
Operationalizing a Cyber Threat Intelligence Solution

December 21, 2016

Cyber threat intelligence is the process that makes action-oriented, judgement-based decisions possible that could not otherwise be made. To properly produce, consume and act upon cyber threat intelligence, Optiv recommends a threat modeling approach built on four essential attributes of threat agents, mapped back to the organization's security posture, and a six-stage course-of-action template.

Operationalizing a cyber threat intelligence solution begins with aligning to a risk management strategy. A cyber threat intelligence solution is focused upon identifying high value assets (crown jewels) and the mitigation controls that are in place to detect or prevent attacks. The outcome of this process is enhanced situational awareness mapped back to risk management for an organization. This results in identification of threats to high-value assets, gaps in controls that need to be mitigated and aligned with assigned risk, and the ability to influence policy decisions both within the security organization and aligned to the strategic goals of the business.


To begin, security organizations need to ask these three questions:

  • What is it I am trying to protect? 
  • Who am I trying to protect it from? 
  • How do I protect it from those who want it?

This start is known as threat modeling. It is a great way to understand how you can begin security alignment with the business, and should be driven by cyber threat intelligence. Security professionals need to engage with their business stakeholders to understand their most valuable assets from their perspective. For some, these are digital assets, such as sensitive employee data, client lists or intellectual property; for others, these are physical, such as particular office sites in high-risk areas, key executives within the organization or assets that don’t reside full time on corporate property.

Once data is collected, cyber threat intelligence is engaged to determine threat actors or agents that may potentially target sensitive assets and how they would do so. It is necessary for intelligence analysts to keep a repository of relevant threat agents and groups, and the common courses of action they take to meet their goals. 

Threat Agents

Threat agents are a group of attackers or an individual actor that has the means and opportunity to conduct an attack. It is important to note that threat actors exist regardless of intent. An untrained employee who has access to a critical asset has the same means and opportunity as an internal spy. If there is malicious intent, it is important to understand threat agent means to enable a threat modeler to infer inherent capabilities of the attacker based on historical analysis of kill chain models or the courses of action an attacker may take.

The first step of this process is to categorize and define the types of threat agents that would pose a risk to the organization. Intel Security created a foundational Threat Agent Library that describes 22 types of threat agents and their motivation, such as financial gain, intellectual property theft or business disruption. Once the motivation of the potential threat agent is estimated, you can map out potential courses of action that threat agents take to meet objectives.

Additional analysis of threat agents is then performed to establish considerations that allow for the development of potential courses of action. There are four main attributes the analyst must contemplate:

  • Composition and Strength: Is the threat agent a group or individual? If it is a group, what is the association?
  • Tactics: Do we have intelligence on historical courses of action?
  • Logistics: What does their infrastructure look like; command and control servers; potential nation-state sponsored or funded?
  • Effectiveness: Are there previously or historically identified successful attacks, and how effective were they?

A threat modeler requires access to intelligence information regarding the above factors.  If such intelligence is not available, it is necessary to develop intelligence requirements for the collection and analysis to enable this stage of threat modeling.

Courses of Action

Threat agent courses of action can be described as attack patterns or kill chains. Based on historical patterns and the agent's means and intent, a threat modeler can develop templates for the anticipated courses of action that may be taken to meet an attacker's objective.

For example, a web application developed for a healthcare provider is targeted by a threat agent to obtain sensitive data. We can use the following attack pattern to develop the threat agent’s course of action if their intent is to sell stolen protected health information (PHI). In this case, we will identify the threat agent as a “data miner”:

  • Stage 1: Reconnaissance
    Threat agent researches and identifies vulnerable parameter in a web application.
  • Stage 2: Develop
    Threat agent develops or reuses available tools to create the most effective method of exploitation.
  • Stage 3: Attack
    Enumerate and escalate: Threat agent tries to identify all accessible data items (enumeration) – as the current user on the current server, and also by trying to increase access to other users and other servers (escalation).
  • Stage 4: Exploration
    Threat agent prioritizes data identified previously and starts retrieval or exfiltration from the target.
  • Stage 5: Theft
    Data leverage: Threat agent impersonates users using stolen credentials, makes fraudulent claims using stolen healthcare insurance information and monetizes PHI in the eCrime marketplace.
  • Stage 6: Disclosure
    The victim, the attacker, researchers and/or journalists disclose breach.

Figure 1: Web Application Attack Course of Action

A threat modeler repeats this process until all potential courses of action are identified. This provides a full picture of the threat landscape for the asset, and of which courses of action offer each agent the greatest gain toward its objectives.
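The following is an added example, not Optiv's code or tooling, of how the pieces described above can be kept together in one repository: each threat agent carries the four attributes (composition, tactics, logistics, effectiveness), its course of action is recorded as an ordered list of the six stages, the controls already in place on a crown-jewel asset are mapped to the stages they detect or prevent, and the gaps that feed back into risk management are computed from that mapping. The agents, controls, asset and effectiveness scores are constructed sample data; the scoring formula in `prioritize` is an assumption for illustration, not a published Optiv method.

```python
"""Added example (not from the original post): a minimal threat-model
repository that records threat agents with the four attributes above,
attaches a six-stage course of action, maps existing controls to stages,
and reports the stages an agent can traverse with no detection or
prevention in place.  All data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    """The six stages of the course-of-action template."""
    RECON = "Reconnaissance"
    DEVELOP = "Develop"
    ATTACK = "Attack"
    EXPLORATION = "Exploration"
    THEFT = "Theft"
    DISCLOSURE = "Disclosure"


@dataclass
class ThreatAgent:
    name: str
    motivation: str
    composition: str        # group or individual, and any association
    tactics: list[Stage]    # historical course of action, in order
    logistics: str          # infrastructure, C2, sponsorship
    effectiveness: float    # 0..1, estimated from past successful attacks


@dataclass
class Control:
    name: str
    stages: set[Stage]      # stages this control applies to
    effect: str             # "detect" or "prevent"


@dataclass
class Asset:
    name: str
    targeted_by: list[str]  # names of agents believed to target it
    controls: list[Control] = field(default_factory=list)


def stage_posture(asset: Asset) -> dict[Stage, str]:
    """Best control effect per stage: 'prevent' beats 'detect' beats 'none'."""
    posture = {s: "none" for s in Stage}
    for c in asset.controls:
        for s in c.stages:
            if c.effect == "prevent" or posture[s] == "none":
                posture[s] = c.effect
    return posture


def coverage_gaps(asset: Asset, agents: dict[str, ThreatAgent]) -> dict[str, list[Stage]]:
    """Per targeting agent, the stages of its course of action that no control covers."""
    posture = stage_posture(asset)
    return {name: [s for s in agents[name].tactics if posture[s] == "none"]
            for name in asset.targeted_by}


def prioritize(asset: Asset, agents: dict[str, ThreatAgent]) -> list[tuple[str, float]]:
    """Rank agents by effectiveness times the fraction of their kill chain left uncovered.
    (Illustrative scoring assumption, not a published method.)"""
    scores = {}
    for name, missing in coverage_gaps(asset, agents).items():
        agent = agents[name]
        scores[name] = round(agent.effectiveness * len(missing) / len(agent.tactics), 2)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample repository ------------------------------------------
AGENTS = {
    "data miner": ThreatAgent(
        name="data miner", motivation="financial gain (sell stolen PHI)",
        composition="individual with eCrime marketplace association",
        tactics=[Stage.RECON, Stage.DEVELOP, Stage.ATTACK,
                 Stage.EXPLORATION, Stage.THEFT, Stage.DISCLOSURE],
        logistics="rented hosting and reused commodity exploitation tools",
        effectiveness=0.6),
    "untrained employee": ThreatAgent(
        name="untrained employee", motivation="none (accidental exposure)",
        composition="individual, internal",
        tactics=[Stage.EXPLORATION, Stage.DISCLOSURE],
        logistics="legitimate access, no attack infrastructure",
        effectiveness=0.3),
}

PATIENT_PORTAL = Asset(
    name="patient portal web application (PHI)",
    targeted_by=["data miner", "untrained employee"],
    controls=[
        Control("WAF with injection signatures", {Stage.ATTACK}, "prevent"),
        Control("Database query logging and alerting", {Stage.EXPLORATION}, "detect"),
        Control("Egress DLP on PHI patterns", {Stage.EXPLORATION}, "detect"),
        Control("Stolen-credential monitoring", {Stage.THEFT}, "detect"),
    ],
)

if __name__ == "__main__":
    for name, missing in coverage_gaps(PATIENT_PORTAL, AGENTS).items():
        print(f"{name}: uncovered stages -> {[s.value for s in missing]}")
    print(prioritize(PATIENT_PORTAL, AGENTS))
```

Run as-is, the report shows the "data miner" walking through Reconnaissance, Develop and Disclosure with nothing in place to see it, which is exactly the recon-and-development gap the closing paragraph tells organizations to look for first; the controls are concentrated on the Attack and Exploration stages where most security spend tends to land.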

Organizations that utilize a cyber threat intelligence model must rely heavily on analyzing and consuming cyber threat intelligence information, with a dedicated decision maker influencing risk management. It is imperative that organizations begin this process by identifying the reconnaissance and development stages mapped against risk management for their crown jewels. This helps ensure proactive protection, and results in the appropriate steps to minimize damage should an incident occur.


By: Danny Pickens

Senior Director, Threat Management Operations
