Building a Cyber Threat Intelligence Capability from Scratch – Part II: Team Building
Welcome back to Part II of our four-part series on building a Cyber Threat Intelligence (CTI) capability from scratch. This article will discuss how you can build a CTI team as your business grows in maturity. If you missed Part I then you can read it here.
Introduction
In Part I, the foundations for the new CTI capability were laid down. Now we look at how to build a CTI team, what skill sets its members could have and how they might be organised as the capability develops. There are many ways to organise a CTI team, and you can be relatively flexible and agile in how it operates as long as you have experienced leadership at its head. Below is an overview of different capabilities and team structures that you can hopefully take inspiration from, mixing and matching capabilities to suit your organisation's requirements.
Building the Team
You may think that a CTI team will be incredibly expensive and that you will need to hire a Manager, a Team Leader and many analysts skilled in various specialisations to achieve your needs, but let me allay your fears. Eventually this may be the case, but initially you could start with just one analyst. Remember where we are in terms of capability maturity: in our scenario from Part I, we are at the earliest maturity level. So, we will begin by overviewing how a brand-new capability could be structured and build out from there.
Beginner Team
The Beginner Team will have their work cut out for them due to the sheer amount of work required to get this capability off the ground. It is suggested that, at a minimum, you have an experienced Team Leader and one or two analysts to begin with. This will allow them to map the environment of the business, analyse the likely threats against the business and build a working intelligence cycle capability. You can also organise the team to focus on current and future threats to the business. The Current Threat Analyst can provide intelligence on current incidents and help mitigate live threats, whereas the Future Threat Analyst can focus on understanding future threats against the business and what security controls should be in place to combat them.
Regarding the salary data, the information has been gathered from a variety of sources, which is why some amounts are given as a range: certain roles vary widely. Salaries will be influenced by the experience of the analyst and whether they have any specialist skills. They have been provided to give a general impression of the cost of this capability, and the salaries given are an average within the industry. The main sources used to collate this information, if you wish to research it yourself, include:
- https://www.itjobswatch.co.uk/
- https://www.glassdoor.co.uk/index.htm
- Google Job Searches
Intermediate Team
After a period of hopefully proving the effectiveness of CTI to the business, you should receive an increase in resources to improve the team. At this point, you can start to become creative in how you use your team members. It is advised that you now employ a CTI Manager, who provides the overall strategy and manages the relationship with the business hierarchy, along with an Assistant Manager. This Assistant Manager runs the CTI teams within the business and their daily operations. In terms of the analytical teams, you can start to specialise them, for example by the type of threat intelligence they collect (the Strategic, Operational and Tactical intelligence types mentioned in Part I). Depending on manpower, you could have one or more analysts per type of intelligence, according to the requirement or need of the business at the time. Additionally, you can add a counterintelligence team, whose role is to monitor for and discover intelligence leaks from within the business and to attempt to discover threat actor collection capabilities against the business.
Advanced Team
It is at this point that you can really begin to flex your creative imagination in terms of your CTI capability to provide a fast, effective and creative CTI team. Rather than talking about teams, you can begin to develop specialisations within your capability based on your business requirements. You can even combine certain specialisations within teams or have analysts with multiple skill sets spread across different teams. For example, you could have an analyst within the Operational Team who specialises in threat actors in the EMEA geographic region, or an OSINT Analyst who works across both the Strategic and Counterintelligence Teams. A simple guide on how you can do this is below; within these teams you can, for example, have Current Threat, Future Threat, Strategic, Operational and Tactical analysts. You also still have the CTI leadership linking with and briefing the business hierarchy, along with an Assistant Director managing the CTI teams. I have not included all the variations the teams can take but simply given you inspiration for how you could organise your own capability.
Just breaking from the scenario, one of the main criticisms I may receive about this article is that it is not outlining increasing maturity within a CTI capability as we move through the different levels, but rather just showing what you can do with more money and resources made available. I accept this and understand that a company could decide to build a capability with a lot of resources and go straight to the 'Advanced Team', but that does not necessarily mean the company has a mature CTI capability. You can of course, for example, have a small but highly mature and effective team, but I wanted to use this article to highlight the many capabilities on offer within CTI and how they can interact with other teams within a business to create a CTI capability. Future articles will explain capabilities and processes and how they mature as a business develops this capability.
*Please note regarding the above structure that this is just based on a fictitious company and how they could potentially set up their capability. This is by no means best practice but rather an example. What it doesn't show is that analysts could, for example, be shared across various teams.
You decide to begin your capability with a Team Leader (i.e. you) and a single analyst and slowly build your capability from there. The advanced team is something you aspire to reach, and you realise that there are also many other ways the team can be structured depending on the priorities of the business at the time.
Now that we have our team, join us next week when we begin the process of understanding our own environment, which means knowing the business inside out, both physically and digitally. This process is essential if we are to understand our strengths and weaknesses, our critical assets and what types of threat actors are likely to target us.
*Special thanks go to the many UK Threat Intelligence specialists whom I have had the pleasure of meeting and working with over the last 24 months, and who have helped shape these ideas and provided inspiration.