WHAT IS CYBER THREAT INTELLIGENCE?
Cyber Threat Intelligence (CTI), also known as Security Intelligence, combines information security with intelligence studies. Threat intelligence is evidence-based knowledge about existing or emerging threats. Data is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables faster, more informed, data-backed security decisions and shifts defenders from a reactive to a proactive posture against threat actors.
WHY IS CYBER THREAT INTELLIGENCE IMPORTANT IN THE MODERN CYBER WORLD?
CTI reveals unknown threats and enables security teams to make better decisions. It exposes adversaries’ motives and their tactics, techniques, and procedures (TTPs), and it helps CISOs, CIOs, and CTOs invest wisely, mitigate risk, become more efficient, and make faster decisions.
THE INTELLIGENCE LIFECYCLE
The CTI lifecycle is a process to transform raw data into finished intelligence.
The CTI lifecycle can broadly be identified under the following domains, each with specific objectives:
- Requirements
- Collection
- Processing
- Analysis
- Dissemination
- Feedback
- Requirements
The requirements stage is crucial to the threat intelligence lifecycle because it sets the roadmap for a specific threat intelligence operation. During this planning stage, the team decides on the goals and methodology of their intelligence program based on the needs of the stakeholders. The CTI team identifies:
- who the attackers are and their motivations
- what the attack surface is
- what specific actions should be taken to strengthen their defenses against a future attack
- Collection
Once the requirements are defined, the CTI team collects the information required to satisfy those objectives. Depending on the goals, they will usually seek out traffic logs, publicly available data sources, relevant forums, social media, and industry or subject matter experts.
- Processing
After the raw data has been collected, it has to be processed into a format suitable for analysis. Most of the time this entails organizing data points into spreadsheets, decrypting files, translating information from foreign sources, and evaluating the data for relevance and reliability.
- Analysis
Once the dataset has been processed, the team must conduct a thorough analysis to find answers to the questions posed in the requirements phase. During the analysis phase, the team also works to turn the dataset into action items and valuable recommendations for the stakeholders.
- Dissemination
The dissemination phase requires the CTI team to translate their analysis into a digestible format and present the results to the stakeholders in layman’s terms.
- Feedback
The final stage of the CTI lifecycle involves getting feedback on the provided report to determine whether adjustments need to be made for future threat intelligence operations. Stakeholders may have changes to their priorities, the cadence at which they wish to receive intelligence reports, or how data should be disseminated or presented.
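As an added example that is not part of the original article, the script below runs a constructed indicator feed and constructed proxy log lines through the Processing, Analysis and Dissemination stages described above: indicators are normalized, deduplicated and scored by source reliability, matched against the logs, and summarized for stakeholders. The feed sources, reliability weights, log format and 0.5 threshold are all assumptions made for the example.

```python
import ipaddress
# Constructed feed: (source, type, value); all values are invented, none is a real IoC.
RAW_FEED = [
    ("vendor-feed", "ipv4", "203.0.113.45"),
    ("osint-blog", "domain", "Update-Check.EXAMPLE.net."),
    ("forum-post", "domain", "update-check.example.net"),  # same IoC, weaker source
    ("forum-post", "ipv4", "198.51.100.77"),               # only a low-reliability source
    ("osint-blog", "ipv4", "300.1.2.3"),                   # invalid address, dropped
]
# Assumed per-source reliability weights, as agreed in the Requirements stage.
SOURCE_RELIABILITY = {"vendor-feed": 0.9, "osint-blog": 0.6, "forum-post": 0.3}
LOGS = [  # constructed proxy log lines standing in for the collected internal traffic logs
    "2024-05-01T10:00:01Z src=10.0.0.7 dst=203.0.113.45 host=-",
    "2024-05-01T10:00:02Z src=10.0.0.8 dst=198.51.100.2 host=update-check.example.net",
    "2024-05-01T10:00:03Z src=10.0.0.9 dst=198.51.100.77 host=cdn.example.org",
]

def normalize(ioc_type, value):
    """Processing: canonicalize one indicator, or return None if it is unusable."""
    v = value.strip().lower().rstrip(".")
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(v))
        except ValueError:
            return None
    return v if ioc_type == "domain" and "." in v else None

def process_feed(feed, min_reliability=0.5):
    """Processing: dedupe, keep the most reliable source per indicator, apply the threshold."""
    best = {}
    for source, ioc_type, value in feed:
        v = normalize(ioc_type, value)
        score = SOURCE_RELIABILITY.get(source, 0.0)
        if v is not None and score > best.get((ioc_type, v), (0.0, ""))[0]:
            best[(ioc_type, v)] = (score, source)
    return {k: s for k, s in best.items() if s[0] >= min_reliability}

def analyze(indicators, logs):
    """Analysis: internal hosts whose traffic matched a vetted indicator."""
    hits = []
    for line in logs:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        for (ioc_type, v), (score, source) in indicators.items():
            if v in (fields["dst"], fields["host"]):
                hits.append({"src": fields["src"], "indicator": v, "source": source, "reliability": score})
    return hits

def disseminate(hits):
    """Dissemination: a stakeholder-level summary instead of raw matches."""
    return {"indicators": sorted({h["indicator"] for h in hits}), "hosts": sorted({h["src"] for h in hits})}
```

Note that the low-reliability address 198.51.100.77 appears in the logs but is never reported, because the Processing stage filtered it out before Analysis ran.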
LEVELS OF CYBER THREAT INTELLIGENCE
1. Tactical CTI
Tactical CTI deals with the what (IoCs, TTPs); the low-level, technical details of individual attacks and attackers. It focuses on the short term.
Tactical CTI is usually produced for the incident response (IR) team, SOC analysts, risk analysts, IT, and IT tools (e.g., SIEM, firewalls, IDS/IPS, endpoints).
2. Operational CTI
Operational CTI deals with the how and where (TTPs); the mid-level details of attack campaigns and attackers. It’s the middle level between tactical and strategic CTI. It’s less technical than the tactical level, but more technical than the strategic level. It focuses on the medium term.
It helps mid-level decision-makers better understand vulnerabilities, threats, and attacks, to make more informed decisions about defending the organization against specific threats.
Operational CTI is usually produced for the incident response (IR) team, network security team, SOC analysts, threat hunters, vulnerability management team, risk analysts, and managers in IT (e.g., CISO, CIO) and other areas (e.g., PR, HR, legal).
3. Strategic CTI
Strategic CTI deals with the who (attribution) and why (motive, intent). It deals with the high-level, big-picture details about attack trends and the threat landscape. It’s the least technical level. It focuses on the long term.
It helps senior decision-makers make more informed decisions about mitigating risks and defending the organization against general threats.
Strategic CTI is usually produced for organizational leaders (e.g., CEO, CIO, CTO, CFO, other executives) and GRC (governance, risk, and compliance) analysts.
