Cyber threat intelligence (CTI) considers the full context of a cyber threat to inform the design of highly-targeted defensive actions. CTI combines multiple factors, including the motivations of cybercriminals and Indicators of Compromise (IOC), to help security teams understand and prepare for the challenges of an anticipated cyber threat.
By giving security teams advanced awareness of impending cyber threats, Cyber Threat Intelligence encourages a proactive approach to cybersecurity - the most effective type of cyber defense.
What is the Difference Between Cyber Threat Intelligence and Other Types of Cyber Intelligence?
Conventional cyber intelligence initiatives take a broad approach to cybersecurity. Their objective is to improve the security posture of an IT network to increase its resilience to all types of cyber threats. This could include addressing software vulnerabilities, deploying security controls across the threat landscape, and monitoring attack vectors.
The primary objective of cyber threat intelligence, on the other hand, is to help security teams tailor defenses to each specific cyber threat. Cyber threat intelligence is not a standalone cyberattack defense policy.
The dynamic nature of this defense strategy complements the more static approach of attack surface management. When used in concert, the resulting methodology is a comprehensive cybersecurity program that adapts to the changing threat landscape.
To understand how cyber threat intelligence relates to threat detection, read our post on cyber threat detection and response.
Why is Cyber Threat Intelligence Important?
Cyber threat intelligence is crucial because it's one of the best approaches to defending against Advanced Persistent Threats (APTs).
An Advanced Persistent Threat is a long-term cyberattack campaign where cybercriminals hide inside a breached network to continuously monitor and steal sensitive data.
APT malware is more complicated than other malware strains, such as ransomware. Also, unlike phishing campaigns, APT attacks are not primarily automated. They're managed by organized and sophisticated cybercriminal groups.
To contend with these problem-solving, strategizing, and defense-evading cyber threats, you need to be one step ahead of them, and that's only possible with operational threat intelligence revealing their tactics and probable next steps.
Organizations are beginning to recognize the breadth of cyber resilience that's possible with strategic threat intelligence. Around 72% of enterprises plan to increase their threat intelligence program budgets.
Even though a growing number of organizations recognize the benefits of threat data, few understand how to take full advantage of its insights and instead only use threat intelligence data feeds to support firewall and SIEM functionality.
When the potential of threat intelligence tools is understood and leveraged, security professionals can:
- Make informed incident response decisions
- Understand a hacker's decision-making process
- Prove the effectiveness of security operations to CISOs, stakeholders, and decision-makers with intelligence reports
- Understand the tactics, techniques, and procedures (TTPs) of impending cyberattacks
The Threat Intelligence Framework
The threat intelligence framework comprises three pillars representing the three different types of threat intelligence:
- Tactical intelligence
- Operational intelligence
- Strategic intelligence
Instead of implementing the complete scope of a threat intelligence program in a single effort, start by focusing on each individual type of threat intelligence. Not only will this simplify the overall implementation process, it will naturally result in the development of the most comprehensive threat intelligence program.
Pillar 1: Tactical Threat Intelligence
The tactical intelligence component enforces consideration of the broader context of each threat instead of just treating each threat as a stand-alone event.
Tactical intelligence considers Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) to create threat scenarios for the immediate future. This includes:
- Suspicious IP addresses
- File hashes
- Malicious domain names
Because data collection in this threat intelligence category is so easy, it should ideally be automated with machine learning security solutions.
Aim to identify as many automation opportunities as possible. This will establish a cyber threat intelligence foundation that's scalable and, therefore, optimized for future success.
Tactical threat intelligence data feeds should:
- Consider the lifecycle of each data category to minimize false positives. Data such as malicious IP addresses and domain names constantly change because hackers continuously update them to evade detection.
- Automate malware detection.
- Keep security teams informed of the latest threats.
- Include a continuously updated IOC feed.
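The lifecycle rule above (an IP address is a reliable indicator for days, a file hash for much longer) is easy to get wrong in a feed consumer. The following added example, which is not code from the original article, applies a per-type retention window to a constructed IOC feed and then matches the still-valid indicators against constructed proxy, DNS and EDR log lines. The retention windows, feed values (documentation address ranges and a dummy hash) and log lines are all assumptions made for the illustration.

```python
"""Tactical IOC feed handling: age out indicators per type, then match the
remaining ones against log lines.

Added example, not part of the original article. The retention windows, the
feed snapshot and the log lines below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed retention windows: volatile indicator types expire quickly,
# stable ones (file hashes) stay valid much longer.
RETENTION_DAYS = {"ipv4": 14, "domain": 30, "sha256": 365}
DEFAULT_RETENTION_DAYS = 7


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    last_seen: datetime  # when the feed last confirmed the indicator as active


# Constructed feed snapshot (documentation/test ranges and a dummy hash, not real IOCs).
FEED = [
    Indicator("ipv4", "203.0.113.10", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Indicator("ipv4", "198.51.100.7", datetime(2024, 2, 1, tzinfo=timezone.utc)),  # stale
    Indicator("domain", "malicious.example", datetime(2024, 4, 20, tzinfo=timezone.utc)),
    Indicator("sha256", "a" * 64, datetime(2023, 9, 1, tzinfo=timezone.utc)),
]

# Constructed log lines from three different sources.
LOG_LINES = [
    "2024-05-03T10:00:01Z proxy allow src=10.0.0.5 dst=203.0.113.10:443",
    "2024-05-03T10:00:02Z dns query host=ws-12 qname=malicious.example",
    "2024-05-03T10:00:03Z proxy allow src=10.0.0.9 dst=198.51.100.7:80",
    "2024-05-03T10:00:04Z edr file_create sha256=" + "a" * 64,
]

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "current time"


def active_indicators(feed, now):
    """Drop indicators older than their type's retention window.

    This is the false-positive control the article asks for: an IP address
    seen months ago has very likely been reassigned or abandoned."""
    kept = []
    for ioc in feed:
        window = timedelta(days=RETENTION_DAYS.get(ioc.ioc_type, DEFAULT_RETENTION_DAYS))
        if now - ioc.last_seen <= window:
            kept.append(ioc)
    return kept


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_observables(line):
    """Pull candidate (type, value) pairs out of one log line."""
    found = set()
    for ioc_type, rx in (("ipv4", IPV4_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE)):
        for match in rx.findall(line):
            found.add((ioc_type, match.lower()))
    return found


def match_logs(feed, log_lines, now):
    """Return (line_number, indicator) pairs for every hit on an active indicator."""
    lookup = {(i.ioc_type, i.value.lower()): i for i in active_indicators(feed, now)}
    hits = []
    for number, line in enumerate(log_lines, 1):
        for key in extract_observables(line):
            if key in lookup:
                hits.append((number, lookup[key]))
    return hits


if __name__ == "__main__":
    for number, ioc in match_logs(FEED, LOG_LINES, NOW):
        print(f"line {number}: {ioc.ioc_type} {ioc.value}")
```

Line 3 of the constructed log contains a feed IP address, but because that indicator was last confirmed three months earlier it has aged out and produces no alert; the fresh IP, the domain and the hash each match once.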
Pillar 2: Operational Cyber Threat Intelligence
If a tactical threat intelligence feed is the only data set supporting response teams, future attacks are unlikely to be intercepted. This is because the IOCs of an attack that has not yet happened are, by definition, still unknown.
The operational component of cyber threat intelligence solves this problem by profiling known cybercriminals to identify their likely attack methods.
This component cannot be entrusted entirely to open-source feeds and machine learning. Human intuition is required to aggregate tactical threat intelligence with threat actor profiles to predict likely threat actor movements in real-time.
Operational cyber threat intelligence aims to answer the following questions:
- Who is behind the likely cyberattack?
- Why are they planning to target us?
- How will they target us?
Security teams responsible for regulatory compliance benefit the most from operational intelligence as it helps them prioritize risks that have the most significant impacts on security postures.
Risk prioritization, such as Vendor Tiering, supports smarter vulnerability management for all endpoints and exposures, including zero-day exploits.
Pillar 3: Strategic Threat Intelligence
Strategic threat intel further broadens the context of threat actor motivations to include potential connections with global cybercriminal networks.
Large-scale cyberattacks, such as the far-reaching SolarWinds supply chain attack, are highly complex operations motivated by specific geopolitical events.
Advanced awareness of rising geopolitical tensions could reveal potential cyberattack intentions, especially if your country is allied with an involved nation.
The Cyber Threat Intelligence Lifecycle
Raw data needs to be transformed into actionable intelligence before it is useful to a cybersecurity strategy. This is achieved through a process known as the threat intelligence lifecycle.
This is a challenging problem given the ongoing evolution of the threat landscape. To maintain its relevance, the threat intelligence lifecycle includes a feedback loop that encourages continuous improvements to data quality.
The six stages of the threat intelligence lifecycle are outlined below.
1. Specify your Goals
Before a potential cyber threat is addressed, a sensible action plan needs to be formulated.
This roadmap should be based on your specific cybersecurity objectives. Your security objectives depend on your unique attack surface, so make sure you have a complete and reliable picture of your entire attack surface. This should ideally include dark web exposures.
An attack surface monitoring solution will identify your most critical vulnerabilities, most likely to be targeted by cybercriminals.
This intelligence should be included in your cyber resilience roadmap.
2. Data Collection
With your objectives clearly defined, your security teams can then design a complementary data collection strategy.
This process will involve referencing the three sub-categories of threat intelligence:
- Tactical threat intelligence
- Operational threat intelligence
- Strategic threat intelligence
3. Data Processing
After relevant threat intelligence data is collected, it needs to be processed into a format conducive to analysis.
4. Data Analysis
During the analysis stage, security teams identify potential response efforts that support the overall security objectives specified in step 1.
5. Dissemination
With threat intelligence data analyzed and the necessary response efforts identified, security teams can now inform stakeholders of their plans to intercept impending cyberattacks.
This correspondence is usually in the form of a concise single-page report, free of cybersecurity jargon, to encourage the trust and approval of stakeholders.
6. Feedback
The threat intelligence cycle isn't complete until it's rounded off with the feedback stage. A feedback loop is crucial as it ensures threat intelligence data remains updated and relevant.
A feedback mechanism will also ensure your threat intelligence program remains sensitive to any impromptu direction changes from stakeholders and decision-makers.
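The six stages read as an organizational process, but most of them have a concrete data-handling counterpart. The following added example, which is not code from the original article, walks one set of constructed records through all six stages: protection goals expressed as asset weights (step 1), two raw feeds in different formats (step 2), normalization into one schema with duplicate merging (step 3), ranking by confidence and asset criticality (step 4), a plain-language stakeholder summary (step 5), and analyst feedback that demotes and retires a false-positive indicator (step 6). The asset list, feed records, scoring weights, confidence floor and penalty are all assumptions made for the illustration.

```python
"""A minimal threat intelligence lifecycle in code.

Added example, not from the original article. Asset weights, feed records,
scoring weights, the confidence floor and the false-positive penalty are
constructed for illustration."""
import csv
import io
import json

# Step 1 (goals): the assets we most need to protect, with a criticality weight.
CRITICAL_ASSETS = {"payments-gw": 3, "hr-db": 2, "marketing-site": 1}

# Step 2 (collection): two constructed raw feeds that disagree on format and scale.
FEED_CSV = """indicator,type,confidence,targets
203.0.113.10,ip,80,payments-gw
malicious.example,domain,60,marketing-site
"""
FEED_JSON = json.dumps([
    {"value": "198.51.100.7", "kind": "ip", "score": 0.9, "seen_on": ["hr-db", "payments-gw"]},
    {"value": "203.0.113.10", "kind": "ip", "score": 0.7, "seen_on": ["payments-gw"]},
])

MIN_CONFIDENCE = 40         # constructed floor below which an indicator is retired
FALSE_POSITIVE_PENALTY = 50  # constructed confidence deduction per false-positive report


def _blank(key):
    return {"type": key[0], "value": key[1], "confidence": 0, "assets": set(), "sources": set()}


def normalise(csv_text, json_text):
    """Step 3 (processing): fold both feeds into one schema keyed by (type, value).

    Duplicates keep the highest confidence and the union of targeted assets, and
    the record remembers which feeds reported it."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["type"], row["indicator"])
        rec = records.setdefault(key, _blank(key))
        rec["confidence"] = max(rec["confidence"], int(row["confidence"]))
        rec["assets"].add(row["targets"])
        rec["sources"].add("csv")
    for item in json.loads(json_text):
        key = (item["kind"], item["value"])
        rec = records.setdefault(key, _blank(key))
        rec["confidence"] = max(rec["confidence"], round(item["score"] * 100))  # 0..1 -> 0..100
        rec["assets"].update(item["seen_on"])
        rec["sources"].add("json")
    return records


def prioritise(records):
    """Step 4 (analysis): rank by confidence times the criticality of the assets touched.

    Returns (priority, value) pairs, highest priority first."""
    ranked = []
    for rec in records.values():
        weight = max((CRITICAL_ASSETS.get(asset, 0) for asset in rec["assets"]), default=0)
        ranked.append((rec["confidence"] * weight, rec["value"]))
    return sorted(ranked, reverse=True)


def brief(ranked, top=3):
    """Step 5 (dissemination): jargon-free lines for a one-page stakeholder report."""
    return [f"{i}. {value} (priority {score})" for i, (score, value) in enumerate(ranked[:top], 1)]


def apply_feedback(records, ioc_type, value, false_positive):
    """Step 6 (feedback): a false-positive report lowers confidence; retire below the floor.

    Returns True when the indicator was retired from the working set."""
    key = (ioc_type, value)
    if key not in records or not false_positive:
        return False
    records[key]["confidence"] -= FALSE_POSITIVE_PENALTY
    if records[key]["confidence"] < MIN_CONFIDENCE:
        del records[key]
        return True
    return False


if __name__ == "__main__":
    recs = normalise(FEED_CSV, FEED_JSON)
    print("\n".join(brief(prioritise(recs))))
    apply_feedback(recs, "ip", "203.0.113.10", false_positive=True)
    print("after feedback:", [v for _, v in prioritise(recs)])
```

The feedback step is what keeps the cycle honest: one analyst report is enough to pull a noisy indicator out of the ranking, and because the record still carries its sources, the same report can be used to lower trust in the feed that supplied it.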
Cyber Threat Intelligence and the APT Attack Lifecycle
During an APT attack, threat actors cycle between infiltration, expansion, and data extraction as they burrow deeper into a network towards sensitive resources.
Cyber threat intelligence is an invaluable resource in APT defense because it's one of the few security controls that moulds to hackers' movements.
Integrating multiple cyber threat intelligence feeds into the APT attack lifecycle makes it possible to anticipate and block an APT hacker's progression into the next stage of their attack sequence.