
How CTI Powers Better Risk Assessments

Most technical practitioners I know avoid GRC like the plague. But a friend recently put it in perspective: Everything in cyber eventually boils down to risk.

It was a fair point. In CTI, we are great at the "who" and the "how" but we don't always take that crucial leap: linking our intelligence directly to the organization's risk.

I did some reading and realized that a risk assessment shouldn't be a "pure" GRC job handled in a silo. CTI plays a massive role in supporting them with real-world evidence.

A Quick Side Note: This methodology is adapted from the CSA Guide to Conducting Cybersecurity Risk Assessment. Even if you aren't protecting CII systems, the logic—from threat modeling to likelihood scoring—is a universal blueprint for any mature security shop.

Phase 1: Setting the Rules (Establishing Context)

You have to decide what "risk" actually means to your specific organization. If you don't have a common language, you're just throwing buzzwords at the board and hoping for budget.

  • The Definition: We define risk as a function of Likelihood and Impact.
  • The Appetite: The level of risk an organization is willing to accept; this is its Risk Tolerance.
  • The Stakeholders: Identifying key players like the Head of Organization and Business Owners ensures accountability isn't just a bullet point on a slide.

Phase 2: Mapping the Targets (Risk Identification)

This step focuses on identifying what could go wrong within your environment. It’s about moving beyond the generic "we might get hacked" and figuring out how attackers would actually reach the assets that matter.

  • Crown Jewels vs. Stepping Stones: You need an inventory. Crown Jewels are critical to your business while Stepping Stones are the "lower-value" assets attackers use to pivot deeper into the network.
  • Threat Modeling: A structured process that links threat events into an attack sequence.
  • Risk Scenarios: These combine four elements: the Asset, the Threat Event, the Vulnerability, and the Consequence.

How CTI Supports Risk Identification:

  • Asset Identification: CTI informs which assets are likely to be "Crown Jewels" by providing intelligence on what attackers are actively seeking to exploit in your specific sector. For example, if a CTI report shows state-sponsored actors are targeting specific brands of ICS, those controllers are immediately identified as high-priority assets.
  • Threat Modeling: This is the most direct application of CTI: identifying threat events and using Attack Modelling to describe an adversary's intrusion approach and sequence. Using known TTPs, a team can model a realistic Attack Sequence, such as an adversary moving from an initial phishing email to a "stepping stone" server to reach a critical system.
  • Risk Scenarios: CTI provides the specific "Threat Event" and "Vulnerability" data needed to construct well-articulated, realistic scenarios rather than generic guesses. This allows for precise scenario building, such as: An attacker delivers a spear-phishing email (Threat Event) to an unsuspecting user (Vulnerability) on their corporate account (Asset), leading to the disclosure of hashed credentials (Consequence).

Phase 3: The Math (Risk Analysis)

To stop guessing, we break Likelihood down into three metrics scored from 1 to 5:

  1. Discoverability: Can they find the hole? (Think: Censys, ExploitDB).
  2. Exploitability: What technical skills and tools are required to pull this off?
  3. Reproducibility: How stable is the exploit, and does it work consistently every time?

Note: Exploitability is the "entry barrier" (can a novice do this with a public script?), while Reproducibility is the "success rate" (will it actually work every time they try?).

How CTI Supports Risk Analysis:

  • Discoverability: CTI provides the evidence needed to determine how much information about a vulnerability is in the public domain. By monitoring tools like Shodan, ExploitDB, or dark web forums, CTI can identify if your organization’s specific asset IP addresses or unpatched vulnerabilities are being indexed or actively discussed by adversaries.
  • Exploitability: CTI assesses the technical skills and complexity of tools required for an adversary to carry out an attack. For example, if intelligence confirms that a "one-click" exploit script for a vulnerability has been published on a public forum, the Exploitability score would hit a 5 because the attack no longer requires a nation-state level of skill.
  • Reproducibility: CTI tracks the stability of known exploits and whether they require specific, rare environmental conditions to work. A CTI report might clarify that a certain vulnerability is "unstable" and only works during a rare race condition, allowing you to lower the Reproducibility score and focus on more reliable threats.

Phase 4: The Triage (Risk Evaluation)

This is where you determine which risks are glowing red. You use a 5-by-5 risk matrix to calculate the risk level and compare it against your tolerance.

  • Prioritize: Compare the risk level (Likelihood x Impact) against your risk tolerance.
  • The Register: Record all scenarios, current risk levels, and treatment plans in a Risk Register.

(Figure: a 5x5 risk matrix, AI generated)

How CTI Supports Risk Evaluation:

  • Prioritize Risk: CTI helps determine which risks are most urgent by identifying which threat actors are currently active or which vulnerabilities are being actively exploited in the wild. For instance, if two vulnerabilities both have a "High" technical severity score, CTI can reveal that only one is currently being used in active ransomware campaigns, allowing the organization to prioritize that specific risk for treatment.
  • Sector Context: Intelligence acts as a trigger for re-assessment by showing an uptick in attacks against specific industries. This data prompts a re-evaluation of risk levels for related scenarios, ensuring your defenses aren't calibrated for a "quiet" landscape when the reality is a heightened threat environment.
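The Phase 3 scoring and the Phase 4 matrix comparison, worked through as an added Python example that is not part of the original post or of the CSA guide. It assumes a 1-5 Impact scale, combines the three likelihood metrics by rounded mean, and uses made-up matrix bands and constructed sample scenarios; none of those choices come from the post.

```python
from dataclasses import dataclass

@dataclass
class Likelihood:
    discoverability: int   # can they find the hole? (1-5)
    exploitability: int    # skills and tools needed, the entry barrier (1-5)
    reproducibility: int   # does the exploit work every time? (1-5)
    def score(self) -> int:
        vals = (self.discoverability, self.exploitability, self.reproducibility)
        if any(not 1 <= v <= 5 for v in vals):
            raise ValueError("each metric is scored 1 to 5")
        # Assumption: the post does not say how the three combine; the rounded
        # mean is used here (max(vals) would be the more conservative choice).
        return round(sum(vals) / len(vals))

@dataclass
class Scenario:           # the four elements of a Phase 2 risk scenario, plus scores
    asset: str
    threat_event: str
    vulnerability: str
    consequence: str
    likelihood: Likelihood
    impact: int                       # 1-5, assumed scale
    actively_exploited: bool = False  # CTI flag used for Phase 4 prioritisation

def apply_cti(s, public_exploit=False, unstable=False, in_the_wild=False):
    # The Phase 3/4 adjustments the post describes, driven by CTI evidence.
    if public_exploit:    # published one-click script: the entry barrier is gone
        s.likelihood.exploitability = 5
    if unstable:          # exploit only fires under a rare race condition
        s.likelihood.reproducibility = min(s.likelihood.reproducibility, 2)
    s.actively_exploited = s.actively_exploited or in_the_wild
    return s

def risk_band(level):     # assumed bands for the 5x5 matrix; the post gives no thresholds
    return "Critical" if level >= 15 else "High" if level >= 10 else "Medium" if level >= 5 else "Low"

def build_register(scenarios, tolerance):
    rows = []
    for s in scenarios:
        lvl = s.likelihood.score() * s.impact   # cell value on the 5x5 matrix, 1..25
        rows.append({"asset": s.asset, "risk": lvl, "band": risk_band(lvl),
                     "treat": lvl > tolerance, "active": s.actively_exploited})
    # Above tolerance first, then actively exploited in the wild, then highest risk.
    rows.sort(key=lambda r: (not r["treat"], not r["active"], -r["risk"]))
    return rows

# Constructed sample scenarios (not real findings); the second is the post's phishing case.
SCENARIOS = [
    apply_cti(Scenario("ICS controller", "remote code execution", "unpatched firmware",
                       "loss of plant control", Likelihood(4, 2, 4), 4), public_exploit=True, unstable=True),
    apply_cti(Scenario("corporate mail account", "spear-phishing email", "unsuspecting user",
                       "disclosure of hashed credentials", Likelihood(4, 3, 4), 4), in_the_wild=True),
]
```

Both sample scenarios land on the same matrix cell, so the register orders the one CTI reports as exploited in the wild first, which is the Phase 4 tie-break the post describes.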

Phase 5: The Payoff (Respond to Risks)

There are four main paths to bring risks within an organization's tolerance:

  • Mitigate: Fix it by implementing security controls.
  • Avoid: Stop doing the thing that causes the risk.
  • Transfer: Buy insurance or outsource the headache.
  • Accept: Acknowledge it and move on (if it’s within tolerance).

How CTI Supports Responding to Risks:

  • Mitigation: CTI identifies the specific Tactics, Techniques, and Procedures (TTPs) of likely adversaries to ensure that chosen security controls are appropriate and relevant to the actual root cause of a risk. This allows the organization to select measures that directly reduce the Likelihood or Impact of a threat event.
  • Avoidance: CTI identifies when a threat is so high or unfixable—like a supply-chain compromise in a third-party tool—that the only safe move is to discontinue the activity or disable the software entirely.
  • Transfer: CTI provides the "Real-World Impact" data needed to justify the cost of cyber insurance or to set specific security requirements when outsourcing to a vendor.
  • Acceptance: If you choose to accept a risk because it's currently low, CTI monitors the landscape to alert you the moment a new exploit or actor makes that "Acceptance" invalid.

CTI as a support for Risk Assessments

At the end of the day, a risk assessment without CTI is just a static document gathering dust in a compliance binder. It’s an educated guess. CTI is the pulse that makes the entire process "live." It ensures that when you spend a dollar or an hour on security, you're spending it on a threat that’s actually coming for you.

If we want CTI to be more than just an interesting news feed for the technical team, we have to start translating our intelligence into the only language the business actually speaks: Risk.