Over recent years, the cyber threat landscape has been evolving, with increasingly sophisticated cyber attacks. As a result, the adoption of cyber threat intelligence (CTI) has grown globally.
What is Cyber Threat Intelligence?
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
CTI is a knowledge platform: the outcome of an analytic process that applies hypothesis-led and evidence-based analysis to a variety of data sources.
Key terms commonly used in CTI
Adversary
An adversary, synonymous with a threat actor, is an individual, group, or organisation that conducts, or intends to conduct, detrimental or malicious cyber activities that compromise the confidentiality, integrity, and availability of assets.
Advanced Persistent Threat
An Advanced Persistent Threat, denoted APT, is a cyber attack or campaign in which an adversary with sophisticated expertise and significant resources stealthily infiltrates computer networks and remains undetected over a long period.
Indicator of Compromise
An indicator of compromise, denoted IOC, is an artefact or piece of evidence indicating that the security of an asset, that is, its confidentiality, integrity, or availability, has been exploited or breached.
Examples of IOCs include a file hash, a command and control (C2) domain, an IP address, and suspicious registry or system file changes.
Indicator of Attack
An indicator of attack, denoted IOA, is a series of data points that reveal an impending or active cyber attack. Examples of IOAs are beaconing attempts, port scans, or multiple alarms from a single host.
Tactics, Techniques and Procedures
Tactics, techniques, and procedures, denoted TTP, describe an approach to analysing how an adversary operates or behaves when performing a cyber attack.
Tactics outline the way an adversary chooses to carry out an attack from beginning to end: they are the goals the adversary achieves during each phase of the attack. Persistence is an example of a tactic.
Techniques describe how adversaries achieve tactical goals; they are the technological approaches for achieving intermediate results during a campaign. Use of scheduled tasks is an example of a technique for achieving persistence.
Procedures give detailed information on how an adversary implements a technique to achieve an objective. Creating a scheduled task that executes a malicious payload at a given interval to maintain persistence is an example of a procedure.
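The three indicator types above differ in what a defender matches on: an IOC is a known-bad value, an IOA is a pattern of activity, and a TTP match is a recognised procedure. The following Python is an added example written for this article, not code from the original; it runs all three kinds of check over constructed telemetry. The event records, hash, IP addresses and domain are constructed, and the only real identifier is MITRE ATT&CK's T1053.005 (Scheduled Task), used purely as a label for the technique the article describes.

```python
"""Added example (not from the article): classify constructed telemetry into
IOC, IOA and TTP matches as the article defines them.

Assumptions: every event, hash, address and domain below is constructed;
ATT&CK T1053.005 is a real technique ID used only as a label.
"""
from collections import defaultdict
from statistics import mean

# Constructed IOC watchlist: a file hash and a C2 domain (not real indicators)
IOC_HASHES = {"constructed-sha256-0001"}
IOC_DOMAINS = {"c2.example.invalid"}

# Constructed endpoint and network telemetry; "ts" is seconds since the capture began
EVENTS = [
    {"ts": 0,   "host": "ws-01", "type": "file_create", "sha256": "constructed-sha256-0001"},
    # ws-02 contacts one address every ~60 s: the shape of a beacon, even with no IOC match
    {"ts": 0,   "host": "ws-02", "type": "net_conn", "dst": "203.0.113.10"},
    {"ts": 60,  "host": "ws-02", "type": "net_conn", "dst": "203.0.113.10"},
    {"ts": 120, "host": "ws-02", "type": "net_conn", "dst": "203.0.113.10"},
    {"ts": 181, "host": "ws-02", "type": "net_conn", "dst": "203.0.113.10"},
    {"ts": 240, "host": "ws-02", "type": "net_conn", "dst": "203.0.113.10"},
    # ws-03 talks to one address in irregular bursts: ordinary traffic, not a beacon
    {"ts": 0,   "host": "ws-03", "type": "net_conn", "dst": "198.51.100.5"},
    {"ts": 5,   "host": "ws-03", "type": "net_conn", "dst": "198.51.100.5"},
    {"ts": 400, "host": "ws-03", "type": "net_conn", "dst": "198.51.100.5"},
    {"ts": 402, "host": "ws-03", "type": "net_conn", "dst": "198.51.100.5"},
    # the procedure the article describes: a scheduled task running a payload every few minutes
    {"ts": 300, "host": "ws-02", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 5"},
    {"ts": 310, "host": "ws-04", "type": "dns", "query": "c2.example.invalid"},
]


def match_iocs(events):
    """IOC check: exact matches of known-bad values (hash, C2 domain)."""
    hits = []
    for e in events:
        if e["type"] == "file_create" and e.get("sha256") in IOC_HASHES:
            hits.append((e["host"], "hash", e["sha256"]))
        elif e["type"] == "dns" and e.get("query") in IOC_DOMAINS:
            hits.append((e["host"], "c2-domain", e["query"]))
    return hits


def detect_beaconing(events, min_count=4, max_jitter=0.2):
    """IOA check: a host contacting one destination at near-constant intervals."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "net_conn":
            by_pair[(e["host"], e["dst"])].append(e["ts"])
    hits = []
    for (host, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Regular if every gap is within max_jitter of the mean gap
        if avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg:
            hits.append((host, dst, round(avg, 1)))
    return hits


def detect_scheduled_task_persistence(events):
    """TTP check: the procedure (schtasks /create) mapped to its technique and tactic."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        if e["image"].lower().endswith("schtasks.exe") and "/create" in e["cmdline"].lower():
            hits.append({"host": e["host"], "tactic": "persistence",
                         "technique": "scheduled task (ATT&CK T1053.005)",
                         "procedure": e["cmdline"]})
    return hits


def classify(events):
    """Run all three checks and group the findings by indicator type."""
    return {"IOC": match_iocs(events),
            "IOA": detect_beaconing(events),
            "TTP": detect_scheduled_task_persistence(events)}


if __name__ == "__main__":
    for kind, findings in classify(EVENTS).items():
        print(kind, findings)
```

Note that ws-02 is flagged twice, once by the IOA check and once by the TTP check, without any IOC matching on it: that is the practical reason a programme needs all three indicator types rather than watchlists alone.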
What are the characteristics of Cyber Threat Intelligence?
CTI involves turning raw data into information with knowledge and context; intelligence is the process of consuming this knowledge for decision making. Threat intelligence must have the following characteristics:
- Timely: Threat intelligence has to arrive in time to be translated into action.
- Relevant: Threat intelligence must apply to the target environment. Threat intelligence generated for a state or government may not be actionable in the telecommunications industry.
- Accurate: The efficacy of threat intelligence depends on its accuracy. Threat intelligence should be complete, with few false positives.
- Specific: More detailed and more specific threat intelligence allows defenders to choose suitable countermeasures.
- Actionable: Threat intelligence must identify the actions to take, so that responders have the data they need to respond to threats.
The Cyber Threat Intelligence Lifecycle
Cyber threat intelligence is the finished product of a six-step cycle from planning and direction to dissemination and feedback. The process is iterative and dynamic, because new questions and gaps in knowledge identified during the intelligence lifecycle lead to the collection of new requirements.
Step 1: Planning & Direction
This phase defines the purpose and objectives of the threat intelligence effort. It involves gathering intelligence requirements that reflect the unknown unknowns: the things the threat intelligence team does not know but will need to find out to satisfy the purpose of the operation.
Step 2: Collection & Processing
Raw data is the building block of threat intelligence. This phase involves identifying relevant data sources that satisfy the intelligence requirements. Raw data can be collected from a wide range of sources: internal sources, such as network event logs and records of past incident responses, and external sources such as the open web and the dark web.
Once the raw data is collected, it is sorted and tagged with metadata, and redundant information, false positives and false negatives are filtered out to make it suitable for analysis.
Data processing is usually automated due to the large volumes of raw data. Solutions like SIEMs are an excellent place to start because they make it relatively easy to structure data with correlation rules that can be set up for a few different use cases. More intuitive searches go beyond bare keywords and simple correlation rules.
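The sorting, tagging and filtering the processing step describes can be made concrete with a small pipeline. The Python below is an added example written for this article, not the article's own code or any vendor's: it normalises raw indicator values from several sources into canonical (type, value) keys, merges duplicates, tags each record with provenance metadata, and drops values on a known-benign allowlist. The raw records, source names, allowlist and the normalise/process functions are all this example's own constructions.

```python
"""Added example (not from the article): the collection-and-processing step,
turning raw indicator values from several sources into tagged, de-duplicated
records and filtering out known-benign values.

Assumptions: RAW and ALLOWLIST are constructed (documentation addresses and a
reserved .invalid name); the metadata tags are this example's own design.
"""
import ipaddress
import re
from datetime import datetime, timezone

HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")
URL_RE = re.compile(r"^(https?)://([^/?#]+)(.*)$", re.IGNORECASE)

# Constructed raw records from an internal SIEM, an open-web feed and a past IR report
RAW = [
    {"source": "internal-siem", "ts": "2024-03-01T10:00:00Z", "value": "203.0.113.10"},
    {"source": "osint-feed",    "ts": "2024-03-02T08:30:00Z", "value": "203.0.113.10"},
    {"source": "osint-feed",    "ts": "2024-03-02T08:31:00Z", "value": "HTTP://Evil.Example.INVALID/Update"},
    {"source": "osint-feed",    "ts": "2024-03-02T08:32:00Z", "value": "192.0.2.53"},  # our own resolver
    {"source": "ir-report",     "ts": "2024-02-20T00:00:00Z", "value": "ABCDEF0123456789ABCDEF0123456789"},
    {"source": "ir-report",     "ts": "2024-02-20T00:00:00Z", "value": "abcdef0123456789abcdef0123456789"},
    {"source": "osint-feed",    "ts": "2024-03-02T08:33:00Z", "value": "see attached spreadsheet"},
]
# Constructed allowlist: values that are ours or otherwise known-benign (likely false positives)
ALLOWLIST = {("ipv4", "192.0.2.53")}


def normalise(value):
    """Return (indicator_type, canonical_value), or None for unusable input."""
    v = value.strip()
    try:
        ip = ipaddress.ip_address(v)
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    except ValueError:
        pass
    low = v.lower()
    if HASH_RE.match(low):
        return ({32: "md5", 40: "sha1", 64: "sha256"}[len(low)], low)
    m = URL_RE.match(v)
    if m:
        scheme, host, rest = m.groups()
        # Scheme and host are case-insensitive; the path is not, so it is kept as-is
        return ("url", f"{scheme.lower()}://{host.lower()}{rest}")
    if DOMAIN_RE.match(low):
        return ("domain", low)
    return None


def process(raw, allowlist):
    """Normalise, merge duplicates, tag with provenance, and drop allowlisted values."""
    merged = {}
    for rec in raw:
        key = normalise(rec["value"])
        if key is None or key in allowlist:
            continue
        seen = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entry = merged.setdefault(key, {"type": key[0], "value": key[1], "sources": set(),
                                        "first_seen": seen, "last_seen": seen, "sightings": 0})
        entry["sources"].add(rec["source"])
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["sightings"] += 1
    out = []
    for e in sorted(merged.values(), key=lambda e: (e["type"], e["value"])):
        e["sources"] = sorted(e["sources"])
        # A value reported by independent sources is worth more than one reported twice by one source
        e["confidence"] = "corroborated" if len(e["sources"]) > 1 else "single-source"
        e["first_seen"] = e["first_seen"].isoformat()
        e["last_seen"] = e["last_seen"].isoformat()
        out.append(e)
    return out


if __name__ == "__main__":
    for rec in process(RAW, ALLOWLIST):
        print(rec)
```

The seven raw records collapse to three: the address seen by both the SIEM and the feed is merged and marked as corroborated, the two case-variants of the hash become one single-source record, the resolver is filtered by the allowlist, and the free-text line is dropped as unusable.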
Step 3: Analysis and Production
This phase involves making sense of the processed data using analytical models such as Analysis of Competing Hypotheses and frameworks such as the Lockheed Martin Cyber Kill Chain (CKC), the Diamond Model of Intrusion Analysis and MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). These frameworks promote a broad understanding of how attackers think, the methods they use, and where in an attack lifecycle specific events occur.
Once the processed data is analysed, it becomes threat-related information shaped by the initial objectives and the intended audience; the idea is to get the data into a format that the audience will understand.
Threat information is produced as threat intelligence reports, which communicate vital findings and address the extent to which they satisfy the set intelligence requirements. These reports inform an appropriate course of action for decision-makers.
Step 4: Dissemination and feedback
For threat intelligence to be actionable, it is disseminated in a timely manner to the right target audience or the appropriate stakeholders, as captured in the intelligence requirements.
Threat intelligence platforms organise threat information in a structured format that can be shared as threat feeds.
To effectively share threat intelligence, a set of common models and standards are used, such as:
- Traffic Light Protocol (TLP), which ensures that the sensitivity or confidentiality of threat-related data is maintained as it is shared with the appropriate audience.
- STIX and TAXII: STIX is an open standard language and serialisation format for describing threat intelligence, and TAXII is the transport mechanism used to exchange it.
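TLP and STIX fit together directly: STIX 2.1 carries TLP as marking-definition objects that an indicator references, and a sharing platform can use that marking to decide who may receive the object. The Python below is an added example written for this article, not code from the article or from any STIX or TAXII implementation. It builds a STIX 2.1 indicator carrying a constructed hash pattern, marks it TLP:AMBER, and gates release by audience. The TLP marking identifiers and the marking-definition layout are the well-known values from the STIX 2.1 specification; the audience names and the releasable() rule are this example's own.

```python
"""Added example (not from the article): package an indicator as a STIX 2.1
object, mark it with a TLP marking definition, and gate dissemination on the
TLP level before the object leaves the organisation.

Assumptions: the indicator pattern and hash are constructed; audience names
and the release rule are this example's own. TLP_IDS holds the well-known
marking-definition IDs published in the STIX 2.1 specification.
"""
import json
import uuid
from datetime import datetime, timezone

TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}
# Widest audience each TLP level permits, ranked to line up with TLP_RANK (this example's labels)
AUDIENCE_RANK = {"public": 0, "community": 1, "organisation": 2, "named-recipients": 3}


def tlp_marking(level):
    """The STIX 2.1 marking-definition object for a TLP level, with the spec's fixed values."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[level],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{level.upper()}", "definition": {"tlp": level}}


def make_indicator(pattern, name, level, created=None):
    """A minimal STIX 2.1 Indicator whose object_marking_refs carries the TLP level."""
    created = created or datetime.now(timezone.utc)
    stamp = created.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, "name": name,
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix", "valid_from": stamp,
            "object_marking_refs": [TLP_IDS[level]]}


def tlp_of(obj):
    """Most restrictive TLP level an object is marked with; unmarked objects count as TLP:RED."""
    by_id = {v: k for k, v in TLP_IDS.items()}
    levels = [by_id[r] for r in obj.get("object_marking_refs", []) if r in by_id]
    return max(levels, key=TLP_RANK.__getitem__) if levels else "red"


def releasable(objects, audience):
    """Keep only objects whose TLP level permits sharing with this audience."""
    return [o for o in objects if TLP_RANK[tlp_of(o)] <= AUDIENCE_RANK[audience]]


def bundle(objects):
    """A STIX 2.1 Bundle carrying the objects plus the marking definitions they reference."""
    levels = {tlp_of(o) for o in objects if o.get("object_marking_refs")}
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [tlp_marking(l) for l in sorted(levels, key=TLP_RANK.__getitem__)] + objects}


if __name__ == "__main__":
    ind = make_indicator("[file:hashes.'SHA-256' = 'constructed-sha256-0001']",
                         "Constructed dropper hash", "amber")
    print(json.dumps(bundle(releasable([ind], "organisation")), indent=2))
```

Treating an unmarked object as TLP:RED is a deliberate fail-closed choice: an indicator that a producer forgot to mark should never be pushed to a public feed by default.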
Once stakeholders receive threat intelligence, they provide feedback to help fine-tune future iterations of the intelligence distribution and inform future intelligence operations.
What are the categories of Cyber Threat Intelligence?
The following are sub-categories of threat intelligence.
Strategic intelligence is generally less technical and provides a broad overview of an organisation’s threat landscape. It’s intended to inform high-level decisions made by executives and other decision-makers at an organisation.
Tactical intelligence is the most basic form of threat intelligence; it describes indicators associated with known attacks. Tactical intelligence is mostly automated and unique to specific environments, since indicators of compromise vary depending on the threat.
Tactical intelligence is used to improve the efficacy of real-time security monitoring solutions in an organisation.
Operational intelligence provides context on adversary campaigns, motivations, capabilities and observed behaviour.
Operational intelligence enables defenders to assess potential risks based on adversary methodologies, thus improving the efficiency of responding to threat actors and attacks.
Threat intelligence is a process that turns raw data into actionable information (intelligence) tailored to a specific target audience or environment and shared via various threat intelligence solutions or platforms.
It is important to note that, however much of threat intelligence can be automated, it requires skilled human intervention in identifying intelligence requirements and improving the product throughout the intelligence life cycle.