Making the right decision requires an understanding of the problem at hand. Without information on that problem, you cannot hope to come up with a reasoned response: this is true in business, and it is true in cybersecurity.
As cybersecurity events continue to challenge every organization across the globe, a more intelligent and empirical approach must be used. Cyber Threat Intelligence (CTI) provides a framework to generate the actionable intelligence that tackles the onslaught of cyber threats banging on the door of the industry.
“CTI is used by organizations to enhance their defensive posture by understanding threats in relation to their Cyber Operating Environment (COE)” - zvelo, January 2022
Cybersecurity events and operations generate a lot of information. This information takes many forms including unauthorized access, exfiltration of data, and identified vulnerabilities. This information can often be subtle and nuanced and finding threats and potential breaches can be like looking for a needle in a haystack.
Cyber Threat Intelligence or CTI is a discipline used to collate and analyze data based on cybersecurity intelligence that then helps to identify threats. However, context is everything in CTI deployment, and to be effective, CTI data must be tailored to an individual organization.
Effective deployment of CTI depends on using a process that comprises six core steps.
Effective use of Cyber Threat Intelligence relies on a six-part process comprising:
|1. Planning & Direction||2. Collection||3. Processing|
|4. Analysis||5. Dissemination||6. Feedback|
Each part of the process works towards building up the profile of a threat. This then delivers actionable information to deal with that threat. Here is a deeper dive into each of the six process components:
A robust plan makes for a successful project. The CTI process begins with collaboration around planning and establishing the direction of the project. It is important at this first stage, that the CTI process reflects the needs of the organization; these needs vary across industry sectors.
The Planning and Direction of a CTI project should be a collaboration between external expert sources to help inform your cybersecurity strategy. From this, a tailored strategy can be developed to understand Malicious Cyber Actor (MCA) targets, attacks, and motives.
Some of the key questions that should be answered at this early stage are:
Once you have your plans outlined, the next stage is to collect data across the COE. These data are collected using various disciplines such as Signals Intelligence, Open-Source Intelligence, Geospatial Intelligence, etc.
There are three ways to collect CTI data:
An organization can buy data from third parties. This may be free or at cost, but data quality is important to avoid false positive noise.
Internal data provides more control over the data collected and can come from a variety of internal sources.
Combination of third-party and self-sourced
This method employs a mix of internally sourced and procured data. Research from zvelo shows that whilst this combined approach to data sources is unlikely to result in 100% CTI coverage, organizations should “maximize sources as much as possible.”
Zvelo researchers suggest that a tripartite of the following data rules produces the best results:
Processing is about taking raw data and turning it into useful information that, in this case, reveals cybersecurity threats. The first stage of the CTI process defined what the organization's cybersecurity priorities were. These priorities now inform this next stage.
Processing of CTI data requires that the data is aggregated and normalized. This normalization follows a common schema that helps accuracy during the analysis stage of the CTI process.
There are three common methods used to process data:
Data validation is a crucial part of robust processing in CTI. Using a zero-trust approach to validating data helps to ensure data quality.
Sign up for a FREE Demo of WebTitan DNS Filter to learn we can reduce the risk of cyber threats for your business.Book Free Demo
The root of CTI is in military intelligence. This discipline sets out three areas as core to understanding a situation or, in the case of enterprise security, the Operating Environment (OE): Priority Intelligence Requirements (PIR), what you need to know to complete the mission; Friendly Force Information Requirements (FFIR), what you need to know about your own forces; and, Commander’s Critical Information Requirements (CCIR), the key information needed to support decision making.
The analysis stage uses the processed data from stage three and prepares it for dissemination.
The data determined to meet the three core requirements is used. A best practice for any data deemed as not required (at this point) is to store it for possible later use.
There are three key types of analysis:
Manual: a human being uses their own experience alongside analysis tools to analyze the data. This technique is less used because of the potential for bias and the time and resources needed to complete an analysis task.
Fully-automated: this uses a rules-driven or AI/ML approach to data analysis.
Hybrid analysis: most organizations use this mix of manual and automated analysis as it provides a best of both worlds approach.
Once analysis is complete the next task in the CTI process is to disseminate the results. The scope of dissemination and timelines must reflect the needs of the consumer. The format is also an important consideration in CTI dissemination.
There are three format delivery types to choose from:
Expedient dissemination of CTI data to consumers is important.
To ensure this is done in a timely manner, there are three types of delivery available:
Flat File Downloads: customers can download files in formats such as text files and JSON.
API: allows the customer to create pull requests.
Feeds: pushes CTI data to the customer in an agreed format.
This final stage is important as it allows the CTI process to be optimized.
Feedback is between the intelligence producer and the intelligence consumer. Feedback must be a collaborative, push-and-pull process for it to generate actionable updates. Feedback offers valuable assessments that can improve product performance and effectiveness.
Sign up for a FREE Trial of TitanHQ's leading cloud security solutions and learn how we can protect your organisation from advanced threats.Book Free Trial