Strengthening Proactive CTI Through Collaboration

Those who have worked in our industry for a certain amount of time will be acutely aware that executives often encounter information security media articles and flag them to their teams. This is something myself and my peers at other organizations also face. So I decided to write about it, expand my thoughts, offer some tips from my experience and research to hopefully provide a practical solution for a common problem.

This usually prompts inquiries to the Cyber Threat Intelligence (CTI) Team who have to do their best to provide timely and accurate answers, reassuring their executive stakeholders everything is OK or being handled. This often leads to shepherding various Cybersecurity Teams to acquire these answers. Getting to the stage whereby timely and accurate responses can always be provided can be a bit of a mountain to climb, especially for newly created CTI Teams.

An Ideal 7-STEP Solution 

While inevitable, these interactions can be optimized to enhance organizational resilience and foster a proactive security culture. Here’s how CTI Teams can effectively navigate and leverage executive inquiries through collaboration with other Cybersecurity Teams:

STEP 1: Acceptance and Pre-emption

Acknowledge that executives will encounter cybersecurity media articles and embrace it as an opportunity to enhance organizational preparedness. Proactively anticipate inquiries by establishing clear Priority Intelligence Requirements (PIRs) and General Intelligence Requirements (GIRs) with executives and CTI alignment.

STEP 2: Building Trust and Relationships

It will be self-evident early on in the journey to building a CTI Team, that it must earn trust from the executive stakeholders by fostering good, quality relationships. Executives often seek succinct answers, such as whether the organisation is impacted by emerging threats. Building rapport and trust enables CTI to provide concise yet insightful responses.

STEP 3: Establishing Internal Networks

Where collaboration comes in most will be through the development a network of internal subject matter experts or SMEs, which you can call the "fusion center" or "council of experts" to efficiently address inquiries and collaborate on mitigating potential threats. CTI Teams must leverage these connections to gather expert insights and validate findings, enhancing the credibility of their assessments and responses.

Figure 1: The Proactive CTI Fusion Center (aka Council of Experts)

This is important as it will hopefully help prevent an undesirable trust-eroding situation whereby another Cybersecurity or IT Team contradicts the CTI Team's assessments because they simply were not asked about it.

STEP 4: Contextualizing Threats

One ideal approach is to have the resources to craft daily "flash alerts" that provide timely updates on the latest significant security developments. These should also ideally be accompanied by relevant context tailored to the organization's defence posture.

Additionally, Weekly Roundups can offer comprehensive summaries, ensuring executives stay informed without being overwhelmed by constant updates.

STEP 5: Facilitating Executive Awareness

It is important to note that executives are likely to possess insights into organisational vulnerabilities and risks not readily apparent to the CTI Team, likely due to their experience, which is usually what got them to the executive positions.

In return, experienced CTI Teams can also assist in educating executives to ask informed questions and understand the implications of emerging threats on the business landscape.

STEP 6: Business Understanding and Monitoring

CTI should prioritise understanding the organisation's business objectives and technology stack to effectively assess and address potential threats. Leveraging threat intelligence platforms, CTI can monitor for keyword mentions and proactively identify emerging risks.

STEP 7: Confidence in Assessments

While not immediately obvious, CTI Teams should emphasise to their stakeholders that every one of their assessments is based on currently available information to them and they should ideally be accompanied by a confidence level. Transparent communication regarding the assessment's level of certainty enables executives to make informed decisions based on the vulnerabilities, threats, and associated risks.


If the 7-STEP solution above is implemented successfully, your processes around performing proactive CTI duties should look something like the following diagram:

Figure 2: The Proactive CTI Briefing Process

Overall, fostering collaboration between executives and the CTI team is essential for proactive threat management and organisational resilience. By establishing trust, providing contextualised insights, and facilitating executive awareness, CTI can effectively navigate executive inquiries and strengthen the organisation's security posture in an ever-evolving threat landscape.

Further Reading

If you're interesting in learning more about CTI processes as a practitioner, myself and my colleagues from the Curated Intel community put together a GitHub repository of dozens of key resources related to CTI Fundamentals.

Additional CTI program books that I recommend reading that are related to this topic include the Visual Threat Intelligence: An Illustrated Guide For Threat Researchers by Thomas Roccia, the Intel471 Cyber Underground General Intelligence Requirements Handbook (CU-GIRH) by Michael DeBolt, and The Intelligence Handbook: A Roadmap for Building an Intelligence-Led Security Program by Christopher Ahlberg.


Thanks to those on my table at the mid-March 2024 Unconference Event run by Intel471 in London. The discussions we had on this topic were great and helped me write this blog. Shout out to @DE7AULTsec, @dragan_security, and the others.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks