Threat Intelligence Policy and Procedures - NEO - Global Employment Marketplace Platform

1.0 OVERVIEW

This policy establishes the framework for threat intelligence collection, analysis, dissemination, and utilization at NEO to proactively identify, assess, and respond to cybersecurity threats. The organization implements a comprehensive threat intelligence program aligned with ISO 27001:2022 requirements to enhance security posture and enable informed decision-making.

Threat intelligence enables NEO to anticipate, prevent, and respond to cyber threats more effectively by leveraging actionable intelligence from internal and external sources.

2.0 PURPOSE & BACKGROUND

The purpose of this policy is to:

a. Establish systematic threat intelligence collection and analysis processes b. Enable proactive threat detection and response capabilities c. Support risk-based security decision making d. Enhance incident response through contextual threat information e. Facilitate threat intelligence sharing with relevant stakeholders f. Ensure compliance with regulatory and industry standards g. Continuously improve organizational security posture based on threat landscape evolution

Threat intelligence transforms raw security data into actionable insights that help organizations understand the threat landscape, adversary capabilities, and attack patterns relevant to their business operations.

3.0 ELIGIBILITY

This policy applies to:

All NEO employees involved in cybersecurity operations
Security engineers and analysts
IT operations and infrastructure teams
Incident response team members
Management personnel making security-related decisions
Third-party security service providers
Business stakeholders requiring threat briefings

4.0 POLICY

4.1 Threat Intelligence Program Structure

4.1.1 Program Governance

Threat intelligence program managed by Security Engineer (Łukasz Zuber)
Regular reporting to CTO and executive management
Quarterly program review and strategy updates
Annual threat landscape assessment and program evaluation

4.1.2 Intelligence Requirements

Strategic intelligence: Long-term threat trends and geopolitical factors
Tactical intelligence: Attack techniques, tactics, and procedures (TTPs)
Operational intelligence: Specific threats and campaigns targeting the organization
Technical intelligence: Indicators of compromise (IOCs) and technical artifacts

4.2 Threat Intelligence Collection

4.2.1 Internal Sources

Security Information and Event Management (SIEM) logs and alerts
Endpoint Detection and Response (EDR) telemetry from Kandji
Network monitoring and intrusion detection systems
Incident response findings and forensic analysis
Vulnerability assessment and penetration testing results
Security awareness training metrics and user reporting

4.2.2 External Sources

Commercial threat intelligence feeds and platforms
Open source intelligence (OSINT) from security communities
Government and industry threat advisories
Information sharing organizations and industry groups
Vendor security bulletins and advisories
Academic research and security conference presentations

4.2.3 Collection Procedures

Automated ingestion of threat intelligence feeds
Manual collection from human intelligence sources
Regular monitoring of threat actor forums and marketplaces
Participation in threat intelligence sharing communities
Collaboration with law enforcement and government agencies

4.3 Threat Intelligence Analysis

4.3.1 Analysis Framework

Structured analytic techniques for threat assessment
MITRE ATT&CK framework mapping for TTPs
Diamond Model analysis for threat actor profiling
Cyber Kill Chain analysis for attack progression
Confidence and reliability scoring of intelligence sources

4.3.2 Analysis Process

Collection and aggregation of raw threat data
Normalization and contextualization of threat information
Analysis of threat actor motivations, capabilities, and intentions
Assessment of threat relevance to NEO operations
Production of actionable intelligence reports and briefings

4.3.3 Intelligence Products

Daily threat briefings for security operations team
Weekly threat intelligence reports for management
Ad-hoc threat assessments for specific security concerns
Indicators of compromise (IOC) feeds for security tools
Threat actor profiles and campaign analysis reports

4.4 Threat Intelligence Dissemination

4.4.1 Internal Distribution

Real-time IOC sharing with security tools and platforms
Regular briefings to incident response and operations teams
Management reporting on threat landscape and risk exposure
Training materials incorporating current threat information
Integration with risk assessment and business continuity planning

4.4.2 External Sharing

Participation in industry threat intelligence sharing initiatives
Collaboration with AWS security advisories and notifications
Sharing of non-sensitive threat intelligence with security community
Coordination with law enforcement on threat actor activities
Contribution to collective defense initiatives

4.4.3 Sharing Protocols

Classification and handling markings for sensitive intelligence
Need-to-know access controls for threat intelligence data
Secure communication channels for intelligence sharing
Legal and regulatory compliance for cross-border information sharing
Attribution guidelines for threat intelligence sources

4.5 Threat Intelligence Integration

4.5.1 Security Operations Integration

IOC integration with SIEM and security monitoring tools
Threat hunting campaigns based on intelligence indicators
Incident response enrichment with contextual threat information
Vulnerability management prioritization using threat intelligence
Security awareness training content based on current threats

4.5.2 Risk Management Integration

Threat intelligence input to organizational risk assessments
Business impact analysis incorporating threat landscape data
Strategic planning informed by long-term threat predictions
Vendor risk assessments enhanced with threat intelligence
Compliance reporting supported by threat intelligence findings

4.6 Quality Management

4.6.1 Source Reliability Assessment

Credibility evaluation of threat intelligence sources
Historical accuracy tracking of intelligence providers
Cross-validation of threat intelligence from multiple sources
Regular review and update of source reliability ratings
Documentation of source limitations and biases

4.6.2 Intelligence Validation

Technical validation of indicators of compromise
Corroboration of threat intelligence through independent sources
False positive analysis and feedback loops
Accuracy metrics for intelligence products and assessments
Continuous improvement based on validation outcomes

5.0 PROCEDURES

5.1 Daily Operations Procedures

Morning Threat Briefing (09:00 CET)

Review overnight threat intelligence alerts and notifications
Analyze new indicators of compromise and threat signatures
Assess relevance to NEO infrastructure and operations
Update security monitoring rules and detection capabilities
Brief security operations team on current threat landscape

Threat Hunting Activities

Develop hunting hypotheses based on current threat intelligence
Execute proactive searches across enterprise security data
Investigate anomalous activities and potential threat indicators
Document findings and update threat intelligence database
Coordinate with incident response team for confirmed threats

5.2 Weekly Analysis Procedures

Threat Landscape Assessment

Compile weekly threat intelligence from all sources
Analyze trends in threat actor activities and campaigns
Assess changes in attack techniques and vulnerabilities
Evaluate impact on organizational risk posture
Produce weekly threat intelligence report for management

Intelligence Source Review

Evaluate performance and reliability of intelligence sources
Identify gaps in threat intelligence coverage
Research and onboard new threat intelligence sources
Update source reliability ratings and metadata
Optimize intelligence collection processes and tools

5.3 Monthly Strategic Procedures

Threat Actor Profiling

Update threat actor profiles with new intelligence
Analyze threat actor targeting preferences and capabilities
Assess threat actor evolution and operational changes
Map threat actors to relevant industry sectors and regions
Produce threat actor intelligence briefings for stakeholders

Program Effectiveness Review

Analyze threat intelligence program metrics and KPIs
Evaluate integration effectiveness with security operations
Assess stakeholder satisfaction with intelligence products
Identify program improvement opportunities and requirements
Update threat intelligence strategy and procedures

5.4 Quarterly Strategic Procedures

Threat Landscape Report

Comprehensive analysis of threat landscape evolution
Strategic threat predictions and trend analysis
Geopolitical and regulatory impact assessment
Industry-specific threat analysis and benchmarking
Executive briefing on organizational threat exposure

Program Review and Planning

Quarterly program performance assessment
Budget and resource allocation review
Technology platform evaluation and updates
Staff training and development planning
Strategic planning for upcoming quarter

6.0 ROLES & RESPONSIBILITIES

VP of Engineering:

Overall threat intelligence program management and coordination
Collection, analysis, and dissemination of threat intelligence
Development and maintenance of threat intelligence procedures
Training and mentoring of security team on threat intelligence
Reporting to management on threat intelligence program effectiveness
Executive oversight of threat intelligence program
Resource allocation and budget approval
Strategic direction and program objectives
External stakeholder coordination and relationship management

Executive Management:

Strategic decision making informed by threat intelligence
Resource allocation for threat intelligence capabilities
External communication and stakeholder coordination
Risk tolerance decisions based on threat intelligence assessments

7.0 METRICS AND REPORTING

7.1 Program Metrics

Number of threat intelligence sources monitored
Volume of indicators processed and analyzed monthly
Threat intelligence integration coverage across security tools
Mean time from intelligence collection to dissemination
Stakeholder satisfaction scores for intelligence products

7.2 Effectiveness Metrics

Percentage of incidents with available contextual threat intelligence
Threat hunting campaign success rates based on intelligence
Reduction in false positive rates through intelligence integration
Proactive threat detection capabilities improvement metrics
Decision-making enhancement through strategic intelligence

7.3 Reporting Requirements

Daily threat briefings for security operations team
Weekly threat intelligence summaries for IT management
Monthly threat landscape reports for executive management
Quarterly program performance reports for board oversight
Annual threat intelligence program assessment and strategy review

8.0 TRAINING AND AWARENESS

8.1 Staff Training Requirements

Annual threat intelligence training for all security personnel
Quarterly updates on emerging threats and attack techniques
Specialized training on threat intelligence tools and platforms
Industry conference attendance and knowledge sharing sessions
Certification programs for threat intelligence analysts

8.2 Awareness Programs

Monthly security briefings incorporating threat intelligence
Phishing simulation campaigns based on current threat actors
Security awareness content updated with relevant threat information
Executive briefings on strategic threat landscape evolution
Business unit briefings on sector-specific threats

9.0 COMPLIANCE AND AUDIT

Threat intelligence program compliance with ISO 27001:2022 requirements
Regular audit of threat intelligence collection and sharing practices
Privacy and data protection compliance for intelligence handling
Legal review of threat intelligence sharing agreements
Documentation retention and management in accordance with organizational policies

10.0 RELATED POLICIES

This policy should be read in conjunction with:

Information Security Policy
Incident Response Policy
Risk Assessment Policy
Data Classification Policy
Acceptable Use Policy