Cyber threat intelligence (CTI) is the process by which an organisation collects information and data about threats, then combines and analyses it to identify the risks posed by threat actors and the motives behind them. You can use this intelligence to prepare for, identify, prevent, and recover from cyber-attacks. Cyber threat intelligence is usually divided into four types: strategic, operational, tactical, and technical. Each takes a different approach, but good cyber threat intelligence draws on all of them to provide a well-rounded view of the current threat landscape.
Cyber threat intelligence isn't something you can 'set and forget'; it should be conducted routinely using the Threat Intelligence Lifecycle. You can find more information on this below.
Gathering information about existing and new cyber threats from the vast web landscape is vital for an effective defence against attackers. This kind of intel can give you a deeper understanding of what is happening within your threat landscape, giving better visibility of the threats lurking around the corner.
Why is Threat Intelligence Important?
Protecting against cyber attacks is like playing a game of chess. Each move needs to be strategic and well planned, and it helps to know your opponent's previous tactics. With cyber threat intelligence, organisations can build a picture of their threat landscape and make better decisions about cybersecurity planning and the technologies they use. Moving from a reactive to a proactive security posture also reduces the impact of an attack, and the recovery work that follows it, further down the line.
According to a recent survey, 78% of IT leaders lack confidence in their current cybersecurity posture. Don't let that be you! By focusing on cyber threat intelligence, you can empower your senior management team with clear and relevant reports about the specific threats currently facing your organisation, and ensure your budget reaches the most at-risk areas.
Cyber threat intelligence, though it seems a mammoth task to take on, will help lower your overall costs by focusing the security budget on critical areas and reducing budget wastage.
Who Needs Threat Intelligence?
No matter how big or small, every organisation that uses a computer system (everyone!) can benefit from using cyber threat intelligence.
From top to bottom of the IT chain, the positive impact of threat intelligence is felt at every level. The senior management team can be confident their budget is being spent strategically and effectively. IT managers and supervisors sleep better knowing their bases are covered and regularly reviewed. Finally, IT technicians and engineers have less on their plates and can get on with their work on the ground.
Using cyber threat intelligence to block IP addresses known from feeds and historical attacks can stop many direct attacks at the perimeter, from data exfiltration to distributed denial-of-service (DDoS) traffic from known sources. Bear in mind that attacker infrastructure churns quickly, so such blocklists need to be refreshed and expired rather than accumulated forever.
Combining this intel with your organisation’s specific IPs, ports, and other information, Skurio’s cyber threat intelligence platform provides personalised cyber threat intelligence ensuring you know everything from leaked credentials and discussions about your company to dossiers and recon scripts.
Overall, with cyber threat intelligence, your business benefits from customised and appropriate security applicable to your industry threats, and specific to your business.
Threat Intelligence Lifecycle
Cyber threat intelligence takes many forms and has many approaches, but the lifecycle remains consistent across the board. This loop enables your team to ensure ongoing protection and adapt to the changing threat landscape.
Drawing on the same principles as the CIA's 'Intelligence Cycle', the Threat Intelligence Lifecycle applies them to cyber threats. The intelligence is only complete and actionable if every stage of the cycle is completed; each step is essential for the integrity of the results, and incomplete data leads to solutions that leave part of the threat uncovered.
Planning and Direction
The first step of the Threat Intelligence Lifecycle is to identify which assets and information need protecting and to assess the impact on the business if they were compromised. The team formed to carry out the lifecycle should set goals and targets based on its members' skills and the needs of the business. During this stage, the team must identify:
- What is the threat landscape faced by your business and your industry?
- Where are threat actors most likely to gain access?
- What is the weakest point in the current security chain?
- Why are threat actors initiating these attacks?
- Who will be responsible for managing the threat intelligence and acting appropriately on its receipt?
- How do these objectives align with the business objectives?
Each industry and organisation faces different threats because of variations in software, hardware, and firmware, and the reasons an organisation is targeted also shape its threat landscape. For example, banks and pharmaceutical companies are more likely to be targeted by 'hacktivists', while a smaller business with less sophisticated defences than an enterprise can be an easy target for practice or for sport. These differences make it crucial that the questions are asked and answered by the security team together with an appropriate board member.
Collection
Searching surface websites is not enough. With assets identified and weak links recognised, the next step is to collect information about the threats facing these critical points. The team collects data (IP addresses, domains, chatter about the company, and so on) from multiple sources, including metadata, logs, industry data feeds, news sites, blogs, forums, and Dark Web forums and marketplaces. Pairing this with internal and external analysis of your current information systems builds a complete picture of the current threat landscape.
Processing
The information gathered must be organised and processed into a format your business can use. This may involve decoding, de-duplicating, normalising or otherwise manipulating the data, and different types of data need processing in different ways. For example, malicious IP addresses extracted from a forum post about actors targeting your industry might be collated into a spreadsheet and imported as a firewall block rule, whereas the titles of confidential documents that require approval for external use could be collated into an import file for a Data Loss Prevention (DLP) tool. Defanged indicators (hxxp://, 1[.]2[.]3[.]4) need refanging, and addresses must be validated before they reach a block rule so that you never block private ranges or your own infrastructure.
Analysis and Production
After processing, the data is handed to the analysts, who analyse it to answer the questions and objectives set in the direction phase. Their answers should translate into actionable items and valuable recommendations for the business and its objectives.
The findings must be shared with each stakeholder group in a format that communicates their severity, priority, and impact. For example, a slide deck may suit board members, while the IT team implementing the solutions needs a detailed report.
Dissemination
The final active stage of the Threat Intelligence Lifecycle is distributing the final outputs to the relevant teams. For each receiving audience, make sure the following questions have answers:
- What information do they need, and how can you assist with their action?
- Has the information been provided in an easily readable format with actionable recommendations?
- How often should they be updated on the status of their threat intelligence?
- Can teams share your final report with external stakeholders?
- What channels of communication are appropriate for follow-ups and updates?
This information is confidential and, in the wrong hands, could endanger the security of your organisation. Disseminate it according to the principle of least privilege (each audience sees only the information its role needs) and keep the rest under wraps, while ensuring teams have enough information to act appropriately. Marking reports with a sharing convention such as the Traffic Light Protocol (TLP) makes it clear to recipients whether a report may be passed on.
Feedback
To close the loop, the receiving teams should provide feedback to ensure the right areas are being targeted for your business. Feedback is essential for ongoing protection, and its results directly shape the input to the next cycle.
If the information is not tailored to the team that has to act on it, or is unreadable when presented, the cycle benefits no one. Stakeholders' priorities and business objectives change over time, so threat intelligence teams should review the process used throughout the cycle before feeding back into the Direction phase.
The work involved in each phase of the lifecycle can feel overwhelming for small or medium-sized businesses that don’t have sufficient resources. Still, with the right help, it can be achievable. Skurio's cyber threat intelligence platform empowers smaller and mid-sized businesses and brings the cycle to them. Real-time monitoring and inputs into the platform ensure the cycle repeats continuously and adapts to the needs of the business.
What are the Different Types of Threat Intelligence?
Cyber threat intelligence is usually divided into four types according to the kind of information each produces and who consumes it: strategic, operational, tactical, and technical.
The type of information gathered and the systems involved may call for different approaches. As covered in the Threat Intelligence Lifecycle, the various inputs can produce a mixed bag of final products depending on requirements, sources and intended audience.
Organisations can feed each of these styles into the cyber threat intelligence lifecycle.
Strategic Threat Intelligence
Strategic threat intelligence helps manage existing cyber threats by providing high-level information on cybersecurity posture, industry trends, threats, and the financial impact of cyber activity on business decisions.
Sources usually referenced for Strategic cyber threat intelligence can include whitepapers, research reports, content gathered by external organisations focused on cybersecurity, news sources, subject experts, and organisational policy documents.
By focusing on strategy and the historical trends of cyber-attacks within the industry, you can answer critical questions when feeding into the Threat Intelligence Lifecycle, such as:
- Is it worth keeping a legacy system or upgrading to a new one?
- Who may be looking to target the organisation and why?
- Does specific software that claims to help the cybersecurity position tangibly benefit the business?
Nothing scares board members more than technical jargon! Use strategic cyber threat intelligence to generate high-level reports, which help inform stakeholders of relevant risk scenarios without being overly technical. These reports can also help assess the impact and efficacy of the technology products claiming to decrease risk to your environment.
In short, strategic cyber threat intelligence answers the who and the why of threat actors in a broad sense, typically aimed at a non-technical audience.
Tactical Threat Intelligence
Tactical intelligence looks at the tactics, techniques, and procedures (TTPs) of threat actors, along with the Indicators of Compromise (IOCs) they leave behind, to tell you what needs protecting. Taken literally, learning an attacker's tactics gives an idea of their next move.
Sources can include IP and URL blocklists, log files, leaked credentials, the results of phishing campaigns, and malware signatures. Use this information to update block rules and notification systems in your security tooling.
Cyber threat intelligence teams can use IOCs to see precisely how a threat actor or malicious code behaves inside a network, which assists with prevention and detection at an earlier stage of an intrusion. Focusing on a specific industry when investigating attacks gives an idea of the threat landscape faced by organisations in that sector.
Tactical intelligence usually includes technical references and context within the reports. Defence implementation teams, usually systems administrators or architects, use it to make infrastructure decisions and speed up incident response. Information in these reports is specific to your organisation and its industry. Questions usually fed into the Threat Intelligence Lifecycle include:
- What systems within the sector are threat actors targeting and why?
- Are there any critical vulnerabilities in the systems that you use?
- What are the symptoms of the common attacks, and is my organisation showing any?
- Are there any mitigation strategies for known attacks that we can implement?
In short, Tactical Intelligence can answer the what and why of threat actors while providing a technical context to the results, generally aimed at the technical staff tasked with implementing solutions.
Operational Threat Intelligence
Operational cyber threat intelligence provides actionable information about specific incoming attacks. Because the data is so specific, its results are only valid for short-term decisions.
The idea of operational cyber threat intelligence is to provide information about threats before they become attacks. Sources can include discussions on Dark Web forums, social media, and government/cybersecurity leader predictions.
The specific nature of operational cyber threat intelligence means many barriers stand in the way of retrieving critical data, including:
- Access - Chat rooms and discussions held on privately owned servers make it legally and operationally challenging to gain access.
- Language - With groups of threat actors based in countries all over the world, communication is conducted in their native language. Intelligence services based in other countries will usually need this translated before it is actionable.
- Too much noise - Due to the high volume of posts on the common sources used for operational cyber threat intelligence, sifting through the false positives can be hard.
- Legality - While collecting intelligence, access to information should be legal and relevant to your organisation's intelligence goals. Gaining access to closed sources through third parties can expose you to legal complaints, especially if the information obtained is not relevant to those goals.
- Obfuscation - Because the activity is criminal, actors obfuscate it: changing usernames, using code words, and encoding messages all make detection harder.
Use operational cyber threat intelligence in conjunction with the other types of Threat Intelligence results to create a solid picture of your threat landscape.
In short, operational cyber threat intelligence answers the how of threat actors, providing a big-picture answer about specific issues for a non-technical audience.
Technical Threat Intelligence
Technical cyber threat intelligence consists of the technical details of a threat actor's actions, including the vulnerabilities exploited, the attack vector used, and the commands executed during an attack. As with operational intelligence, its specificity means the output is only usable for a brief period, because attacker infrastructure and tooling change quickly.
Sources for technical cyber threat intelligence include IOCs from active campaigns, cybersecurity vendor data feeds, information-sharing communities, and historical attacks. Teams can categorise IOCs during discovery as follows:
- Network - Suspicious domain names, URLs and links that deliver malicious code, and the IP addresses of known malicious or compromised systems and servers.
- Host-based - Evidence found on an infected computer or host, including file fragments, file hashes, metadata, or registry keys.
- Email - Evidence of social engineering, including phishing campaigns, spear phishing, smishing, or whaling.
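As an added example (not code from this page or from Skurio), the following Python script performs the Processing step described in the lifecycle section, where indicators pulled from a forum post are turned into a firewall block rule, and sorts what it finds into the network, host-based and email categories listed above. The input text, the 198.51.100.0/24 "own range" and the cti-block set name are constructed assumptions for the example; the addresses are RFC 5737 documentation addresses, which is why the script uses an explicit never-block list rather than Python's ip.is_private check.

```python
import ipaddress
import re

# Constructed sample (not real intelligence) of raw collected text, in the style
# of a forum post: defanged indicators, a hash, a lure address and a persistence
# key. The addresses are from RFC 5737 documentation ranges.
RAW_COLLECTION = r"""
C2 seen at 203[.]0[.]113[.]45 and hxxp://malware-drop[.]example/payload.bin
lure sent from billing@invoice-update[.]example, dropper sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
also beacons to 198.51.100.7; 10.0.0.5 is the poster's lab box, tool v1.2.3
"""


def refang(text):
    """Undo common defanging so the indicators can be parsed and matched."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("(.)", "."))


# Ordered (type, category, regex). Order matters: every match is blanked out
# before the next pattern runs, so an email's domain part or a URL's host is
# not also reported as a bare domain, and a SHA-256 is not also read as MD5.
IOC_PATTERNS = [
    ("email",    "email",   re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url",      "network", re.compile(r"\bhttps?://[^\s<>,;]+")),
    ("ipv4",     "network", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("sha256",   "host",    re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("md5",      "host",    re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("registry", "host",    re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\\S+")),
    ("domain",   "network", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def classify_iocs(raw):
    """Sort the indicators in raw text into network, host and email categories."""
    text = refang(raw)
    found = {"network": [], "host": [], "email": []}
    for ioc_type, category, pattern in IOC_PATTERNS:
        for value in pattern.findall(text):
            found[category].append((ioc_type, value))
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


# Ranges that must never reach a block rule: RFC 1918, loopback, link-local,
# multicast and (an assumption for this example) the organisation's own public
# range. In production also drop reserved/documentation space (ip.is_private
# covers it); the constructed sample above deliberately uses documentation IPs.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "198.51.100.0/24",  # assumed own public range
)]


def blockable_ips(iocs):
    """Validate the ipv4 network IOCs and drop anything unsafe to block."""
    keep = set()
    for ioc_type, value in iocs["network"]:
        if ioc_type != "ipv4":
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:  # the regex accepts 999.1.1.1; the parser does not
            continue
        if any(ip in net for net in NEVER_BLOCK):
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


def ipset_rules(ips, set_name="cti-block"):
    """Render validated addresses as ipset/iptables commands (set name assumed)."""
    lines = [f"ipset -exist create {set_name} hash:ip"]
    lines += [f"ipset -exist add {set_name} {ip}" for ip in ips]
    lines.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return lines


if __name__ == "__main__":
    iocs = classify_iocs(RAW_COLLECTION)
    for category, items in iocs.items():
        print(category, items)
    print("\n".join(ipset_rules(blockable_ips(iocs))))
```

Run as a script it prints each category and then ipset/iptables lines containing only 203.0.113.45: 10.0.0.5 is private and 198.51.100.7 falls inside the assumed own range, so neither reaches the rule. Load the set into a firewall on a schedule and expire old entries rather than letting it grow indefinitely.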
Technical cyber threat intelligence investigations will usually focus on one type of malware or malicious action. Reports can then be shared within communities to become part of a more extensive investigation.
Cybersecurity teams usually conduct technical cyber threat intelligence, producing a low-level, informative report. Using this information, your security team can block specific compromised traffic, IP addresses, and other usable data.
A good cyber threat intelligence platform will combine aspects of these styles to provide a well-rounded window into the threat landscape. Focusing on one will give incomplete results and may cause a company to take extreme action. Cyber threat intelligence should ensure faster and more informed decisions and reduce mistakes.
Cyber Threat Intelligence Use Cases
Too many alerts without valuable content can cause alert fatigue, meaning the important ones are missed. When considering implementing cyber threat intelligence solutions, you should identify the best use cases that are right for your organisation. Finding out the 'why' can ensure information and reports are accurate and beneficial. Below we have listed some valuable use cases that your organisation can apply to your systems.
Incident Response & SOC
Security teams responsible for Incident Response have a lot on their plates, especially in small or medium-sized businesses. These teams must sift through stacks of data and logs to manually assess the problem when incidents occur, sometimes leading to alert fatigue, and in turn, crucial alerts being missed.
Cyber threat intelligence can reduce the load by identifying and eliminating false positives, providing context for specific alerts, and comparing indicators across sources to establish their credibility. Most security products, from SIEMs to firewalls, accept intelligence feeds through a dedicated connector or an API, so incorporating it into an established toolset is straightforward.
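As an added example (not from the page or from Skurio's product), here is how alert triage against threat feeds can be expressed in a few lines of Python: each proxy log line is matched against two merged feeds, and an alert is raised only when the indicator is corroborated by more than one feed or comes from a single high-confidence source; everything else is suppressed with a stated reason so it never reaches an analyst. The two feeds, the log lines, the thresholds and the fixed "today" date are all constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Two constructed threat feeds (not real data) as CSV text, each carrying a
# confidence score and a first-seen date per indicator. The column names are
# assumptions; real feeds differ, but most carry something equivalent.
FEED_VENDOR = """indicator,confidence,first_seen
203.0.113.45,90,2024-03-01
198.51.100.200,40,2024-01-15
bad-login.example,80,2024-02-20
"""
FEED_COMMUNITY = """indicator,confidence,first_seen
203.0.113.45,70,2024-02-28
cdn-static.example,20,2022-06-01
"""

# Constructed proxy log: timestamp src_ip dst_host dst_ip action
PROXY_LOG = """2024-03-02T10:01:02 192.168.1.20 update.vendor.example 192.0.2.10 ALLOW
2024-03-02T10:01:05 192.168.1.31 bad-login.example 203.0.113.45 ALLOW
2024-03-02T10:02:11 192.168.1.44 cdn-static.example 192.0.2.55 ALLOW
2024-03-02T10:03:40 192.168.1.20 files.example 198.51.100.200 ALLOW
"""


def load_feeds(feeds):
    """Merge feeds into {indicator: [(feed, confidence, first_seen), ...]}."""
    index = defaultdict(list)
    for feed_name, text in feeds.items():
        for row in csv.DictReader(io.StringIO(text)):
            index[row["indicator"]].append(
                (feed_name, int(row["confidence"]), date.fromisoformat(row["first_seen"])))
    return index


def triage(log_text, index, today, min_single_conf=75, stale_days=365):
    """Match log lines against the feed index and decide alert vs. suppress.

    An alert needs either corroboration by two or more feeds or a single
    source at or above min_single_conf. Otherwise the match is suppressed,
    tagged as stale if its newest sighting is older than stale_days.
    """
    alerts, suppressed = [], []
    for line in log_text.strip().splitlines():
        ts, src, host, dst, _action = line.split()
        hits = {ioc: index[ioc] for ioc in (host, dst) if ioc in index}
        if not hits:
            continue
        sightings = [s for group in hits.values() for s in group]
        feeds = sorted({feed for feed, _, _ in sightings})
        best = max(conf for _, conf, _ in sightings)
        newest = max(seen for _, _, seen in sightings)
        context = {"time": ts, "src": src, "indicators": sorted(hits), "feeds": feeds,
                   "confidence": best, "first_seen": newest.isoformat()}
        if len(feeds) >= 2 or best >= min_single_conf:
            alerts.append(context)
        elif (today - newest).days > stale_days:
            suppressed.append(("stale indicator", context))
        else:
            suppressed.append(("single low-confidence source", context))
    return alerts, suppressed


def triage_sample():
    """Run the triage over the constructed feeds and log with a fixed date."""
    index = load_feeds({"vendor": FEED_VENDOR, "community": FEED_COMMUNITY})
    return triage(PROXY_LOG, index, today=date(2024, 3, 2))


if __name__ == "__main__":
    alerts, suppressed = triage_sample()
    for alert in alerts:
        print("ALERT", alert)
    for reason, ctx in suppressed:
        print("suppressed:", reason, ctx["indicators"])
```

Only the second log line becomes an alert, and it arrives with its context attached (both feeds, the highest confidence, the most recent sighting, the internal source host). The stale community hit and the single 40-confidence vendor hit are logged as suppressed rather than discarded silently, so the thresholds can be tuned later.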
Ensuring your staff aren't chasing wild geese with irrelevant alerts can save time, money, and resources. With Skurio's cyber threat intelligence platform, users can automatically search multiple sources for threats relevant to the business and filter out those pesky false positives. The automation leaves security teams with only informative and applicable risks, with help not far away from our on-hand analysts, who can provide helpful advice and recommendations.
Vulnerability Management/Risk Management
Traditionally, infrastructure and security teams try to patch everything, all the time. Held to that standard, teams end up prioritising the loudest problem rather than the most significant risk. While a good idea in theory, this is hard to attain and maintain in practice.
What's not often considered is that threat actors have the same limitations to their time and resources. Naturally, they'll tend to use the easiest and least resource-heavy methods, so long as they continue to produce valuable results.
Zero-day exploits have been hitting the news hard recently. Still, it is far more common for threat actors to target a known vulnerability, which makes it more efficient to focus on known vulnerabilities than to chase potential ones. Threat actors are also getting quicker: the time it takes them to develop working exploit code for a newly disclosed vulnerability is shrinking, to an average of just over two weeks.
Using cyber threat intelligence to know which vulnerabilities pose a real risk to your organisation assists with risk management, planning, and modelling. Many standard risk models produce vague, unquantified output, hastily put together or based on unfounded assumptions and guesswork. Pairing risk modelling with cyber threat intelligence provides the context needed to back up beliefs and outcomes. With more valid information in the risk model and fewer assumptions, you can be confident in the security and protection you're extending to your network.
Users can input information derived from vulnerability and risk management plans and from the initial stage of the threat intelligence cycle into Skurio's cyber threat intelligence platform to ensure a reduction in patching and vulnerability exploitation downtime.
Fraud Prevention
Cyber threat intelligence is usually advertised around protecting IT systems from exploitation. Alongside this critical aspect, you can use the same principles to prevent fraud. For example, a phishing message sent from a hacked email account that reassures the recipient it is fine to click a link is likely to be trusted, deceiving your customer or supplier. Unauthorised use of your company brand or data, or impersonation of its employees, can damage your reputation.
Cyber threat intelligence methods gather information about criminal communities from many places on the web, open and closed, providing a view into the tactics, techniques, and motivations of threat actors. Sites on the surface, deep, and Dark Web, can contain attack plans, hacked information, fraud/scam kits, and other criminal information.
Use cyber threat intelligence to prevent certain types of fraud:
- Compromised data - Threat actors regularly advertise stolen or compromised data on surface and Dark Web sites. Monitoring for credential dumps, compromised corporate data, or leaked proprietary code is a core use of threat intelligence.
- Intellectual Property/Digital Content - Businesses invest time and resources into getting their product out on the market. Monitoring for your brand name on the web can ensure you discover name and brand misuse. Threat actors may use your company brand and digital content downloads to manipulate your current or prospective customers.
- Typosquatting - Threat actors impersonate your company or brand, often alongside phishing campaigns, using spoofed, fake or look-alike domains to extract information. Closely monitoring newly registered domain names that resemble your brands protects your reputation; look for single-character typos, hyphenated or transposed variants, and homoglyphs, not just exact matches.
- Payment - Monitoring for card numbers, bank identification numbers (BINs), or references to company financial information can warn of upcoming attacks that might affect your organisation.
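As an added example (not from the page or from Skurio), the following Python code screens a list of newly registered domains for look-alikes of a brand domain. The brand acmebank.example, the candidate list and the homoglyph table are constructed assumptions. It goes a little beyond the typosquatting bullet: it catches accent and hyphen variants, common homoglyph substitutions, an edit distance of one including adjacent transpositions, and the brand embedded in a longer name.

```python
import unicodedata

BRAND = "acmebank.example"  # assumed brand domain for this example

# Constructed list standing in for a feed of newly registered domains.
NEW_REGISTRATIONS = [
    "weather.example",          # unrelated
    "acmebank.example",         # the brand itself
    "acmebamk.example",         # one substituted character
    "acmebnak.example",         # two adjacent characters transposed
    "acme-bank.example",        # hyphen inserted
    "acrnebank.example",        # 'rn' imitating 'm'
    "acmébank.example",         # accented character
    "acmebank-login.example",   # brand embedded in a longer name
]

# Character sequences commonly used to imitate others (an assumed, partial table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN look-alikes are compared as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def normalise_label(label):
    """Lower-case, strip accents and hyphens, and collapse homoglyph sequences."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = label.replace("-", "")
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(domain, brand=BRAND):
    """Return a reason string if the domain resembles the brand, else None."""
    dom = to_unicode(domain.lower().rstrip("."))
    if dom == brand:
        return None  # the brand's own registration
    brand_label = normalise_label(brand.split(".")[-2])
    label = normalise_label(dom.split(".")[-2] if "." in dom else dom)
    if label == brand_label:
        return "lookalike (accent, hyphen or homoglyph)"
    if osa_distance(label, brand_label) <= 1:
        return "typo (edit distance 1)"
    if brand_label in label:
        return "brand embedded in name"
    return None


def scan(domains, brand=BRAND):
    """Screen a list of domains and return (domain, reason) for each hit."""
    hits = []
    for domain in domains:
        reason = classify_domain(domain, brand)
        if reason:
            hits.append((domain, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in scan(NEW_REGISTRATIONS):
        print(f"{domain:28} {reason}")
```

Six of the eight constructed registrations are flagged; weather.example and the brand itself are not. Edit distance alone would miss the hyphen, accent and "rn" cases, and substring matching alone would miss the typos, which is why the checks are layered. Treat hits as leads for a registrar or takedown request, not as proof of malice.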
Use the Skurio cyber threat intelligence platform to generate alerts for any mention of crucial business information and get a jump on any nefarious attacks heading your way.
Strategic Planning
Within small and medium-sized businesses (SMBs), limited resources make managing risk much harder. Cyber threat intelligence helps map the threat landscape and provides the intelligence you need to calculate risk and make informed decisions.
Strategic planning and development involve assessing business and technical risks and using the results to identify the right strategies to mitigate these risks. SMBs don't often have the resources or a dedicated team to focus on cyber threat intelligence or keep updated with cybersecurity trends.
Cyber threat intelligence is crucial to business strategy plans and development to ensure the security practices and technologies implemented appropriately protect your organisation.
Security leaders and your management team can benefit from cyber threat intelligence in the following ways:
- Communication - Threat Intelligence reports can scale up and down the complexity and context, depending on the recipient's experience. Understanding the impact of an impending attack with clearly reported and assessed information can help make critical decisions, justifying any countermeasures.
- Mitigation - The context provided with cyber threat intelligence reports can help prioritise vulnerabilities and weaknesses. This kind of short, sharp reporting can help you make decisions to resolve those targeted weaknesses that are easiest to exploit.
- Security skills gap - Security leaders are under pressure to establish and maintain the cybersecurity of the organisation they protect. Even with a full team, illness and unexpected absences put pressure on those still working. Cyber threat intelligence can automate tedious tasks and reduce unnecessary alerts, allowing your remaining staff to build their skills and perform better.
- Real-time knowledge - A picture of the threat landscape can provide security leaders with the ability to communicate the latest trends, threats, and events currently on the horizon to other board members.
Skurio's cyber threat intelligence platform can provide tangible improvements to your organisation's strategic position.
Certifications
Knowing you're in a good security position is one thing; having the reports and evidence to back it up is another.
Board members, customers, and partners sometimes require certifications to show your company's commitment to its cybersecurity goals. Though certifications are by no means necessary, if your business is working towards one, cyber threat intelligence is an excellent way of demonstrating that commitment.
Using Skurio's cyber threat intelligence platform, you can deploy the built-in reporting systems and evidence of alerts as proof of commitment.
How Can Threat Intelligence Manage Third-Party Risks?
Traditional information systems typically sit on-premises, behind the organisation's firewalls. In recent years, the cloud has blurred the boundaries of the conventional network. Data moves between networks and servers you do not control, making it harder to protect.
With this flow of data exponentially growing, it's essential to consider the security posture of your partners, vendors, and other third parties. Static data gathering such as questionnaires and financial audits can only provide a point-in-time assessment. The lack of industry context creates a need for a solution to provide you with real-time information on the landscape.
Cyber threat intelligence provides a window into the security posture of your company's third-party suppliers and your wider digital supply chain, giving you the context needed to evaluate those relationships regularly rather than once at onboarding.
Skurio's Cyber Threat Intelligence Platform
Skurio wants to make cyber threat intelligence accessible to everyone, no matter the IT budget. Skurio's cyber threat intelligence platform provides your team with a real-time cyber intelligence solution curating information and data from multiple sources.
Our cyber threat intelligence platform combines extensive experience with data pulled from the surface, deep, and Dark Web, making cyber threat intelligence more straightforward for businesses. Use powerful search tools, analysis, and reporting capabilities to access intelligence enriched with context immediately. Plus, the data visualisation and clear, actionable insights allow for faster research, leading to more rapid protection.
Set alerts through the platform to regularly monitor your company's presence across all mediums. We have experienced and knowledgeable analysts on hand to help interpret the data and assist you with your cybersecurity response.
While real-time monitoring of your reputation and data presence is essential, customers can also access historical reports to improve strategic and tactical cyber threat intelligence investigations.
Break down barriers between teams with centralised intelligence shared across logins. Shared access ensures team collaboration and coordination when implementing preventative solutions.
Intelligence gathered from the Dark Web is right at your fingertips, informing you of any chatter around your business. Analysts regularly review information gathered from invitation-only sites on the Dark Web to keep you informed and empower business security teams.