Cyber Threat Intelligence – An Expensive Waste of Time?

The Origins of Formalised Intelligence-Led Testing

Over the past decade, the landscape of cybersecurity has undergone significant changes. Regulatory bodies began demanding more concrete evidence of security measures and maintenance activities from regulated organisations. However, organisations faced a lack of clear guidance on what and how to test within their environments. As a result, they often resorted to costly and comprehensive approaches, such as manual penetration tests and vulnerability scanning, which proved to be inefficient for mature cybersecurity organisations.

To address this challenge, the UK financial services regulatory bodies joined forces with CREST to create an intelligence-led testing framework called CBEST. This ground breaking initiative aimed to leverage available intelligence on both the target organisation and the threat landscape to answer a crucial question: How is a potential hack most likely to occur? By utilising this approach, organisations could plan and conduct focused testing engagements that provided greater value to both clients and regulators. The success of CBEST led to the establishment of similar schemes by regulatory bodies worldwide.

The Cyber Threat Intelligence Assessment typically consists of two key components: Threat Intelligence and Targetable Intelligence. These components drive two essential consulting activities that take place during the assessment process.

  • In the Threat Intelligence phase, intelligence collection and threat analysis is conducted on the target organisation. This involves identifying potential threat actors, their motives, and capabilities. By combining this information with an understanding of the critical assets, infrastructure, and likely attack techniques, attack scenarios are drafted that simulate real-world threats.
  • In the Targetable Intelligence phase, the intelligence team collaborate with the organization through workshops to identify specific targets within their infrastructure. These targets may include sensitive data locations, mission-critical applications, and key personnel. Intelligence is then gathered on these target assets, the overall infrastructure, and the digital footprint surrounding them, collectively known as the Attack Surface.

The Cyber Threat Intelligence Assessment culminates in the delivery of two comprehensive reports:

  • Threat Intelligence Report: This report provides a strategic-level security assessment and analytical methodologies used to develop the tactical-level simulated attack scenarios. Each scenario is accompanied by detailed profiling of the associated threat actor, providing valuable insights into their motivations and techniques.
  • Targeting Annex Report: This report presents the exploitable information and security intelligence that is uncovered during the assessment, focusing on the target’s digital footprint. It includes a thorough assessment of the potential consequences of these findings, enabling the organisation to understand and address the risks associated with their digital presence.

Limitations of the Intelligence-Led Testing Approach

While Cyber Threat Intelligence exercises and subsequent intelligence-led tests have proven to be valuable for many organisations mandated by their regulatory bodies, it’s important to acknowledge their limitations and the criticisms they face.

One common criticism is that these engagements can be overly specific. For instance, they may provide precise details such as “Boris will use lethal_attack.exe to compromise target X.” From a psychological standpoint, this level of specificity can make the information more believable. Imagine the difference between a fortune teller saying, “You will win the lottery sometime this month,” and “You will win £150 on this Friday’s EuroMillions.” The specific version tends to instill more trust and belief because it gives the impression that the source must have a deep understanding of the subject matter.

Now, consider the following scenarios:

  • If you experience no hacks at all over the next year.
  • If you are hacked, but the perpetrator turns out to be Sergio instead of Boris.
  • Or perhaps it was Boris, but he used a different attack method or targeted a different system.

These variations can significantly impact confidence in the intelligence and testing. While some may argue that it’s unfair to judge based on such discrepancies, it highlights the pitfalls of being overly specific in an attempt to establish authority.

Furthermore, threat assessments can be relatively expensive, sometimes even comparable in cost to the subsequent intelligence-led testing itself. This raises an important question: If your organisation is not mandated by regulations to undergo such engagements, is there an alternative approach that offers better value?

Understanding the “How” in Cyberattacks

Take a moment to consider why certain types of organisations are targeted by various but repeating malicious threat actors using very similar tactics and techniques. The answer lies in the commonalities they share in terms of critical assets, security controls, and business operations. Let’s delve into a couple of examples to illustrate this point:

  • Physical retail stores These establishments often face physical attacks and abuse of their Point of Sale (PoS) systems. Why is that? It’s because their most valuable asset is their physical stock, which can be physically stolen. Additionally, their payment systems handle financial transactions, making them attractive targets for theft and fraud.
  • Government organisations One of the most prevalent types of attacks they experience is the loss or exposure of confidential data, whether maliciously or accidentally. Why does this happen? Government organisations typically handle vast amounts of sensitive information, which makes them highly valuable to attackers. Moreover, considering the large number of staff members and the limited cybersecurity training they may have, combined with constrained cybersecurity budgets, the outcome becomes somewhat predictable.

These examples provide a glimpse into the diverse profiles of different industries. Each industry faces unique challenges and vulnerabilities that threat actors exploit. Understanding the specific dynamics of your organisation and industry is crucial for building a solid baseline of cybersecurity defences.

In the following section, we will outline practical steps to establish this baseline and enhance your organisation’s security posture. By gaining insights into the “how” of cyberattacks and aligning them with your critical assets, security controls, and business operations, you can better prioritise your efforts and fortify your defences against potential threats.

Identifying Your Organisation’s Attack Surface

When it comes to assessing your organisation’s attack surface, there’s a remarkable framework at your disposal: MITRE ATT&CK. It’s a knowledge base of adversary tactics and techniques based on real-world observations. Once you become familiar with this framework, you’ll find yourself spending a significant amount of time exploring its depths!

At a high level, the framework breaks down the anatomy of an attack into tactics and the techniques that implement those tactics. Currently, version 2 of the framework encompasses the following tactics (with the number of associated techniques following):

  • Initial Access11
  • Execution34
  • Persistence62
  • Privilege Escalation32
  • Defense Evasion69
  • Credential Access21
  • Discovery23
  • Lateral Movement18
  • Collection13
  • Command and Control22
  • Exfiltration9
  • Impact16

That’s a considerable amount of ground to cover and defend against. It’s natural to wonder if there’s a way to focus on the tactics that are particularly relevant to your organisation. And the answer is, fortunately, yes!

Let’s consider the example of a retail organisation. How can you make use of the framework? It’s as simple as searching for “retail,” which will yield a variety of results, including details of threat actors like FIN6, FIN7, and FIN8.

By analysing FIN6, for instance, we can observe that they utilise a range of techniques. While there are numerous techniques, they constitute only a subset of the entire framework:

  • Initial Access2/11
  • Execution5/34
  • Persistence3/62
  • Privilege Escalation6/32
  • Defense Evasion8/69
  • Credential Access3/21
  • Discovery3/23
  • Lateral Movement1/18
  • Collection5/13
  • Command and Control4/22
  • Exfiltration1/9
  • Impact0/16

This narrower focus allows you to concentrate your defensive and remediation efforts more effectively. However, you may be wondering if this approach suffers from the same limitations as Cyber Threat Intelligence, as discussed earlier in this blog. And the answer is, to some extent, yes. But fear not, as we can overcome this challenge by repeating the exercise for other identified threat actors and creating an aggregate or overlay of repetitive techniques. Let’s do that by including FIN7 and FIN8.

Now we have the following profile, with the numbers representing all three threat actors, two threat actors, one threat actor, and the total in the framework:

  • Initial Access2/0/1/11
  • Execution4/0/2/34
  • Persistence3/2/0/62
  • Privilege Escalation2/5/1/32
  • Defense Evasion1/5/6/69
  • Credential Access0/1/3/21
  • Discovery0/1/5/23
  • Lateral Movement1/1/1/18
  • Collection0/3/3/13
  • Command and Control2/2/4/22
  • Exfiltration0/2/0/29
  • Impact0/0/1/16

To illustrate it visually:

This provides us with a much more useful perspective! We can now determine that threat actors targeting the retail sector are most likely to employ the techniques marked in red (15), probably attempt those in green (22), and could utilise those in blue (27). With this prioritised roadmap, you can effectively enhance your security posture, starting from the left and progressing to the right. Naturally, preventing the initial compromise takes precedence over thwarting the threat actor’s data exfiltration.

However, what we’ve covered so far is just the beginning. There may be other financially motivated groups or industry-specific threat actors that you’d like to include to further enhance the results. For instance, you might consider groups targeting the pharmacy, consumer electronics, or gaming industries.

Furthermore, it’s essential to review the results and assess their applicability to your specific environment. Some techniques may be more relevant to Linux systems, while others may be more applicable to Windows.

Lastly, it’s important to note that the worked example in this article only focused on the techniques. In a real-world scenario, you would likely delve into the more granular sub-techniques. This approach provides you with additional tracking points, although they will be smaller and easier to implement.


In the realm of cybersecurity, Cyber Threat Intelligence assessments undoubtedly play a significant role by providing valuable intelligence and intricate details. Regulated organisations may even be obligated to undergo such assessments. However, for those with more flexibility in their approach, this blog has presented an alternative method that is both quicker and more cost-effective, yielding comparable results.

By harnessing the power of the MITRE ATT&CK framework and customising it to suit your organisation’s specific needs, you can gain invaluable insights into your attack surface and strategically bolster your defences against potential threats. The systematic nature of this approach makes it easy to articulate and defend to your management:

These are the threat actors known to target our sector. I’m not claiming that any particular group will specifically target us, but as you can see, there are significant commonalities. We have prioritised our efforts based on reported statistics, and here are the references to support our decisions.

This is a compelling argument that showcases your proactive and informed approach to security. And remember, if you require assistance with any aspect of this process, Metis Security is here to lend a helping hand.

In conclusion, embracing a proactive and tailored approach to cybersecurity based on the MITRE ATT&CK framework empowers your organisation to stay one step ahead of potential threats and safeguard your valuable assets. Stay vigilant, stay informed, and keep evolving your security strategies to stay ahead of the ever-evolving threat landscape.

David Morgan

Founder & Consultant

Trusted Microsoft Cloud Security Advisor with 27 years experience | Empowering Businesses to Embrace Cloud Innovation with Confidence

Skills chart of the author David Morgan, high level expertise in Cyber Security, Network Security, Azure, Microsoft 365, Penetration Testing & Breach Attack Simulation

Related Posts