“Cyber threat intelligence”, or “cybersecurity threat intelligence”, has become a popular term. Yet very few can say with confidence that they know what the term entails. How does it contribute to the wider cybersecurity space? What do cyber threat intelligence analysts do in their day-to-day assignments? CTRL Group are here to provide a better understanding of the fundamentals of cyber threat intelligence, what cyber threat analysts do on the ground, and how grasping and scrutinising threat intel from across the globe may contribute to your organisation’s security.
Most people, when they hear the term cyber threat intelligence, think about cyber-attacks, risks, information gathering and threat hunting. Cyber threat intelligence is all of the above, and much more.
Primarily, cybersecurity threat intelligence is meant to support cybersecurity teams and the relevant business units, so that they remain aware of what is happening in the world of security. Cyber threat intelligence provides contextualised content that enables businesses to remain proactive on their cybersecurity journeys and stay ahead of malicious actors.
Sometimes cybersecurity threat intelligence may also include supplying indicators of compromise (IOCs) such as hashes, URLs or IP addresses to block or scan for on internal networks. At the same time, it can also mean delivering tailored intelligence to relevant stakeholders about a newly emerging advanced threat, or a vulnerability that might cause a breach in the company’s infrastructure. For some organisations, it can even include gathering information about adversaries and successful exploitations, or proactively hunting for an existing threat already within their network. With so many different ways to utilise it, it is no wonder many executives consider cyber threat intelligence the pivot of all their cybersecurity operations: it can be the difference between acting in the dark and having a flashlight for unknown threats, enabling both the security and leadership teams to make informed decisions.
Different Types of Cyber Threat Intelligence Sources
Cyber threat intelligence can come from various sources. Many organisations rely on commercial or government-created feeds that hold data collected against monitored threats. Such sources are generally industry-specific and/or region-specific. Threat intel from such sources tends to come through as an IOC list for the recipients to monitor or block in their internal networks using their security tools.
However, threat intelligence analysts can utilise many other sources to acquire information, such as the Internet (also known as OSINT, Open-Source Intelligence) or the Darknet, where cybercriminals exchange or sell data. In most cases, information gathered from these sources is much more specific and relevant to their organisation. You would be surprised how easy it is to gather information that you thought was proprietary just by conducting a search on Google or other publicly available resources.
Cyber threat intelligence analysts can also make use of the intelligence gathered by their organisation’s own security tools, such as suspicious emails and logs. Most organisations have troves of logs, and many of them are never reviewed because the Security Operations Centre (SOC) analysts are overloaded. Cyber threat intelligence can help give context, making sure the notable events are not overlooked, and aid in understanding who is targeting the organisation, what their tactics, techniques and procedures (TTPs) are, and what can be done to thwart the attack and minimise the risk.
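As an added illustration of the idea above (this is example code written for this page, not a tool from CTRL Group or anything described in the article), the script below takes a small IOC list in the shape a feed or a peer might share it (type, value, source, context), normalises the "defanged" notation commonly used when indicators are exchanged (hxxp, [.]), extracts candidate values from log lines produced by a proxy, a DNS resolver and an endpoint agent, and returns each hit together with the context the feed carried. The feed entries, log lines and hash are constructed; the IP addresses are documentation ranges, and the log formats are assumed rather than those of any real product.

```python
import re
from dataclasses import dataclass

# Constructed IOC feed (not real indicators): RFC 5737 documentation addresses,
# a reserved example domain and a made-up hash, each with the context a sharing
# group or commercial feed would typically attach.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "source": "sector-sharing-group",
     "context": "C2 server used in phishing campaign against finance firms"},
    {"type": "domain", "value": "invoice-update[.]example", "source": "osint",
     "context": "credential-harvesting page, shared in defanged form"},
    {"type": "sha256", "value": "a" * 64, "source": "commercial-feed",
     "context": "loader dropped by malicious macro"},
]

# Constructed log lines from three different internal tools (formats assumed).
SAMPLE_LOGS = [
    "2024-03-01T09:12:01Z proxy user=jdoe dst=203.0.113.45:443 bytes=5120",
    "2024-03-01T09:12:05Z dns query=invoice-update.example type=A client=10.0.0.7",
    "2024-03-01T09:13:10Z edr host=WS-042 file=C:\\Users\\jdoe\\AppData\\x.exe sha256=" + "a" * 64,
    "2024-03-01T09:14:00Z proxy user=asmith dst=198.51.100.9:443 bytes=880",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo the defanging used when indicators are shared between peers
    (hxxp:// and [.]) so feed entries compare equal to what the logs contain."""
    return value.replace("hxxp", "http").replace("[.]", ".").lower()


def build_index(feed):
    """Key every indicator by (type, normalised value) for constant-time lookups."""
    return {(ioc["type"], refang(ioc["value"])): ioc for ioc in feed}


def extract_candidates(line: str):
    """Yield (type, value) pairs for everything in a log line that could be an IOC."""
    text = line.lower()
    yield from (("sha256", m) for m in SHA256_RE.findall(text))
    yield from (("ip", m) for m in IPV4_RE.findall(text))
    yield from (("domain", m) for m in DOMAIN_RE.findall(text))


@dataclass
class Alert:
    """A log line that matched an indicator, carrying the feed's context with it."""
    line: str
    ioc_type: str
    value: str
    source: str
    context: str


def match_logs(lines, feed):
    """Return one Alert per (line, indicator) match; lines with no hits are silent."""
    index = build_index(feed)
    alerts = []
    for line in lines:
        for ioc_type, value in extract_candidates(line):
            hit = index.get((ioc_type, value))
            if hit is not None:
                alerts.append(Alert(line, ioc_type, value, hit["source"], hit["context"]))
    return alerts


if __name__ == "__main__":
    for alert in match_logs(SAMPLE_LOGS, IOC_FEED):
        print(f"[{alert.ioc_type}] {alert.value} <- {alert.source}: {alert.context}")
        print(f"    {alert.line}")
```

Run as-is, it reports three hits (the proxy connection, the DNS lookup and the endpoint file hash) and stays quiet on the benign proxy line. The point it makes is that the match itself is cheap; the value the analyst adds is the context field that travels with the indicator, which is what lets a SOC decide whether a single line in a trove of logs deserves attention.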
Getting Proactive with Cyber Threat Intelligence
After understanding what cyber threat intelligence is and the various sources that feed it, it is time to discuss its benefits. The main one is the ability to transform your organisation’s cybersecurity from reactive to proactive. With a proactive approach to gathering and understanding cybersecurity threat intelligence, your organisation no longer waits for attacks to occur. Rather, the organisation may utilise the information at its disposal to anticipate incidents, prepare adequate security tools and prime the defences. It may even be possible to create honeypots to learn more about the threat actors that are targeting you and their tactics, techniques and procedures (TTPs).
Data collected from security tools, when enriched with other sources of information such as OSINT, commercial or government-based cyber threat intelligence and the Dark Web, can greatly help you in achieving that. A capable cyber threat intelligence analyst can use these sources to build a variety of threat scenarios to test the resiliency of the corporate network. For example, they might take a technical report about a successful attack against an organisation in the same sector and build a tabletop exercise on it, tailor-made using their knowledge of the network and its security posture. These exercises, if performed correctly, can greatly assist relevant stakeholders (the cybersecurity team, IT and business units) in preparing for a cyber-attack against the business: not just by improving defences, but also by dividing responsibilities, preparing playbooks to act on in real time and, above all, gaining confidence in handling an attack in all its aspects.
Sharing Is Caring
Most importantly, cyber threat intelligence is all about sharing information. When it comes to protecting your network, information is key, and the more you know, whether from IOCs, TTPs or any other relevant data, the better. Channelling threat intelligence into security tools to block and/or monitor is relatively cost-effective and can be extremely valuable against common attacks.
As mentioned before, it is wise to join community-based threat intelligence feeds. Yet it is also recommended to tap into personal networks: that is, to create trusting relationships with peers from similar organisations, sectors and/or regions, and to share cyber threat intel with them. Crowdsourcing in this instance is incredibly valuable and mutually beneficial. Many regulators around the world permit sharing of this type of information even where competition law applies. Therefore, it is highly recommended that organisations establish a trusted group with peers when government- and/or commercial-based feeds are not available.
Overall, cyber threat intelligence is a relatively new field in cyber security. Not everyone knows how to utilise it in the best way, and much is still vague around definitions and scope. However, several frameworks that will soon be binding, such as CORIE, have already stressed the need for certain organisations to employ threat intelligence analysts and set the relevant certifications they must have.
At CTRL Group’s BlueNode Risk Operations Centre, dedicated security specialists analyse a vast base of cyber threat intelligence to oversee and protect businesses’ critical infrastructure in real time, elevating the organisation’s cyber maturity and defences. Get in touch today to find out how CTRL can support you on your cybersecurity journey.