Cyber Threat Intelligence

Introduction

For cybersecurity measures to remain effective, the people who use them to protect systems and networks need knowledge and awareness of potential or current threats and attacks. This is where cyber threat intelligence, defined as the organisation, analysis and refinement of information about potential or current attacks that threaten an organisation, comes into play. This post aims to serve as an introduction and brief overview of cyber threat intelligence.

The primary purpose of threat intelligence is helping organisations understand the risks of the most common and severe external threats, such as zero-day threats, advanced persistent threats (APTs) and exploits. Although threat actors also include internal (or insider) and partner threats, the emphasis is on the types that are most likely to affect a particular organisation's environment. Threat intelligence reports often include in-depth information about specific threats in different business or service areas to help an organisation protect itself from the types of attacks that could do it the most damage.


Use Areas

The application of cyber threat intelligence within an organisation can be summarised in four main categories:
  • Predict: Strategic threat intelligence can help organisations forecast evolving threats before they materialise, and plan accordingly to avoid them.
  • Prevent: Threat intelligence that can stop incidents occurring in the first place, such as malware signatures that can be used to update signature-based detection mechanisms.
  • Detect: Intelligence that helps identify threats as they arise, or those that may already be present within a network, such as the tactics, techniques and procedures (TTPs) that threat actors use, which can drive threat hunting exercises.
  • Respond: Material that can inform a response to an existing incident with a view to mitigating its extent or impact, such as the TTPs a threat actor is known to use, which, once its presence has been discovered on a network, provide guidance on likely adversary next steps and how the victim should act.
The degree to which an organisation can consume threat intelligence across multiple business functions will depend on the nature of the material provided and the maturity of the consumer organisation.


Purpose of Cyber Threat Intelligence

Threat intelligence solutions gather raw data about emerging or existing threat actors and threats from a number of sources. This data is then analysed and filtered to produce threat intel feeds and management reports that contain information that can be used by automated security control solutions. The primary purpose of this type of security is to keep organisations informed of the risks of advanced persistent threats, zero-day threats and exploits, and how to protect against them.

When implemented well, threat intelligence can help to achieve the following objectives:
  1. Ensure organisations stay up to date with the often overwhelming volume of threats, including methods, vulnerabilities, targets and bad actors.
  2. Help organisations become more proactive about future cybersecurity threats.
  3. Keep leaders, stakeholders and users informed about the latest threats and repercussions that could have an effect on their businesses.
Organisations are under increasing pressure to manage security vulnerabilities, and the threat landscape is constantly evolving. Threat intelligence feeds can assist in this process by identifying common indicators of compromise (IOCs), the evidence that a cyber-attack has taken place, and recommending the steps needed to prevent an attack or infection. Some of the most common indicators of compromise include:
  • IP addresses, URLs and Domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.
  • Email addresses, email subject, links and attachments: An example would be a phishing attempt that relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.
  • Registry keys, filenames, file hashes and DLLs: An example would be an attack from an external host that has already been flagged for nefarious behaviour or that is already infected.
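As an added example (not code from the original post), the following Python script shows how the indicators listed above are put to work in the "Prevent" and "Detect" use areas described earlier: it loads a constructed IOC feed, normalises each indicator so that feed and log values compare equal (case, trailing dots, malformed entries), matches constructed proxy, mail and endpoint log lines against it, and exports a deny list for a proxy or firewall. The feed entries, log lines, IOC type names and function names are all assumptions made up for this example.

```python
import ipaddress
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed IOC feed for this example (not from any real intelligence source).
# Values deliberately use mixed case, trailing dots/whitespace and one bad entry
# so that the normalisation step has something to do.
IOC_FEED = json.loads("""
[
  {"type": "ipv4",   "value": "203.0.113.45 ", "context": "constructed: C2 node"},
  {"type": "domain", "value": "Update-Check.Example.NET.", "context": "constructed: malware callback domain"},
  {"type": "url",    "value": "HTTP://Files.Example.org/invoice.zip", "context": "constructed: phishing payload"},
  {"type": "email",  "value": "Billing@example.org", "context": "constructed: phishing sender"},
  {"type": "sha256", "value": "0123456789ABCDEF0123456789abcdef0123456789ABCDEF0123456789abcdef", "context": "constructed: dropper hash"},
  {"type": "ipv4",   "value": "not-an-ip", "context": "constructed: malformed feed entry"}
]
""")

# Constructed log lines (proxy, mail gateway, endpoint agent) for matching.
LOG_LINES = [
    "2024-03-01T10:02:11Z proxy src=10.0.0.21 dst=203.0.113.45 host=update-check.example.net status=200",
    '2024-03-01T10:05:40Z mail from=billing@example.org subject="Invoice overdue" url=http://files.example.org/invoice.zip',
    r"2024-03-01T10:07:02Z edr host=ws-014 file=C:\Users\a\Downloads\invoice.exe sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-03-01T10:09:15Z proxy src=10.0.0.33 dst=198.51.100.7 host=www.example.com status=200",
]


def normalise(ioc_type, value):
    """Canonicalise an indicator so feed and log values compare equal.

    Domains and e-mail addresses are case-insensitive; hashes are published in
    mixed case; URL scheme and host are case-insensitive but the path is not;
    IPs are parsed so that junk entries raise ValueError instead of matching.
    """
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type in ("email", "sha256"):
        return value.lower()
    if ioc_type == "ipv4":
        return str(ipaddress.IPv4Address(value))
    if ioc_type == "url":
        p = urlsplit(value)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    return value


def build_index(feed):
    """Return {type: {normalised_value: context}} for constant-time lookups."""
    index = defaultdict(dict)
    for rec in feed:
        try:
            index[rec["type"]][normalise(rec["type"], rec["value"])] = rec["context"]
        except ValueError:
            continue  # skip malformed feed entries rather than crash the matcher
    return index


# Regexes used to pull candidate indicators out of free-text log lines.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "email": re.compile(r"[\w.+-]+@[\w.-]+\.\w+"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def match_line(line, index):
    """Return a list of (ioc_type, value, context) hits for one log line."""
    hits = []
    for ioc_type, pattern in PATTERNS.items():
        for candidate in pattern.findall(line):
            try:
                key = normalise(ioc_type, candidate)
            except ValueError:
                continue  # e.g. a dotted quad that is not a valid address
            if key in index.get(ioc_type, {}):
                hits.append((ioc_type, key, index[ioc_type][key]))
    return hits


def scan(lines, index):
    """Detect use-case: run every log line through the matcher, one record per hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for ioc_type, value, context in match_line(line, index):
            findings.append({"line": n, "type": ioc_type, "value": value, "context": context})
    return findings


def blocklist(index, types=("ipv4", "domain")):
    """Prevent use-case: sorted network indicators for a proxy or firewall deny list."""
    return sorted(v for t in types for v in index.get(t, {}))


if __name__ == "__main__":
    idx = build_index(IOC_FEED)
    for hit in scan(LOG_LINES, idx):
        print(f"line {hit['line']}: {hit['type']} {hit['value']} ({hit['context']})")
    print("deny list:", blocklist(idx))
```

The normalisation step is where most real-world IOC matching goes wrong: a feed that publishes an upper-case hash or a domain with a trailing dot will silently miss every log entry unless both sides are canonicalised first, and a malformed feed entry should be dropped rather than allowed to abort the whole run.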

Conclusion

The great unknown; it can be exciting in many situations, but in a world where any number of cyber threats could bring an organisation to its knees, it can be downright terrifying. Threat intelligence can help organisations gain valuable knowledge about these threats, build effective defence mechanisms and mitigate the risks that could damage their ability to carry out their business and reputation. After all, targeted threats require targeted defence, and cyber threat intelligence delivers the capability to defend more proactively.
While the promise of cyber threat intel is alluring in itself, it is important to understand how it works so that organisations can choose the right cybersecurity tools and solutions to protect their business.
Hopefully, this post gives an introduction and overview of cyber threat intelligence. For more information about this area it is worth reading the cyber threat handbook by Thales, which gives a good global perspective on its importance while also outlining the different attack profiles that organisations should be aware of: https://www.thalesgroup.com/en/group/journalist/press-release/cyberthreat-handbook-thales-and-verint-release-their-whos-who
