Over the past decade, we have seen a significant increase in cyberattacks. Criminals use an ever-growing set of techniques, tactics, and tools to compromise their victims’ systems. To address this problem, every defender must know about Cyber Threat Intelligence (CTI).
In this series of articles, our goal is to share the foundations of effective Cyber Threat Intelligence management and then guide you in converting threat information into threat intelligence – actionable information that significantly improves your organization’s security posture.
Understanding the adversaries’ motivation, tactics, and techniques has become a fundamental strategy for many organizations, especially for the teams entrusted with their defense, better known as blue teams. So, in this first article, we will talk about fundamental concepts. We will define a threat, threat actors, and threat information, take a deeper look at intelligence, and clarify the difference between threat intelligence and cyber threat intelligence.
In terms of information security, a threat is a possible adverse action or event, made possible by a vulnerability, that can give rise to an unwanted impact on a computer system or application.
A threat can be an “intentional” adverse event (for example, hacking by an individual cracker or a criminal organization) or an “accidental” adverse event (for example, the possibility of a computer malfunction).
An individual or group can carry out the threat, for example by exploiting a vulnerability to cause a negative impact. Examples of threat actors are cyberterrorists, government/state-sponsored actors, organized crime/cybercrime, hacktivists, script kiddies, and “insiders.” In one of our following articles, we will define each actor and their motivations.
Threat information from external sources, AKA “Threat Feeds,” often consists of curated lists of URLs, IP addresses, and domains known to be suspicious. These lists typically contain hosts/applications that are known to be compromised or that are used by threat actors. They carry almost no derived context. To go deeper into this topic, we recommend reading about the Pyramid of Pain by David Bianco. In one of our following articles, we will detail the sources available for learning more about this topic.
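To make the “almost no derived context” point concrete, here is an added example (not code from the original article) of what a raw threat feed actually gives a defender: a small parser for a constructed “type,value” feed of IP/CIDR, domain and file-hash indicators, run over a few constructed proxy and EDR log lines. Each hit is labelled with the tier it occupies on David Bianco’s Pyramid of Pain (hash = trivial, IP = easy, domain = simple, a mapping assumed here from that model). The feed format, the log format, the indicator values (RFC 5737 documentation ranges, a `.test` domain and a repeated-byte placeholder hash) and all function names are assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Tier each indicator type occupies on the Pyramid of Pain (assumed mapping from
# Bianco's model): the lower the tier, the cheaper it is for an adversary to change.
PAIN_LEVEL = {"hash": "trivial", "ip": "easy", "domain": "simple"}

# Constructed sample feed in an assumed "type,value" format. The values are documentation
# ranges / a .test domain / a placeholder hash, not real indicators.
SAMPLE_FEED = """\
# type,value
ip,198.51.100.23
ip,203.0.113.0/24
domain,malicious-example.test
hash,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

# Constructed proxy / EDR log lines to scan against the feed.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.org",
    "2024-05-01T10:00:07Z proxy src=10.0.0.8 dst=203.0.113.77 host=update.malicious-example.test",
    "2024-05-01T10:01:15Z edr host=ws-14 sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    "2024-05-01T10:02:30Z proxy src=10.0.0.9 dst=192.0.2.10 host=intranet.example.org",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def parse_feed(text):
    """Parse a 'type,value' feed into {type: set}. IPs and CIDRs become ip_network objects."""
    feed = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # skip blank lines and comments
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower()
        if kind == "ip":
            # strict=False lets a bare host address or a CIDR block both become a network
            feed[kind].add(ipaddress.ip_network(value, strict=False))
        elif kind in PAIN_LEVEL:
            feed[kind].add(value)
        # unknown indicator types are ignored instead of aborting on a malformed feed line
    return feed


def match_line(line, feed):
    """Return [(type, indicator, pain_tier)] for every feed indicator found in one log line."""
    hits = []
    for ip_str in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip_str)
        except ValueError:               # e.g. "999.1.1.1" matched the regex but is not an IP
            continue
        for net in feed.get("ip", ()):
            if addr in net:              # CIDR containment, so 203.0.113.77 hits 203.0.113.0/24
                hits.append(("ip", str(net), PAIN_LEVEL["ip"]))
                break
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for dom in feed.get("domain", ()):
            # a feed domain matches the host itself or any subdomain of it
            if host == dom or host.endswith("." + dom):
                hits.append(("domain", dom, PAIN_LEVEL["domain"]))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in feed.get("hash", ()):
            hits.append(("hash", digest.lower(), PAIN_LEVEL["hash"]))
    return hits


def scan(lines, feed):
    """Return [(line_index, hits)] for the lines that contain at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, feed)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS, parse_feed(SAMPLE_FEED)):
        print(SAMPLE_LOGS[idx])
        for kind, value, pain in hits:
            print(f"  matched {kind} {value} (Pyramid of Pain tier: {pain})")
```

Note what the output does and does not contain: the scan tells you which atomic indicator fired and how cheap it is for the adversary to rotate it, but nothing about who uses it, in which campaign, or what to do next. That missing context is exactly what the enrichment described in the following paragraphs has to supply before a feed hit becomes intelligence.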
When we speak of intelligence, we generally refer to information enriched with data from other sources that a cybersecurity professional can analyze and act on. Our future articles will detail the following types of intelligence: HUMINT, SIGINT, FININT, GEOINT, CYBINT, and OSINT.
Threat intelligence vs Cyber Threat Intelligence
Threat intelligence analyzes adversaries, their motivations, tactics, and techniques, and how they carry out crimes that could be replicated in your organization. This intelligence becomes valuable when it can inform and assist defenders in taking actions to defend against these threats.
Cyber Threat Intelligence is the analysis of how adversaries or cybercriminals use their strategies to perpetrate attacks on vulnerable information assets. Like threat intelligence, whose value lies in converting information about threats into actions that strengthen the security posture, CTI includes a set of atomic indicators of compromise and draws on external and internal information sources and strategies for implementing effective controls.
Organizations increasingly recognize the value of threat intelligence. However, there is a difference between acknowledging that value and actually realizing it. Today, most organizations focus their efforts on the most basic use cases, such as integrating threat data into the existing network at the firewall level, without taking full advantage of the insights that intelligence can provide.
This first article covered the fundamentals to start our journey on this exciting and fascinating topic. In the next installment, we will talk about the benefits that a company obtains when it adopts a threat intelligence process, suggestions about where the function of threat intelligence should sit within organizations, and the type of companies that are rapidly moving to this model, which is gaining greater relevance as cyber-attacks grow in sophistication.