A Framework to Establish a Threat Intelligence Program

Erik Miranda Lopez, Ali Ismail Awad

Research output: Book/Report, Commissioned report


Threat Intelligence (TI) is a field that has been gaining momentum as an answer to the exponential growth in cyber-attacks and crimes experienced in recent years. The aim of TI is to increase defenders' understanding of the threat landscape by collecting intelligence on how attackers operate. Simply explained, defenders use TI to identify their adversaries and comprehend their attacking methods and techniques. With this knowledge, defenders can anticipate attackers' moves and be one step ahead by reinforcing their infrastructure.

Although research papers and surveys have explored the applications of TI and its benefits, there is still a lack of literature addressing how to establish a Threat Intelligence Program (TIP). This lack of guidance means that organisations wishing to start a TIP are on their own in this challenging task. Thus, their TIPs end up generating too much or irrelevant data, which in many cases has led security professionals to ignore the intelligence provided by their TIP.

This research aims to address this gap by developing an artefact that can guide organisations in their quest to start their own TIP. This research followed the Design Science Research (DSR) methodology to design and develop a framework which can help organisations define their TI requirements and appropriately operationalise intelligence work to support different Information Security processes. Additionally, this thesis also contributes to the research field of Information Security by presenting a list of evaluation parameters that can be used to measure the success of the establishment of a TIP. Three main parameters were identified: Quality of Intelligence, which measures the value of the output produced by the TIP; Intelligence Usage, which evaluates how the intelligence is consumed and applied; and Legal, which covers aspects concerned with legal requirements.

Original language: English
Publication status: Published - 2021
Externally published: Yes


  • Threat Intelligence
  • Threat Intelligence Program
  • Information Security
  • Computer Sciences
  • Datavetenskap (datalogi)

