How to mature your organisation’s threat intelligence capabilities - PwC
June 25, 2024
Integrating threat intelligence into cyber defence operations, as well as other key groups across organisations, is key to shifting the advantage in the defenders’ favour and building cohesive relationships.
Prevalent. Pervasive. Persistent. These three Ps increasingly describe the macro trends for many types of cyber threats, challenging many SecOps teams to evolve and mature their practices, as well as take a broader approach to risk management. As the cyber threat landscape evolves and expands through other domains, having an internal, multifaceted intelligence capability is key.
1. Understand and prioritise threats
Organisations are challenged, not just by the malicious threat actors themselves but also by regulators and shareholders, to address an increasing number of emerging threats as technology and operational demands evolve. Implementing threat intelligence leading practices can help an organisation better understand the threat landscape in the context of its unique considerations and concerns, such as the company’s operating footprint, strategy for growth, specialised intellectual property, and sensitive datasets and customers. The landscape can further shift based on other considerations, such as threat actors targeting the company’s sector or industry, as well as their potential motivation for targeting the company specifically (e.g., for extortion using stolen data, or for the theft of sensitive research and development).
Threat intelligence can then help determine which threats need to be prioritised within the organisation and how, such as by assessing potential impact as well as how proximate the threats are to the organisation. For example, has the same or similar threat actor compromised the organisation’s environment in the past, or has the threat actor compromised a specific technology that is used by the organisation? A threat intelligence function can then develop and implement tailored intelligence requirements to cast these priorities to other elements of the organisation, such as threat detection and vulnerability management. These actions demonstrate an organisation is using threat intelligence to inform its security operations to focus on the most pressing threats for risk management.
Having multiple intelligence sources, perspectives, and backgrounds on threats is essential to building the collective expertise within a threat intelligence function, especially when considering how much the spectrum of threat actors, capabilities, and targeting operations has grown in recent years. While many threat actors continue to use techniques and tooling that have been effective for years, we are seeing more threat actors conducting operations through capabilities that are shared, sold by commercial quartermasters, or even “leased,” such as affiliates working with the operators of Ransomware-as-a-Service programmes. Ransomware threat actors, and cyber criminals more broadly, have for a long time been opportunistic in their operations; however, as cyber threats grow more pervasive and sophisticated, we are observing financially motivated threat actors refining their approach to victimisation to maximise their illicit proceeds. Further, threat actors of all motivations are increasingly demonstrating their dynamic nature and ability to quickly exploit opportunities.
Threat actors motivated by espionage, sabotage, and hacktivism continue to conduct tailored operations against victim organisations for a number of reasons, such as intelligence collection, intellectual property theft, and downstream and upstream targeting against sensitive entities, such as client bases, supply chains, and sensitive operations or projects. Threat intelligence, and specifically threat landscape reports, consider these factors and provide additional information about these prioritised threats, such as common or overlapping tools, techniques, and procedures (TTPs) to build security controls around. Threat landscape reports can also assist with intelligence-led penetration testing and controls testing.
Visualising threat intelligence in your organisation
Threat intelligence can take various forms in your organisation, depending on a range of variables such as requirements, resources, and adjacent teams and structures. Threat intelligence functions can also evolve over time within your organisation as its capabilities and remit shift.
Regardless of how and where threat intelligence may sit within your organisation, its remit will also be determined by the needs of your organisation and may involve the following:
Technical analysis, such as infrastructure, malware, initial access, vulnerability exploitation, deep and dark web (DDW), and open source intelligence (OSINT).
Strategic analysis and management, such as geopolitical and technological issues, anticipatory intelligence and forecasting, intelligence requirements, stakeholder analysis, and collection posture.
Explore some of the high level forms threat intelligence can take in an organisation, and note that some threat intelligence functions may resemble a combination of these.
1. Collateral responsibility
2. Embedded capability
3. Standalone programme
2. Integrate intelligence through cross-functional workflows and teams
Numerous stakeholders within an organisation benefit from threat intelligence, especially when clear processes and workflows exist to support consistent communication and follow-up actions. For example, having a process to query the company’s threat intelligence function for context around a specific issue will assist the organisation as it navigates an evolving threat landscape or specific situation. By developing cross-functional workflows and teams, an organisation is encouraging proactive communication, triage, action, and feedback concerning cyber threats and other related issues across teams, such as SecOps, incident response, risk management, etc. Threat intelligence may highlight a critical vulnerability which is being actively exploited by threat actors, and these workflows will support the organisation’s identification, escalation, and remediation efforts. These activities demonstrate an organisation is using threat intelligence to quickly identify, respond to, analyse, and develop additional mitigations against relevant cyber threats, and that these processes are supported by multiple elements of the organisation.
3. Maximise intelligence from internal systems and operations
Internal data, such as information collected from systems monitoring the organisation’s environment (e.g., SIEM, EDR, DNS, netflow etc.), is critical to contextualising threat intelligence, supporting the organisation’s SecOps, and building strategic intelligence capabilities to inform other aspects of the organisation, such as future business operations. Intelligence from internal systems, such as events, user behaviours, and scheduled and unscheduled activities can inform the baseline of expected activities, as well as generally when those activities should occur and from which systems and users. By determining the baseline, organisations can then use threat intelligence, threat hunting, threat detection, auditing, and other processes to identify and evaluate anomalous activity. As these processes mature, organisations can establish playbooks and threat management libraries to document, iterate, and conduct proactive exercises to bring multiple elements of the organisation together to work through realistic threat scenarios and responses. These activities demonstrate an organisation maintains robust programmes and capabilities for detecting and responding to threat activity within its systems.
Developing a threat intelligence function staffed with analysts who have robust expertise in the company’s internal systems and operations can benefit adjacent teams within the organisation as well, such as penetration testing and threat hunting. The threat intelligence function more broadly should be heavily integrated and connected with other internal stakeholder teams to assist in routine and tactical conversations about various security activities. This integration should also extend to more strategic discussions about the broader threat landscape and how that may impact the organisation’s decisions, such as future business, operating locations, third party risk concerns, etc.
4. Leverage external intelligence to inform broader threat trends and developments
Once proficient in internal data and systems, threat intelligence can integrate external intelligence and use it for contextualising the organisation’s environment - conveying the most relevant elements and sparking discussions about potential issues and impact. Threat intelligence seeks information and clarity not only on technical security issues, such as threat actors and actively exploited vulnerabilities, but also geopolitical, technological, and other cross-disciplinary issues that can and do impact the threat landscape and threat actor motivations. As the threat landscape evolves, trends emerge, and rapid shifts are detected within industry, threat intelligence is key to an organisation navigating these developments and prioritising which intelligence needs to be integrated for awareness, actioned in the near term, considered in longer term initiatives or discussions, or otherwise disregarded. These activities demonstrate an organisation is using threat intelligence to stay current on evolving threat developments and trends, as well as potential issues on the horizon due to emerging technology, geopolitical tensions, and other factors.
Information overload is challenging organisations’ SecOps and broader operations and risk management practices. Through threat intelligence expertise paired with threat management strategy and prioritisation, elements within an organisation can work within a common framework to not only prioritise the most important information, but also proactively seek high fidelity threat intelligence from numerous sources, such as open source, industry exchanges, and commercial sources and partners. A collection management framework can be tactically applied, such as to alert tuning; operationally applied, such as addressing ad hoc needs through external partnerships (e.g., industry and government) for information related to a specific incident; and strategically applied, such as recurring briefings on strategic topics to executive leadership or across the organisation’s enterprise intelligence programme.
Threat intelligence and cyber incidents
Before an incident
During an incident
After an incident
Threat intelligence is central to understanding the cyber threat landscape and issues impacting your organisation, industry, and operating location. This is especially key before, during, and after cyber incidents.
5. Drive continuous improvement through intelligence and lessons learned
As threat and risk management processes evolve, organisations can continuously improve their programmes by drawing upon lessons learned, from internal and external incidents and perspectives, and integrating threat intelligence. By intentionally flowing threat intelligence expertise and lessons learned into stakeholder operations, organisations can continuously evaluate how:
The dynamic between security enhancements and threat actor responses is shifting, such as threat actor responses to multi-factor authentication implementation within organisations;
Threat actors targeted and/or compromised their environments in the past, and what lessons can be learned and issues can be addressed to mitigate future attempts;
Threat actor social engineering is evolving, such as spoofing and targeting IT staff within organisations;
Internal security processes and training need to be updated based on the latest trends and methods threat actors use to target organisations and compromise networks; and,
Technical or strategic issues are impacting other organisations in certain sectors, industries, or geographies, and which may then impact their own needs.
These activities not only demonstrate an organisation is applying lessons learned from past incidents and threat intelligence to bolster its cyber security defence strategies, but they also promote intelligence cycle practices for continuous improvement across the organisation.
Alongside our intelligence production operations, PwC Threat Intelligence specialises in maturing intelligence programmes and functions for enterprise adoption, often as part of broader security transformation programmes. Our threat intelligence maturity methodology supports our clients in building and maturing their intelligence programmes so they are integrated across a spectrum of business operations while remaining defender-focused. Our differentiator is integrating this approach with our long history of consulting expertise, global acumen in regulatory standards and frameworks, and working closely with clients globally across many sectors and industries. We offer a dynamic approach that builds on extensive experience across our team in network defence, cyber threat intelligence, and cross-disciplinary and diverse intelligence tradecraft for the public and private sectors.
Authors
Sierra Stanczyk, Senior Manager, Advisory, PwC United States, is the Intelligence Operations Lead for PwC Global Threat Intelligence and has been a strategic analyst with the team since 2021. Sierra joined PwC after 12 years with the Federal Bureau of Investigation and brings a diverse experience of leading, building, and assessing intelligence programmes for the public and private sectors.