Cyber Threat Intelligence (CTI) – Part 1

In today’s dynamic threat environment, CISO’s and their security programs often find themselves triaging a breach after the attack, analyzing digital artifacts as they try to piece together an event that happened in the past. Hopefully, the information they glean from the files, logs, and recovered data provides enough information to remediate any discovered security gaps and provide intelligence on possible future events. Unfortunately, as many CISO’s know, this can be a daunting effort. The adversary’s businesses face today are nimbler and more adept at making changes to side-step attempts in stopping them. It’s this untenable situation that drives organizations and CISO’s to use strategic services, as cyber threat intelligence (CTI), to provide context about the adversaries they face, and the techniques, tools and processes used against them.

To use it as a strategic asset, CISOs and their organizations must first understand CTI, and then know where it can be acquired and why it’s important. The answers to these questions provide insight into why CTI is a valuable service and how organizations can be efficient in using this tool to mature their security programs management of today’s threat.

What is cyber threat intelligence?

This question may seem basic, but I have found many businesses don’t truly understand CTI or its value. CTI is a collection or grouping of information that is gathered from sources both human, electronic, internal and external to the organization. This information is typically processed through some type of evaluation to verify its validity and is used to provide context about conditions necessary for a threat to exploit a vulnerability and if the threat is actively being used by threat actors. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.” For those new to CTI, this means that for threat intelligence to apply to your organization, i.e. to have “context”, there needs to be deficiencies.

Examples of deficiencies are issues such as immature security controls, unpatched or misconfigured hardware/software assets, or undocumented business processes. These deficiencies are basically vulnerabilities, targeted for a unique exploitation. I am sure many of you know every organization and its networks have deficiencies. However, it is the CISO’s responsibility to understand these concerns, have visibility into the risk they place on the company, and prioritize what needs to be remediated first, using strategic services such as CTI.

Where can CTI be acquired?

For an organizations security program to use CTI, they first need to make some decisions on what sources to use for their threat information. As mentioned, the CISO has access to multiple sources of threat intelligence, these sources are categorized as follows:

Internal threat intelligence

Information that is already within the organization. It is information that an organization’s security and operations teams have from previous experiences with vulnerabilities, malware incidents and data breaches. This information, if properly documented, can provide the business with some meaningful content on how their enterprise networks were compromised and if there were any recurring methodologies that worked against the deployed security program. For most organizations, this information will probably be collected in some type of log management system or SIEM platform. If this information on incidents can be collected and used to properly document a history of attack paths, malware, vulnerabilities etc. it can provide invaluable insight into security gaps that can be remediated. Alternatively, it can help the company identify business processes or legacy issues that need to be addressed to prevent further compromises.

External threat intelligence

Besides internal sources, organizations will typically subscribe to multiple external CTI data sources. Some of these sources are digital data feeds incorporated as a module, or service directly into security endpoint solutions or deployed assets like firewalls and security gateways. Other sources will be in a report format, available through email or a CTI portal. This information provides the CISO with in-depth analysis on threat actors and their tactics, techniques and procedures (TTP) that are currently targeting business operations. Some of these external threat intelligence feeds may be ones that are industry specific to the organization. One example is the Financial Services Information Sharing and Analysis Center (FS-ISAC). It is an industry forum for collaboration on critical security threats that is used by the financial services sector. As a member of such a collaborative forum, a CISO could get alerts on current security issues, access to current threat white papers and peers that can speak about best practices to remediate identified concerns. Another external CTI source is provided by law enforcement or government organizations. Some businesses may operate in industry verticals that are designated as critical. With this designation, CISO’s can request access to threat intelligence feeds and security services not normally available to public companies. (See DHS Enhanced Cybersecurity Services (ECS) for more information).

Now that you know what CTI is and where it can be acquired, stay tuned for my next piece where I will outline use cases for why CTI is important.