Applying Business and Technical Context to prioritize and generate relevant Cyber Threat Intelligence (CTI)
by Deepak Bellani
Today most threat feeds are comprised of IOCs with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds , the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge i.e. its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization’s networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business an technical information is used to filter and prioritize threat information.