Security Operations Centre – part 5

Security Operations Centre

What is Cyber Threat Intelligence?

According to Gartner, Threat Intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Putting it into a less technical language, Cyber Threat Intelligence (CTI) is the data collected, processed, and analysed with the view to comprehend a malicious actor’s motives, targets, and attack practices. CTI allows for faster, more informed, data-backed decisions allowing for a shift from a reactive to a proactive approach in the fight against bad actors. As such it can be, and these days in most cases is an indispensable component of a Security Operations Centre.

What is the role of Cyber Threat Intelligence?

With the increasing activity and severity of rouge players’ impact on the online reality, knowledge of existent and current threats plays a crucial role in managing the enterprise’s cyber defense system allowing to proactively pre-empt future attacks and thus reduce the risk of a cyber-attack.

It goes without saying that organisations and institutions of all sizes can benefit from Cyber Threat Intelligence on all levels of the cybersecurity structure from the IT Analyst, to SOC team members to the Executive Management. CTI allows cyber security professionals to anticipate possible unwanted events enabling them to make better decisions. It brings to light adversary’s tactics, techniques, and procedures (TTPs), reveals their motives, and allows to better understand their decision-making process.

The three levels of Cyber Threat Intelligence

Strategical Cyber Threat intelligence

Strategical CTI is the most overarching level which provides the big picture of how adversaries operate within the framework of geopolitical conditions, global events, and foreign policies showing how threats and attacks are changing over time. Strategic intelligence answers the questions of ‘Who is behind the attack?’ and ‘Why did they do it?’ from which the attacker’s future operations and tactics can be inferred.

Strategical CTI is particularly useful for decision-makers such as CISOs and executive leadership to help them understand the risks cyber threats pose to their organisations. They can use this knowledge to make better-informed cybersecurity investment decisions that will protect their organisations more effectively and be aligned with the organisations’ strategic priorities.

This type of intelligence is build using a vast body of knowledge requiring an intimate insight into the world of cybersecurity and the ins and outs of the world’s geopolitics.

Operational Cyber Threat Intelligence

Operational CTI answers two questions of ‘How?’ and ‘Where?’ offering an understanding of the bad actor’s methodologies and exposing possible threats. It allows for the deployment of more relevant detection, incident response, and hunting programs. Often used by cyber forensic investigators and incident responders usually includes:

– Tools for a specific Advanced Persistent Threat group (utilities, backdoors, common infrastructure)
– Tactics, Techniques, and Procedures (TTPs) for a specific Advanced Persistent Threat group (staging directories, file naming conventions, ports, protocols, favourite file types)
– Emerging TTPs (new persistence methods, exploits, phishing schemes)

This type of intelligence is usually obtained from collecting and analysing details of known attacks. It is most useful for Security Operations Centre’s staff and those cybersecurity professionals responsible for day-to-day infosec operations.

Data obtained through operational CTI enhances the proficiency and effectiveness of deployed threat monitoring, vulnerability management, and incident response techniques.

Tactical Cyber Threat Intelligence

Tactical CTI is the most fundamental form of threat intelligence, focused on the immediate future, technical in its nature, and identifies Indicators of Compromise (IOCs). IOCs can come in form of bad IP addresses, URLs, file hashes, or known malicious domain names. It serves both as evidence for cyber forensics, compliance, and legal purposes as well as reference material for analysts to interpret and extract context for us in defensive operations.

Tactical CTI is almost always automated and can be ingested through feeds. It usually has a very short lifespan as some IOCs can become outdated in days or even hours.

This type of intelligence answers the question of ‘What?’ pointing for example to particular malware samples or malware family.

Do you require a Threat Intelligence solution to counteract cyber threats?

SEQRED offers a Zero Day Live threat intelligence system that will notify you of upcoming threats.

To discuss your requirements, contact SEQRED at biuro@seqred.pl.

About this guide

The idea for this article was inspired by an in-house presentation by Józef Sulwiński which you can watch here.

Another source is an article on Threat Intelligence by Crowdstrike accessible here as well as an article by Anomali available here.

 

 

Dodaj komentarz

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *