Cyber Threat Intelligence

What is Cyber Threat Intelligence (CTI)?

Cyber Threat Intelligence (CTI) is threat data or information that has been "aggregated, transformed, analysed, interpreted, or enriched to provide the necessary context for decision-making processes".  

National Institute of Standards and Technology (NIST)  

Threat intelligence (TI) is evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice — about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard.  

Gartner  

‍

Types of threat intelligence

Strategic Threat Intelligence

Strategic TI is information that provides a broad, high-level view of current attack trends, risks and attacker motives. It helps decision makers prioritise resource allocation and security spending, and is usually consumed in the form of reports.  

Tactical Threat Intelligence

Tactical TI is intelligence on how threat actors are executing attacks and how incident responders can prepare for & mitigate threats. It includes attacker Tactics, Techniques and Procedures (TTPs), vectors and indicators.  

Operational Threat Intelligence

Operational TI is information about possible attacks against an organisation, and the infrastructure, resources and capabilities of attackers. It is usually externally sourced through OSINT (Open Source Intelligence) feeds & dedicated CTI providers with access to closed chat forums.  

‍

CTI may also be classified as qualitative and quantitative intelligence.

Qualitative

Qualitative TI focuses on a limited set of subjects but covers these subjects in great detail. It involves the in-depth investigation of specific attack campaigns, threat actors or malware families, and is oriented towards enriching an organisation's existing knowledgebase.  

Quantitative

Quantitative TI has a wider area of focus and covers a large number of subjects that may include threats, techniques and malware targeting a certain sector or region. It involves bringing together information from a range of sources much of which may be available publicly.  

‍

Sources of threat intelligence

Internal

Internal TI includes everything that is collected from various network and endpoint monitoring and security tools used within the organization, an addition to internal processes, reports and other documentation, such as:  

• Internal telemetry (Endpoint, Network, Cloud)  
• Data from past incidents (techniques used, assets targeted, vulnerabilities exploited, attacker motives)
• Sandboxing and analysis of blocked malware  
• Analysis of organisational risks (people, processes and technology)  

External

External TI comes from external sources like public TI feeds, blogs, news sites, commercial TI vendors or industry-specific TI communities and groups dedicated to information sharing. These may include:  

• Threat intelligence feeds (both open-source and paid subscriptions)  
• Security news, advisories, ISACs  
• Attacker group chat forums (access through dedicated CTI providers)  
• Community sharing groups for industry or sector-specific attack trends; brand mentions online  
• Knowledgebases (eg. MITRE ATT&CK)  

Why is threat intelligence important?

Threat intelligence is an important component of all stages of cyber defence.  

• It enhances security practitioners' ability to prevent, detect, investigate and effectively respond to all kinds of cyber threats by enriching and adding context to alerts and artifacts.  
• It turns threat information into relevant and actionable data that can be integrated into detection and response tools & processes.  
• Strategic, high-level threat intelligence helps business leaders and executives make better security-related decisions.  

Threat Intelligence uses

• Vulnerability management – prioritising patches  
• Alert triaging; risk and threat rating; indicator correlation  
• Threat hunt planning and hypothesis building  
• Incident Response (IR) plan building  
• Faster, more thorough investigations with added context  
• Faster threat detection - knowing the enemy and what to look for  
• Faster and more effective incident response  
• Better attack preparedness and predictive security  

Ultimately, actionable threat intelligence helps with proactive defence and overall better decision making. Integrating relevant CTI into your security tool stack improves all areas of your cyber defence.  

‍

Threat intelligence and SOAR

While threat intelligence is critical to the success of any cyberdefence program and the data it is culled from is sometimes widely and readily available, it can be challenging to turn raw data into useful, relevant intelligence. Some of the issues the cyber security community has had to deal with over the years are:  

• Making sure data from multiple sources can be translated into a single language, format and structure  
• Filtering out or combining information that is repeated in different forms in various sources and feeds  
• Adding context to individual pieces of information that may not make sense unless seen as part of a bigger picture  
• Minimising the need to process data manually  

Security Orchestration, Automation and Response (SOAR) technologies have helped solve many of these challenges by enabling organisations and security teams to ingest & automatically correlate data from various internal and external CTI sources. This makes data usable for different security functions.  

The automatic correlation and enrichment of different indicators and artifacts facilitates the integration of relevant threat intelligence into detection and response tools to operationalise it.    

‍

Threat intelligence as part of MDR

Managed Detection and Response (MDR) providers like LinearStack leverage a variety of tools, processes and human expertise to derive actionable threat intelligence out of threat data. Relevant CTI is  built into detection tools for speedier investigations and deeper, more thorough root-cause analysis.  

MDR services also use orchestration and automation technology with streamlined, playbook-driven processes to ingest, analyse, correlate and filter threat data, and add context to alerts and artifacts. This automated enrichment of threat indicators with additional context, which is a feature built into most modern XDR platforms, allows incident responders to reduce response time significantly.  

‍

LINEARSTACK'S MDR SERVICE AND CTI

As your MDR provider, we work closely with your internal teams to understand your business priorities, IT infrastructure and critical assets so we can deliver relevant CTI collated specifically to meet your unique needs. We ensure that you get actionable, timely threat intelligence that can be integrated into your detection and response tools & processes for faster detection, streamlined investigation, and more effective response.  

Our follow-the-sun MDR service is designed to augment your cyber defence capabilities with best-in-class detection and response technology and skilled security professionals who protect you from threats 24/7.  

GET IN TOUCH WITH US TO KNOW MORE ABOUT OUR MDR OFFERING.  

Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free consultation with one of our security experts. We can walk you through our Managed Detection and Response process and demonstrate how our analysts stop advanced threats every day to help organisations like yours stay protected.  

Read more here https://www.linearstack.co.nz/managed-services/managed-detection-response