When discussing cybersecurity, talk invariably turns to technical controls (e.g., firewalls, permissions, and cameras). But having all the tools in the world will not matter if your organization does not know what it is trying to protect its network from. How do I know what to be on the lookout for? Threat intelligence is the key to fully developing and utilizing our security architecture. It is quality threat intelligence that helps analysts like me know what (and who!) might be lurking in your systems and networks.
Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Examples of threat intelligence include advanced persistent threat (APT) attack patterns, reports of attack trends (i.e., what public/private sectors are currently under attack), new vulnerabilities being attacked in the wild, and indicators of compromise (IoCs).
Threat intelligence can be broken down into 3 different types: 1) Strategic; 2) Tactical; and 3) Operational. Strategic threat intelligence typically provides high-level analysis ideal for a non-technical audience, such as stakeholders, board members, and the news media. Meanwhile, tactical threat intelligence, which includes IoCs, is designed to outline the various techniques and procedures threat actors use to help security professionals understand how their organization is most likely to be targeted. Finally, operational intelligence details threat actors’ motivations and capabilities, including their tools, techniques, and procedures.
You might ask: How can I defend my network if I do not know anything about my attacker or their methods? Threat intelligence is used for proactive and reactive defensive postures. Threat intelligence can also help manage your blue team more efficiently, as it enables team members to focus on likely attack avenues rather than trying to have them cover every single possible attack vector. This intelligence can also be useful when negotiating a security budget, as it helps indicate potential risk during risk cost analysis.
Below are a few examples of how organizations can leverage threat intelligence.
1. Ingest threat intelligence feeds into other security applications to strengthen monitoring and protection.
2. Use the intelligence to tune newly deployed security controls.
3. Incident response teams can use the intelligence to determine potential threat actors, which then leads to looking for specific IoCs.
4. Develop a security road map for your organization.
Threat intelligence feeds can be categorized in two ways: private and open source. Both categories have their pros and cons. Private sources tend to cost money, taking a piece of your security budget, but they offer the benefit of a third-party vendor that can help you determine the reliability of the intelligence. Meanwhile, open-source intelligence is free, but you are more likely to have to judge the reliability of the intelligence on your own.
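To make the feed-ingestion and reliability points above concrete, here is an added example (not from the original post) that merges IoCs from two feeds, weights each by source reliability, and triages log hits. The feed names, reliability scores, log format, and the combining rule (which assumes sources report independently) are all assumptions for illustration.

```python
# Constructed feeds: (indicator, type, reporting source). Values use
# documentation-only IP ranges and reserved example domains.
FEEDS = [
    ("203.0.113.45", "ip", "vendor_feed"),
    ("bad-updates.example", "domain", "vendor_feed"),
    ("198.51.100.7", "ip", "community_list"),
    ("203.0.113.45", "ip", "community_list"),
]
# Assumed analyst-assigned reliability per source (0.0 to 1.0).
RELIABILITY = {"vendor_feed": 0.9, "community_list": 0.4}

# Constructed proxy log lines: timestamp, internal host, destination.
LOGS = [
    "2024-05-01T10:00:01Z host=ws-014 dst=203.0.113.45 port=443",
    "2024-05-01T10:00:09Z host=ws-022 dst=198.51.100.7 port=80",
    "2024-05-01T10:01:30Z host=ws-014 dst=bad-updates.example port=443",
    "2024-05-01T10:02:11Z host=ws-031 dst=192.0.2.10 port=443",
]

def build_index(feeds, reliability):
    """Merge feeds into {indicator: confidence}; corroboration raises confidence."""
    index = {}
    for indicator, _kind, source in feeds:
        r = reliability.get(source, 0.0)  # unknown sources contribute nothing
        prev = index.get(indicator.lower(), 0.0)
        # Assumed rule: chance that at least one independent source is right.
        index[indicator.lower()] = 1 - (1 - prev) * (1 - r)
    return index

def triage(logs, index, alert_at=0.8):
    """Return (severity, host, indicator, confidence) for every log hit."""
    hits = []
    for line in logs:
        # Skip the timestamp, then parse the key=value fields.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        dst = fields.get("dst", "").lower()
        if dst in index:
            conf = round(index[dst], 2)
            severity = "alert" if conf >= alert_at else "review"
            hits.append((severity, fields.get("host"), dst, conf))
    return hits

if __name__ == "__main__":
    for hit in triage(LOGS, build_index(FEEDS, RELIABILITY)):
        print(hit)
```

A hit seen only on the low-reliability list lands in "review" rather than paging anyone, while an indicator corroborated by both feeds scores higher than either source alone.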
There are numerous tools you and your organization can use to import, export, and manage threat intelligence. The list below is not exhaustive, but it does provide a sampling of available tools. I recommend researching and testing various tools (including ones not on this list) to find what works best for you and your organization.
• OpenCTI – Ingests threat intelligence for analysis and review.
• MISP – Platform to assist in the automation of sharing threat intelligence with partners, organizations, etc.
• Feedly – News aggregator that saves you from manually searching various news feeds for potential threat intelligence.
Threat intelligence is an important tool in developing a mature security infrastructure. There are a lot of open-source and private sources and tools out there designed to help you in leveraging threat intelligence. Hopefully this blog will provide your organization with a starting point to begin developing a plan for bringing threat intelligence into your environment.