What information do you need?
If you haven't got the time to look at every source of information that is available, you need to decide which sources will provide the information your PIRs call for, then validate those sources and apply confidence ratings to their usefulness and accuracy. A data source that supplies smoke and mirrors won't help you achieve an improved risk posture.
At this point, you need a human: a real-life analyst asking "Does the data support our PIRs? Is it useful? Is it actionable?"
Asking these questions allows the analyst to verify, remove false positives, add context and ultimately prepare recommended actions around emerging threats.
Who needs to know?
What is the greatest deterrent to effective, actionable cyber threat intelligence? Silos. An effective threat intelligence program includes a strategic approach to collaboration and information sharing. This doesn't simply mean sharing CSVs of IOCs (Indicators of Compromise) with internal security teams, but disseminating actual human-readable intelligence briefs.
There are many different groups within an organisation, and each is better served by having the information presented in a different form. Some technical groups could use threat intelligence to configure internal security infrastructure to passively detect new cyber threats, whereas abbreviated, impactful, targeted content that reveals new, specific business risks may help inform executive leadership's decision-making.
When looking at your communications model for your program, you need to be asking: What type of information would help enhance my organisation’s awareness and prioritisation? How best should I transmit that information? What type of information is applicable to which audience?
The end-game: prevent, disrupt, and respond
The aim for any organisation building a threat intelligence program should be to move from a reactive state to a more proactive approach — to get ahead of cybercrime. The use of intelligence data must go beyond simply blocking an attack before it can breach the network. The objective must include disrupting the attacker's ability to achieve their desired goal, which means your threat intelligence program and systems need to provide actionable intelligence.