Implementing a threat intelligence program that meets the threat intelligence control as described in ISO/IEC 27002:2022 — a set of standards set forth by the International Organization for Standardization — is not onerous.
The ISO/IEC 27002 standard describes a non-exhaustive list of security controls that organizations can implement on their own or as part of an ISO/IEC 27001-compliant cybersecurity program.
The guidance within ISO 27001 identifies which security controls are appropriate, while ISO 27002 describes the controls in detail and how they can be implemented. Threat intelligence is a recent addition to the controls, having been included in the 2022 edition of the standards, which are adopted by more than 160 countries around the world.
What is threat intelligence?
Threat intelligence is simply information about threats. The goal of threat intelligence is to help decision-makers make better decisions by being better informed about current threats and those they may face in the future.
In a world where the risks posed by the ever-changing cyber threat landscape are in constant flux, yet resources are constrained, deciding which security measures should be deployed depends on risk appetite and an understanding of the nature of the threats. Effective threat intelligence informs decision-makers in a timely manner about how the threat landscape is changing and enables management to act to counter these threats.
Acting against threats may be as simple as updating a block list or require considering where investments in new countermeasures should be made. The standard states that the purpose of threat intelligence should be to “provide awareness of the organization's threat environment so that the appropriate mitigation actions can be taken.” The details of exactly what actions are required are for the organization’s decision-makers to choose.
Obtaining threat intelligence
Few organizations routinely generate intelligence from their own data. Most organizations receive and make use of intelligence published from third parties such as government agencies, specialist providers or collaborative groups.
At Talos, we pride ourselves on the quality of the intelligence we publish. We publish intelligence on the significant threats that we identify on our blog and provide a summary of recent key threats in our weekly Threat Source newsletter.
Organizations can collect this intelligence, review the threats described, consider if and how each threat is relevant to them, and decide whether any additional mitigations are needed. Circulating this information to the relevant people provides vital awareness of current threats, and provides actionable intelligence if changes need to be made to counteract them.
A threat intelligence program
At its simplest, a threat intelligence program consists of the program’s objectives, the sources from which intelligence will be gathered, the frequency of that collection, and what will be done with the gathered information.
The wording of ISO/IEC 27002 provides an outline for the program’s potential objectives. Threat intelligence should be: “relevant, insightful, contextual, actionable.” The collection of intelligence that satisfies these four requirements will almost certainly be useful to wider cybersecurity activity.
Setting out the sources of intelligence may be as easy as listing the providers of threat intelligence that are already consulted, and how often they will be consulted. Subscribing to the Talos weekly newsletter provides information about the most prevalent malware.
This intelligence can be used to identify which (if any) of the organization’s defense systems detected the threat. Reflecting on whether the threat could have been detected earlier and passing any recommendations to management constitutes a viable threat intelligence program.
The Talos Threat Spotlight posts and Quarterly Trends reports provide details of threats and the techniques used by threat actors. Analysing these and considering how (or if) such malicious strategies would be detected and blocked, or if additional mitigations are required, and passing this information to management would also be an effective use of threat intelligence.
Additional controls defined in ISO/IEC 27002 can form part of the threat intelligence process or benefit from an intelligence input. Relevant controls include:
5.6 Contact with special interest groups – being part of a community sharing experiences and intelligence with industry peers allows the further collection of intelligence and contextualization of that information.
8.7 Protection against malware & 8.23 Web filtering – informing users about the current threats they are likely to face, providing information about how they can identify threats, and helping protect systems all improve the organization’s security posture.
8.8 Management of technical vulnerabilities – prioritizing the mitigation and patching of vulnerabilities based on their potential and current risk of abuse requires identifying the assessed severity of a vulnerability and how this may change.
8.15 Logging & 8.16 Monitoring activities – determining the system information to log, store and query allows malicious behavior to be uncovered, if threat intelligence is applied to understand how threats may manifest themselves within log data.
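As an added example that is not code from the Talos post or from ISO/IEC 27002, the reflection step described above (which defense systems detected the threat?) and the 8.15/8.16 point about querying log data, carried out over one constructed intelligence item and constructed proxy and EDR log lines; the indicator values, host names and log format are placeholders.

```python
# Added example, not code from the Talos post or ISO/IEC 27002: check which
# (constructed) defence systems saw or blocked one intelligence item's indicators.
import re
from collections import defaultdict

# Constructed intelligence item, labelled with the four qualities the standard names.
INTEL_ITEM = {
    "relevant": "campaign targets finance teams by email",
    "insightful": "signed installer, then HTTPS command and control",
    "contextual": "seen in our sector this month",
    "actionable": "block the domain at the web filter; hunt for the hash on endpoints",
    "indicators": {"domain": ["c2.example.invalid"],   # placeholder domain
                   "sha256": ["0" * 64]},              # placeholder, not a real hash
}
# Constructed log lines from two defence systems: a web proxy and an EDR agent.
LOGS = [
    "proxy host=ws-17 dest=c2.example.invalid action=allowed",
    "proxy host=ws-22 dest=c2.example.invalid action=blocked",
    "edr host=ws-17 sha256=" + "0" * 64 + " verdict=quarantined",
]
LINE_RE = re.compile(r"^(?P<system>\w+) host=(?P<host>\S+) (?P<kv>.*)$")
FIELD_FOR = {"domain": "dest", "sha256": "sha256"}  # assumed log field per indicator type

def parse_line(line):
    """Parse one 'system host=... k=v ...' line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    return {"system": m.group("system"), "host": m.group("host"), **kv}

def coverage(intel, logs):
    """Map each indicator observed in the logs to {system: sorted outcomes}."""
    report = defaultdict(lambda: defaultdict(set))
    for line in logs:
        ev = parse_line(line)
        if ev is None:
            continue
        for kind, values in intel["indicators"].items():
            value = ev.get(FIELD_FOR[kind])
            if value in values:
                report[value][ev["system"]].add(ev.get("action") or ev.get("verdict"))
    return {i: {s: sorted(o) for s, o in by_sys.items()} for i, by_sys in report.items()}

def unhandled(report):
    """Indicators some system observed but let through: the items to escalate."""
    return sorted(i for i, systems in report.items()
                  if any("allowed" in o for o in systems.values()))
```

The `unhandled` list is the part worth passing to management: an indicator the proxy saw but allowed on one host is the "could this have been detected earlier?" question made concrete.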