Introduction to Cyber Threat Intelligence

After gaining a little traction and releasing a tool review for AutoRecon, I decided I wanted to share my greatest passion and interest in cybersecurity and release a series of articles on Cyber Threat Intelligence (CTI). Even though it is still a fairly new field, only emerging in 2011, it is based on well-established intelligence concepts and methods.

In this series of articles, I will go through how intelligence and threat intelligence are defined and implemented, as well as different aspects of threat intelligence and the tools, methods, and procedures used.

First, I think it is important to define intelligence and how it works in order to get a better understanding of CTI. Intelligence can be hard to define, since it serves various purposes and is used across various industries. However, for our purposes, we can think of intelligence as information that has been collected, analyzed, and shared to support a client or customer in making an informed, actionable decision. There are various forms of intelligence, each implementing different collection methods and procedures within the same overall process, known as the intelligence cycle. Yet the definition above holds for all of them.

Now that we have a basic understanding of intelligence and its purpose, let’s look at CTI and see what makes it different from traditional intelligence.

CTI keeps to the core definition of intelligence in that it is defined as actionable information that is collected, analyzed, and shared to support decision making. However, CTI is tailored to the specific purpose of preventing cyberattacks by focusing on developing intelligence on adversaries and risks. This intelligence is used to influence the security and policy decisions that help protect the critical infrastructure and assets of an enterprise.

As we break down CTI further, we see that the intelligence focuses on the motivations, intentions, and techniques of adversaries in order to develop a proactive defense strategy against these threat actors. In this way, it can be adapted to fit any organization and used to combat various adversaries and risks.

Lastly, I would like to mention the three types of CTI: operational/technical, tactical, and strategic. Operational intelligence focuses on ongoing cyberattacks and active threat actors. This type of intelligence is more concerned with the technical information from an attack, such as the malware used, domain names, IP addresses, and other details relevant to how an attack was carried out. Since threat actors typically switch up their tactics, this is time-sensitive information that is processed and analyzed quickly so that it can be delivered to a Security Operations Center (SOC). The SOC can then quickly implement the necessary security controls to combat these tactics in real time and hopefully prevent an attack.
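To make the operational tier concrete, here is an added example (not from the original article) of how a SOC might consume such a feed: indicators are aged out after a fixed window, since actors rotate infrastructure, and only the fresh ones are matched against DNS and proxy log lines. The feed entries, log lines, hostnames, and the 30-day window are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an operational CTI feed: indicators tied to an active
# campaign, each with the time the feed first reported it. Values are made up.
FEED = [
    {"type": "domain", "value": "update-check.example-bad.test", "first_seen": "2024-03-01T09:00:00"},
    {"type": "ip",     "value": "203.0.113.77",                  "first_seen": "2024-03-09T14:30:00"},
    {"type": "ip",     "value": "198.51.100.5",                  "first_seen": "2024-01-02T08:00:00"},
]

# Constructed DNS and proxy log lines from the SOC's own telemetry.
LOGS = [
    "2024-03-10T10:02:11 dns host=ws-042 qname=update-check.example-bad.test",
    "2024-03-10T10:05:43 proxy host=ws-017 dst=203.0.113.77 bytes=48213",
    "2024-03-10T10:06:10 proxy host=ws-003 dst=198.51.100.5 bytes=1200",
    "2024-03-10T10:07:00 dns host=ws-042 qname=intranet.corp.test",
]

def split_by_age(feed, now_iso, max_age_days=30):
    """Operational indicators go stale as actors rotate infrastructure, so only
    indicators first seen within max_age_days are pushed to blocking controls;
    the rest are returned separately for analyst review rather than dropped."""
    now = datetime.fromisoformat(now_iso)
    fresh, stale = {}, {}
    for ioc in feed:
        age = now - datetime.fromisoformat(ioc["first_seen"])
        bucket = fresh if age <= timedelta(days=max_age_days) else stale
        bucket[ioc["value"]] = ioc["type"]
    return fresh, stale

# Fields in the constructed logs that carry a domain (qname) or IP (dst).
FIELD_RE = re.compile(r"(?:qname|dst)=(\S+)")

def match_logs(fresh, lines):
    """Return (timestamp, host, indicator type, indicator value) for every
    log line whose queried name or destination is in the fresh indicator set."""
    hits = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        host = re.search(r"host=(\S+)", rest).group(1)
        for value in FIELD_RE.findall(rest):
            if value in fresh:
                hits.append((ts, host, fresh[value], value))
    return hits

if __name__ == "__main__":
    fresh, stale = split_by_age(FEED, "2024-03-10T12:00:00")
    for hit in match_logs(fresh, LOGS):
        print("ALERT", *hit)
    print("stale, held for review:", sorted(stale))
```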

Tactical intelligence focuses on Tactics, Techniques, and Procedures (TTPs), a concept we will go into much further later when we discuss frameworks and threat intelligence. This type of intelligence helps an organization understand exactly how it was attacked by identifying the techniques and procedures used at each stage of the attack, such as initial access, execution, persistence, and exfiltration. This is another type of intelligence best disseminated to a SOC, where it can be used to improve security controls, processes, and incident response.

Finally, strategic CTI is more of a broad overview of an organization's threat landscape. This is typically intelligence composed of the risks associated with a particular organization, and it is delivered to high-level executives. This type of intelligence is more business related and more focused on business continuity; it takes into account threat actor patterns, geopolitical events, and other topics relevant to the enterprise.

This is a deep topic and there is a lot more to digest. In this series of articles, we will be going through CTI in more detail and dive into the intelligence cycle, collection methods, IOCs, TTPs, APTs, CTI frameworks, and much more.

I hope you enjoyed this introduction and come back for more!

Lou Dell’Italia

Hackchouse.net

https://www.linkedin.com/in/lou-dell-italia-43745a82/

Suggested Resources:

Mark Lowenthal – Intelligence: From Secrets to Policy
https://www.amazon.com/gp/product/B07YHZMBYB/ref=dbs_a_def_rwt_bibl_vppi_i0

John Friedman & Mark Bouchard – Definitive Guide to Cyber Threat Intelligence
https://cryptome.org/2015/09/cti-guide.pdf

Recorded Future – Threat Intelligence Handbook

Recorded Future – Threat Intelligence
https://www.recordedfuture.com/threat-intelligence/

James Dietle – Effective Threat Intelligence
