Using the CTI-CMM Model to Evaluate Threat Intel Program Maturity

October 18, 2024

It’s okay to admit that you don’t know exactly what CTI means.

Of course, you know it stands for Cyber Threat Intelligence, and you might have a general sense it has something to do with staying on top of threats. 

How, though, do you actually build a successful CTI program in an organisation?

What activities should it perform?

What should it produce?

For whom?

The CTI-CMM (Cyber Threat Intelligence Capability Maturity Model) helps us answer those questions, starting with what CTI actually is and why we do it, through two simple principles:

1. CTI is the “eyes and ears” of a proactive defence and risk reduction strategy.

2. CTI is a key enabler to protect the organisation and reduce risk to key assets.

Am I doing CTI already?

Probably, yes!

If you are reading blogs, sharing reports with colleagues, and staying on top of what is happening with threats, you are doing the essence of what a CTI program can do.

Before you put “CTI analyst” on your resume though, this activity alone would be a very ad-hoc, low maturity form of CTI.

There’s that word, maturity.

It might seem – at first – a strange term to use, more commonly associated with teenagers than security initiatives. 

Dig deeper and you’ll find that the concept of maturity has a lot to offer us as CTI practitioners.

How do we measure CTI program “maturity”?

Experts differ on how to define CTI program maturity, but one recent model we really like here at Cosive is the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), a community project led by volunteer contributors from Intel 471, IBM X-Force, Kroger, Mandiant and Bank of America.

CTI-CMM provides a baseline for a seemingly obvious question: what should your CTI programme actually do, and what’s the full potential scope?

Is, say... vulnerability management actually CTI? (Spoiler: yes).

For us, what makes the CTI-CMM maturity model appealing is a core principle that rings clear and true to us as long-time CTI practitioners:

The success of an effective CTI program relies on its ability to bring value to your stakeholders - the people who you’ll help make better decisions using CTI.

It exists to support the people who make decisions and take actions to protect your organisation.

When we talk about CTI program maturity, we’re really talking about a CTI program’s capability to deliver value to its stakeholders and support the organisation’s core objectives.

This sounds obvious, but you’d be surprised how many organisations can invest a lot of money into a CTI program without considering who will use their CTI products like reports and feeds, and how those will be consumed.

This is not an approach that tends to have a good ending.

Who are your CTI consumers?

Who is actually going to consume the CTI that we create?

Which systems will consume the automated feeds we produce, and who are their users?

Who will read the briefings, reports, wiki articles, and emails we distribute?

These questions help us to identify the stakeholders for our CTI program.

Once we’ve identified these stakeholders, CTI-CMM also gives us a way to understand the value we’re providing them.

CTI-CMM suggests ten stakeholder domains that are commonly relevant to CTI programs, along with various use cases to consider for each:

Domain: Asset, Change and Configuration Management (ASSET)
Focus: What are we protecting?
CTI use cases:
  • ASSET-1: Improve Asset Visibility
  • ASSET-2: Safeguard Assets
  • ASSET-3: Accelerate Detection of Asset-Related Threats

Domain: Threat and Vulnerability Management (THREAT)
Focus: What do the threat landscape and emerging attacks against software weaknesses look like?
CTI use cases:
  • THREAT-1: Enhance Attack Prevention and Preparedness
  • THREAT-2: Improve Detection Engineering
  • THREAT-3: Enhance Threat Hunting
  • THREAT-4: Inform Offensive Security Operations
  • THREAT-5: Improve Patch Prioritization

Domain: Risk Management (RISK)
Focus: How do we use CTI to inform risk assessment and decision making?
CTI use cases:
  • RISK-1: Align CTI Practices to Risk Management Strategies
  • RISK-2: Improve Risk Decisions, Assessments, and Controls

Domain: Identity and Access Management (ACCESS)
Focus: How are identities abused during intrusions we know about, and how would we detect such abuse?
CTI use cases:
  • ACCESS-1: Accelerate Remediation of Identity-Related Threats
  • ACCESS-2: Fortify Identity and Access Protection

Domain: Situational Awareness (SITUATION)
Focus: Stay across developments in cyber security threats and factor them into threat models.
CTI use cases:
  • SITUATION-1: Maintain Comprehensive Understanding of the Cyber Threat Landscape

Domain: Event and Incident Response, Continuity of Operations (RESPONSE)
Focus: Prepare for likely incidents we expect to encounter based on reports from peers.
CTI use cases:
  • RESPONSE-1: Strengthen Pre-Incident Preparedness
  • RESPONSE-2: Improve Incident Analysis and Response
  • RESPONSE-3: Enhance Post-Incident Recovery and Continuity of Operations

Domain: Third-party Risk Management (THIRD-PARTIES)
Focus: Understand potential or realised risks from third parties, such as breaches or supply chain risks.
CTI use cases:
  • THIRD-PARTIES-1: Accelerate Detection of Third-Party Threats
  • THIRD-PARTIES-2: Mitigate Third-Party Risk Exposure

Domain: Workforce Management (WORKFORCE)
Focus: Understand how threat actors will exploit your people to achieve their objectives.
CTI use cases:
  • WORKFORCE-1: Support and Safeguard Human Resources Practices
  • WORKFORCE-2: Support Development of Training and Education Assets
  • WORKFORCE-3: Support Cybersecurity Management in Workforce Development Efforts

Domain: Cybersecurity Architecture (ARCHITECTURE)
Focus: Make sure your controls match the threats your CTI lifecycle is uncovering.
CTI use cases:
  • ARCHITECTURE-1: Inform Architecture Strategy to Improve Infrastructure Resilience
  • ARCHITECTURE-2: Support Prioritization of Cybersecurity Initiatives
  • ARCHITECTURE-3: Drive CTI Tools and Infrastructure Integration

Domain: Cybersecurity Program Management (PROGRAM)
Focus: Make sure your CTI programme remains fit for purpose.
CTI use cases:
  • PROGRAM-1: Define and Evolve the CTI Lifecycle and Program
  • PROGRAM-2: Strengthen Communication of CTI Insights to Executives

So what does CTI program maturity actually mean?

CTI-CMM assesses our CTI program’s ability to deliver value across each of these domains.

The framework proposes that in order to provide CTI consumers with the greatest possible value, a CTI program should provide tactical, operational and strategic threat intelligence across multiple domains.

(If you need a quick refresher on the three types of threat intelligence before we continue, you can find definitions in our CTI crash course.)

The four maturity levels

CTI-CMM breaks maturity down into four levels:

CTI0: Pre-foundational - No CTI activities performed in this area.

CTI1: Foundational - Ad hoc, unplanned, reactive activities.

CTI2: Advanced - Planned, consistent and repeatable activities with a focus on short and intermediate-term results.

CTI3: Leading - Practices are measurable and aligned to business outcomes, with a focus on recommendations that deliver long-term results.

Here is an example of maturity indicators given for an aspect of the Threat and Vulnerability Management domain: how well the CTI program supports patch prioritisation. This example shows how maturity indicators are applied to a specific organisational objective.

Omitted here is level CTI0, in which the CTI program is not yet providing any threat intelligence to support patch prioritisation.

The CTI-CMM website hosts the latest copy of the document outlining the framework, which includes a comprehensive list of 80+ maturity indicators across the domains.

Rather than go through each indicator exhaustively here, let’s explore the common characteristics, attributes, and patterns across these indicators.

CTI0 - Pre-foundational Maturity Indicators

No CTI programme. At this level, there are no relevant CTI activities happening. At an organisational level, this could mean that the security team is not yet generating threat intelligence, although we’ve argued previously that almost every SecOps team is doing some level of threat intelligence. At the domain level, this means the CTI program is not yet involved with this domain or sub-domain.

CTI1 - Foundational Maturity Indicators

Ad hoc, tactical CTI. At this maturity level, threat intelligence is ad hoc, reactive, and typically focused on the tactical level e.g. maintaining lists and wiki pages, alerting, and sharing IoCs. The CTI program generally provides intelligence without much organisational context, analysis, or recommended courses of action.

CTI2 - Advanced Maturity Indicators

Stakeholder-focused, tactical and operational CTI. At this maturity level, the CTI program is providing both tactical and operational threat intelligence, including sharing contextual insights specific to highly relevant threats (for example, a report highlighting the increase in spear phishing attacks against similar financial organisations in New Zealand). The CTI program undertakes frequent, planned activities to deliver value to stakeholders.

CTI3 - Leading Maturity Indicators

Tactical, operational, and strategic CTI that supports actionable recommendations. The CTI program delivers prescriptive recommendations that help the organisation make better decisions and take prudent action. Threat intelligence is closely aligned with long-term strategic objectives for both stakeholders and the organisation as a whole. Domain strategy is shaped and supported by CTI.

Four levels of maturity, four underlying themes

We’ve observed that there are four themes underlying the progression between maturity levels outlined in the CTI-CMM framework:

1. Moving from ad hoc to programmatic intelligence

As the CTI program’s maturity level increases, CTI activities shift from being ad hoc and reactive to planned and systematic.

2. Moving from tactical to strategic intelligence

CTI programs at lower levels of maturity typically generate only tactical intelligence, like alerts and IoCs. This kind of intelligence is useful only to a subset of stakeholders and automated systems and tools (e.g. security operations teams, SIEM systems). 

Leading CTI programs generate intelligence at all three levels: tactical, operational, and strategic, to benefit all stakeholders, from analysts, to managers, to the C-suite.

3. Moving from generic to contextual intelligence

At lower levels of maturity, the CTI program shares limited context and commentary alongside its observations.

As CTI programs grow in maturity, analysts provide greater context for their organisation alongside the threat intelligence they share.

At the highest levels of maturity, the CTI program rarely shares intelligence without additional tagging, context and analysis to help internal decision makers plan a course of action.

4. Moving from neutral observations to prescriptive recommendations

At lower levels of maturity, CTI programs share mainly neutral observations and facts, e.g. this domain has been flagged as malicious. At higher levels, the CTI program shares recommended courses of action based on insights from its curated intel collections.

How the maturity assessment process works

Step 1. Assessing maturity

Something else we like about the CTI-CMM framework is that it allows us to assess a CTI program’s maturity across all 10 domains as well as the organisation’s overall CTI maturity (the average across the domains).

This domain-specific insight is arguably more useful and actionable than an overall maturity rating.

The full CTI-CMM framework is freely available, including all the information required for self-assessment.

However, we’re often called upon to run independent CTI maturity assessments for our clients.

We find that independent assessment offers a few advantages over self-assessment:

  • We bring with us expertise in CTI maturity assessment and the CTI-CMM framework. In most cases, our clients have not run a CTI maturity assessment before.
  • As independent experts, we can provide an unbiased, objective view of the organisation's CTI capabilities.
  • We have assessed many organisations and can provide insights based on industry benchmarks.
  • An independent assessment often holds more weight than self-assessment with senior leadership and stakeholders, as it comes from a neutral, trusted third party.

However, it’s what comes after a CTI maturity assessment where value is truly created for the organisation.

Step 2. Planning

The next step after assessment is planning to improve CTI maturity, one level at a time.

For example, if the organisation is currently at maturity level 0 in the domain “Improving asset visibility”, the next step is to formulate a plan to reach level 1.

In this case, the plan may outline how the CTI program could help to maintain an inventory and risk classification of assets.

Plans to improve CTI maturity across each domain can be taken together to form a roadmap to improve the CTI program’s overall maturity level.

Planning and roadmapping should be done in close collaboration with CTI consumers to understand their objectives and how best to provide them with tangible value.

Step 3. Deploy

Make it happen: work closely with your stakeholders to put your plans into action and execute the roadmap to improve CTI maturity.

Step 4. Measure

It’s time to reflect on our progress in executing our roadmap.

We must ask ourselves and, in some cases, our stakeholders:

  • Are we providing measurable value?
  • Are we demonstrating the value we are providing?
  • Which aspects of our roadmap have not yet been implemented? What do we need to make them happen?
  • What support do we need from leadership to continue improving the effectiveness of our CTI program?

Armed with these questions and enough time to observe the impact of the changes we’ve deployed, we’re ready to repeat the assessment process.

Repeat

Yes, that’s right: CTI maturity assessment is ideally not a one-off exercise.

Instead, it’s an ongoing cycle of assessing, planning, deploying, and measuring, with each cycle resulting in measurable improvements to CTI program maturity.
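The assess, plan, deploy, measure cycle above can be made concrete in a small self-assessment helper. The following Python is an added example written for this post; it is not code from Cosive or from the CTI-CMM project. The domain and use-case identifiers are the ones in the table above, and the overall score is the average across the ten domains, as described in Step 1. Two rules are this example's own assumptions and are marked as such in the code: a domain's score is the mean of its use-case levels, and the roadmap lists the lowest-rated use cases first. The sample assessment at the bottom is constructed for a hypothetical organisation.

```python
"""Added example: CTI-CMM self-assessment helper (not Cosive's or the
CTI-CMM project's own code). Scores each use case at CTI0..CTI3, rolls
the results up to domain and overall maturity, and produces a
"one level at a time" roadmap for the planning step."""
from statistics import mean

LEVELS = {0: "CTI0 Pre-foundational", 1: "CTI1 Foundational",
          2: "CTI2 Advanced", 3: "CTI3 Leading"}

# The ten stakeholder domains and their use cases, as listed in the post.
DOMAINS = {
    "ASSET": ["ASSET-1", "ASSET-2", "ASSET-3"],
    "THREAT": ["THREAT-1", "THREAT-2", "THREAT-3", "THREAT-4", "THREAT-5"],
    "RISK": ["RISK-1", "RISK-2"],
    "ACCESS": ["ACCESS-1", "ACCESS-2"],
    "SITUATION": ["SITUATION-1"],
    "RESPONSE": ["RESPONSE-1", "RESPONSE-2", "RESPONSE-3"],
    "THIRD-PARTIES": ["THIRD-PARTIES-1", "THIRD-PARTIES-2"],
    "WORKFORCE": ["WORKFORCE-1", "WORKFORCE-2", "WORKFORCE-3"],
    "ARCHITECTURE": ["ARCHITECTURE-1", "ARCHITECTURE-2", "ARCHITECTURE-3"],
    "PROGRAM": ["PROGRAM-1", "PROGRAM-2"],
}
ALL_USE_CASES = [uc for ucs in DOMAINS.values() for uc in ucs]


def validate(scores):
    """Every use case must be rated exactly once, with a level in 0..3."""
    unknown = set(scores) - set(ALL_USE_CASES)
    missing = set(ALL_USE_CASES) - set(scores)
    bad = {uc: lvl for uc, lvl in scores.items() if lvl not in LEVELS}
    if unknown or missing or bad:
        raise ValueError(
            f"unknown={sorted(unknown)} missing={sorted(missing)} bad={bad}")


def domain_scores(scores):
    """ASSUMPTION: a domain's score is the mean of its use-case levels."""
    validate(scores)
    return {d: mean(scores[uc] for uc in ucs) for d, ucs in DOMAINS.items()}


def overall_score(scores):
    """Overall maturity is the average across the ten domains (as in the post)."""
    return mean(domain_scores(scores).values())


def weakest_domains(scores, n=3):
    """The n lowest-scoring domains, a natural place to start planning."""
    ranked = sorted(domain_scores(scores).items(), key=lambda kv: kv[1])
    return [d for d, _ in ranked[:n]]


def roadmap(scores):
    """Planning step: each use case below CTI3 targets the next level up.
    ASSUMPTION: lowest-rated use cases come first; ties keep table order."""
    validate(scores)
    steps = [(uc, lvl, lvl + 1) for uc, lvl in scores.items() if lvl < 3]
    return sorted(steps, key=lambda s: (s[1], ALL_USE_CASES.index(s[0])))


# Constructed sample assessment for a hypothetical organisation: mostly
# CTI1, no asset visibility support yet, a fairly strong THREAT domain.
SAMPLE = {uc: 1 for uc in ALL_USE_CASES}
SAMPLE.update({"ASSET-1": 0, "THREAT-1": 2, "THREAT-2": 2, "THREAT-3": 2,
               "THREAT-4": 2, "THREAT-5": 3, "SITUATION-1": 2, "PROGRAM-1": 3})

if __name__ == "__main__":
    for domain, score in domain_scores(SAMPLE).items():
        print(f"{domain:<14} {score:.2f}")
    print(f"overall        {overall_score(SAMPLE):.2f}")
    print("start with:", ", ".join(weakest_domains(SAMPLE)))
    for uc, current, target in roadmap(SAMPLE):
        print(f"  {uc}: {LEVELS[current]} -> {LEVELS[target]}")
```

Re-running the same input after the deploy and measure steps, with updated levels, is the "Repeat" part of the cycle: the difference between two runs' domain scores is the measurable improvement the post asks for.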

Next steps

If you’d like to gain a deeper understanding of the CTI-CMM model, or to explore the possibility of conducting a self-assessment, we suggest referring to the CTI-CMM project website for the latest version of the framework.

If you’re interested in having us run a CTI maturity assessment for your organisation, please get in touch. We’ll provide you with a set of clear, realistic and actionable steps your organisation can take to increase the value your CTI program provides to its stakeholders.

Cover photo by Thomas Serer on Unsplash.