What Is Cyber Threat Intelligence.
there is no clear definition that describes what threat intelligence is, which often leads to the misuse of this concept. We can say that Cyber Threat Intelligence, also known simply as CTI, refers to the set of organized data on computer threats that allows to prevent or mitigate possible attacks.
Many teams in the operations sector receive large volumes of alerts, including Indicators of Compromise (IoC), which are data that arises from activity in a system that provides information on the behavior of a threat and allows contextualize incidents and classify them. On the other hand, through threat intelligence it is possible to contain and eradicate threats in real time.
It is extremely important to understand that data and information alone are NOT intelligence.
That said, we can say that Cyber Threat Intelligence refers to the processing of data and information to generate intelligence.
But it does not end there, since through Threat Intelligence infinities of cybersecurity problems are solved as it is a process that builds its knowledge base from many factors.
Table of Contents
Types of Cyber Threat Intelligence
Within the CTI, two types of intelligence can be distinguished:
- Operational : also known as “Technical Threat Intelligence”, it is a type of intelligence that includes information on vulnerabilities, attacks, and Indicators of Compromise. With this type of intelligence, incidents can be prioritized in terms of the impact they could have on the company. In addition, the operational part of threat intelligence can analyze threats and block the various commands it uses.
- Strategic : this type of intelligence provides information on the landscape of computer threats that can affect the organization (also known as “Threat Landscape” ). It is extremely useful for executive and managerial levels, since it allows to know the impact of an attack and the economic risks, as well as tendencies on attackers and forms of attack to which the company may be exposed in case of not making decisions.
Cyber Threat Intelligence Cycle
Threat intelligence is not a new concept. It was born as a result of decades of analysis by government and military agencies. Initially it focuses on the following phases:
- Planning and Objective: in this phase it is important to develop and identify the requirements to perform threat intelligence.In accordance with the above, the type of intelligence to be developed is designed and planned.This phase is essential to identify, validate and prioritize the type of intelligence that must be developed according to the needs of the company.
- Collection : in this stage, information is collected from various sources according to the needs raised in the previous phase. This phase is also notable for using data collection through various OSINT sources and various technical sources that contribute to the knowledge base of the Indicators of Compromise. Something to highlight is that within the CTI data collection can also be collaborative.
- Processing and exploitation : after having surveyed various sources, it is time to convert that information into adequate data to produce intelligence for the company. In this phase, the Threat Intelligence team must add context to the information to create intelligence. This phase stands out for discriminating information that is not relevant to the needs, which helps to eliminate false positives.
- Analysis and production: After processing this information, it is possible to move forward with the interpretation and analysis of the data to produce threat intelligence. This stage is the one that involves the intelligence analyst the most, since progress on the analysis of particular threats often concludes with a more specific investigation. In addition, in this phase reports are generated, which must be concise and as assertive as possible to help decision-making. Generally, this report includes an action plan indicating how to move forward in the event that threats are found and recommendations provided by the intelligence analyst.
- Dissemination and integration:In this phase the intelligence produced in the previous stage is distributed to different sectors. Before distribution, it must be taken into account that the information must be presented in reports considering the different professional profiles. For example, if the report generated is aimed at a more tactical profile, the intelligence report must contain details of the methodologies, tactics, techniques and attack procedures of the cybercriminals detected. If it is for an operational profile, for example, some personnel responsible for the operational security of the company, the report must clearly contain the measures and recommendations necessary to mitigate the attack. Regarding the strategic profiles within the company, the report must contain details of the economic impact that the economy could suffer.
- Evaluation and Feedback: in this stage only the results of the analyzes are evaluated adopting constant improvements. This phase is common to all the aforementioned stages. According to Valentina Palacín, in her book “Threat Intelligent and Data-Driven Threat Hunting” , this phase is one of the most difficult, since it is difficult to get feedback from the users who receive intelligence reports. For CTI analysts, this stage is very important, since if users give more accurate feedback, it is possible to adjust the mechanism of the CTI process to generate more relevant information / intelligence for users.
Cyber Threat Intelligence Sources
Within the CTI collection stage, we must observe from which types of sources the CTI process feeds. Among the fundamental sources used by the CTI are:
- Technical sources : there are innumerable technical sources of the OSINT style that offer many indicators of compromise that help us increase our knowledge base. However, it must be taken into account that when using these resources there are large amounts of false positives.
- Forums that use cybercriminals: cybercriminals often communicate through forums that offer MaaS (Malware as a Service), with which, by performing analysis and crossing data with other references, really valuable content can be obtained.
- Dark Web: some of this source is included in cybercriminal forums. It is often difficult to access this information due to the high level of complexity that these resources represent.
- Media : these sources often provide information on new threats, but as a counterpart it is difficult to connect with the risk of each one of them.
- Social media: This source contains a large amount of data, as several security researchers publish indicators about threats, but like the previous source, you have to be careful with false positives. For this type of source, it is essential to make great efforts to cross references.
Who Consumes Cyber Threat Intelligence?
Some of this was advanced in the section on the life cycle in the “Dissemination and integration” stage . Intelligence is consumed by security teams, which have different approaches. Below is a detail of each of them:
- Strategic : the information received by these personnel is of a high level. Very technical reports are not delivered, only the aspects in terms of financial cost are taken into account that could have an attack. In addition, relevant information on attack trends is provided. Examples of strategic staff: CEO, directors.
- Tactical : it is information about how cybercriminals can carry out attacks. Examples of tactical personnel: Architects or System Administrators.
- Operational : information about certain attacks that reach the company. Example of operational personnel: Personnel and defense
- Technical : the information received by these personnel is associated with the IoC on various malicious code or attacks. These indicators serve to feed other systems, such as EDRs. Examples of operational personnel: SOC Analysts.
conclusion
Through Cyber Threat Intelligence or Threat Intelligence we can process data to convert it into intelligence, which will make decisions to mitigate attacks, be it from blocking targeted attacks, botnets, advanced persistent threats (APT) or even campaigns of phishing. In conclusion, the CTI favors companies to previously survey the activity of cybercriminals, allowing them to develop skills to mitigate and respond immediately to possible incidents.