Gartner defines intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard”. Expanding on this definition, Cyber Threat Intelligence (CTI) can be described in a number of ways, for example as the “process of collecting, processing and analysing information regarding adversaries in cyberspace, in order to disseminate actionable threat intelligence, by understanding adversaries’ motivations, capability, and modus operandi, to inform cyber security mitigation measures”.
Today, the most serious data breaches and disruptions result from advanced and persistent cyber-attacks that target specific enterprises or industries. These attacks are hard to detect because they combine a variety of methods, such as social engineering and multiphase campaigns, that cannot be identified by simple threat indicators or basic frontline defences such as anti-virus.
A robust CTI program can shed light on a multitude of strategic business concerns and risks while yielding significant tactical, operational and strategic benefits to an enterprise. Some of these benefits include:
- Ability to determine adversary/attackers’ motivation, capability and intent
- Enhancing patch management processes so the most dangerous vulnerabilities can be remediated first
- Removing invalid threat indicators so they don’t create false positives
- Helping the C-suite better understand security risks to the business, the probable future actions of adversaries, and the return on investments in security.
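The third benefit above, removing invalid threat indicators before they generate false positives, is in practice a feed-hygiene step that runs before indicators reach the SIEM or firewall. The following added example (not code from the original article) shows one way to do it in Python. The feed format, the 90-day staleness threshold, the allowlist and the sample indicators are all constructed assumptions for illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from datetime import date

# Constructed sample feed (hypothetical format): type,value,last_seen (ISO date).
# Public-looking IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_FEED = """\
ip,203.0.113.45,2024-05-01
ip,10.0.0.8,2024-05-02
ip,999.1.1.1,2024-05-02
domain,update-check.example,2024-04-30
domain,microsoft.com,2024-05-01
sha256,7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069,2024-05-03
md5,not-a-hash,2024-05-03
ip,198.51.100.7,2023-01-01
"""

# Constructed "evaluation date" so the example is reproducible offline.
TODAY = date(2024, 5, 10)

# Constructed allowlist: domains the organisation knows are benign and that
# would only produce false-positive alerts if blocked or hunted for.
ALLOWLIST_DOMAINS = {"microsoft.com", "google.com"}

# Internal address space: hits on these are almost always local noise, not adversary infrastructure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def validate_indicator(ioc_type, value, last_seen, today=TODAY, max_age_days=90):
    """Return None if the indicator is usable, otherwise the reason it was dropped."""
    if (today - last_seen).days > max_age_days:
        return "stale"  # old infrastructure is often re-assigned to legitimate owners
    if ioc_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "malformed ip"
        if addr.is_loopback or addr.is_link_local or addr.is_multicast or any(addr in n for n in INTERNAL_NETS):
            return "internal or reserved ip"
    elif ioc_type == "domain":
        v = value.lower()
        if not DOMAIN_RE.match(v):
            return "malformed domain"
        if v in ALLOWLIST_DOMAINS:
            return "allowlisted domain"
    elif ioc_type in HASH_RE:
        if not HASH_RE[ioc_type].match(value.lower()):
            return f"malformed {ioc_type}"
    else:
        return "unknown type"
    return None


def clean_feed(feed_text, today=TODAY):
    """Split a feed into accepted (type, value) pairs and rejected (value, reason) pairs."""
    accepted, rejected = [], []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            rejected.append((line, "malformed line"))
            continue
        ioc_type, value, seen = fields
        try:
            last_seen = date.fromisoformat(seen)
        except ValueError:
            rejected.append((value, "bad date"))
            continue
        reason = validate_indicator(ioc_type, value, last_seen, today)
        if reason:
            rejected.append((value, reason))
        else:
            accepted.append((ioc_type, value))
    return accepted, rejected


def run_sample():
    """Clean the constructed feed; returns (accepted, rejected) for inspection."""
    return clean_feed(SAMPLE_FEED, TODAY)


if __name__ == "__main__":
    acc, rej = run_sample()
    for ioc_type, value in acc:
        print(f"KEEP   {ioc_type:7} {value}")
    for value, reason in rej:
        print(f"DROP   {value} ({reason})")
```

Of the eight constructed indicators, three survive (the routable IP, the unknown domain and the well-formed SHA-256); the private IP, the malformed IP and hash, the allowlisted domain and the indicator last seen over a year ago are all dropped with a recorded reason, which is what an analyst needs when a feed provider asks why their data was rejected.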
From Data to Information to Actionable Intelligence
In the early days of cybersecurity, threat intelligence was more about ‘data’, mainly in the form of large volumes of IP addresses and logs. Security teams would have a tough time trying to work out what the data was telling them. A step up from data was ‘information’: raw data with limited context, oversight or analysis.
CTI Layers and Use Cases
There are typically three different layers of CTI: Operational, Tactical and Strategic. Each layer differs in the nature and format of the intelligence conveyed, its intended audience and its application.
Operational CTI often relates to details of potential impending operations against an enterprise and helps security teams build a clear picture of actor methodology by piecing together tactical indicators and artifacts.
Tactical CTI is a ‘boots on the ground’ view and is generally the most basic form of intelligence, relating to the tactics, techniques and procedures (TTPs) used by threat actors, which is valuable for Security Operations Centres (SOCs).
Strategic CTI can be described as a ‘helicopter view’ of an organization’s threat landscape and is particularly valuable in helping an organisation shape its security strategy.
There are several use cases for CTI, and security teams typically draw on a variety of internal and external sources to build a rounded and holistic understanding of the threats.
Social media and messaging platforms have become part of our daily lives and are increasingly a rich source of CTI, as these platforms are used to lure potential victims into clicking fraudulent links or downloading malicious payloads through carefully crafted and convincing messaging and misinformation.
Dark web intelligence comes from marketplaces where ‘members’ buy and sell everything from custom-made cyber-crime tools to information on zero-day vulnerabilities and exploits. This type of intelligence enables security professionals to identify and implement effective mitigating controls before a patch is released, and to fix the vulnerability as soon as the patch becomes available.
Tabletop exercises are a cost-effective way of simulating real-life cyber-attack scenarios using CTI. Example scenarios include a major ransomware attack or a DDoS attack. Such exercises give the enterprise a view of how different attack types would impact it and are particularly effective at engaging the executive team.
Security culture, training and awareness is a key aspect of cyber security and, as we know, the most successful cyber-attacks are usually initiated by exploiting some form of human weakness (social engineering) rather than vulnerabilities in technical controls.
The risk assessment process relies on actionable CTI so that vulnerabilities in high value assets can be identified. Impact assessments can then be used to calculate the level of risk to these assets, from which appropriate remediation steps can follow.
There is of course no one-size-fits-all approach to CTI. However, understanding which assets can be targeted and how gives the enterprise a better understanding of the factors that lead to attacks, and in turn leads to increased cyber preparedness.