Cyber threat intelligence explained

Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors, intended to help mitigate potential attacks and harmful events occurring in cyberspace.[1] Sources of cyber threat intelligence include open source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data, intelligence derived from internet traffic, and data gathered from the deep and dark web.

In recent years, threat intelligence has become a crucial part of companies' cyber security strategy, since it allows them to take a more proactive approach and to determine which threats pose the greatest risk to the business. Rather than waiting for an incident, companies actively look for their own exposures and try to prevent compromises before they happen.[2] The approach has gained importance because, as IBM estimates, the most common way companies are compromised is through vulnerability exploitation (47% of all attacks).[3]

Exposure has also grown in recent years because of the COVID-19 pandemic and the shift to working from home, which leaves company data more vulnerable. Given the growing threats on one hand and the growing sophistication that threat intelligence requires on the other, many companies have opted in recent years to outsource their threat intelligence activities to a managed security service provider (MSSP).[4]

Process - intelligence cycle

The process of developing cyber threat intelligence is a circular and continuous process known as the intelligence cycle. It is composed of five phases[5] [6] [7] [8] carried out by intelligence teams to provide leadership with relevant and timely intelligence that reduces danger and uncertainty.

The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination.

In planning and direction, the customer of the intelligence product requests intelligence on a specific topic or objective. Once directed by the customer, the second phase, collection, begins: it involves accessing the raw information that will be required to produce the finished intelligence product. Since information is not intelligence, it must be transformed, and therefore passes through the processing and analysis phases. In processing (the pre-analytical phase) the raw information is filtered and prepared for analysis through a series of techniques (decryption, language translation, data reduction, etc.); in the analysis phase, the organized information is turned into intelligence. Finally, in the dissemination phase, the finished threat intelligence is delivered to its various consumers for their use.
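The processing, analysis and dissemination phases described above, as an added example that is not part of the original article: a miniature pipeline that takes raw indicator lines handed over by collection, refangs and normalizes them, drops internal addresses, allow-listed infrastructure and malformed lines (data reduction), deduplicates while keeping provenance, scores the result, and renders a product a consumer can act on. The feed lines, the allow-list, the field names and the scoring rule are all constructed for illustration.

```python
"""Added example: processing -> analysis -> dissemination for a raw IOC feed.

The raw feed, allow-list and scoring rule are this example's own
assumptions, not taken from the article or any vendor product.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed raw input, as a collection phase might hand it over:
# mixed formats, defanged values, duplicates, internal noise, a broken line.
RAW_FEED = """\
# source: constructed-feed-A (TLP:GREEN)
198.51.100.23 , c2 , 2023-04-01
198[.]51[.]100[.]23 , c2 , 2023-04-02
hxxp://malicious.example/payload.bin , dropper , 2023-04-02
10.0.0.5 , c2 , 2023-04-02
8.8.8.8 , dns , 2023-04-03
malicious.example , c2 , 2023-04-03
not a real line
"""

# Illustrative allow-list of shared infrastructure that would only cause
# false positives if alerted on; a real one comes from local context.
ALLOWLIST = {"8.8.8.8"}

# RFC 1918 space: meaningless in an external feed, so dropped during processing.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_DEFANG = [(r"\[\.\]", "."), (r"\(\.\)", "."), (r"^hxxp", "http"), (r"^fxp", "ftp")]

def refang(value: str) -> str:
    """Undo common defanging conventions so identical IOCs compare equal."""
    for pattern, repl in _DEFANG:
        value = re.sub(pattern, repl, value, flags=re.IGNORECASE)
    return value.strip().lower()

def classify(value: str) -> Optional[str]:
    """Return 'ipv4', 'url' or 'domain', or None if the value is unusable."""
    try:
        ip = ipaddress.ip_address(value)
        if ip.is_loopback or any(ip in net for net in INTERNAL):
            return None
        return "ipv4"
    except ValueError:
        pass
    if re.match(r"^https?://", value):
        return "url"
    if re.match(r"^[a-z0-9.-]+\.[a-z]{2,}$", value):
        return "domain"
    return None

def process(raw: str) -> Dict[str, dict]:
    """Processing phase: parse, refang, filter, deduplicate; keep provenance."""
    indicators: Dict[str, dict] = {}
    for line in raw.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # malformed line: drop it rather than guess
        value = refang(parts[0])
        ioc_type = classify(value)
        if ioc_type is None or value in ALLOWLIST:
            continue
        entry = indicators.setdefault(value, {"type": ioc_type, "roles": set(),
                                              "sightings": 0,
                                              "first_seen": parts[2], "last_seen": parts[2]})
        entry["roles"].add(parts[1])
        entry["sightings"] += 1
        entry["first_seen"] = min(entry["first_seen"], parts[2])
        entry["last_seen"] = max(entry["last_seen"], parts[2])
    return indicators

def analyse(indicators: Dict[str, dict]) -> List[dict]:
    """Analysis phase: turn processed data into a prioritised product.

    Assumed scoring rule: each sighting adds 1, a command-and-control role
    adds 2, because those are the indicators a defender blocks or hunts first.
    """
    product = []
    for value, entry in indicators.items():
        score = entry["sightings"] + (2 if "c2" in entry["roles"] else 0)
        product.append({"value": value, "type": entry["type"],
                        "roles": sorted(entry["roles"]), "score": score,
                        "first_seen": entry["first_seen"], "last_seen": entry["last_seen"]})
    product.sort(key=lambda i: (-i["score"], i["value"]))
    return product

def disseminate(product: List[dict]) -> str:
    """Dissemination phase: render the product in a form a consumer can load."""
    lines = ["value,type,roles,score,first_seen,last_seen"]
    for i in product:
        lines.append(f'{i["value"]},{i["type"]},{"|".join(i["roles"])},'
                     f'{i["score"]},{i["first_seen"]},{i["last_seen"]}')
    return "\n".join(lines)

if __name__ == "__main__":
    print(disseminate(analyse(process(RAW_FEED))))
```

Run as a script, it prints three indicators (the duplicated, twice-sighted C2 address first); the private address, the allow-listed resolver and the malformed line never reach the product, which is the point of the processing phase.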

Types

There are three overarching, though not mutually exclusive, classes of cyber threat intelligence: 1) tactical; 2) operational; 3) strategic.[9] [10] These classes are fundamental to building a comprehensive threat assessment.

Benefits of cyber threat intelligence

Cyber threat intelligence provides a number of benefits, which include:

Key elements

There are three key elements that must be present for information or data to be considered threat intelligence:

Attribution

Cyber threats involve the use of computers, storage devices, software, networks and cloud-based repositories. Before, during or after a cyber attack, technical information about the information and operational technology, devices, networks and computers between the attacker(s) and the victim(s) can be collected, stored and analyzed. Identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack, termed attribution, is however often difficult. Recent efforts in threat intelligence emphasize understanding adversary tactics, techniques and procedures (TTPs).[13]

A number of recent cyber threat intelligence analytical reports attributing cyber attacks have been released by public and private sector organizations. These include Mandiant's APT1 and APT28 reports,[14] [15] US-CERT's APT29 report,[16] and Symantec's Dragonfly, Waterbug Group and Seedworm reports.[17] [18] [19]

CTI sharing

In 2015, U.S. legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. The act required the U.S. federal government to facilitate and promote four CTI objectives:[20]

  1. Sharing of "classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments";
  2. Sharing of "unclassified indicators with the public";
  3. Sharing of "information with entities under cybersecurity threats to prevent or mitigate adverse effects";
  4. Sharing of "cybersecurity best practices with attention to the challenges faced by small businesses."

In 2016, the U.S. National Institute of Standards and Technology (NIST) issued NIST SP 800-150, Guide to Cyber Threat Information Sharing, which further outlined the necessity of cyber threat information sharing and provided a framework for implementing it.[21]
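Indicator sharing of the kind the act and NIST SP 800-150 call for is done in practice with a structured exchange format, and this added example (not part of the original article, and not the NIST or stix2 project code) shows both sides of such an exchange using STIX 2.1 with only the standard library: a producer packages indicators as STIX Indicator objects with a TLP marking into a Bundle, and a consumer validates a received bundle before ingesting anything from it. The indicator values and producer identity are constructed. One stated assumption: the STIX 2.1 specification fixes canonical ids for the TLP marking-definition objects, and this example generates a fresh id instead; a real producer should emit the canonical ones.

```python
"""Added example: STIX 2.1 bundle production and defensive ingestion.

Standard library only. Indicator values are constructed. The TLP
marking-definition id is generated here (assumption for illustration);
the STIX 2.1 spec defines canonical ids that real producers should use.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Union

# Constructed, already-processed indicators, as the analysis phase would hand over.
INDICATORS = [
    {"value": "198.51.100.23", "type": "ipv4", "name": "C2 server"},
    {"value": "malicious.example", "type": "domain", "name": "C2 domain"},
    {"value": "http://malicious.example/payload.bin", "type": "url", "name": "Dropper URL"},
]

# STIX Cyber-observable object path used in the comparison expression per IOC type.
_PATH = {"ipv4": "ipv4-addr:value", "domain": "domain-name:value", "url": "url:value"}

def _stix_time(dt: datetime) -> str:
    """STIX timestamps: RFC 3339, UTC, millisecond precision, trailing 'Z'."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def stix_pattern(ioc: Dict[str, str]) -> str:
    """Build a single comparison-expression pattern, escaping the string literal."""
    literal = ioc["value"].replace("\\", "\\\\").replace("'", "\\'")
    return f"[{_PATH[ioc['type']]} = '{literal}']"

def build_bundle(iocs: List[Dict[str, str]], tlp: str = "green") -> dict:
    """Producer side: wrap indicators and a TLP marking in a STIX 2.1 Bundle."""
    now = _stix_time(datetime.now(timezone.utc))
    marking = {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": f"marking-definition--{uuid.uuid4()}",  # assumption: generated, not canonical
        "created": now,
        "definition_type": "tlp",
        "name": f"TLP:{tlp.upper()}",
        "definition": {"tlp": tlp},
    }
    objects = [marking]
    for ioc in iocs:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "name": ioc["name"],
            "indicator_types": ["malicious-activity"],
            "pattern": stix_pattern(ioc),
            "pattern_type": "stix",
            "valid_from": now,
            "object_marking_refs": [marking["id"]],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def serialize(bundle: dict) -> str:
    """What actually goes over the wire to the sharing partner."""
    return json.dumps(bundle, indent=2)

_ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value = '((?:[^'\\]|\\.)*)'\]$")
_REQUIRED = ("id", "spec_version", "created", "modified", "pattern", "pattern_type", "valid_from")

def ingest(received: Union[str, dict]) -> List[Dict[str, object]]:
    """Consumer side: accept only well-formed indicators whose pattern we understand.

    Anything malformed is dropped rather than guessed at: a partner's feed is
    untrusted input, and a bad pattern must not become a bad block rule.
    """
    bundle = json.loads(received) if isinstance(received, str) else received
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    accepted = []
    for obj in bundle["objects"]:
        if not isinstance(obj, dict) or obj.get("type") != "indicator":
            continue
        if any(k not in obj for k in _REQUIRED) or obj["pattern_type"] != "stix":
            continue
        if not isinstance(obj["id"], str) or not _ID_RE.match(obj["id"]):
            continue
        m = _PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # only simple single-comparison patterns are supported here
        value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo pattern-literal escaping
        accepted.append({"id": obj["id"], "type": m.group(1), "value": value,
                         "marking_refs": list(obj.get("object_marking_refs", []))})
    return accepted

if __name__ == "__main__":
    wire = serialize(build_bundle(INDICATORS))
    for ind in ingest(wire):
        print(ind["type"], ind["value"], ind["marking_refs"])
```

The consumer deliberately refuses indicators that lack required STIX properties, carry an unknown pattern type, or use a pattern more complex than it can evaluate; silently accepting those is how a partner's typo turns into an outage on your own network.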

Notes and References

  1. Bank of England (2016). CBEST Intelligence-Led Testing: Understanding Cyber Threat Intelligence Operations. https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf
  2. CyberProof Inc. (n.d.). Managed Threat Intelligence. Retrieved April 3, 2023, from https://www.cyberproof.com/cyber-101/managed-threat-intelligence/
  3. IBM (2022-02-23). IBM Security X-Force Threat Intelligence Index. www.ibm.com. Retrieved 2022-05-29.
  4. Check Point Software (n.d.). MSSP - What is a Managed Security Service Provider? Retrieved 2022-05-29.
  5. Softtek (n.d.). What is Cyber Threat Intelligence used for and how is it used? blog.softtek.com. Retrieved 2023-04-12.
  6. Phythian, Mark (2013). Understanding the Intelligence Cycle (1st ed.). Routledge. pp. 17–23.
  7. Kime, Brian (March 29, 2016). Threat Intelligence: Planning and Direction. SANS Institute.
  8. Johansen, Gerard (2020). Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats (2nd ed.). Packt Publishing Ltd.
  9. Trifonov, Roumen; Nakov, Ognyan; Mladenov, Valeri (2018). "Artificial Intelligence in Cyber Threats Intelligence". 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC). IEEE. pp. 1–4. doi:10.1109/ICONIC.2018.8601235. ISBN 978-1-5386-6477-3. S2CID 57755206.
  10. Kaspersky (n.d.). What is threat intelligence? Definition and explanation. Retrieved April 3, 2023, from https://www.kaspersky.com/resource-center/definitions/threat-intelligence
  11. Berndt, Anzel; Ophoff, Jacques (2020). "Exploring the Value of a Cyber Threat Intelligence Function in an Organization". In Drevin, Lynette; Von Solms, Suné; Theocharidou, Marianthi (eds.), Information Security Education. Information Security in Action. IFIP Advances in Information and Communication Technology, vol. 579. Cham: Springer International Publishing. pp. 96–109. doi:10.1007/978-3-030-59291-2_7. ISBN 978-3-030-59291-2. S2CID 221766741. https://rke.abertay.ac.uk/en/publications/53cb5bbf-9129-4479-acc9-ce02854542ce
  12. Shackleford, D. (2015). Who's Using Cyberthreat Intelligence and How? SANS Institute. https://cdn-cybersecurity.att.com/docs/SANS-Cyber-Threat-Intelligence-Survey-2015.pdf
  13. Gundert, Levi. How to Identify Threat Actor TTPs. Recorded Future. http://go.recordedfuture.com/hubfs/white-papers/identifying-ttps.pdf
  14. Mandiant. APT1: Exposing One of China's Cyber Espionage Units.
  15. FireEye, Inc. (2014). APT28: A Window Into Russia's Cyber Espionage Operations. Retrieved 3 December 2023.
  16. NCCIC (29 December 2016). Grizzly Steppe - Russian Malicious Cyber Activity. Retrieved 3 December 2023.
  17. Symantec. Dragonfly: Western energy sector targeted by sophisticated attack group.
  18. Symantec. Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments.
  19. Symantec. Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms.
  20. Burr, Richard (2015-10-28). S.754 - 114th Congress (2015-2016): To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. www.congress.gov. Retrieved 2021-06-09.
  21. Johnson, C.S.; Badger, M.L.; Waltermire, D.A.; Snyder, J.; Skorupka, C. (4 October 2016). Guide to Cyber Threat Information Sharing (NIST SP 800-150). National Institute of Standards and Technology. doi:10.6028/nist.sp.800-150. Retrieved 3 December 2023.