As the pace of technological development accelerates, building an effective cyber threat intelligence framework has never been more important. The total cost of cybercrime in the US was estimated at $452.3 billion in 2024 and is forecast to rise to a staggering $1.82 trillion by 2028.
Given the potential impact of cyber threats, it’s vital to stay ahead of the curve. Defending against cybercriminals is essentially an arms race: as technology evolves, the techniques used by malicious actors evolve in parallel, so keeping your organization safe requires constant vigilance.
Importance of proactive security
Traditional cybersecurity practices have largely been reactive: they fix a vulnerability after it has been publicly disclosed, and often only after it has already been exploited.
How much better would it be if you could counteract these threats before they actually caused an issue?
That proactive stance, anticipating threats and closing exposures before they are used against you, is the better way to think about the future of security operations. And it’s exactly what a cyber threat intelligence framework is designed to enable.
So, how do you start building this kind of framework? Here are five steps you can take to ensure your organization is taking a proactive approach to security and building an intelligence framework.
1. Conduct a comprehensive assessment
First, assess where you’re starting from. This means taking a full inventory of all your digital assets so you can begin to understand what kind of threats they need to be defended against.
This should include:
- Hardware, including any personal devices used as part of a BYOD policy
- Software, both as-a-service and installed on your hardware
- Systems, such as infrastructure automation
- Data, especially sensitive information such as payroll details or customer accounts
Make sure to include everything that could disrupt your operations if it were compromised. Doing this is essential because not all networks and processes are alike, so there’s no one-size-fits-all threat intelligence framework.
For instance, if your operations use an edge computing approach to maximize processing efficiency, the security challenges you face will differ from those of an entirely cloud-based system.
2. Understand all aspects of threat intelligence
One mistake many organizations make is to focus on the fine detail of individual threats rather than the bigger picture. To avoid this, develop your understanding of the three categories of threat intelligence: tactical, operational, and strategic.
Tactical
Largely technical, this covers immediate, machine-readable indicators of compromise: malicious URLs, phishing email indicators, and IP addresses known to be hostile. It can be gathered from open-source feeds and automated security tools, so it is easy to collect. The downside is that it goes out of date fast: attackers rotate infrastructure, so an indicator that was live last month may be nothing but noise today.
Operational
This requires human analysts at the helm. That’s because it aims to establish why and how threats happen through the skilled interpretation of data. It encompasses tracking the different techniques used and profiling the individuals and groups who pose a threat.
It also identifies where your own environment is exposed to those techniques, for instance how your AI applications could be abused or which current malware families target your stack. This type of intelligence yields longer-lasting insights because attacker tradecraft changes more slowly than the indicators it leaves behind.
Strategic
The big picture. Strategic intelligence analyzes how cyber threats combine with – or are influenced by – larger-scale phenomena such as geopolitical developments and global events. For instance, does your secure hosting provider host sites that might be the subject of politically charged cyberattacks? Paying attention to things like this is essential for figuring out how existing or future threats could impact your business.
3. Collect actionable intelligence from multiple sources
To follow best practice in cybersecurity, you must cast your net wide when collecting data. Don’t simply sit back and rely on standard threat assessments or vulnerability notifications.
Alongside automated threat feeds, these open-source (OSINT) and human intelligence (HUMINT) sources can be invaluable:
- OSINT: Any publicly available sources of information, including news sites, vendor and analyst blogs, vulnerability advisories, or social media.
- HUMINT: Feedback from people in your circle, for instance employees reporting phishing attempts they received, clients, or other stakeholders.
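The tactical intelligence described above and the multi-source collection recommended in this step come together in a small indicator pipeline. The following is an added example, not code from the original article or from SUSE: it merges two constructed feeds (feed_a and feed_b are invented, as are the indicators and proxy log lines), records which sources reported each indicator so that corroboration is visible, expires anything not re-reported within an assumed 30-day window, and matches the remaining indicators against log lines by exact field rather than by substring.

```python
"""Tactical indicator (IoC) handling: merge feeds, expire stale entries,
match against log lines. Added illustration; all feeds and logs below are
constructed sample data, not real threat intelligence."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
import re

# Constructed sample feeds (not real threat data). Each line: type,value,date_seen.
# Real feeds arrive as CSV, JSON or STIX; parse_feed() is the part you adapt.
FEED_A = """\
ip,198.51.100.23,2024-05-01
url,http://203.0.113.9/login.php,2024-04-20
ip,192.0.2.77,2024-06-10
"""
FEED_B = """\
ip,198.51.100.23,2024-05-30
domain,update-check.example,2024-06-12
"""

# Constructed proxy log lines in key=value form (not from any real system).
LOG_LINES = [
    "2024-06-14T10:01:00Z src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2024-06-14T10:02:13Z src=10.0.0.7 url=http://203.0.113.9/login.php action=allow",
    "2024-06-14T10:03:40Z src=10.0.0.9 dst=192.0.2.77 action=allow",
    "2024-06-14T10:04:01Z src=10.0.0.5 dst=203.0.113.50 action=allow",
]

NOW = datetime(2024, 6, 14, 12, 0, tzinfo=timezone.utc)  # assumed "current" time
MAX_AGE = timedelta(days=30)  # assumed expiry window for tactical indicators


@dataclass
class Indicator:
    kind: str            # "ip", "url" or "domain"
    value: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)


def parse_feed(text, source):
    """Parse one feed into Indicator objects tagged with the source that reported them."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, seen = (part.strip() for part in line.split(",", 2))
        when = datetime.fromisoformat(seen).replace(tzinfo=timezone.utc)
        indicators.append(Indicator(kind, value.lower(), when, when, {source}))
    return indicators


def merge_feeds(feeds):
    """Deduplicate on (kind, value); keep the earliest first_seen, the latest
    last_seen, and the set of sources reporting it (corroboration = confidence)."""
    merged = {}
    for source, text in feeds.items():
        for ind in parse_feed(text, source):
            key = (ind.kind, ind.value)
            current = merged.get(key)
            if current is None:
                merged[key] = ind
            else:
                current.first_seen = min(current.first_seen, ind.first_seen)
                current.last_seen = max(current.last_seen, ind.last_seen)
                current.sources |= ind.sources
    return merged


def active_indicators(merged, now=NOW, max_age=MAX_AGE):
    """Drop indicators no source has re-reported within max_age: tactical IoCs
    go stale, and matching on old ones mostly produces noise."""
    return {key: ind for key, ind in merged.items() if now - ind.last_seen <= max_age}


KV_RE = re.compile(r"(\w+)=(\S+)")


def observables(line):
    """Extract exact-match candidates from a key=value log line. Matching whole
    fields avoids the classic substring bug where 198.51.100.2 'matches' 198.51.100.23."""
    found = set()
    for key, val in KV_RE.findall(line):
        if key == "dst":
            found.add(("ip", val))
        elif key == "url":
            found.add(("url", val.lower()))
            host = urlsplit(val).hostname
            if host:
                found.add(("domain", host.lower()))
    return found


def match_logs(indicators, log_lines):
    """Return (log line, indicator) pairs for every observable that hits an active IoC."""
    hits = []
    for line in log_lines:
        for key in observables(line):
            if key in indicators:
                hits.append((line, indicators[key]))
    return hits


def run(feeds=None, log_lines=LOG_LINES, now=NOW):
    feeds = feeds or {"feed_a": FEED_A, "feed_b": FEED_B}
    merged = merge_feeds(feeds)
    live = active_indicators(merged, now)
    return merged, live, match_logs(live, log_lines)


if __name__ == "__main__":
    merged, live, hits = run()
    print(f"{len(merged)} unique indicators, {len(live)} still active")
    for line, ind in hits:
        print(f"HIT {ind.kind}={ind.value} sources={sorted(ind.sources)}\n    {line}")
```

With the sample data, the expired URL indicator never fires even though a log line contains it: that is the trade-off expiry makes, fewer stale-indicator false positives at the cost of missing a reactivated asset, which is why the window should be a tunable you revisit in step 5 rather than a constant.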
4. Choose the right cyber threat intelligence tools
You have a wide variety of available tools to assist you in setting up your own cyber threat intelligence framework, but the right one for your organization will depend on how you operate.
Factors to consider before selecting a suitable threat intelligence tool include:
- Sources of data: You’ll hopefully be using OSINT and HUMINT sources as recommended above. But it’s also crucial to check which and how many sources your intelligence tool draws from, and how often each is refreshed, since tactical indicators age quickly. The more – and the more reputable – the better.
- Scope: Be clear about the scope of research and implementation you need your tool to satisfy. For example, you may prefer it to focus on real-time threat intelligence or on longer-term strategic considerations.
- User-friendliness: Don’t forget usability. Ideally, the interface should be as intuitive as possible so that your team can adopt the tool and act on its output without a steep learning curve.
- Customization options: It’s important that you can tailor your intelligence to your specific organization’s goals. Ensure there are sufficient customization options to meet your needs. As well as threat intelligence tools, it’s a good idea to invest in customized learning content that helps your team stay up to date with the latest cybersecurity best practices.
5. Monitor and fine-tune your strategy
Once you’ve developed your strategy and put it into action, you must monitor its effectiveness in the real world.
Conduct regular reviews of how your framework is performing: track which indicators and sources actually produce confirmed detections, how many alerts turn out to be false positives, and whether your vulnerability checks are finding issues before attackers do. Do you notice an uptick in suspicious activity around your event ticketing platform? Maybe it’s time to change providers. Where you find gaps, tweak your strategy to fill them.
Summary
The core objective of any cyber threat intelligence framework is to keep your organization safe. And there are two fundamental elements to achieving this: being prepared and staying alert. The first lays the groundwork for effective everyday security, and the second means you’ll be ready if a crisis hits.
With a well-considered intelligence framework in place, both of these are achievable. As long as you establish rigorous procedures, monitor multiple reliable data sources consistently, and focus on deriving actionable insights, you’ll be putting your organization in an excellent position, whatever cyber threats may come your way.
Eric Wahlquist is Senior Content Marketing Manager at SUSE.