
How to think about building a threat intelligence program

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Red Canary Director of Intelligence Katie Nickels, a certified instructor with the SANS Institute. In this blog, Katie shares strategies, tools, and frameworks for building an effective threat intelligence team.

Natalia: Where should cyber threat intelligence (CTI) teams start?

Katie: Threat intelligence is all about helping organizations make decisions and understand what matters and what doesn’t. Many intelligence teams start with tools or an indicator feed that they don’t really need. My recommendation is to listen to potential consumers of the intel team, understand the problems they are facing, and convert their challenges into requirements. If you have security operations center (SOC) analysts, talk to them about their pain points. They may have a flood of alerts and don’t know which ones are the most important. Talk to systems administrators who don’t know what to do when something big happens. It could be as simple as helping an administrator understand important vulnerabilities.

The intel team can then determine how to achieve those requirements. They may need a way to track tactics, techniques, procedures (TTPs), and threat indicators, so they decide to get a threat intelligence platform. Or maybe they need endpoint collection to understand what adversaries are doing in their networks. They may decide they need a framework or a model to help organize those adversary behaviors. Starting with the requirements and asking what problems the team needs to solve is key to figuring out how to make a big impact.

Also, threat intel analysts must be selfless people. We produce intelligence for others, so setting requirements is more about listening than telling.

Natalia: What should security teams consider when selecting threat intelligence tools?

Katie: I always joke that one of the best CTI tools of all time is a spreadsheet. Of course, spreadsheets have limitations. Many organizations will use a threat intelligence platform, either free, open-source software, like MISP, or a commercial option.

For tooling, CTI analysts need a way to pull on all these threads. I recommend that organizations start with free tools. Twitter is an amazing source of threat intelligence. There are researchers who track malware families like Qbot and get amazing intelligence just by following hashtags on Twitter. There are great free resources, like online sandboxes. VirusTotal has a free version and a paid version.

As teams grow, they may get to a level where they have tried the free tools and are hitting a wall. There are commercial tools that provide a lot of value because they can collect domain information for many years. There are commercial services that let you look at passive Domain Name Server (DNS) information or WHOIS information so you can pivot. This can help teams correlate and build out what they know about threats. Maltego has a free version of a graphing and link analysis tool that can be useful.

Natalia: How should threat intelligence teams select a framework? Which ones should they consider?

Katie: The big three frameworks are the Lockheed Martin Cyber Kill Chain®, the Diamond Model, and MITRE ATT&CK. If there’s a fourth, I would add VERIS, which is the framework that Verizon uses for their annual Data Breach Investigations Report. I often get asked which framework is the best, and my favorite answer as an analyst is always, “It depends on what you’re trying to accomplish.”

The Diamond Model offers an amazing way for analysts to cluster activity together. It’s very simple and covers the four parts of an intrusion event. For example, if we see an adversary today using a specific malware family plus a specific domain pattern, and then we see that combination next week, the Diamond Model can help us realize those look similar. The Kill Chain framework is great for communicating how far an incident has gotten. We just saw reconnaissance or an initial phish, but did the adversary take any actions on objectives? MITRE ATT&CK is really useful if you’re trying to track down to the TTP level. What are the behaviors an adversary is using? You can also incorporate these different frameworks.
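As an added illustration (not code from the interview, Red Canary, or any Diamond Model tooling), the following Python sketch records each intrusion event on the four Diamond Model vertices and links events that share the same malware family and the same domain pattern, the week-over-week clustering described above. The sample sightings, the domain-shape abstraction and the two-vertex threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described on the four Diamond Model vertices."""
    event_id: str
    capability: str      # e.g. malware family
    infrastructure: str  # observed domain; compared by shape, not literal value
    victim: str
    adversary: str = ""  # empty = unknown when the event is first seen

def domain_pattern(domain: str) -> str:
    """Abstract the leftmost label to its character shape, so 'qk39ab.cdn-host.net'
    and 'zz17pq.cdn-host.net' both become 'aa99aa.cdn-host.net' (assumed heuristic)."""
    first, _, rest = domain.lower().partition(".")
    return re.sub(r"[a-z]", "a", re.sub(r"[0-9]", "9", first)) + "." + rest

def shared_vertices(a: DiamondEvent, b: DiamondEvent) -> set:
    """Vertices on which two events overlap; an unknown adversary never matches."""
    checks = {
        "capability": a.capability == b.capability,
        "infrastructure": domain_pattern(a.infrastructure) == domain_pattern(b.infrastructure),
        "victim": a.victim == b.victim,
        "adversary": bool(a.adversary) and a.adversary == b.adversary,
    }
    return {name for name, hit in checks.items() if hit}

def cluster_events(events, min_shared=2):
    """Union-find over events sharing at least min_shared vertices; returns sorted id lists."""
    parent = {e.event_id: e.event_id for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(events, 2):
        if len(shared_vertices(a, b)) >= min_shared:
            parent[find(a.event_id)] = find(b.event_id)
    groups = {}
    for e in events:
        groups.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(g) for g in groups.values())

# Constructed sample sightings, not real intelligence: same family and domain shape a week apart.
SAMPLE = [
    DiamondEvent("e1", "FamilyA", "qk39ab.cdn-host.net", "victim-1"),
    DiamondEvent("e2", "FamilyA", "zz17pq.cdn-host.net", "victim-2"),
    DiamondEvent("e3", "FamilyB", "mail.other-site.org", "victim-1"),
]
```

Raising `min_shared` to 3 keeps e1 and e2 apart, which is the analyst's judgement call: how many matching vertices justify calling two sightings the same activity.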

Natalia: How do you design a threat model?

Katie: There are very formal software engineering approaches to threat modeling, in which you think of possible threats to software and how to design it securely. My approach is, let’s simplify it. Threat modeling is the intersection of what an organization has that an adversary might target. A customer might say to us, “We’re really worried about the Lazarus Group and North Korean threats.” We’d say, “You’re a small coffee shop in the middle of the country, and that threat might not be the most important to you based on what we’ve seen this group do in the past. I think a more relevant threat for you is probably ransomware.” Ransomware is far worse than anyone expected. It can affect almost every organization; big and small organizations are affected equally by ransomware.

If teams focus on all threats, they’re going to get burnt out. Instead, ask, “What does our organization have that adversaries might want?” When prioritizing threats, talking to your peers is a great place to start. There’s a wealth of information out there. If you’re a financial company, go talk to other financial companies. One thing I love about this community is that most people, even if they’re competitors, are willing to share. Also, realize that people in security operations, who aren’t necessarily named threat intel analysts, still do intelligence. You don’t have to have a threat intel team to do threat intel.

Natalia: What is the future of threat intelligence?

Katie: Cyber threat intelligence has been around for maybe a few decades, but in the scope of history, that’s a very short time. With frameworks like ATT&CK or the Diamond Model, we’re starting to see a little more formalization. I hope that builds, and there’s more professionalization of the industry with standards for what practices we do and don’t do. For example, if you’re putting out an analysis, here are the things that you should consider. There’s no standard way we communicate except for those few frameworks like ATT&CK. When there are standards, it’s much easier for people to trust what’s coming out of an industry.

My other hope is that we improve the tooling and automation to help support human analysts. I’m often asked, “How can threat intel be automated?” Threat intelligence is fundamentally a human discipline. It requires humans to make sense of complex and disparate information. There’s always going to be a human element of threat intelligence, but I hope we can do better as an industry in figuring out what tools can make analysts powerful and support the decisions that security teams have to make.

Learn more

To learn more about Katie, follow her on @likethecoins, and for more details on Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
