Cyber Threat Intelligence
Cyber threat intelligence (CTI) aims to develop timely, relevant, and actionable intelligence about emerging threats and key threat actors to enable effective cybersecurity decisions.1 CTI is a data-driven four-phase process. CTI professionals can be expected to proceed through the following general CTI lifecycle:
Phase 1: Intelligence planning/strategy. Organizations will first define their intelligence needs by assessing the threat landscape, monitoring their electronic assets, and modelling possible attack vectors.
Phase 2: Data collection and aggregation. The intelligence needs defined in phase one guide data collection from Intrusion Detection and Prevention Systems (IDS/IPS) and from the log files of databases, firewalls, and servers.
Phase 3: Threat analytics. Analytics such as malware analysis, event correlation, and forensics are used to develop relevant, timely, and actionable intelligence.
Phase 4: Intelligence usage and dissemination. The threat analytics from phase three are used to produce the intelligence CTI professionals need to deploy appropriate security measures, such as two-factor authentication and antivirus malware signatures, and so build robust cybersecurity defenses.
Five major categories of CTI data sources exist:
- Open Source Intelligence (OSINT). Data collected from the internet or from other CTI companies. Data sources include both traditional social media sites such as Facebook and Twitter and Darknet sources such as hacker forums, Darknet marketplaces, Internet Relay Chat (IRC), and carding shops.
- Internal Intelligence. Data collected from an organization’s internal cyber assets; this is the most common and traditional data source. Data is collected from network logs generated by IDS/IPS, databases, servers, routers, switches, and other network devices on an organization’s network.
- Human Intelligence (HUMINT). Manual research and data collection. Uses methods such as direct hacker interactions and ethnographies to gain precise and deep knowledge about particular threats.
- Counter Intelligence. Providing false information to deceive hackers. This is a safer approach to identifying the tools and methods used by hackers without engaging with them directly.
- Finished Intelligence (FINTEL). Finished intelligence ready for dissemination.
The most common CTI analytics procedures are:
- Summary statistics. High-level summary of collected data.
- Event correlation. Analyzes relationships between events.
- IP reputation services. Assessing the reputation (quality) of an IP address.
- Malware analysis. Analyzing (statically and/or dynamically) malicious files found on a network or a system.
- Anomaly detection. Detecting abnormal behaviors and activities.
- Forensics. Identifying and preserving digital evidence.
- Machine learning. Algorithms that learn from data in order to make predictions about it or to describe it.
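As an added illustration of the Phase 3 procedures above (summary statistics and event correlation over the IDS/IPS and firewall logs gathered in Phase 2), the following example is not from the cited paper; the log format, field names, and all log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample inputs (not real traffic) in "timestamp key=value ..." form.
IDS_ALERTS = [
    "2024-03-01T10:00:05 src=203.0.113.7 sig=nmap_scan",
    "2024-03-01T10:01:10 src=203.0.113.7 sig=web_sqli",
    "2024-03-01T10:07:00 src=198.51.100.2 sig=tor_exit_policy",
]
FW_LOGS = [
    "2024-03-01T10:00:06 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:07 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-01T10:01:12 action=ALLOW src=203.0.113.7 dst=10.0.0.8 dport=443",
    "2024-03-01T10:30:00 action=ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443",
    "2024-03-01T10:02:00 action=ALLOW src=192.0.2.9 dst=10.0.0.8 dport=443",
]

def parse(line):
    """Turn one log line into a dict; the first token is an ISO timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event

def summary_stats(fw_logs):
    """Summary statistics: per source IP, (total events, denied events)."""
    stats = defaultdict(lambda: [0, 0])
    for ev in map(parse, fw_logs):
        stats[ev["src"]][0] += 1
        if ev["action"] == "DENY":
            stats[ev["src"]][1] += 1
    return {src: tuple(v) for src, v in stats.items()}

def correlate(alerts, fw_logs, window_s=60):
    """Event correlation: firewall events from the same source within +/- window_s
    seconds of each IDS alert -> {src: [(signature, match_count, dst_ports), ...]}."""
    fw_events = [parse(l) for l in fw_logs]
    linked = defaultdict(list)
    for alert in map(parse, alerts):
        near = [ev for ev in fw_events if ev["src"] == alert["src"]
                and abs((ev["ts"] - alert["ts"]).total_seconds()) <= window_s]
        linked[alert["src"]].append(
            (alert["sig"], len(near), sorted(int(ev["dport"]) for ev in near)))
    return dict(linked)

def corroborated_sources(linked):
    """Sources whose IDS alerts coincide with firewall activity: candidates for forensics."""
    return sorted(src for src, hits in linked.items() if any(n for _, n, _ in hits))
```

An alert with no corroborating firewall activity in the window (the Tor policy hit here) is left for analyst review rather than escalated automatically.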
Cyber threat intelligence has been proven to be beneficial in organizations of all sizes, and at every level of state, local, tribal, and territorial governmental organizations. Properly applied CTI can provide greater insight into cyber threats, enabling a faster and more targeted response. Additionally, resource development and allocation can be bolstered through CTI methodologies, which assist decision-making regarding acceptable business risks, control and budget development, equipment, staffing, incident response, and post-incident activities. CTI is becoming increasingly important as employees at every level must have awareness of cyber threats and be educated about how to avoid and respond to them.
1 Samtani et al., 2018, “Cybersecurity as an Industry: A Cyber Threat Intelligence Perspective”