Threat Intelligence
Liên Phạm
Threat intelligence: Powerful tool for defense against cyberattacks
TL;DR
- Threat intelligence is the action of gathering and analyzing information concerning cyberattacks.
- The 6 steps of threat intelligence are requirements, collection, processing, analysis, dissemination, and feedback.
- There are 4 types of intelligence: Tactical threat intelligence, technical threat intelligence, operational threat intelligence, and strategic threat intelligence.
What is threat intelligence?
Cyber threat intelligence is the examination of the organization’s cyber threats | Source: ImmuniWeb
Threat intelligence is the practice of collecting, processing and assessing data to identify and understand cyberattacks. The collected data will then be refined and organized in order to deal with cyber threats.
The purpose of threat intelligence is to have an overview of risks from external sources. Threat intelligence provides in-depth data and context about suspicious sources of threats, their capabilities, and the indicators of compromise (IoCs). With this kind of information, organizations can actively protect themselves when there is an event of cyberattack.
The importance of threat intelligence
Threat intelligence is a powerful practice for any organization because it can help you to:
- See what is coming: know about the emerging threats, attack methods, and sources of attacks beforehand.
- Know your enemy: threat intelligence reveals attacker motives, tactics, and procedures. Consequently, your organization is better prepared to deal with malware and attacks.
- Prevent data breaches: threat intelligence helps to monitor suspicious activities and block malicious malware and attacks that steal your organization’s sensitive data.
- Keep the stakeholders informed: threat intelligence provides insightful data about threats that you can share with other teams and stakeholders to invest in cyber security measures effectively and timely.
Indicators of Compromise (IoCs)
Indicators of Compromise (IoCs) provide data regarding a cyber attack, including the consequences of the attack and its sources. Threat intelligence can use IoCs to map cyber attacks with known threat details and activities. These are the most common types of IoCs:
- Unusual HTML response sizes: If the size of HTML responses increases sharply all of a sudden, it may be an indicator that data has been transmitted to the attacker.
- Unusual outbound network traffic: outbound network traffic can be used as a metric to identify potential issues.
- Anomalies in Privileged User Account Activity: privileged accounts typically have access to highly sensitive data. A privileged account being used beyond its normal pattern of activity can be a sign of someone trying to get access to that data.
- DNS Request Anomalies: If there are abnormal Domain Name System (DNS) requests coming from a particular host, it is something you need to look out for because hackers can send these requests to interrupt web activities, send out malware, and steal sensitive data.
- Login red flags: If the system records an unusually high number of unsuccessful login attempts, this can indicate the attempts to penetrate the system with illicit access.
- Geographical Irregularities: If there are activities from countries to which your organization does not relate, this can be evidence of a hacker in a foreign country attempting to penetrate the system.
- Surging frequency of database reads: If an attacker attempts to extract data from your site, their actions can result in an unusual volume of database reads.
- Changes to registry or system files: Malware often attempts to make changes to the registry or system files.
- Mismatched Port-application Traffic: Applications exchange data through well-known ports. Traffic on a port that does not match the application normally using it can indicate an attacker using an unfamiliar port to reach the system and execute an attack.
- A large number of requests for the same resource: Hackers often try to request the files they want to steal many times in order to test out different ways to get access to the resources.
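The following is an added example (not part of the original article) showing how three of the IoCs listed above, login red flags, geographical irregularities, and DNS request anomalies, can be checked programmatically. The log format, thresholds, and all addresses and hostnames are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article), one event per line.
AUTH_LOG = """\
2024-05-01T10:00:01 auth=FAIL user=admin src=203.0.113.7 geo=ZZ
2024-05-01T10:00:02 auth=FAIL user=admin src=203.0.113.7 geo=ZZ
2024-05-01T10:00:03 auth=FAIL user=admin src=203.0.113.7 geo=ZZ
2024-05-01T10:00:04 auth=FAIL user=admin src=203.0.113.7 geo=ZZ
2024-05-01T10:00:05 auth=OK user=admin src=203.0.113.7 geo=ZZ
2024-05-01T10:05:00 auth=OK user=alice src=198.51.100.4 geo=US
"""
DNS_LOG = """\
2024-05-01T10:01:00 client=10.0.0.5 qname=x1.suspicious.example
2024-05-01T10:01:01 client=10.0.0.5 qname=x2.suspicious.example
2024-05-01T10:01:02 client=10.0.0.5 qname=x3.suspicious.example
2024-05-01T10:01:03 client=10.0.0.5 qname=x4.suspicious.example
2024-05-01T10:01:04 client=10.0.0.9 qname=www.example.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each 'key=value' line into a dict (the leading timestamp is ignored)."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]


def login_red_flags(log, max_failures=3):
    """Sources whose failed-login count reaches the threshold (login red flag IoC)."""
    fails = Counter(e["src"] for e in parse(log) if e["auth"] == "FAIL")
    return {src: n for src, n in fails.items() if n >= max_failures}


def geographical_irregularities(log, expected_geos):
    """Successful logins from countries the organization does not operate in."""
    return sorted({(e["user"], e["src"], e["geo"]) for e in parse(log)
                   if e["auth"] == "OK" and e["geo"] not in expected_geos})


def dns_request_anomalies(log, min_distinct=3):
    """Clients querying many distinct hostnames under one parent domain,
    a pattern associated with DNS tunnelling or data exfiltration."""
    seen = {}
    for e in parse(log):
        parent = ".".join(e["qname"].split(".")[-2:])
        seen.setdefault((e["client"], parent), set()).add(e["qname"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}
```

In practice each detector would feed an alert into the SOC's tooling; the thresholds here are deliberately low so the constructed sample triggers them.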
The process of threat intelligence
The 6 steps of the threat intelligence cycle | Source: CrowdStrike
The threat intelligence lifecycle is a full process of collecting raw data and turning it into insightful security intelligence. The 6 stages make the process of threat intelligence become more refined and efficient over time.
1. Requirements
This is considered one of the most important steps because it sets the objectives, roadmap, direction, and everything an organization needs for its threat intelligence. During this stage, the team can discover the following factors:
- The most impactful types of threat
- Who are the attackers?
- What are the attackers’ motives?
- What measures can be taken to protect the system in the event of cyberattacks?
2. Collection
After the first step, the team can figure out ways to collect the data to fulfill the requirements. The information can be retrieved and gathered from multiple sources, such as:
- Existing data feeds
- Past interviews with experts on cyberattacks
- Hacker groups and communities
- Logs from databases
- Research about security and cyber threats
3. Processing
After the raw data has been collected, you need to sort, clean, and organize the data. Following the previous step, the data will need to be transformed into a suitable format for cybersecurity analysis.
4. Analysis
After having the processed data, the team must conduct a thorough analysis to fulfill the requirements in the first step. The analysis should provide actionable insights and valuable recommendations for the stakeholders to investigate and mitigate the attacks.
5. Dissemination
In this stage, the threat intelligence is delivered to end users or to a security tool that uses the data to identify and defend against threats. The analysis is also presented to stakeholders in the form of reports, alerts, or data files.
6. Feedback
The feedback stage involves gathering reviews and feedback from the stakeholders to assess the effectiveness of the threat intelligence. This feedback can be a valuable source to decide how threat intelligence should be improved in the future.
4 types of threat intelligence
There are 4 levels of threat intelligence. Each level involves different context, analysis, stakeholders, and investment costs.
Tactical threat intelligence
This level of intelligence focuses on the near future and identifies simple IoCs. Simple IoCs can be bad IP addresses, unusual traffic and requests, malicious domain names, and so on. Tactical threat intelligence is the most straightforward kind of intelligence and is usually automated. It has a short lifespan because IoCs, such as bad IP addresses, can become obsolete quickly.
Tactical intelligence is technical in nature, so the stakeholders are usually people who work at the forefront of the IT team, including:
- Security Architects
- IT Analysts
- Security Operations Center Analysts
- Vulnerability Management Teams
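The following is an added example (not from the original article) that ties the processing stage of the lifecycle to the short lifespan of tactical IoCs: two raw feeds in different formats are merged into one consistent record shape, duplicates are collapsed to the most recent sighting, and indicators older than a chosen age are retired. Both feeds, their field names, and the 30-day cut-off are constructed for the example.

```python
import csv
import io
import json
from datetime import date, timedelta

# Constructed raw feed extracts in two different formats (not from the article).
CSV_FEED = """\
indicator,type,first_seen
203.0.113.7,ipv4,2024-04-01
bad.example,domain,2024-04-20
203.0.113.7,ipv4,2024-04-25
"""
JSON_FEED = """\
[{"value": "BAD.EXAMPLE.", "kind": "domain", "seen": "2024-04-28"},
 {"value": "198.51.100.4", "kind": "ipv4", "seen": "2024-03-01"}]
"""


def normalize(value, ioc_type, seen):
    """Common record shape: lower-case, strip a trailing DNS dot, ISO date string."""
    value = value.strip().lower().rstrip(".")
    return {"type": ioc_type.strip().lower(), "indicator": value, "last_seen": seen}


def read_feeds(csv_text, json_text):
    """Read both feed formats into the common record shape."""
    rows = [normalize(r["indicator"], r["type"], r["first_seen"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    rows += [normalize(r["value"], r["kind"], r["seen"]) for r in json.loads(json_text)]
    return rows


def process_feeds(csv_text, json_text, today, max_age_days=30):
    """Processing stage: merge feeds, keep the most recent sighting per indicator,
    and retire indicators not seen within max_age_days (tactical IoCs age fast).
    `today` is an ISO date string; ISO dates compare correctly as strings."""
    latest = {}
    for r in read_feeds(csv_text, json_text):
        key = (r["type"], r["indicator"])
        if key not in latest or r["last_seen"] > latest[key]["last_seen"]:
            latest[key] = r
    cutoff = (date.fromisoformat(today) - timedelta(days=max_age_days)).isoformat()
    active, expired = [], []
    for r in sorted(latest.values(), key=lambda r: (r["type"], r["indicator"])):
        (active if r["last_seen"] >= cutoff else expired).append(r)
    return {"active": active, "expired": expired}
```

The "active" list is what would be disseminated to a blocking or detection tool; the "expired" list is worth reporting back in the feedback stage so the feed sources know which indicators have gone stale.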
Technical threat intelligence
Technical threat intelligence provides details on signs indicating that a cyberattack is taking place. Indicators of Compromise are monitored closely with AI tools to detect cyberattacks in a timely manner. Technical intelligence plays a vital role in detecting and mitigating social engineering attacks. Moreover, this type of intelligence can be updated quickly to track the attackers’ tactics.
Operational threat intelligence
Operational threat intelligence studies all aspects of the adversaries. This level of intelligence provides the “who”, “why”, “when”, and “how” of the cyberattacks. The “who” is the profile and the source of the attack. The “why” refers to the motives or the purpose of the attack. The “when” is the timing of the attack. The “how” is made up of the tactics, techniques, and procedures (TTPs) of the attacker.
Operational threat intelligence requires more effort and resources to build than tactical intelligence and has a longer lifespan. The reason is that attackers can’t change their TTPs as easily and quickly as they change their tools (for example, a type of malware).
Operational threat intelligence can serve as a reliable and valuable information source for:
- Security Operations Center Managers
- Cyber Threat Intelligence Teams
- Security Leaders
- Threat Hunters
- Incident Responders
Strategic threat intelligence
Strategic threat intelligence outlines an overview of a company’s threat landscape. This type of intelligence analyses potential cyberattacks and possible consequences for high-level and non-technical decision makers in an organization. Strategic intelligence is the most complex intelligence compared to the types mentioned above since it requires more expertise in broader areas such as sociopolitical and business concepts.
Excellent strategic intelligence should provide insights into risks, movements in threat actor tactics and targets, and geopolitical trends so that high-level executives can make wise cybersecurity investments that effectively protect the organization’s systems. Strategic intelligence is often presented in a report or research format.
Stakeholders who find strategic threat intelligence useful include:
- C-Suite (CISO, CIO, CSO, CTO)
- Board Members
- Intelligence Leaders
- Senior VPs
Final thoughts
Threat intelligence provides insights into the threat source and its tactics, techniques and procedures, which help the organization proactively take security measures to detect and block cyberattacks. A thorough threat intelligence system can save a business thousands of dollars by avoiding the losses that operational disruptions and cyberattacks would otherwise cause.
References
https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/
https://www.kaspersky.com/resource-center/definitions/threat-intelligence
https://www.recordedfuture.com/threat-intelligence
https://www.vmware.com/topics/glossary/content/threat-intelligence.html