updated Sept 7, 2023

What is a CTI Framework?

Cyber threat intelligence (CTI) frameworks simplify and organize intelligence gathering, ensuring the collection, analysis, and sharing of relevant information with stakeholders.

A CTI framework is a structured approach used to gather, analyze, and utilize information about potential cyber threats. They can vary in structure and focus. However, they typically consist of several parts: threat identification, threat intelligence feeds, analysis techniques, incident response procedures, information sharing protocols, and continuous monitoring.

They help organizations better understand the threat landscape, improve their security posture, and make more informed decisions to mitigate risks.

Which Framework Should I Use?

As the CTI industry continues to grow, so do the discipline’s thinking tools, or frameworks. Whether your intelligence team uses the Cyber Kill Chain, the Diamond Model, or MITRE ATT&CK, you can find one that helps your security team gather and organize intelligence.

We are likely to see even more frameworks emerge in the near future as the CTI discipline and the threat landscape continue to develop. This is an advantage in many ways. The proliferation of frameworks highlights the growth of the CTI industry. Building a common vocabulary and shared concepts to articulate what are often highly complex threats ultimately makes CTI more digestible.

ReliaQuest utilizes frameworks like MITRE ATT&CK to provide actionable intelligence on significant incidents. One example is the US accusing the Russian GRU. Another example is concerns about the cyber threat following the assassination of Iranian General Qasem Soleimani.

Risk and Challenges to Using CTI Frameworks

The growing role of these frameworks also poses challenges to the industry. Analysts should focus on the benefits of each approach instead of spending too much time measuring different frameworks against each other. Ultimately, we should not see CTI thinking tools as a zero-sum game. We don’t need one framework to rule them all.

Analysts may adopt CTI frameworks without understanding their purpose or the issues they address, which can be risky. It’s important to have a clear purpose when integrating MITRE ATT&CK, rather than just doing so without any real reason.

Different CTI frameworks can co-exist. Let’s discuss some practical rules to keep in mind when integrating a cyber threat framework into intelligence practices.

Embarking on creating and building a threat intelligence capability? Check out our Threat Intelligence Deep Dive.

How Should You Use CTI Frameworks?

Frameworks are, ultimately, thinking tools. Each framework possesses unique characteristics and developers have made different design decisions regarding their degree of abstraction and focus.

It’s better to think of frameworks as options in a cookbook. We can choose the ones that work best for the situation or problem we’re dealing with.

This is an approach widely recognized elsewhere in the industry. After all, there’s no one way to perform penetration testing or malware analysis. Instead, red teamers and malware analysts possess a cookbook (or toolkit) of different programs and techniques. Depending on the challenge at hand, it’s up to them to decide which tools would be most useful and appropriate.

Knowing the strengths and weaknesses of various CTI frameworks is important. However, it is even more crucial to understand when each framework is suitable or not suitable for different situations. This shift in mentality allows for the peaceful coexistence and more agile use of different frameworks.

5 Rules for Integrating CTI Frameworks

Despite the clear benefits of using CTI frameworks, there’s a risk of applying them in the wrong way. The following set of rules provides a practical checklist for practitioners looking to integrate these thinking tools into their intelligence processes.

Know Your Audience

CTI frameworks should always be audience centric. This is where the idea of a cookbook is vital. On the one hand, a C-suite audience will struggle to follow along with frameworks considered straightforward in the industry. Intelligence teams should always be aware of the danger of overwhelming non-techies and senior stakeholders.

On the other hand, in other contexts even a more detailed framework is too simple. Juan Andres Guerrero-Saade cautions that the industry’s current thinking tools may result in a fragmented approach to intelligence. This fragmented approach could hinder consumers from fully comprehending attacks and potentially lead to increased complacency.

Avoid the Reverse-Engineering Trap

Intelligence teams should ideally look at the challenges they face and ask how to solve them. This is the time to consider how various CTI frameworks might help (or not). CTI frameworks should ultimately address a problem and improve a team’s products and services.

Intelligence teams often make the mistake of integrating CTI frameworks before identifying problems to solve. They end up justifying why they used the framework.

Frameworks Aren’t a Magical Elixir

As useful as they can be, CTI frameworks are rarely a substitute for hard work. While a framework might make analysts’ lives easier, tagging is not the same as intelligence.

Intelligence is an ongoing and dynamic process that often requires nuanced assessment and tradecraft. You should regularly assess the use of frameworks as threat actors change and refine their tactics over time. This highlights the importance of more dynamic forms of adversary profiling. Frameworks can play a role in capturing tactics of threat actors, but they can be implemented in good or bad ways.

Not Everything Needs a Framework

As great as frameworks can be, they should be enablers, not straitjackets. Using a framework for the sake of using a framework helps no one. Analysts should often present intelligence requests via frameworks, but they shouldn’t be afraid to go off-piste. Analysts should discard frameworks if they can present intelligence in a more digestible and straightforward way for the audience at hand.

Don’t Dismiss DIY

Unlike plastic, single-use frameworks don’t have a carbon footprint. You can develop frameworks, fancy tables, and flashy infographics to present a very particular problem, knowing you’ll never use them again. They can be thrown away, reassembled, and modified in whatever way makes the most sense. As long as such an approach improves the delivery of intelligence, you should embrace flexibility.

The cyber-security industry is now a vast space that comprises different audiences, communities, and problems. A variety of CTI frameworks should reflect this reality. The growing role of conceptual frameworks within the CTI community presents opportunities to improve the intelligence provided to consumers.

But people can also misuse these thinking tools. Ensure you focus on using frameworks to solve problems and improve the delivery of intelligence, and the industry will ensure that the thinking tools we use play a central role in improving security.

More CTI Framework Resources

Curious to see how we’ve used cyber threat intelligence frameworks in assessments here at ReliaQuest? Check out some of the examples below.

Mapping Iran’s Rana Institute to MITRE Pre-ATT&CK and ATT&CK

Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

Mapping the Tyurin Indictment to the Mitre ATT&CK™ framework

Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK

SamSam But Different: MITRE ATT&CK and the SamSam Group Indictment

The 2017 FSB indictment and Mitre ATT&CK

MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations