Threat intelligence is evidence-based knowledge about existing or potential threats that includes context, mechanisms, indicators, consequences, actionable recommendations and can be used to make response decisions.
Gartner, McMillan (2013) from Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study
What Is Threat Intelligence Used For?
-
Threat intelligence raises awareness of threats and more adequately selects protective measures that are suitable for the landscape of threats relevant to the organization (taking into account the specifics of its activities/sector of the economy, industry).
-
Threat intelligence also improves the quality of detection and response to threats both proactively and reactively.
Today, most organizations focus their efforts only on the installation of technical security tools, such as IPS / IDS, ME, SIEM, but do not fully use the collected data for analytics.
The Analytical Threat Intelligence Life Cycle
-
The Planning Stage of the Threat Intelligence Life Cycle
-
Definition of the list of assets;
-
Definition of the list of threats;
-
Determine the list of sources of information.
Internal: Firewall, IDS, SIEM, AV;
External: Community Information.
-
-
The Collection Stage of the Threat Intelligence Life Cycle
-
The Processing and Analysis Stage of the Threat Intelligence Life Cycle
Once the raw data has been collected, it must be converted into a format suitable for analysis. To what extent the found threats are applicable to a particular organization (region and sector).
-
The Dissemination Stage of the Threat Intelligence Life Cycle
The final step in the threat intelligence life cycle involves determining whether changes to the threat inventory need to be made.
3 Levels of Threat Intelligence
- Tactical intelligence
Goal: To gain a broader understanding of threats.
Tactical intelligence is short-term, technical in nature, and identifies simple indicators of compromise (IOC - Indicators Of Compromise).
IOC: IP addresses, URLs, hashes, domains, filename/path, registry value, usernames, e-mail addresses.
- the process is almost always automated;
- short service life, since IOCs can become obsolete in a few days or even hours.
Questions to ask:
- What are the IOC channels? (SIEM, Firewall, AV, Endpoints, IDS, NGFW)
- Are IOCs relevant?
- Operational intelligence
Goal: Track active APT factions to better understand the opponents behind the attacks.
Behind every attack are questions:
- "Who?" - attribution;
- "Why?" - motivation;
- "How?" - TTP.
Tactics, Techniques, and Procedures (TTPs) - The goal is to define behaviors that can be used to protect against certain strategies and threat vectors used by attackers.
Operational intelligence requires human analysis of information. Operational intelligence requires more resources than tactical intelligence but has a longer lifespan because attackers cannot quickly change their TTPs.
- Strategic intelligence
Attackers don't operate in a vacuum - there are almost always higher-level factors in place to carry out cyberattacks. For example, nation-state attacks are usually tied to geopolitical conditions.
Strategic intelligence shows how global events, foreign policy, and other long-term local and international movements can potentially affect an organization's information security.
How to Incorporate Data from Threat Intelligence
- expand the list of threats;
- use when setting the priority of eliminating vulnerabilities;
- incident response;
- risk assessment;
- raising awareness;
- compliance.