the skills to figure it out. Even if they had those capabilities, most organizations do and should have policies that prohibit employees from searching the dark web. In some sectors, it’s even legally prohibited. The result is a lack of insight into the true threats an organization may be facing. They don’t know what’s coming until it’s too late.


It doesn’t have to be that way. There are practical steps that all organizations can take towards gaining and using an intelligence plan that will help them better defend their valuable digital assets.

1. Be proactive, not reactive

The offense is the best defense. Don’t wait for an attack to happen; work to proactively defeat cyber threats before they cause harm. Start now by educating yourself on the need for threat intelligence, and by identifying how your organization can stay current on what cybercriminals are talking about and trading in. That picture changes quickly.

2. Establish a method of operations

Decide whether you want to engage an outsourced team to manage your threat intelligence efforts or build an in-house team of analysts to do it. As already noted, your team may not have the skills, knowledge or permission to collect intelligence in all of the places criminal actors dwell. If you do have the in-house option, make sure your analysts are experienced enough to know what kinds of threats to look for and how to assess them when found. Be sure to think about automated vs. manual intelligence collection. Manual collection may make sense when you’re getting started, but over time automation will help scale your efforts as your organization and its points of risk grow. Manual investigations are also subject to human error, and teams can naturally overlook threats that are relevant and critical to your organization’s safety. Automating operations can improve efficiency and make sure things aren’t missed.


3. Map out your key assets

Next, map out all possible entry points that cybercriminals could leverage to get into your organization. It’s easy to overlook things, so make the time and effort to understand everything that could affect your organization’s security. Cybercriminals are good at connecting dots, so consider all possible paths of ingress: physical assets like your key executives and their family members, digital assets such as your domains or IP addresses, and even your supply chain and cloud providers that can provide access to your systems.

4. Define KPIs

As you create your plan, think about how to determine when you have reached your threat intelligence goals. Define clear key performance indicators that will help you calculate the return on your intelligence investment. This can be a bit tricky because it’s not easy to calculate the damage from what could have happened but didn’t because you prevented an attack. Still, you can define scores or levels of exposure that you want to reach, specific actors you want to track, patching of vulnerabilities in your software infrastructure, and other tangible goals based on your key asset mapping.
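Steps 3 and 4 are easier to reason about with something concrete. The following is an added example, not code from the article or from KELA: a small Python model that ties an asset map (step 3) to measurable KPIs (step 4). Assets carry a criticality, and each intelligence observation an analyst or collector records is matched back to an asset with a severity and a remediation flag. From that, the script derives an exposure score, a remediation rate, hit counts for watched actors, and a list of references that point at things missing from the asset map. All asset names, actor handles, sources and numbers below are constructed for illustration; the scoring formula is an assumption chosen for simplicity, not an industry standard.

```python
"""Toy threat-intelligence KPI tracker (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    """One entry in the key-asset map (step 3)."""
    name: str         # domain, IP, person or supplier label
    kind: str         # "domain", "ip", "person", "supplier"
    criticality: int  # 1 (low) .. 5 (crown jewel), analyst-assigned


@dataclass(frozen=True)
class Observation:
    """One piece of collected intelligence that references an asset."""
    source: str       # where it was seen (constructed labels below)
    actor: str        # handle of the posting actor (constructed)
    reference: str    # asset name the observation points at
    severity: int     # 1 (noise) .. 5 (imminent), analyst-assigned
    remediated: bool  # e.g. credentials reset, patch applied, access revoked


# Constructed asset map. 203.0.113.0/24 and .invalid are reserved for docs.
ASSETS: List[Asset] = [
    Asset("www.example.invalid", "domain", 4),
    Asset("vpn.example.invalid", "domain", 5),
    Asset("203.0.113.10", "ip", 3),
    Asset("CFO", "person", 5),
    Asset("payroll-vendor", "supplier", 4),
]

# Constructed observations, as a collector or analyst might record them.
OBSERVATIONS: List[Observation] = [
    Observation("forum-A", "actor_x", "vpn.example.invalid", 5, False),
    Observation("market-B", "actor_y", "www.example.invalid", 2, True),
    Observation("chat-C", "actor_x", "203.0.113.10", 3, False),
    Observation("forum-A", "actor_z", "old-api.example.invalid", 4, False),
]

WATCHED_ACTORS = {"actor_x", "actor_y"}  # step 4: specific actors to track


def exposure_score(assets: Iterable[Asset], obs: Iterable[Observation]) -> int:
    """Sum of criticality * severity over unremediated, mapped observations.

    Assumed formula: it makes a high-severity hit on a crown-jewel asset
    dominate, and drops to zero as observations are remediated.
    """
    by_name = {a.name: a for a in assets}
    return sum(
        by_name[o.reference].criticality * o.severity
        for o in obs
        if not o.remediated and o.reference in by_name
    )


def remediation_rate(obs: List[Observation]) -> float:
    """Fraction of observations already acted on (1.0 when nothing is open)."""
    if not obs:
        return 1.0
    return sum(1 for o in obs if o.remediated) / len(obs)


def actor_hits(obs: Iterable[Observation], watched: Iterable[str]) -> Dict[str, int]:
    """How often each watched actor referenced one of our assets."""
    counts = {a: 0 for a in watched}
    for o in obs:
        if o.actor in counts:
            counts[o.actor] += 1
    return counts


def unmapped_references(assets: Iterable[Asset], obs: Iterable[Observation]) -> List[str]:
    """References to things absent from the asset map: step 3 missed an entry point."""
    names = {a.name for a in assets}
    return sorted({o.reference for o in obs if o.reference not in names})


def kpi_report(assets: List[Asset], obs: List[Observation], watched: Iterable[str]) -> Dict[str, object]:
    """Bundle the KPIs so they can be compared against targets over time."""
    return {
        "exposure_score": exposure_score(assets, obs),
        "remediation_rate": remediation_rate(obs),
        "actor_hits": actor_hits(obs, watched),
        "unmapped_references": unmapped_references(assets, obs),
    }


if __name__ == "__main__":
    for key, value in kpi_report(ASSETS, OBSERVATIONS, WATCHED_ACTORS).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report shows an exposure score of 34 driven almost entirely by the open VPN observation, a 25% remediation rate, two hits for `actor_x`, and one reference (`old-api.example.invalid`) that the asset map does not know about. That last KPI is the one that feeds step 5: every unmapped reference is a prompt to revisit the asset map rather than silently discard the observation.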

5. Continually re-evaluate your plan in the context of changing needs

First, congratulate yourself for developing and executing on a solid plan. You are a big step ahead of many of your peers. But your plan cannot stay static, because cybercriminals and their methods are always changing. Your security protocols must adapt to that shifting ecosystem. Take, for example, Initial Access Brokers (IABs), middlemen selling compromised network access to the highest bidders on the dark web. IABs weren’t a serious threat even two years ago, but now they are critical because they significantly facilitate network intrusions for ransomware operators. There are always new forums, marketplaces, Telegram channels and more; these must be constantly tracked.

All of this can feel a bit daunting, but it’s a must in today’s digital environment. Don’t despair. A good plan and the right team, whether in-house or a trusted partner, will go a long way in keeping your organization safe.
