CYBER THREAT INTELLIGENCE – WHAT, WHY (AND HOW TO LEARN IT FOR FREE!)
WHAT IS CYBER THREAT INTELLIGENCE?
Cyber threat intelligence starts with collecting, analysing and filtering information, which is then turned into threat intelligence. Information becomes intelligence when its source, reliability and context are evaluated so that it is evidence based and useful, and when false positives are filtered out.
Here is a quick breakdown which explains the difference between the two.
Information:
- Raw, unfiltered feed
- Unevaluated when delivered
- Aggregated from virtually every source
- May be true, false, misleading, incomplete, relevant or irrelevant
Intelligence:
- Processed, sorted information
- Evaluated and interpreted by trained intelligence analysts
- Aggregated from reliable sources and cross-correlated for accuracy
- Accurate, timely, complete (as far as possible), assessed for relevancy
Information is turned into Intelligence using an ‘Intelligence cycle’, with the following steps.
- Planning and Requirements – Define clearly the goals of the program and the requirements to get there.
- Collection and Processing – Decide what information needs to be collected and how you are going to collect it, then normalise it into a form that can be analysed.
- Analysis – Analyse, evaluate and interpret the information you collect to ensure it meets the requirements, and assess any gaps in your collection.
- Production – At this stage, begin to produce threat intelligence briefings and reports. These should be timely, relevant, actionable and tied to the needs of your company.
- Dissemination and Feedback – Deliver the finished products to the internal or external recipients identified in the requirements, and collect feedback so the next cycle's planning improves.
WHO IS CYBER INTELLIGENCE FOR, HOW IS IT USED AND WHY IS IT IMPORTANT?
WHO IS IT FOR AND HOW IS IT USED?
Cyber Intelligence can be split into three areas and groups of interest: Tactical, Operational and Strategic.
Tactical intelligence is short term and is used by SOC teams to detect, find and block threats. It mostly takes the form of indicators, such as IP addresses, domains and file hashes, often taken from a free blocklist, which you block on the firewalls or search for in your logs. Another example is checking your logs for signs of a recently released exploit being used against you. Note that TTPs (tactics, techniques and procedures, not "tools") describe how attackers operate and are longer lived than a list of IP addresses; they belong more to the operational tier described next.
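As an added example (not code from the original post), the Python script below works through the tactical case just described, and also exercises the information-versus-intelligence steps from the start of the post: it takes a raw IP blocklist feed, drops malformed and non-routable entries (obvious false positives), collapses duplicates, cross-correlates entries reported by more than one source and weights each by an assumed per-source reliability, then hunts for the surviving indicators in firewall log lines and renders block rules. The feed rows, the log lines and their key=value layout, the source names and the reliability scores are all constructed for the example.

```python
"""Tactical CTI in practice: evaluate a raw IP blocklist feed, then hunt for the
surviving indicators in firewall logs and emit block rules.

Added example; not code from the original post. The feed entries, log lines,
field layout and per-source reliability scores are all constructed/assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed raw feed: (source name, indicator string), as pulled from several
# free blocklists. Note the duplicate, the private address and the garbage entry.
RAW_FEED = [
    ("feed_a", "203.0.113.10"),
    ("feed_a", "203.0.113.10"),   # exact duplicate within one source
    ("feed_b", "203.0.113.10"),   # a second source agrees: cross-correlation
    ("feed_a", "198.51.100.7"),
    ("feed_b", "10.0.0.5"),       # RFC 1918 address: a false positive for an internet attacker
    ("feed_c", "not-an-ip"),      # malformed entry
    ("feed_c", "192.0.2.44"),     # reported only by a low-reliability source
]

# Assumed reliability of each source (0..1): the "evaluate the source" step.
SOURCE_RELIABILITY = {"feed_a": 0.8, "feed_b": 0.7, "feed_c": 0.3}

# Address space that cannot be an external attacker; feed entries here are noise.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def evaluate_feed(raw, reliability, min_score=0.5):
    """Turn raw feed rows into {ip: confidence}.

    Invalid and non-routable entries are dropped, duplicates collapsed, and the
    confidence combines independent sources as 1 - prod(1 - r) over the distinct
    sources reporting the IP, so two modest sources agreeing beat one alone.
    """
    sources = defaultdict(set)
    for source, value in raw:
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            continue                    # malformed: information, not intelligence
        # IPv4 only, because the log regex below only extracts IPv4 addresses.
        if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
            continue                    # obvious false positive
        sources[str(ip)].add(source)

    scored = {}
    for ip, srcs in sources.items():
        p_all_wrong = 1.0
        for s in srcs:
            p_all_wrong *= 1.0 - reliability.get(s, 0.0)
        confidence = round(1.0 - p_all_wrong, 3)
        if confidence >= min_score:
            scored[ip] = confidence
    return scored


# Constructed firewall log lines in an assumed key=value layout.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 ACCEPT src=192.168.1.20 dst=198.51.100.7 dport=443",
    "2024-05-01T10:00:02Z fw01 ACCEPT src=192.168.1.21 dst=192.0.2.99 dport=443",
    "2024-05-01T10:00:03Z fw01 ACCEPT src=203.0.113.10 dst=192.168.1.5 dport=22",
    "2024-05-01T10:00:04Z fw01 ACCEPT src=192.168.1.22 dst=192.0.2.44 dport=80",
]
IP_FIELD = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def hunt_logs(lines, indicators):
    """Return (ip, confidence, line) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        for ip in IP_FIELD.findall(line):
            if ip in indicators:
                hits.append((ip, indicators[ip], line))
    return hits


def block_rules(indicators):
    """Render iptables drop rules, highest confidence first."""
    ranked = sorted(indicators.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"iptables -A INPUT -s {ip} -j DROP   # confidence {c}" for ip, c in ranked]


if __name__ == "__main__":
    intel = evaluate_feed(RAW_FEED, SOURCE_RELIABILITY)
    for ip, conf, line in hunt_logs(LOG_LINES, intel):
        print(f"HIT {ip} ({conf}): {line}")
    print("\n".join(block_rules(intel)))
```

With the constructed feed, 203.0.113.10 is reported by two sources and scores 0.94, 198.51.100.7 scores 0.8, and 192.0.2.44 is dropped because its only source is too unreliable, so the log line that talks to it produces no hit. That last point is the difference between a raw feed and intelligence: the low-confidence entry is not silently blocked, it is simply not acted on until another source corroborates it.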
Operational intelligence comes from monitoring adversaries and understanding how they work and operate: their TTPs, infrastructure and targets. It is more detailed and mid-to-long term, and carries more context and enrichment, which makes it more valuable. Knowing who is behind an attack, how they carry it out and why can be invaluable to the various teams within a SOC: it shows them the potential risks in their environment, how attackers act and how to defend against them.
Strategic intelligence is given to management and decision makers to support their decisions. It may take into account geopolitical and business factors along with past, current and future trends, to aid long term decision making for the business as a whole. It can take longer to collate, as a large number of people from different parts of the business may be involved in producing it.
WHY IS IT IMPORTANT?
There are a number of reasons why Cyber Threat Intelligence is important, so let's go through them.
Cost Savings – Cost matters to any business in any industry. Including CTI in your defence strategy improves your defences and reduces costs by putting proper strategies and controls in place. This report makes exactly that case – https://threatconnect.com/wp-content/uploads/ThreatConnect-Building-a-Threat-Intelligence-Program.pdf
Efficiency – The use of threat intelligence can make security teams more efficient. Integrating threat intelligence helps to identify risks, false positives and can help pinpoint critical issues. Using high quality intelligence properly can make dealing with alerts quicker, and minimize workload.
Sharing – Sharing threat intelligence between your business and others makes everyone stronger against adversaries. The more high quality data you share, the more you protect yourself and others. This obviously works the other way too: being part of threat sharing programmes (such as MISP communities) means you get valuable intel back.
Data Protection / Lower Risk – The better intelligence you have, the better you can protect your business. Through a knowledge of TTPs, proper defense and detection methods can be put into place. This in turn helps to protect your business from data breaches, ransomware attacks and various other attacks. If not defended against correctly, this can prove costly in both reputational and financial terms to a business.
HOW TO LEARN CYBER THREAT INTELLIGENCE FOR FREE!
I firmly believe that anyone working in cyber security should have a good understanding of cyber threat intelligence. Here are some of my favourite resources to learn cyber threat intelligence yourself.
Cybrary Introduction to Cyber Threat Intelligence – https://www.cybrary.it/course/intro-cyber-threat-intelligence/
Cybrary Advanced Cyber Threat Intelligence – https://www.cybrary.it/course/advanced-cyber-threat-intelligence/
Cybrary Open Source Intelligence Fundamentals – https://www.cybrary.it/course/osint-fundamentals/
Udemy Cyber Security Threat Intelligence Researcher Preview – https://www.udemy.com/course/cyber-security-threat-intelligence-researcher-preview/
Pluralsight Threat Intelligence : The Big Picture – https://www.pluralsight.com/courses/threat-intelligence-big-picture
Awesome Threat Intelligence List Github – https://github.com/hslatman/awesome-threat-intelligence
Thanks for reading the blog post, I hope it helps you to learn cyber threat intelligence. If you would like to discuss this post further, or just have a chat, contact me at https://twitter.com/blueteamblog