Cyber Threat Intelligence (CTI) involves analyzing information about threats and producing guidance on how to respond. An interesting 2020 survey by the SANS Institute on CTI (requires registration) found more organizations than ever adopting CTI programs and focusing on tactics, techniques and procedures (TTPs). The primary goals of these CTI programs, as reported by respondents, are:
- threat detection (89%),
- threat prevention (77%),
- threat response (72%) and
- threat mitigation (59%).
As CTI programs mature they will shift more of their focus to prevention by combining threat intelligence with threat scenarios. The current emphasis on detection reflects the fact that CTI is still primarily a tool for security analysts, whose job is right of bang: they act once an attack is already under way or has already happened.
The report doesn't mention threat scenario modeling at all, even though it is a natural extension of a CTI program. A threat scenario is a summary of the potential consequence(s) of the successful exploitation of a specific vulnerability or set of vulnerabilities by a threat agent. Combining CTI with threat scenarios makes it possible to estimate the likelihood and impact a specific event or chain of events would have on an organization, and to identify appropriate mitigating strategies. This approach entails modeling external threats alongside a deep understanding of the organization's risk appetite and its internal assets and controls, and using those together to define and assess threat scenarios. That is exactly the type of capability expected of a merged red and blue (aka purple) team. Linking CTI (the inherent, externally driven risk) with threat scenarios (the residual risk once internal controls are accounted for) provides a predictive model that enables truly proactive cyber defense.