Cyber Threat Intelligence (CTI)
Last updated
Was this helpful?
Last updated
Was this helpful?
Commercial T.I.:
OSINT Tools for Threat Intel:
[...]
Threat Intelligence (T.I.) is data that is collected, processed and analyzed to understand a threat actor’s motives, targets and attack behaviors.
it refers to information that organizations can use to combat cyber threats
cybersecurity experts and data scientists examine, visualize and analyze large volumes of unorganized data to turn it into actionable insights that power informed decisions
Maturity curve - The context and analysis of CTI become deeper and more sophisticated with each level.
TACTICAL - focus on the immediate future and identifies simple indicators of compromise (IOCs) by performing malware analysis/enrichment and ingesting threat indicators into defensive systems.
almost always automated (feeds)
IOCs short lifespan
Stakeholders: SOC Analyst, SIEM, Firewall, Endpoints, IDS/IPS
OPERATIONAL - focus on understanding the attack adversaries, campaign tracking and actor profiling (the "who", the "why" and "how").
human analysis needed, longer useful life
Stakeholders: Threat Hunter, SOC Analyst, Vulnerability Management, Incident Response, Insider Threat
STRATEGIC - focus on understanding trends and adversarial motives, engage in strategic security, inform business decisions and the processes behind them.
shows how global events, foreign policies, and other long-term local and international movements can potentially impact the cyber security of an organization
Stakeholders: CISO, CIO, CTO, Executive Board, Strategic Intel
T.I. lifecycle - the process of turning raw data into finished intelligence for decision-making and action.
Every research is based on a variety of different versions of the intelligence cycle, but the end aim is always the same: to lead a cybersecurity team through the development and execution of an effective threat intelligence program.
Requirements - sets the scope/roadmap (goals & methodology) for a specific threat intelligence operation
Collection - data gathering to satisfy objectives (traffic logs, OSINT, etc)
Processing - raw data filtered, categorized, translated into an analysis-suitable format
Analysis - find answers to the posed questions, asses intelligence significance and severity, spot IOCs (indicators of compromise)
Dissemination - translate analysis into a digestible format report for stakeholders/audience, analysts
Feedback - receive stakeholder feedback establishing future adjustments and reports
Function
Benefits
Sec/IT Analyst
Optimize prevention and detection capabilities and strengthen defenses
SOC
Prioritize incidents based on risk and impact on the organization
CSIRT
Accelerate incident investigations, management, and prioritization
Intel Analyst
Uncover and track threat actors targeting the organization
Executive Management
Understand the risks the organization faces and what the options are to address their impact
Function
Use Cases
Sec/IT Analyst
Integrate TI feeds with other security products Block bad IPs, URLs, domains, files, etc
SOC
Use TI to enrich alerts Link alerts together into incidents Tune newly deployed security controls
CSIRT
Look for information on the who/what/why/when/how of an incident Analyze the root cause to determine the scope of the incident
Intel Analyst
Look wider and deeper for intrusion evidence Review reports on threat actors to better detect them
Executive Management
Assess overall threat level for the organization Develop security roadmap
Cyber Threat Intelligence is shared/exchanged with tools, products or other entities via two (independent) standards - STIX and TAXII.
collaborative threat analysis
automated threat exchange
automated detection and response, and more
designed to support the exchange of STIX-represented CTI
can be used to share non-STIX data
STIX states the what of T.I. and it is the packaging.
TAXII defines the how and is the vehicle carrying the package.
STIX and TAXII are machine-readable and can easily be automated.
Threat Landscape
Campaign Analysis
Threat Actor Tracking
Intelligence Requirements
Current Intelligence
Threat Detection & Hunting
Forensics
Malware Analysis
Incident Response
Vulnerability & Risk Management
Critical Thinking - problem-solving, hypothesis development
Data Collection & Examination - process important or noise information
Communication & Collaboration - writing, public speaking, interpersonal skills
Technical Exploitation - malware analysis, pentesting, social engineering, etc
Information Security - level of awareness, vulnerability research, network defense, incident response
Computing Fundamentals - networking, operating systems, programming/scripting
📌 Be a lifelong learner, connect with the community, build communication skills and evolve.
Awareness
RSS Feed
Social Media
Blogs
Podcasts
Education
Self-Initiated
CTFs
Academic Programs
Vendor Certifications & Training
Open-source tools & Tutorials
Networking
Social Media
Conferences
Infinity Groups
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. -
- malware, ransomware, phishing, man-in-the-middle, denial-of-service, APTs ...
The above key considerations (listed with -) are taken from the .
STIX () - an open-source structured language and serialization format used to exchange CTI, designed to improve:
TAXII () - a transport mechanism, an application layer protocol for the communication of cyber threat information in a simple and scalable manner, over HTTPS.
