Common Objectives of a Threat Intelligence Program - How to Define and Build an Effective Cyber Threat Intelligence Capability (2015)

Chapter 4. Common Objectives of a Threat Intelligence Program

In this chapter we cover the common reasons to launch a cyber threat-intelligence program, including: raising or lowering revenue, profit, satisfaction, expense or risk, or ensuring compliance with regulatory requirements.

Examples of data at risk: customer data, credit card data, personal identity information, intellectual property.

So far we have spoken very conceptually. But perhaps you are wondering, “what are the common ‘whys’ in a real-world implementation?” As you know by now, they can be raising or lowering revenue, profit, satisfaction, expense, or risk, or ensuring compliance with some kind of requirement or regulation. So how does that translate into actual mission activities?

Here are a few common examples that come up time and again when experts talk to their customers.

1. Prevent, identify, and investigate leaks of intellectual property or other internal data. This can be customer data, credit-card data, Personal Identity Information (PII), blueprints, schematics, or the company’s crown jewel, say, a new holographic smartphone. Whatever the intellectual value, the digital assets within the perimeter are supposed to stay there. Stop them from getting out; figure out where they have already gotten out. If the latter is true, investigate what is out and how it happened.

2. Reduce the risk of consumer PII loss or other customer-data breach. This is not necessarily from inside as in the case of intellectual property. It may be because of supply chains, your ecosystem, your vendor, partner, or provider. Take for instance the massive breach at Target; according to published reports, the attack was believed to have started with the social engineering of an HVAC subcontractor. Your intellectual property and customer data are always at risk, and not necessarily from just within your own network perimeter.

3. Increase compliance or reduce the risk of noncompliance, a regulatory sanction, fine, or other potential consequence of your employees, contractors, partners, or suppliers not doing what they are supposed to do.

4. Reduce expenses incurred by online fraud or other cybercrime activity.

4.1. Once you have your why...

Once you have a “why,” that is, a business objective and a defined mission, you will be able to define what kind of intelligence you need to support it. You cannot define what kind of intelligence or data you want to input, ingest, receive, purchase, output, or deliver to management or constituents if you do not know why you are doing it. In other words, the “why” defines the “what.”

Once you know what you want to do, and what kind of mission activities you need to support, you can look at how you would implement it. This means that you can choose to build it in-house, outsource it from a vendor, staff it internally or via contractors, or “plug this into that.” You cannot determine which of these to go for until you know what it is you are trying to accomplish and why you are doing it. Once you know, you can pick an implementation that would work, for example, a cloud-based model, an internal model, a fusion center, data feeds, and so forth. Whatever it is, once you know how you are going to implement it, you know how to prequalify anyone who is trying to help, support, or sell it to you. Put simply, you proceed from WHY to WHAT to HOW to WHO. The process almost always has to go in that order, and for that reason this is the framework and sequence used throughout the rest of this book.