Cyber threat intelligence starts with collecting, analysing and filtering information that can then be turned into threat intelligence. Information becomes intelligence when its source, reliability and context are evaluated, making it valuable and evidence-based, and when false positives are filtered out. Researchers around the world are constantly reverse engineering malware to build blueprints of the bad guys' handiwork, and luckily for us these kind researchers share their findings for free in threat intelligence feeds.
Cyber threat intelligence can help your organisation clean up malicious activity earlier in the kill chain, for example by identifying network activity bound for known command and control servers, or by dynamically blocking the latest phishing domains on your email gateway. Threat intelligence enables us to make faster, more informed, data-backed security decisions and shifts our behaviour from reactive to proactive in the fight against threat actors. Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice, about existing or emerging menaces or hazards to assets.
Benefits of Cyber Threat Intelligence
In the world of cybersecurity, advanced persistent threats (APTs) and defenders are constantly trying to outmanoeuvre each other. Data on a threat actor's next move is crucial to proactively tailoring your defences and pre-empting future attacks. Many organisations today still focus their efforts only on the most basic use cases, such as integrating threat data feeds with their existing network devices, IPS, firewalls and SIEMs; this focus does not take full advantage of the insights that cyber threat intelligence can offer. Organisations with only this basic level of threat intelligence are missing out on advantages that could significantly strengthen their security posture.
Cyber threat intelligence gives us insight into the unknown, enabling cyber security teams to make better decisions. It reveals the motives, tactics, techniques and procedures of threat actors and gives us a better understanding of their decision-making process. For business leaders, cyber threat intelligence empowers faster and more efficient investment decisions to mitigate risk. Organisations of all sizes benefit from threat intelligence because it helps them process threat data to better understand their attackers, respond faster to incidents and proactively get ahead of a threat actor's next move.
Cyber Threat Intelligence Lifecycle
It’s important to view threat intelligence production as a multi-step, cyclical process. The goals of the intelligence cycle must be defined by key stakeholders. Data will then be gathered from a range of sources, internal, technical, and human, to develop a complete picture of potential and actual threats. This data will then be processed and turned into actual intelligence that is timely, clear, and actionable for everyone. This finished intelligence output then goes back to key stakeholders, who can use it to continuously improve future intelligence cycles and improve their decision-making process.
The lifecycle focuses on six distinct phases that make up what is called the “intelligence cycle”: direction, collection, processing, analysis, dissemination, and feedback.
During the direction phase of the lifecycle you set goals for the cyber threat intelligence program. This involves clearly documenting and understanding:
- The business processes and data assets that need to be protected
- The possible impacts of losing those data assets or the interruption of business processes
- The types of threat intelligence that the security organisation requires to protect the assets and processes and respond to threats
- Priorities about what to protect.
The team will agree on the goals and methodology of their intelligence program based on the needs of the stakeholders involved. The team may set out to discover:
- Who the attackers are, and their motivations
- What the entire network and software environment exposed to remote or local attacks looks like
- What actions should be taken to strengthen the organisation's defences against a future attack.
Once high-level intelligence needs are determined, an organisation can formulate requirements that establish guidelines about what it is trying to achieve from the outset.
Collection is the process of gathering the information required to address the most important intelligence requirements determined in the Direction phase. Information gathering can occur through a variety of means, including:
- Metadata and logs from internal networks and security devices
- Threat data feeds from organisations and cybersecurity companies
- Information from knowledgeable sources
- Reading open source blogs
- Scraping data from websites and forums, using web harvesting tools
- Closed-source and dark web monitoring.
The data collected will be a combination of finished information, such as cyber threat intelligence reports from cybersecurity experts and vendors, and raw data, like malware signatures or breached data and other sensitive information leaked on 'paste' sites.
The collected information must be processed and transformed into a suitable format for analysis. Most raw data collected will need to be processed in some manner, by humans or machines. This may entail organising data points into spreadsheets, decrypting files, translating information from foreign sources, and evaluating the data for relevance and reliability.
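The command and control and phishing-domain matching described earlier, together with the reliability evaluation this processing step calls for, as one added example (not code from the original post): a constructed indicator feed is graded with an assumed Admiralty-style reliability/credibility scheme, low-confidence entries are dropped before they can generate false positives, and the rest is matched against constructed proxy log lines. The feed values, log format and field names are all assumptions of this example.

```python
import re
# Constructed sample feed (illustrative values, not real indicators). Each entry
# carries its source and a simplified Admiralty-style grade, assumed for this
# example: reliability A (reliable) to F (cannot be judged), credibility 1
# (confirmed) to 6 (cannot be judged).
FEED = [
    {"value": "198.51.100.23", "tag": "c2", "source": "vendor-feed",
     "reliability": "A", "credibility": 2},
    {"value": "login-secure-example.test", "tag": "phishing", "source": "osint-blog",
     "reliability": "C", "credibility": 3},
    {"value": "203.0.113.9", "tag": "c2", "source": "unvetted-paste",
     "reliability": "F", "credibility": 6},
]
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}

# Constructed proxy/firewall log format: timestamp, source, destination, HTTP host.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S*)$")
LOGS = [  # constructed sample lines; the third hits only the unvetted indicator
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 host=",
    "2024-05-01T10:00:02Z src=10.0.0.7 dst=192.0.2.44 host=login-secure-example.test",
    "2024-05-01T10:00:03Z src=10.0.0.9 dst=203.0.113.9 host=",
]


def indicator_confidence(ind):
    """Fold source reliability and information credibility into one 0..1 score."""
    return round(RELIABILITY[ind["reliability"]] * (6 - ind["credibility"]) / 5, 2)


def build_index(feed, min_confidence=0.3):
    """Processing: drop indicators below the confidence bar (noisy-source false positives)."""
    index = {}
    for ind in feed:
        conf = indicator_confidence(ind)
        if conf >= min_confidence:
            index[ind["value"]] = {**ind, "confidence": conf}
    return index


def match_logs(lines, index):
    """Detection: one triage record per connection whose dst IP or HTTP host is a retained indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the pipeline
        for field in ("dst", "host"):
            ind = index.get(m.group(field))
            if ind:
                hits.append({"ts": m.group("ts"), "src": m.group("src"), "tag": ind["tag"],
                             "indicator": ind["value"], "confidence": ind["confidence"]})
    return hits
```

Lowering `min_confidence` to 0.0 lets the unvetted indicator through and the third log line becomes a hit, which is the false positive the confidence filter exists to suppress.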
Analysis will turn the processed information into intelligence that can inform decisions. The decisions might involve whether to investigate a potential threat, what actions to take immediately to block an attack, how to strengthen security controls, or how much investment in additional security resources is justified. A thorough analysis will find answers to the questions posed in the Direction phase.
Dissemination involves getting the finished intelligence output to the teams that can benefit from threat intelligence. The cyber threat intelligence team will translate their analysis into a suitable format and present the results concisely to the stakeholders.
The final stage of the threat intelligence lifecycle involves getting feedback on the provided report to determine whether adjustments need to be made for future threat intelligence operations. You need regular feedback to make sure you understand the requirements of each group, and to make adjustments as their requirements and priorities change.