What on earth can Kentucky Fried Chicken and good cyber threat intelligence (CTI) have in common? Do they both have a secret recipe? Are they both finger-licking good?
No. It is a lot simpler than that. Both KFC and good intelligence have three things in common.
- They are both relevant
- They are both timely
- They are both actionable
These are the key pillars to having a finger-licking good time at KFC and are the backbone of what makes threat intelligence good.
My years of sifting through threat intelligence have taught me that whenever you assess the intelligence your CTI team is ingesting, you should always measure it against these three metrics. If the intelligence fails in any of these three, it’s time to improve its quality and, with it, the overall effectiveness of your CTI program.
Let’s dig in and see how these three metrics can help you assess what good threat intelligence is.
Good Threat Intelligence is Relevant
Cyber threat intelligence needs to be relevant to the organization you are protecting.
There is a whole host of intelligence that is produced every day about the latest threats and vulnerabilities. This information can be easy to get lost in. Often CTI teams focus on the stuff that is making the headlines rather than what is relevant to their organization.
For instance, if a new CVE is causing havoc for businesses worldwide but is irrelevant to yours, there is no point in searching for its Indicators of Compromise (IOCs). If a prominent threat actor is targeting companies based in Asia and you operate exclusively in Europe, you probably don’t need to perform threat hunts looking for this threat actor’s tactics/techniques/procedures (TTPs).
Just as when you go to KFC, you are probably looking for fried chicken rather than a salad. Good intelligence is what your organization wants (or needs) to ingest. It is the vulnerabilities related to your software and the threat actors targeting your business, sector, or country.