Cyber Threat Intelligence (CTI)
Definition
Threat Intelligence
(T.I.
) is data that is collected, processed and analyzed to understand a threat actorâs motives, targets and attack behaviors.
it refers to information that organizations can use to combat cyber threats
cybersecurity experts and data scientists examine, visualize and analyze large volumes of unorganized data to turn it into actionable insights that power informed decisions
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. - Gartner
Cyberattacks
- malware, ransomware, phishing, man-in-the-middle, denial-of-service, APTs ...
3 Types of TI
Maturity curve - The context and analysis of CTI become deeper and more sophisticated with each level.
TACTICAL
- focus on the immediate future and identifies simple indicators of compromise (IOCs
) by performing malware analysis/enrichment and ingesting threat indicators into defensive systems.
almost always automated (feeds)
IOCs short lifespan
Stakeholders: SOC Analyst, SIEM, Firewall, Endpoints, IDS/IPS
OPERATIONAL
- focus on understanding the attack adversaries, campaign tracking and actor profiling (the "who", the "why" and "how").
human analysis needed, longer useful life
Stakeholders: Threat Hunter, SOC Analyst, Vulnerability Management, Incident Response, Insider Threat
STRATEGIC
- focus on understanding trends and adversarial motives, engage in strategic security, inform business decisions and the processes behind them.
shows how global events, foreign policies, and other long-term local and international movements can potentially impact the cyber security of an organization
Stakeholders: CISO, CIO, CTO, Executive Board, Strategic Intel
Lifecycle
T.I. lifecycle
- the process of turning raw data into finished intelligence for decision-making and action.
Every research is based on a variety of different versions of the intelligence cycle, but the end aim is always the same: to lead a cybersecurity team through the development and execution of an effective threat intelligence program.
Requirements
- sets the scope/roadmap (goals & methodology) for a specific threat intelligence operation
Collection
- data gathering to satisfy objectives (traffic logs, OSINT, etc)
Processing
- raw data filtered, categorized, translated into an analysis-suitable formatAnalysis
- find answers to the posed questions, asses intelligence significance and severity, spot IOCs (indicators of compromise)
Dissemination
- translate analysis into a digestible format report for stakeholders/audience, analysts
Feedback
- receive stakeholder feedback establishing future adjustments and reports
The above key considerations (listed with -) are taken from the Flashpoint Blog post.
Benefits
Use Cases
Standards and Frameworks
Cyber Threat Intelligence is shared/exchanged with tools, products or other entities via two (independent) standards - STIX and TAXII.
STIX
(Structured Threat Information Expression) - an open-source structured language and serialization format used to exchange CTI, designed to improve:
collaborative threat analysis
automated threat exchange
automated detection and response, and more
TAXII
(Trusted Automated Exchange of Intelligence Information) - a transport mechanism, an application layer protocol for the communication of cyber threat information in a simple and scalable manner, over HTTPS.
designed to support the exchange of STIX-represented CTI
can be used to share non-STIX data
STIX states the what of T.I. and it is the packaging.
TAXII defines the how and is the vehicle carrying the package.
STIX and TAXII are machine-readable and can easily be automated.
Applications
Threat Landscape
Campaign Analysis
Threat Actor Tracking
Intelligence Requirements
Current Intelligence
Threat Detection & Hunting
Forensics
Malware Analysis
Incident Response
Vulnerability & Risk Management
Analyst Competencies
Critical Thinking
- problem-solving, hypothesis developmentData Collection & Examination
- process important or noise informationCommunication & Collaboration
- writing, public speaking, interpersonal skillsTechnical Exploitation
- malware analysis, pentesting, social engineering, etcInformation Security
- level of awareness, vulnerability research, network defense, incident responseComputing Fundamentals
- networking, operating systems, programming/scripting
đ Be a lifelong learner, connect with the community, build communication skills and evolve.
Resources
Awareness
RSS Feed
Social Media
Blogs
Podcasts
Education
Self-Initiated
CTFs
Academic Programs
Vendor Certifications & Training
Open-source tools & Tutorials
Networking
Social Media
Conferences
Infinity Groups
Certifications
đ Resources đ
Video material
Tools
Last updated