Cyber Threat Intelligence – The Next Big Thing


Cyber Threat Intelligence has become the hottest buzzword in the cyber security space in recent times. Whether it is a security conference, a podcast, the launch of a new security product or service, or even your daily meetings, Threat Intel is now the topic of discussion.

With the breakneck increase in the number of cyber threats launched against people, governments and private-sector organizations across the continents, it is high time we understood the importance and capabilities of a well-structured Threat Intelligence program.

Threat Intelligence is a relatively new and evolving domain in the cyber security industry, and it isn’t pragmatic to cover everything in a single blog post. In today’s article, I will primarily focus on what CTI brings to your company and what its key objectives are, followed by a bootstrap model for launching your own CTI program.

What is Cyber Threat Intelligence?

Threat Intelligence, at its most basic, can be described as a program that helps organizations gain valuable knowledge about cyber threats, build effective defense mechanisms and mitigate the risks that would otherwise damage their bottom line and reputation.

Targeted attacks require targeted defenses and cyber threat intelligence brings the capability to defend more proactively.

Threat Intelligence solutions gather raw data about emerging or existing threat actors from a number of sources. This data is then analyzed and filtered to produce threat intelligence feeds and management reports containing information that can be consumed by automated security controls. The primary purpose of this type of security is to keep organizations informed of the risks of advanced persistent threats, zero-day threats and exploits, and of how to protect against them.

Key Objectives of CTI Program:

  1. Ensure you stay up to date with the overwhelming volume of threats, including vulnerabilities, targets, bad actors and their methods.
  2. Help you become more proactive about potential cyber security threats to your organization.
  3. Keep leaders, stakeholders and users informed about the latest threats that could damage the business financially or cause reputational loss.

What are Cyber Threat Intelligence Feeds?

As the threat landscape is constantly evolving, threat intelligence feeds can assist by identifying common IOCs (Indicators of Compromise) and recommending the necessary steps to prevent attacks.

Common Indicators of Compromise are:

IP addresses, URLs/domains, email addresses, file hashes, DLLs, file names, registry keys, etc.

Collection of Data/Information from Multiple Sources is not ‘Intelligence’

  • Tools do not provide intelligence — Data feeds do not give you threat intelligence. Intelligence about anything requires analysis, and analysis is performed by humans. That said, the combined use of automation, analytics and various tools can substantially increase the effectiveness of analysts.
  • Knowing your infrastructure — No matter how much access you have to intelligence, it is worthless without the ability to identify what is applicable to your organization. Knowing your network, infrastructure, assets and processes is important. For example, suppose a threat actor is actively targeting vulnerabilities in XYZ software: blocking those IOCs makes no sense if your organization does not use XYZ software.

How to Start with a Threat Intelligence Program?

  1. Budget — Your organization has to have a budget to pay for people, tools and subscriptions.
  2. Access to System, Network and Application Data — The data needed to verify threat intelligence information already exists in your network. Data from firewalls, proxy servers, IDS, IPS, WAF, application logs and anti-virus systems gives you valuable information about what is going on inside your network.
  3. Essential IT Processes — It makes no sense to spend time providing threat intelligence to other IT departments if they are unable to act on it. Having intelligence without a follow-up action is as useless as having no intelligence at all.
  4. Access to OSINT — It is vital to build relationships with other communities and organizations, e.g. ISACs (Information Sharing and Analysis Centres), threat information sharing communities and CERTs.
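To illustrate the "knowing your infrastructure" point above and the use of your own network data to verify feed information, here is an added example that is not part of the original post. It filters a constructed IOC feed by an asset inventory (the XYZ/ABC software case) and then counts sightings of the remaining indicators in constructed proxy and firewall log lines, which is the raw input for the "IOCs observed in your network" KPI. The feed fields, inventory and log layout are assumptions, not any vendor's format.

```python
# Added example (not from the original post): keep only the IOCs that apply to
# the assets you actually run, then check those against your own logs.
# All feed entries, inventory items and log lines below are constructed.
import re
from collections import Counter

# Constructed IOC feed: each indicator is tagged with the software the
# associated campaign targets, so its applicability can be judged.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.10", "targets": "XYZ software"},
    {"type": "domain", "value": "update-check.example", "targets": "ABC software"},
    {"type": "ip", "value": "198.51.100.7", "targets": "ABC software"},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "targets": "ABC software"},
]

# Constructed asset inventory: software actually deployed in this organization.
INVENTORY = {"ABC software", "Mail gateway"}

# Constructed log lines: two proxy entries and one firewall entry.
LOGS = [
    "2024-01-05T10:01:02Z proxy user=alice dst=update-check.example status=200",
    "2024-01-05T10:02:14Z fw action=deny src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-01-05T10:03:30Z proxy user=bob dst=cdn.example status=200",
]


def applicable_iocs(feed, inventory):
    """Drop indicators whose targeted software is not in the inventory."""
    return [ioc for ioc in feed if ioc["targets"] in inventory]


def sightings(iocs, logs):
    """Count log lines that mention each applicable indicator as a whole token."""
    hits = Counter()
    for ioc in iocs:
        # Token boundaries stop 'cdn.example' matching inside a longer name.
        pattern = re.compile(r"(?<![\w.-])" + re.escape(ioc["value"]) + r"(?![\w.-])")
        hits[ioc["value"]] += sum(1 for line in logs if pattern.search(line))
    return hits


if __name__ == "__main__":
    relevant = applicable_iocs(IOC_FEED, INVENTORY)
    for value, count in sightings(relevant, LOGS).items():
        print(f"{value}: {count} sighting(s)")
```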

Build Your Team

Building a team is a chicken-and-egg problem: you need tools and data to support the team, while on the other hand you need a team to look after an increasing amount of data. Bootstrapping is essential when building a threat intelligence program.

  • Find people from different backgrounds with demonstrated skills in security operations, technical expertise and hands-on experience with tools and technologies.
  • Team members should be able to talk to different audiences and write concise, understandable reports; executive communication skills and excellent writing and presentation skills are necessary.
  • Measuring your success — When you begin your program, you have to define the stakeholders and goals. There should be a good understanding of the reports: their frequency, who receives them, who should act on them and who will provide feedback on them.
  • Measuring success is difficult without defining Key Performance Indicators (KPIs). You have to make sure these KPIs are relevant to your organization and team, for example:
    1. How many threat intelligence reports have you produced?
    2. What was the feedback on those reports?
    3. How many attacks did you successfully prevent?
    4. The total number of IOCs you observed in your network, etc.
  • Threat intelligence is a repeating process, and your team should be able to work consistently on the new information coming in from different sets of sources. Once your program is established, you should focus further on automating things.

Final thoughts…

As cyber attacks grow more complicated and targeted, organizations should take every opportunity to learn more about the potential attacks being aimed at them. A Threat Intelligence program equips you with valuable insights and knowledge that lead to a more effective security program. So, Cyber Threat Intelligence is definitely the next big thing for cyber security professionals as well as for every single organization around the globe in this connected world.