2021 SANS Cyber Threat Intelligence survey

Executive Summary

The past year has been filled with changes to almost every aspect of daily life, and cyber threat intelligence (CTI) work did not go untouched. CTI is analyzed information about the capabilities, opportunities, and intent of adversaries conducting cyber operations. Adversaries tend to operate in and across digital networks and equipment that shape and impact businesses, critical infrastructure, and people’s daily lives. Understanding how threat actors are targeting information, systems, people, and organizations helps organizations and individuals alike understand how to perform threat hunting and security operations, respond to incidents, design better systems, understand risk and impact, make strategic changes, and protect themselves from future harm.

While this year’s survey captured some major ways in which CTI work has changed, we also noted more subtle changes across this year’s responses with reversals of trends we had seen developing over the past several years. This year has also shown us how valuable time is, and we are appreciative of the practitioners who made the time to help us analyze the trends in CTI.

Even with the difficulties that 2020 brought, CTI work has continued to grow and mature. A record number of organizations reported that they have clearly communicated intelligence requirements as well as methods and processes in place to measure the effectiveness of CTI programs. These improvements continue to show the resilience of the field and the value of CTI as a resource for clarity and prioritization when complex challenges arise.

Key Takeaways

• The way CTI analysts operate has changed due in large part to the coronavirus. For example, analysts are more often disseminating information asynchronously through emails and dashboards rather than in-person briefings. Also, more analysts are back to working on their own as a sole CTI analyst, even as organizations depend more on their CTI functions for prioritization and protection of a suddenly remote workforce. And while many CTI analysts might be finding themselves working from home, they are not without tools to support them. Automation improvements in many areas of CTI collection and information processing have made parts of the increased workload more manageable.
• CTI is not just for the top 1% of organizations. This year we saw an increase in the number of small organizations that have CTI programs. While these organizations might start out with an individual analyst, or even one splitting time between other security functions, this growth shows that CTI has matured into a field where more and more organizations perceive that the benefits are worth the investment. The improved support that CTI provides for security at all levels, from tactical to strategic decision making, benefits organizations of all sizes and across all industries.
• CTI tools and processes are becoming more automated, giving analysts more time to spend on higher-level analytic activities rather than repetitive collection and processing tasks. This year we saw CTI analysts integrate more information from government security bulletins and media reporting into their analysis. This change shows a need for tools and processes that better support the inclusion of this data source to support analysis and help identify potential misinformation or disinformation that could negatively impact analysis.

Download the report to find more.