What is Cyber Threat Intelligence (CTI) and why should you use it?
There is a common misunderstanding as to what Cyber Threat Intelligence is. Many think it's a buzzword, or simply the raw output of data feeds and dark web monitoring. This couldn't be further from the truth, and confining its use to that area will yield minimal output and value.
What needs to be remembered is that intelligence tradecraft is a tried and tested capability that has been around for a long time. Good, actionable and timely intelligence will add value and an edge to an organisation, be it from a security or commercial standpoint. Information is not intelligence, and in the realm of Cyber Threat Intelligence this is no different.
In this blog, we educate readers on what Cyber Threat Intelligence is and what it does, when consumed in the right way and at the right levels in an organisation. We will also outline how it can help you with operational and tactical challenges in cybersecurity, and how it can be used to form your overarching information security policies and governance strategies. This includes helping to strengthen and focus your cybersecurity strategy so there is a clear aim and objective that is underpinned by actionable intelligence, helping you make informed decisions.
What is intelligence?
One of the best definitions of intelligence comes from the CIA: "Intelligence is knowledge and foreknowledge of the world around us – the prelude to decision and action…" Intelligence is only intelligence if it is used to inform the decision-making process. If the 'intelligence' you have received is just read and archived, and you have not used it to support your decision-making process, then it is not intelligence. In this case the 'intelligence' you have received is only information, and calling it anything else reduces the impact of further intelligence you might receive.
There is of course a life cycle for generating intelligence, and building blocks that underpin it. It begins by establishing what you want to know. It is fair to say that the intelligence community's understanding of intelligence, and the principles that support its use, have been lifted largely from the military, where they form a tried and tested methodology. The skill is in commercialising its intentions and using it in a way that allows you to make informed decisions in the cybersecurity domain.
Where do you start with Cyber Threat Intelligence?
Begin by understanding what you own as part of your organisation, along with the value of these assets to the organisation. Next, you need to look at the threat landscape and ask what threats are likely to affect these assets, and lastly what you need to do to protect them.
The questions you will have about the landscape will form your Intelligence Collection Plan (ICP). These can be short-term questions concerned with a particular problem you are currently facing, such as 'What are the latest indicators associated with AZORult InfoStealer infections?' or 'What types of Threat Hunting should I be doing against my organisation, as full MITRE coverage is not achievable.' This is often referred to as tactical level intelligence.
Mid to longer-term enduring questions will likely drive your tooling and configuration requirements, such as 'What methods are threat actors using to bypass enterprise EDR solutions?' or 'What are the most common entry methods into corporate environments?' These are more operational issues you are facing. Common products that will address these areas are threat hunting packages with known Tactics, Techniques, and Procedures (TTPs) e.g. latest INTSUMS, latest known vulnerabilities and weaknesses, tech stack monitoring etc.
Lastly, your collection plan is likely to be made up of strategic level security questions for your organisation. These will be focused on horizon scanning and will likely inform your technology procurement drivers e.g. 'Is phishing still the main attack vector affecting our organisation?' With this direction established you can then set about collecting the data needed. Data can be described as discrete facts and statistics for use in the next stage (i.e. processing). Here multiple data points are combined to form information, before then conducting analysis and refining this information into intelligence to support the decisions that need to be made.
Done properly this should answer the questions that were the initial drivers of the collection plan. The cycle then resets, with any improvements from the previous round of directions incorporated into the collection plan. Intelligence should always look to answer one overall enduring question: what is happening in the threat landscape, and what does it mean to me and my organisation? This is the very beginning of a threat-based approach to security.
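As an added illustration, not code from the original post, the following Python sketch models the direction, collection and processing stages of the cycle just described: the ICP holds questions tagged with their level, constructed sample reports stand in for collected data, and the processing step combines data points per question and records whether a finding is corroborated across sources or still single-source information. All class names, topics and sample values are assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Requirement:  # one question from the Intelligence Collection Plan (ICP)
    question: str
    level: str            # "tactical", "operational" or "strategic"
    topic: str            # tag used to route collected reports to this question
    min_sources: int = 2  # below this a finding stays single-source information

@dataclass
class Report:  # a collected data point: one source's observations on one topic
    source: str
    topic: str
    observations: list    # e.g. entry methods or technique names the source saw

# Constructed sample ICP, mirroring the question levels used in the text
ICP = [
    Requirement("What are the most common entry methods into corporate environments?", "operational", "initial-access"),
    Requirement("Is phishing still the main attack vector affecting our organisation?", "strategic", "initial-access"),
    Requirement("What methods are threat actors using to bypass enterprise EDR solutions?", "operational", "defence-evasion"),
]

# Constructed sample reports: not real vendor or victim reporting
REPORTS = [
    Report("vendor-A", "initial-access", ["phishing", "exposed-rdp", "phishing"]),
    Report("vendor-B", "initial-access", ["phishing", "vpn-vuln"]),
    Report("victim-disclosure", "initial-access", ["phishing", "exposed-rdp"]),
    Report("vendor-A", "defence-evasion", ["byovd"]),
]

def process(icp, reports):
    """Processing stage: combine data points per question and record how well corroborated they are."""
    by_topic = defaultdict(list)
    for report in reports:
        by_topic[report.topic].append(report)
    findings = {}
    for req in icp:
        related = by_topic.get(req.topic, [])
        sources = {r.source for r in related}
        # Count each observation once per source, so one verbose report cannot inflate a finding
        counts = Counter(obs for r in related for obs in set(r.observations))
        if not related:
            status = "no-data"
        elif len(sources) >= req.min_sources:
            status = "corroborated"
        else:
            status = "single-source"
        findings[req.question] = {"level": req.level, "ranked": counts.most_common(), "status": status}
    return findings
```

Running `process(ICP, REPORTS)` answers the two initial-access questions with a corroborated ranking led by phishing, while the EDR-bypass question is flagged as single-source and therefore not yet a basis for a decision.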
Why is Cyber Threat Intelligence important?
No matter what industry vertical you work in, there will always be legislative and/or regulatory requirements that need to be adhered to. These arguably drive the need to safeguard your organisation from both a security and an operational perspective, to provide resilience. This means understanding the cyber threat landscape in order to mitigate or reduce the risks from the threats you face.
The first thing you need to fully acknowledge and address is what 'good' looks like, in terms of maintaining a security posture commensurate with the threats you face. To get there, you must consume intelligence that allows you to take action and make well-informed decisions to strengthen your security posture.
That intelligence should give you more than just information or known actors; it must provide a conclusion and answer key questions like:
- What is the analysis of the threat?
- What was the target environment?
- What assets are at greater risk?
- Where should cyber defences be focused?
- What are the risk levels?
- What are the impacts?
- What are recommended mitigations?
The above questions can only be answered by looking at other organisations that have been targeted. The answers will then allow you to ask 'how was it done?' and 'would that work against our organisation?' This information is often not easy to come by, especially at the granular level needed to drive specific decisions. This is usually a result of commercial sensitivities around airing failures in public sources, but there are ways if you know where and what to look for.
Information is everywhere. As soon as you start browsing the internet, you are presented with information, be that from news articles, blogs, tweets, Facebook updates, or a funny YouTube clip. One of the most common methods of tracking attacks is looking at victim disclosures, both official ones, such as company communications to their clients and customers, and, in the case of ransomware-focused attacks, the information threat actors leak on public extortion sites.
You can also use threat intelligence providers, if they are able to understand the TTPs commonly associated with threat actors and known attacks and produce an output that is oriented to and relevant for your organisation. This is the 'so what' factor. If they cannot, you need to be asking why, or working with intelligence analysts who can turn that information into intelligence that is actionable.
You must be consuming actionable and timely intelligence; it is a valuable commodity that can help you protect your organisation. Information by itself will not.
Questions to ask to further your Cyber Threat Intelligence
So you now know there is a stark difference between information and intelligence. Information is raw, uncorroborated data that appears everywhere. Intelligence is a core capability, which requires process, skill, and experience. To address the risks posed by the various types of threat actors, you need to think like them and consume intelligence that allows you to take action and make informed decisions.
In today's interconnected world, with the ever-growing complexity of threats, you should be able to answer (or at least know where to get the answers to) the following questions:
- What information is out there about our organisation that could be useful in the formative stages of an attack?
- What type of threat actor is likely to target us?
- How are they likely to target us?
- What does the risk from our supply chain look like?
- Could the compromise of a supplier have much of an effect on our organisation meeting its business objectives?
- What would we do if we discovered the above?