Deep Inside Cyber Threat Intelligence: Make Informed Decisions About Your Security

Md Asif
Published in Analytics Vidhya
9 min read · Jul 20, 2021

What is Threat Intelligence?

Digital technologies facilitate automation and greater connectivity in nearly every industry today. This is a great boon, undoubtedly. However, they have also brought risks in the form of cyberattacks. Threat intelligence can provide data-backed knowledge so that you can prevent or at least mitigate such attacks.

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.” — Gartner

Importance of Threat Intelligence

The cybersecurity industry faces a multitude of challenges these days:

— An ever-increasing threat landscape driven by devious threat actors.

— A flood of data laden with extraneous information.

— False alarms across unconnected security systems caused by unstructured data.

— A severe shortage of skilled cybersecurity professionals.

The good news is that organizations have already started to realize the value of threat intelligence. Around 72% are planning to increase their threat intelligence budget in the upcoming months. Other organizations are trying to incorporate threat data feeds into their existing network, IPS, firewalls and SIEMs. However, their data analysts may not have the right tools to get the full benefit from the insight.

Cyber threat intelligence, when applied correctly, can address all of the above issues. Solutions that are equipped with AI and ML can

i) Process unstructured data from disparate sources to identify IoCs and the tactics, techniques and procedures (TTPs) of threat actors.

ii) Enable security teams to make better decisions by shedding light on the unknown.

iii) Empower business stakeholders such as CISOs, executive boards and CTOs to invest wisely, mitigate risk and make faster, more efficient decisions.

Who Benefits from Threat Intelligence?

Cyber threat intelligence is widely imagined to be the domain of elite analysts. In reality, it adds value across organizations of all sizes by helping them process threat data to better understand the attackers and their motives, and to proactively get ahead of the threat actor’s next move!

Threat intelligence provides several unique benefits to every member of a security team. Below is a chart of how it can benefit each security team member.

Lifecycle of Threat Intelligence

The goal of threat intelligence is to transform raw and unstructured data into structured outcomes for decision-making. The intelligence cycle guides the cybersecurity team through the development and execution of an effective threat intelligence program.

The intelligence cycle sets a framework that facilitates teams to optimize their available resources thus responding effectively to the constantly evolving threat landscape. An effective intelligence program is iterative and becomes more refined over time.

There are 6 steps and we are going to explore them below:

1. Requirements

Ask the right question! That’s the first step to producing actionable threat intelligence. The objectives of the intelligence should adhere to your organization’s core values. Besides, the decisions it informs should be time-sensitive and have a significant impact on the security outcome.

The guiding questions here are who the end user of the intelligence will be, what the attackers’ motives are and what the attack surface is.

2. Collection

In this second step, the security team has to collect the information required to satisfy the above objectives and requirements. Your data sources should be as wide as possible: internal ones such as event logs, network records and records of past incident responses, and external ones such as the dark web, the open web and technical sources.

Malicious IP addresses, IoCs, domains and file hashes are usually considered threat data. However, your security team should also consider customers’ personal information, raw code from paste sites, vulnerability information and text from news sources and social media as threat data.

3. Processing

As soon as all the raw and unstructured data has been collected, the security team needs to sort it with metadata tags. Redundant information should be excluded to avoid false positives and false negatives. Traditional methods of data organization include coded spreadsheets, decrypting files and translating information from foreign-language sources.

However, these days even small organizations collect tons of data from a multitude of internal and external sources. As a result, it becomes difficult for human analysts to turn such voluminous unstructured data into something digestible. Automated data collection and processing tools serve the purpose far better.

4. Analysis

Now that all the data has been processed, the analyst team hunts for potential security issues. The team also turns the dataset into actionable items and prepares it for stakeholders, together with valuable recommendations.

Admittedly, depending on the intended audience and objectives, threat intelligence can take many forms — from simple threat lists to peer-reviewed reports. Nevertheless, the goal of the analysis should be to make it understandable to the audience.

5. Dissemination

The outcome of the analysis should now be distributed to its intended customers at the right time. Depending on the audience’s level of understanding, the presentation of the analysis may vary, but it should be concise and free of excessive technical jargon, ideally a one-page report or a brief slide deck.

6. Feedback

The final stage involves receiving feedback on the disseminated report from the stakeholders. Stakeholders will review the report and identify if their objectives are fulfilled. They may suggest changes to their priorities or the cadence at which they want to receive the intelligence report.

Types of Threat Intelligence

There are 3 types of threat intelligence:

i) Tactical — Focuses on analysis of threat actors for a more technical audience.

ii) Operational — Technical details i.e. TTPs about specific attacks and campaigns.

iii) Strategic — High level trends typically meant for a non-technical audience.

Tactical Threat Intelligence

Tactical intelligence focuses on the immediate future, is technical in nature and identifies singular threats, while also giving a broader perspective of the threat landscape. Singular threats are things like bad IP addresses, URLs, file hashes and malicious domain names. Tactical intelligence is used by personnel directly involved in the defense team of an organization.

This intelligence is the easiest to generate as it is generally automated and can be obtained from open source or free data feeds. However, you must be aware of the authenticity of the data source: if it is not timely or of high fidelity, it may give you false-positive results.

Tactical threat intelligence is very useful to suggest improvements in the existing security controls and speed up incident response. Most of the issues addressed by tactical intelligence are unique to your organization.

Operational Threat Intelligence

Operational intelligence gives insight into cyberattacks, events or campaigns. This specialized insight gives the incident response team a better understanding of the nature, extent and timing of an attack. In short, operational threat intelligence tracks the ‘who’, ‘why’ and ‘how’ behind every attack.

Operational intelligence consumes more resources than tactical intelligence, but it has a longer useful life because cybercriminals can’t change their TTPs as fast as they can change their tools or infrastructure. Machines alone can’t produce viable operational threat intelligence; human analysis is indispensable for converting data into a readily usable format. However, machines can definitely reduce human effort in this context.

Professionals working in a Security Operations Center (SOC) find operational intelligence most useful. Cybersecurity disciplines like threat monitoring, vulnerability management and incident response are some of the biggest consumers of operational intelligence.

Strategic Threat Intelligence

Strategic intelligence gives you a broad overview of the threat landscape. It helps executives and decision-makers make informed decisions, so the nature and content of the intelligence is less technical and is typically delivered as reports or briefings.

Common sources of information for strategic intelligence include the following:

— News from local & national media

— Industry-specific publications

— Policy documents from both government & non-government organizations.

— Research reports, white papers and papers published by security organizations.

Executives and the board of directors can determine an effective cybersecurity investment after understanding the strategic intelligence. This intelligence is the hardest form to generate as it considers global events, foreign policies and other international movements.

Although the final report is non-technical, strategic intelligence still requires intense human effort, including data collection, analysis and deep research across multiple platforms. At the same time, the team should have a thorough understanding of the world’s geopolitical situation as well as cybersecurity nuances.

Threat Intelligence Use Cases

Diverse use cases of threat intelligence have made it an essential resource for cross-functional teams across organizations. Here are some of the use cases of threat intelligence.

Incident Response

The head of the incident response team probably faces the highest level of stress, as the rate of cyber incidents has climbed steadily over the past 10–15 years. On top of that, a significant percentage of daily alerts turn out to be false positives. And when a genuine incident takes place, the analysts must spend time sorting data and assessing the problem.

Threat intelligence can ease the burden in several ways:

i) Automatic identification and dismissal of false positives

ii) Comparing information from both internal and external sources

iii) Enriching alerts with real-time context
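The Processing step above (tagging, de-duplicating indicators from several feeds) and the incident response benefits just listed (dismissing low-confidence matches, enriching alerts with context) can be illustrated with one small pipeline. This is an added example, not code from the original article; the feed entries, feed names, tags and observables are all constructed, and the two-source "high confidence" rule is an assumption.

```python
import ipaddress

# Constructed raw IoC feed entries (not real indicators): duplicates,
# mixed case and stray whitespace, as several feeds might deliver them.
RAW_FEED = [
    {"value": "198.51.100.23", "type": "ipv4", "source": "feed-a", "tags": ["c2"]},
    {"value": " 198.51.100.23", "type": "ipv4", "source": "feed-b", "tags": ["scanner"]},
    {"value": "Evil-Example.TEST", "type": "domain", "source": "feed-a", "tags": ["phishing"]},
    {"value": "evil-example.test.", "type": "domain", "source": "feed-c", "tags": ["phishing"]},
    {"value": "0123456789ABCDEF0123456789ABCDEF", "type": "md5", "source": "feed-b", "tags": ["dropper"]},
]

def normalize(ioc_type, value):
    """Canonicalize one indicator so the same IoC from different feeds collides."""
    value = value.strip()
    if ioc_type == "ipv4":
        value = str(ipaddress.ip_address(value))  # also rejects malformed addresses
    elif ioc_type == "domain":
        value = value.lower().rstrip(".")
    elif ioc_type in ("md5", "sha1", "sha256"):
        value = value.lower()
    return (ioc_type, value)

def build_index(feed):
    """Processing step: dedupe, merge metadata tags, record corroborating sources."""
    index = {}
    for ioc in feed:
        entry = index.setdefault(normalize(ioc["type"], ioc["value"]),
                                 {"sources": set(), "tags": set()})
        entry["sources"].add(ioc["source"])
        entry["tags"].update(ioc["tags"])
    return index

def enrich(observables, index):
    """Incident response step: attach intel context to an alert's observables.
    Matches seen by a single feed are marked low confidence (assumed rule)."""
    hits = []
    for ioc_type, value in observables:
        key = normalize(ioc_type, value)
        entry = index.get(key)
        if entry:
            hits.append({"type": key[0], "value": key[1],
                         "sources": sorted(entry["sources"]),
                         "tags": sorted(entry["tags"]),
                         "confidence": "high" if len(entry["sources"]) > 1 else "low"})
    return hits

# Constructed observables extracted from one proxy-log alert
SAMPLE_ALERT = [("ipv4", "198.51.100.23"), ("domain", "EVIL-EXAMPLE.TEST"), ("ipv4", "203.0.113.9")]
```

Running `enrich(SAMPLE_ALERT, build_index(RAW_FEED))` collapses the five feed rows to three indicators and returns two enriched hits, leaving the unknown address unmatched.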

Security Operations

SOC teams deal with hundreds or thousands of alerts generated by their networks. Triaging these alerts takes too long, and the team often suffers from ‘alert fatigue’. Threat intelligence can address the problem by gathering information accurately and quickly, filtering out false alarms and simplifying incident analysis.

Vulnerability Management

Effective vulnerability management means prioritizing vulnerabilities based on actual risk. Despite the growing number of disclosed vulnerabilities, research shows that most attacks target a small proportion of them. Moreover, threat actors are fast: it usually takes around 2 weeks from the announcement of a new vulnerability to its exploitation against targets.

Threat intelligence can help you identify the actual risk: it goes beyond CVE severity scoring by combining your internal vulnerability data with additional context about the TTPs of threat actors.
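As an added example (not from the original article) of what "going beyond CVE scoring" can look like in practice, the following ranks a constructed scan result by combining the base severity score with intel context. The CVE ids (`CVE-0000-*`), actor names, asset names and the additive weights are all placeholders and assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str              # placeholder ids (CVE-0000-*), not real CVEs
    cvss: float           # base severity score from the scanner
    asset: str
    internet_facing: bool

# Constructed internal scan results
SCAN = [
    Vuln("CVE-0000-0001", 9.8, "build-server", False),
    Vuln("CVE-0000-0002", 7.5, "vpn-gateway", True),
    Vuln("CVE-0000-0003", 5.3, "intranet-wiki", False),
    Vuln("CVE-0000-0004", 7.2, "mail-relay", True),
]

# Constructed intel context: exploitation status and which tracked
# actors (placeholder names) use the CVE against our sector.
INTEL = {
    "CVE-0000-0002": {"exploited_in_wild": True, "actors_targeting_us": ["GROUP-X"]},
    "CVE-0000-0003": {"exploited_in_wild": False, "actors_targeting_us": ["GROUP-Y"]},
    "CVE-0000-0004": {"exploited_in_wild": True, "actors_targeting_us": []},
}

# Weights are assumptions for illustration; tune them to your own risk model.
EXPLOITED_BONUS, TARGETED_BONUS, EXPOSED_BONUS = 3.0, 2.0, 1.5

def risk_score(v, intel):
    """Return (score, reasons): CVSS plus intel- and exposure-driven adjustments."""
    ctx = intel.get(v.cve, {})
    score, reasons = v.cvss, []
    if ctx.get("exploited_in_wild"):
        score += EXPLOITED_BONUS
        reasons.append("exploited in the wild")
    if ctx.get("actors_targeting_us"):
        score += TARGETED_BONUS
        reasons.append("used by " + ", ".join(ctx["actors_targeting_us"]))
    if v.internet_facing:
        score += EXPOSED_BONUS
        reasons.append("internet-facing asset")
    return round(score, 1), reasons

def prioritize(scan, intel):
    """Rank vulnerabilities by contextual risk, highest first, with the reasons."""
    scored = [(v.cve, *risk_score(v, intel)) for v in scan]
    return sorted(scored, key=lambda row: row[1], reverse=True)
```

Note how the 9.8-scored flaw on an isolated build server drops below two lower-scored but actively exploited, internet-facing ones; the `reasons` list is what goes into the stakeholder report.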

Fraud Prevention

To keep your organization safe, you need to prevent fraudulent uses of your data or brand. Threat intelligence gathered from underground criminal networks gives you good insight into the tactics of threat actors.

You can use threat intelligence to prevent payment fraud, compromised data, typosquatting and many other similar activities.

Security Leadership

Security leaders including CISOs, CTOs, and CIOs have to manage risk with limited available resources. Threat intelligence can help map the threat landscape and calculate risk thereby giving security personnel the required insight to take an informed decision.

There are at least four key areas where threat intelligence can help security leaders:

— Mitigation: Security leaders can prioritize vulnerabilities with the help of threat intelligence. As a result, mitigation of the threats becomes easier.

— Communication: CISOs often find it challenging to communicate technical threats and countermeasures to a non-technical audience like business leaders or investors. Threat intelligence provides a good solution to this problem in the form of a report or brief slide deck.

— Supporting leaders: Threat intelligence can provide security leaders with a real-time picture of the latest trends, threats and events, helping them respond to a threat or communicate its potential impact.

— The security skills gap: Threat intelligence automates labor-intensive tasks through faster data collection, risk prioritization and reducing unnecessary alerts. Robust threat intelligence also mitigates the skills gap by offering a good platform to learn new things.

Reducing Third-party Risk

Third-party risks are real. Unfortunately, organizations are often reluctant to deploy third-party risk management practices. Financial audits and security certificate verifications are important. However, sometimes they lack context and are not timely.

A real-time context on the actual threat landscape is paramount. Threat intelligence provides transparency into the threat environments of the third parties thus providing real-time alerts on threats & risks. As an organization, you will get the context that’s needed to evaluate the relationship.

Some other use cases are summarized briefly in the image below:

Now that you know all about cyber threat intelligence, I hope it will help you to make knowledge-based decisions. You will certainly be in a good position to determine the next cybersecurity budget for your organization. If you want to know more about any specific issue let me know in the comment section.
