Philosophical phriday - intelligent threat intel
This morning, Greg asked us on the ISO27k Forum for advice on ISO/IEC 27001:2022 security control A.5.7 Threat Intelligence.
"I've read the details in ISO 27002 and understand it in theory. But what does a threat intelligence program consist of and look like when implemented? What tools would an infosec team use to collect threat intel, how would they analyze it and use it, etc? What have you seen in your own environments or those of clients?"
FWIW here's my response:
I agree with you Greg: the page of advice on threat intel in '27002 is all well and good, but what does this look like in practice? It's not entirely obvious.
At a basic level, it starts with 'situational awareness' - someone simply watching out for potential or actual threats in the organisation's external and internal environments, spotting them, tracking them, thinking about and maybe responding to them. Threats become evident when incidents occur, of course, but also through events, near-misses and incidents affecting third parties as reported in the news ... and that's a clue. I keep an eye on general cyber/infosec news sites such as (in no particular order):
- The Register
- The Stack
- DarkReading
- IT News
- Cyberscoop
- CSO Online
- Computer Weakly
- ITPro
- [... insert your favorites here ... and maybe tell the rest of us ...]
There are several specialist sources too, such as:
- IT suppliers (e.g. Microsoft, Apple, Cisco, IBM, Google, Amazon ...) casually mention hints about applicable threats in their update/patch reports to customers/users, alongside outlines of the vulnerabilities, fixes and workarounds
- Cyber/infosec suppliers are always keen to pump up whichever particular classes/types of threat their products allegedly address, consultancies and "research" (paid marketing/promo) firms likewise e.g. Gartner
- 'Proper' scientific studies, surveys and industry reports - mostly annual or less frequent but some have interim updates on major changes
- Various national/infrastructure risk registers - an interesting new threat info stream emerging within the past couple of years
- NSA advisories
- RISKS List and other infosec newsletters e.g. SANS Newsbytes
- ISSA, ISACA and other cyber/infosec professional orgs ... including <ahem> the ISO27k Forum
- Hacker groups, pentesters, red teamers generally - with hints about attack techniques
- [and more]
And general news sources also:
- LinkedIn, X, Facebook and other general social media - often first to reveal and discuss major incidents and chat about 'threats' (broadly defined)
- CNN, BBC, Al Jazeera etc. i.e. conventional news media, mostly trailing the socials but with the advantage of professional journalists
- Assorted sites for info about threats relating to legal/regulatory changes, environmental concerns, safety and privacy, tech in general (IT, OT, NT, VT, ST ...), governance, security management, assurance, HR/motivation/control, awareness & training, and good security practices such as standards and guidelines (failing to keep pace with evolving good practices is 'bad practice').
- Canned web searches for those recurring and unresolved concerns - whatever nightmares keep you up at night: cloud, supply chains, IoT, AI, fraud, APTs, critical infra, H&S, whatever
- [More, always more]
Whenever your threat intel starts flagging, plug back in to the global social network and charge up! There's clearly a LOT of information Out There, even without subscribing to paid threat intel services and (these days, I presume) a wealth of costly AI-fueled services ... which makes keeping up a significant ongoing challenge. I find it helps to focus on the information risks (which, out of all the threats affecting our org, industry, locales and technologies, should I be most concerned about this year/quarter/month/week/day, and why? Which of them can I actually do anything about, anyway, and what's our strategy to deal with the possibility of incidents involving the remainder? What have I forgotten or neglected e.g. entire classes of threat just off the side of my radar?).
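As an added example (not part of the original post, and not anything the ISO27k Forum or the author published), here is one concrete shape the 'canned web searches' and 'which threats should I be most concerned about this quarter' ideas can take together: a small Python script that parses entries from a news feed in Atom format, matches each one against a watchlist of themes drawn from the risk register, weights the hits by how much that theme matters right now, and ranks the results. The feed entries, the watchlist terms and the weights are all constructed assumptions; swap in your own sources and priorities.

```python
"""Keyword-driven triage of security news feed entries.

Added example, not the post's own code. The feed below is constructed
sample data in Atom format; the watchlist themes mirror the recurring
concerns named in the post, and the weights are assumed values standing
in for a hypothetical organisation's current risk priorities.
"""
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Constructed sample feed: three made-up headlines, not real news items.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example security news</title>
  <entry>
    <title>Ransomware group hits cloud storage provider via stolen credentials</title>
    <link href="https://news.example/1"/>
    <updated>2024-05-01T09:00:00Z</updated>
    <summary>Attackers used phished credentials to reach a SaaS tenant.</summary>
  </entry>
  <entry>
    <title>Vendor patches critical flaw in IoT camera firmware</title>
    <link href="https://news.example/2"/>
    <updated>2024-05-01T10:00:00Z</updated>
    <summary>Update addresses remote code execution in OT environments.</summary>
  </entry>
  <entry>
    <title>Conference announces keynote speakers</title>
    <link href="https://news.example/3"/>
    <updated>2024-05-01T11:00:00Z</updated>
    <summary>Industry event schedule published.</summary>
  </entry>
</feed>
"""

# Watchlist: theme -> (weight, terms). Weights are assumptions: higher means
# the theme ranks higher on this period's risk register.
WATCHLIST = {
    "cloud": (3, ["cloud", "saas", "tenant"]),
    "supply chain": (3, ["supplier", "vendor", "third party", "supply chain"]),
    "iot/ot": (2, ["iot", "firmware", "ot", "ics", "scada"]),
    "fraud/phishing": (2, ["phish", "phishing", "phished", "fraud", "stolen credentials"]),
    "ransomware": (3, ["ransomware", "extortion"]),
}


def parse_atom(xml_text):
    """Return a list of {title, link, updated, summary} dicts from an Atom feed."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.findall("a:entry", ATOM_NS):
        link_el = e.find("a:link", ATOM_NS)
        entries.append({
            "title": (e.findtext("a:title", default="", namespaces=ATOM_NS) or "").strip(),
            "link": link_el.get("href", "") if link_el is not None else "",
            "updated": e.findtext("a:updated", default="", namespaces=ATOM_NS) or "",
            "summary": (e.findtext("a:summary", default="", namespaces=ATOM_NS) or "").strip(),
        })
    return entries


def score_entry(entry, watchlist=WATCHLIST):
    """Match title+summary against the watchlist; return (score, [themes hit])."""
    text = f"{entry['title']} {entry['summary']}".lower()
    score, themes = 0, []
    for theme, (weight, terms) in watchlist.items():
        # Whole-word matching so short terms such as 'ot' or 'ics' do not
        # fire on 'hot' or 'graphics'.
        if any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms):
            score += weight
            themes.append(theme)
    return score, themes


def triage(xml_text, watchlist=WATCHLIST, min_score=1):
    """Parse a feed and return entries scoring at least min_score, highest first."""
    ranked = []
    for entry in parse_atom(xml_text):
        score, themes = score_entry(entry, watchlist)
        if score >= min_score:
            ranked.append({**entry, "score": score, "themes": themes})
    ranked.sort(key=lambda r: (-r["score"], r["updated"]))
    return ranked


if __name__ == "__main__":
    for item in triage(SAMPLE_FEED):
        print(f"[{item['score']}] {item['title']}  <- {', '.join(item['themes'])}")
```

In use, replace SAMPLE_FEED with the text fetched from each feed you follow and run it on a schedule; the unmatched conference item drops out entirely, which is the point of the exercise: the watchlist encodes what you have decided to worry about, so reviewing and re-weighting it is the Monday-morning agenda item, not reading every headline.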
As CISO/ISM, this is a good agenda item for the regular Monday morning infosec team meetings: what's new? What's up? What's going on Out There and In Here? Get the infosec team (and beyond?) engaged to exploit their interests and specialist knowledge. Set those creative juices flowing at the start of every working week (or day?), not just as part of your occasional risk workshops and so forth.
As an infosec pro and self-confessed nerd, I consider this part of my ongoing professional development/education and, to be honest, I'm fascinated by threats, vulnerabilities, impacts, controls And All That. As a consultant working with a variety of clients in different industries with different risks, and as an SME owner, I relish the challenge of keeping on top of it all. Well, aiming for the top anyway. I'm not immune to nasty surprises. I've missed the boat, been blind-sided, caught a crab, fallen off a log ...