Management in CTI

Client Management & Communication

Effective communication is the backbone of successful Cyber Threat Intelligence (CTI) operations. This module tackles the best practices for managing client relationships and communications within CTI programs. We explore how to foster knowledge sharing among intelligence teams and stakeholders, implement daily coordination checkpoints, define clear escalation paths for critical findings, use secure out-of-band channels for sensitive discussions, and maintain robust progress reporting.

What You'll Learn

  • Knowledge sharing
  • Escalating issues during engagements
  • Project management in CTI operations
  • Liaising with third parties
  • Communicating securely
  • Understanding regulated schemes
  • Risk

Knowledge Sharing

Knowledge sharing ensures that valuable threat information and lessons learned are disseminated to all who need them. Intelligence teams often work with diverse internal stakeholders (SOC analysts, incident responders, IT teams, management) and sometimes external partners (peers in ISACs, clients, etc.). Establishing a culture and processes for open knowledge exchange is critical during the engagement and beyond. Although this would typically form part of Direction & Review, it makes sense to tackle some of the challenges in this module in more depth.

Centralized Knowledge Repositories

Maintain a shared knowledge base or Threat Intelligence Platform (TIP) where analysts document findings, indicators, attacker TTPs (Tactics, Techniques, Procedures), and investigation notes. This repository acts as a living library that others can reference to avoid duplicating work and to build on past insights.

Regular Information-Sharing Sessions

Organize periodic briefings or knowledge-sharing meetings. For example, teams might host weekly intel updates or “brown bag” sessions where an analyst presents a recent case or new threat trend. Such forums encourage analysts to share insights and discuss emerging threats or tools.

Cross-Functional Collaboration

Encourage collaboration between CTI and other teams. For instance, threat intel analysts should routinely share relevant findings with incident response and vulnerability management teams. A collaborative approach breaks down silos.

Establish Trust and Clear Guidelines

When sharing intelligence, especially externally or with other departments, set clear guidelines on handling sensitive information. Adopting a standardized information classification such as the Traffic Light Protocol (TLP) ensures that everyone knows what can be shared and with whom.

Daily Checkpoints

Daily checkpoints are short, routine touchpoints that keep CTI teams synchronized on rapidly evolving threat landscapes. In practice, these are often daily stand-up meetings or briefings tailored to CTI workflows. The goal is to ensure analysts share updates, align on priorities for the day, and surface any blockers or urgent issues.

Daily checkpoints greatly improve situational awareness. Regular meetings, whether they are daily stand-ups, threat intel briefings, or ad-hoc problem-solving sessions, ensure team members can promptly discuss issues and share updates with relevant stakeholders. This immediate exchange helps the team quickly align on objectives and respond in a coordinated way.

  • Keep it focused and regular
  • Invite the relevant stakeholders
  • Align with the intelligence requirements

Defining Escalation Paths for Intelligence Findings and Engagement Issues

Not all threat intelligence has equal impact; CTI teams must escalate findings through predefined paths to ensure the right people are alerted and appropriate action can be taken. However, escalation paths are not solely for intelligence alerts but also for issues arising from the intelligence engagement itself, such as access delays, miscommunication between teams, or discrepancies in intelligence analysis. I'd like to focus on the latter: operational and engagement-related issues can hinder intelligence effectiveness, and it's critical not only that these issues can be discovered and dealt with, but that they can be discussed and remediated during engagements. Some issues you are likely to encounter are:

Access and Data Sharing Barriers

If CTI analysts cannot access necessary logs, threat feeds, or external intelligence sources due to policy restrictions, it must be escalated to security leadership for resolution.

Interdepartmental Coordination Issues

If intelligence findings are not being acted upon due to misalignment between teams (e.g., the SOC not prioritizing high-risk intelligence), escalation ensures the necessary leadership intervention.

Client or External Partner Disputes

If a client or intelligence-sharing partner disputes findings, delays information delivery, or requests changes outside of scope, the issue must be escalated to engagement managers or legal representatives.

Resource or Budget Constraints

If intelligence operations are hindered by lack of funding, tooling, or staffing, escalation to senior management ensures prioritization of resource allocation.

Secure Out-of-Band Communication Channels

During critical situations, especially where sensitive or potentially compromised information is involved, CTI teams must use secure out-of-band (OOB) communication channels. Out-of-band communication means using an alternative channel separate from normal corporate networks or systems. OOB channels provide a safe way to coordinate without the adversary’s knowledge. They are also useful if primary systems go down (e.g., a ransomware attack taking out corporate email).


When to Use Out-of-Band

1. A high-severity incident is confirmed or strongly suspected. For instance, upon detecting that an attacker may have access to the corporate network.

2. Sharing sensitive intelligence. For example, discussing a law enforcement-sensitive operation or a whistleblower’s tip might be safer OOB.

3. Incident exercises (table-top drills), to practice the use of alternate communications: does it work? How well?


Implementing Secure Channels

Policy and Training

Have a documented policy that outlines what OOB channel to use and when. Train the team so everyone knows, for example, “If we text ‘OOB NOW’, drop off VPN and switch to our designated emergency chat app on your personal phone.”

Technology Choices

Evaluate secure comms tools. Some organizations use secure collaboration platforms designed for crises (which provide encrypted chat, calls, and file sharing). Others use simpler solutions like a pre-created Signal group or even phone conference lines.

Availability

Out-of-band doesn’t help if people can’t access it quickly. Make sure all necessary staff have the app installed or know the phone bridge number, including key external contacts if they’ll be involved.

Test, Test, Test!

Conduct periodic drills using the OOB channel to ensure it works and people remember how to use it. An untested system might have flaws (wrong phone numbers, forgotten passwords) that only surface during a crisis if not tested.

Liaising with Third Parties and Regulated Schemes in CTI

Many organizations rely on external intelligence sources, including commercial threat intelligence vendors, Information Sharing and Analysis Centers (ISACs), government agencies, and industry peers. Establishing and maintaining relationships with these third parties is essential for enriching an organization’s understanding of its threat landscape and staying ahead of emerging threats.

Threat Intelligence Feeds and Partnerships

Organizations should assess and integrate feeds from reputable intelligence vendors and government sources (such as CISA, Europol, or sector-specific ISACs). This ensures a broader perspective on threats targeting similar organizations.

Collaboration with Cybersecurity Communities

Engaging with cybersecurity forums, industry consortiums, and professional groups allows intelligence teams to stay informed about ongoing threats. Active participation in information-sharing initiatives strengthens collective security.

Operationalizing External Intelligence

Third-party intelligence should not be consumed passively. Organizations must integrate external data into their detection and response processes. This means validating external Indicators of Compromise (IOCs), correlating findings with internal telemetry, and automating enrichment workflows where possible.
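As an added illustration of the validation and correlation step (example code, not part of this module), the Python below runs a constructed third-party feed through basic sanity checks and matches what survives against constructed proxy and DNS telemetry; the confidence threshold, the internal address ranges and the log formats are assumptions.

```python
"""Validate a third-party IOC feed and correlate it with internal telemetry (added example, constructed data)."""
import ipaddress
import re
RAW_FEED = [  # constructed third-party feed: (type, value, confidence 0-100, TLP label)
    ("ipv4", "198.51.100.23", 80, "TLP:AMBER"),
    ("ipv4", "10.0.0.5", 90, "TLP:GREEN"),        # our own range, never actionable
    ("ipv4", "203.0.113.7", 60, "TLP:GREEN"),
    ("domain", "Update.Example.NET", 70, "TLP:AMBER"),
    ("domain", "not a domain", 95, "TLP:GREEN"),  # malformed
    ("sha256", "A" * 64, 30, "TLP:RED"),          # below confidence threshold
    ("sha256", "deadbeef", 60, "TLP:GREEN"),      # wrong length for SHA-256
]
TELEMETRY = [  # constructed internal telemetry, proxy and DNS style lines
    "2024-05-01T10:02:11Z proxy src=192.168.4.12 dst=198.51.100.23 status=200",
    "2024-05-01T10:05:40Z dns client=192.168.4.30 query=update.example.net rcode=NOERROR",
    "2024-05-01T10:09:03Z proxy src=192.168.4.12 dst=203.0.113.70 status=200",  # not .7
]
# Assumed internal address space; a real deployment uses the organisation's own ranges
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PATTERNS = {"domain": re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$"),
            "sha256": re.compile(r"^[0-9a-f]{64}$")}
MIN_CONFIDENCE = 50

def rejection_reason(kind, value, confidence):
    """Return why an IOC must not be loaded, or None if it passes every check."""
    if confidence < MIN_CONFIDENCE:
        return "low confidence"
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return "malformed ipv4"
        if any(ip in net for net in INTERNAL_NETS):
            return "internal address"
    elif kind in PATTERNS and not PATTERNS[kind].match(value):
        return "malformed " + kind

def validate(raw):
    """Split a feed into accepted IOC dicts and a value -> reason map of rejects."""
    accepted, rejected = [], {}
    for kind, value, conf, tlp in raw:
        value = value.strip().lower()  # normalise before any comparison
        reason = rejection_reason(kind, value, conf)
        if reason:
            rejected[value] = reason
        else:
            accepted.append({"kind": kind, "value": value, "confidence": conf, "tlp": tlp})
    return accepted, rejected

def correlate(iocs, lines):
    """Attach telemetry lines holding the IOC as a whole token, so 203.0.113.7 does not hit .70."""
    for ioc in iocs:
        pat = re.compile(r"(?<![\w.])" + re.escape(ioc["value"]) + r"(?![\w.])")
        ioc["hits"] = [ln for ln in lines if pat.search(ln)]
    return [ioc for ioc in iocs if ioc["hits"]]
```

The whole-token match in correlate is the part most often skipped in quick scripts; a plain substring search would have flagged the 203.0.113.70 line as a hit.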

Managing Third-Party Relationships

Maintaining Memoranda of Understanding (MoUs) with intelligence-sharing partners formalizes cooperation. These agreements should define data-sharing expectations, confidentiality protections, and communication protocols during active threat engagements.

Compliance with Regulated Schemes

For organizations operating in regulated industries such as finance, healthcare, and critical infrastructure, compliance with cybersecurity frameworks and threat intelligence-sharing mandates is non-negotiable. Ensuring adherence to such requirements enhances both security posture and regulatory standing.

Financial Sector

The Financial Conduct Authority (FCA) and the European Banking Authority (EBA) require financial institutions to report cyber incidents and threat intelligence findings.

Healthcare

The Health Insurance Portability and Accountability Act (HIPAA) mandates breach reporting, and organizations must demonstrate security intelligence programs to ensure compliance.

Critical Infrastructure

Frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, EU NIS2 Directive, and UK NCSC guidance emphasize intelligence-led security approaches.

Many governments have cyber intelligence-sharing programs that organizations can participate in, such as:

  • UK: The Cyber Security Information Sharing Partnership (CiSP)
  • US: The Cybersecurity and Infrastructure Security Agency (CISA)
  • EU: The European Union Agency for Cybersecurity (ENISA)

Organizations should maintain a structured approach to liaising with regulatory bodies and national cybersecurity agencies to ensure compliance while maximizing intelligence-sharing benefits.


Challenges in Third-Party Collaboration and Compliance

Legal and Compliance Barriers

Some industries have strict data-sharing regulations that may limit the exchange of certain threat intelligence. Organizations should work with legal teams to define clear guidelines on permissible intelligence-sharing activities.

Varying Intelligence Quality

Not all third-party intelligence is equally valuable. Organizations should establish processes for validating external intelligence before integrating it into security workflows.

Timeliness and Actionability

External intelligence must be timely and actionable. CTI teams should evaluate third-party intelligence providers based on their relevance and the speed at which insights can be operationalised.

Introduction to Risk Management in CTI

Firstly, this will be a light touch on risk and how it goes hand in hand with Cyber Threat Intelligence, specifically threat assessments. I do not want to try and add a full module on risk, as this is really outside the scope; however, having said that, it's imperative you understand risk, the frameworks, and its application at a fundamental level.


Risk management is the process of identifying, evaluating, and prioritizing risks, then applying resources to minimize and control the likelihood or impact of those risks. In the context of cybersecurity and Threat Intelligence, risk management aims to understand cyber threats and decide how to address them before they cause harm. Effective risk management within CTI helps organizations focus on the most critical threats and allocate security efforts where they matter most. An assessment of cyber risks provides a clear view of which threats could harm the organization’s operations, reputation, or assets, enabling teams to prioritize defenses accordingly.


The purpose of risk management in CTI is to reduce uncertainty about cyber threats and ensure that limited security resources address the most significant risks. By continuously evaluating threats (like new vulnerabilities or attack campaigns) and assessing how likely and damaging they are, organizations can make informed decisions. For instance, if threat intelligence reveals a critical vulnerability being actively exploited in the wild, a risk-managed approach would flag this as a high-risk issue and prompt immediate patching, whereas a less risky vulnerability might be scheduled for a routine update. In essence, risk management within CTI ensures that cybersecurity measures are prioritized according to the severity of threats – enabling businesses to protect what matters most first. This alignment of security efforts with risk priorities is fundamental: it means that even as threat landscapes evolve, an organization remains focused on mitigating the risks with the greatest potential impact on its mission.
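To make the prioritization logic above concrete, here is an added Python example (not from this module) that derives qualitative likelihood and impact levels from CTI inputs such as active exploitation, looks the pair up in a likelihood × impact matrix, and ranks findings. The five-level scale and the matrix are a simplified reading of the NIST SP 800-30 style of qualitative assessment, and the action timeframes, asset classes and findings are all assumptions.

```python
"""Rank vulnerability findings by CTI-informed risk (added example, not from the original module).
Scale and matrix are a simplified NIST SP 800-30 style qualitative model; all findings are constructed."""
LEVELS = ["very_low", "low", "moderate", "high", "very_high"]

# Assumed likelihood x impact matrix: rows = likelihood, columns = impact (very_low .. very_high)
RISK_MATRIX = {
    "very_high": ["very_low", "low", "moderate", "high", "very_high"],
    "high":      ["very_low", "low", "moderate", "high", "very_high"],
    "moderate":  ["very_low", "low", "moderate", "moderate", "high"],
    "low":       ["very_low", "low", "low", "low", "moderate"],
    "very_low":  ["very_low", "very_low", "very_low", "low", "low"],
}
ACTIONS = {"very_high": "emergency patch now", "high": "patch within 7 days",  # assumed policy
           "moderate": "next scheduled patch cycle", "low": "routine update", "very_low": "track only"}

def bump(level, steps):
    """Move a qualitative level up or down the scale without running off either end."""
    idx = max(0, min(len(LEVELS) - 1, LEVELS.index(level) + steps))
    return LEVELS[idx]

def likelihood(f):
    """Derive likelihood from what the threat intelligence says about the vulnerability."""
    if f["exploited_in_wild"]:
        base = "very_high"          # active campaigns observed: no guesswork needed
    elif f["public_exploit"]:
        base = "high"
    else:
        base = "low"
    return bump(base, 1 if f["internet_facing"] else -1)

def impact(f):
    """Derive impact from asset criticality, raised one step when the flaw gives code execution."""
    base = {"crown_jewel": "very_high", "business": "high", "supporting": "moderate", "lab": "low"}[f["asset_class"]]
    return bump(base, 1 if f["code_execution"] else 0)

def assess(f):
    """Return the finding annotated with likelihood, impact, risk level and recommended action."""
    lk, im = likelihood(f), impact(f)
    risk = RISK_MATRIX[lk][LEVELS.index(im)]
    return {**f, "likelihood": lk, "impact": im, "risk": risk, "action": ACTIONS[risk]}

def prioritise(findings):
    """Highest risk first; ties broken by likelihood so actively exploited flaws surface first."""
    return sorted((assess(f) for f in findings),
                  key=lambda a: (LEVELS.index(a["risk"]), LEVELS.index(a["likelihood"])), reverse=True)

FINDINGS = [  # constructed sample findings
    {"id": "VULN-A", "exploited_in_wild": True, "public_exploit": True, "internet_facing": True,
     "asset_class": "business", "code_execution": True},
    {"id": "VULN-B", "exploited_in_wild": False, "public_exploit": False, "internet_facing": False,
     "asset_class": "supporting", "code_execution": False},
    {"id": "VULN-C", "exploited_in_wild": False, "public_exploit": True, "internet_facing": False,
     "asset_class": "crown_jewel", "code_execution": False},
]
```

Run prioritise(FINDINGS) to see the actively exploited, internet-facing VULN-A come out as very high risk with the emergency action, while the internal, unexploited VULN-B drops to track-only.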


Key Risk Management Frameworks

To manage cyber risks systematically, organizations turn to established frameworks and standards. These frameworks provide structured methodologies for identifying and treating risks, ensuring no critical step is overlooked. Below I will introduce a few of the most well-known industry-standard risk management frameworks and how they apply to cybersecurity.

ISO 31000 – Risk Management Principles

ISO 31000 is an international standard that offers high-level guidelines on managing all types of risk (not just cyber). It provides organizations with a comprehensive framework to identify, assess, evaluate, and treat risks in a systematic, repeatable way.

ISO 27005 – Information Security Risk Assessment

While ISO 31000 is broad, ISO/IEC 27005 is a standard specifically tailored for information security risk management. It is part of the ISO 27000 family (which includes ISO 27001 for information security management systems) and provides detailed guidance on how to conduct risk assessments and treat risks related to information assets. ISO 27005 essentially bridges the gap between high-level risk principles and the practical steps needed to protect information systems.

NIST SP 800-30 – Cybersecurity Risk Assessment Guide

The U.S. National Institute of Standards and Technology (NIST) provides another cornerstone framework for cyber risk management. NIST Special Publication 800-30 (Revision 1) is a “Guide for Conducting Risk Assessments” and is part of the broader NIST risk management series. While ISO 27005 is aligned with ISO’s approach, NIST SP 800-30 offers a methodology favored by many government agencies and businesses in the U.S. NIST 800-30 defines a risk assessment process that is highly detailed in breaking down threat and vulnerability analysis.

Challenges and Best Practices

Up to this point, we’ve discussed how to assess and prioritize cyber risks (following a framework). Operationalizing risk intelligence is about taking those risk insights and embedding them into the organization’s decision-making and security operations. In other words, it’s how we use the output of CTI-driven risk assessments to actually improve security posture on an ongoing basis.


Implementing risk management within a cyber threat intelligence program comes with several challenges. Being aware of these challenges – and following best practices to address them – can greatly improve the effectiveness of risk management. We’ll also touch on emerging trends that are shaping the future of cyber risk management.

Rapidly Evolving Threat Landscape

Cyber threats change quickly – new vulnerabilities, malware, and attacker tactics appear constantly. This makes it challenging to keep risk assessments up-to-date. A risk deemed low last quarter (e.g., attacks on a particular software) might suddenly become high if a new exploit or campaign emerges. Organizations struggle to maintain continuous risk visibility given this fast pace.

Information Overload

With abundant threat data and intel feeds, analysts can be overwhelmed. Sifting through massive amounts of indicators and warnings to determine what is relevant for your organization’s risk is difficult. This can lead to “analysis paralysis” or missing important intel in the noise. Effective filtering and context from CTI are needed to focus on truly relevant risks.

Subjectivity and Bias

Bias seems to pop up everywhere, right? :) As noted, many risk assessments rely on human judgment. Different stakeholders might have biases – for example, an application owner might understate a risk because they developed the system (“attachment bias”), or security teams might overstate certain risks (“better safe than sorry” bias).

Quantification Difficulties

While quantitative risk analysis is the ideal for business-aligned decisions, getting accurate data for likelihood and impact is hard. Organizations often lack historical incident data or industry benchmarks. Cyber events, especially rare but catastrophic ones, don’t lend themselves to easy probability calculations. As a result, many organizations stick to qualitative ratings, which though simpler, can be less convincing to executives evaluating cost-benefit tradeoffs.

Communication Gaps

Translating technical risk findings into business terms is not easy, and misunderstandings can arise. Executives might misinterpret a “High risk” label if not given context, or conversely, security teams might downplay a risk in business discussions if they fear sounding alarmist. Achieving a common understanding of risk across technical and non-technical stakeholders is an ongoing challenge.

Metrics and Measuring Effectiveness

It can be challenging to measure how effective your risk management is. If successful, nothing bad happens – which can lead some to question whether the effort is worth it (the classic “nothing happened, so why do we need to spend so much on security?” problem). Demonstrating reduced risk (especially to those outside security) is tricky, and choosing the right metrics (like reduction in high-risk findings over time, faster patch times, etc.) is not straightforward.