Blog A3Sec

Cyber Threat Intelligence (CTI)

Written by Edgar Daniel Sánchez Rangel | 10 August, 2022

It has become a cliché to say that technology is booming, evolving exponentially and present everywhere. That has been our reality for years: there are countless ways to use technology to our advantage, as long as it is used properly.

Because technology is practically everywhere, it is also exploited by actors with bad intentions who seek to harm third parties, taking advantage of the anonymity it gives them to commit cybercrimes, most of which require no physical presence to carry out.

Like high-level athletes, cybercriminals improve their skills every day, which complicates the defense strategy of organizations and of every vulnerable entity exposed to these threats. Defenders are at a clear disadvantage: they do not know how the cybercriminals will act and can only wait for some anomaly to appear in the organization's systems.

Threats of this kind have existed for a long time and have become increasingly sophisticated and difficult to identify. This is why the concept of Cyber Threat Intelligence (CTI) was created, which the Center for Internet Security (CIS) defines as follows:

"Cyber threat intelligence is what cyber threat information becomes once it has been collected, assessed in the context of its source and reliability, and analyzed through rigorous and structured business techniques by people with substantial experience and access to all-source information, all to reduce uncertainty for the consumer, while helping them identify threats and opportunities, similarities and differences in large amounts of information, and detect deception to produce accurate, timely, and relevant intelligence."

Given this disadvantage against cybercriminals, it is important to have techniques for understanding adversary behavior, patterns and indicators that can help identify attacks even before they are carried out.


What does CTI bring to cybersecurity?

In the world of cybersecurity, cybercriminals and their defenders are constantly trying to outdo each other. Data about a threat actor's next move is crucial to adapting defenses and preventing future attacks.

According to data from Crowdstrike, organizations are increasingly recognizing the value of CTI, where 72% plan to increase spending on threat intelligence in the coming quarters.

Most organizations focus only on the most basic applications: integrating data sources, IPS and/or firewalls, complemented by a SIEM that correlates the data it has and produces alerts, reports and/or dashboards. They do not take full advantage of the knowledge that intelligence can offer, and so lose real advantages that could significantly strengthen their security posture.


CTI is important in the cybersecurity process because it provides the following:

  • It yields information about known and unknown emerging threats, enabling security teams to take better response actions.
  • It reveals adversaries' motives and their tactics, techniques and procedures (TTPs).
  • It helps gain insight into the behavior of cybercriminals.
  • It helps organizations better understand the threats and events they may face, the vulnerabilities they present and the business impact they entail, so that they can make more informed decisions more efficiently.


How is it implemented?

A series of steps are required to implement a CTI lifecycle in an organization, which are as follows:

  1. Requirements
     The requirements stage is crucial to the threat intelligence lifecycle because it establishes the roadmap for a specific threat intelligence operation. During this planning stage, the team agrees on the objectives and methodology of its intelligence program based on the needs of the parties involved. The team may set out to discover:
     • Who the attackers are and what their motivations are.
     • What the attack surface is.
     • What specific actions should be taken to strengthen defenses against a future attack.

  2. Collection
     Once the requirements are defined, the information needed to satisfy those objectives is collected. Depending on the objectives, this may involve traffic logs, publicly available data sources, relevant forums, social networks, and industry or subject matter experts.

  3. Processing
     Once the data is collected, it must be processed into a format suitable for analysis. Most often this involves organizing data points into spreadsheets, decrypting files, translating information from foreign sources, and assessing the relevance and reliability of the data.

  4. Produce Intelligence
     Once the data set has been processed, the team must perform a thorough analysis to find answers to the questions posed in the requirements phase. During the analysis phase, the team also works to turn the dataset into actionable items and valuable recommendations for stakeholders.

     Image from the Information Security Forum: the steps of the CTI cycle and their purpose.

  5. Release
     The dissemination phase requires the threat intelligence team to translate its analysis into a digestible format and present the results to interested parties. How the analysis is presented depends on the audience. In most cases, recommendations should be presented concisely, without confusing technical jargon, either in a one-page report or a short slide presentation.

  6. Making decisions
     This is where threat intelligence is incorporated into decision making. When CTI is combined with real actions, the value of threat intelligence becomes real. Once CTI has been assessed, a decision must be made on whether and how to respond to an attack.

  7. Actions
     CTI should lead to actions based on the results obtained; otherwise it becomes idle information. This last step is nothing more than carrying out the decisions made in the previous step. The actions required will vary according to the nature of the attacks and the decisions made.


Who participates in CTI?

CTI benefits organizations of all shapes and sizes by helping to process threat data in order to better understand their attackers, respond faster to incidents, and proactively get ahead of a cybercriminal's next move. For SMBs, this data helps them achieve a level of protection that would otherwise be out of reach. On the other hand, companies with large security teams can reduce the cost and skills required by leveraging external threat intelligence and making their analysts more effective.

From top to bottom, threat intel offers unique advantages to each member of a security team, including:

  • Security Analyst/IT
  • SOC
  • CSIRT
  • Intel Analyst
  • Executive Management

Here is how each role benefits and the specific use cases that apply to it:


| Function             | Benefits                                                                                       |
|----------------------|------------------------------------------------------------------------------------------------|
| Security/IT Analyst  | Optimize prevention and detection capabilities and strengthen defenses                         |
| SOC                  | Prioritize incidents based on risk and business impact                                         |
| CSIRT                | Accelerate incident investigations, management and prioritization                              |
| Intel Analyst        | Discover and track the threat actors targeting the organization                                |
| Executive Management | Understand the risks facing the organization and the options available to address their impact |


What is the difference between a TIP and an Intelligence Feed?

Threat Intelligence Platforms (TIPs) are critical security tools that use global security data to help proactively identify, mitigate and remediate security threats. New and evolving threats emerge every day.

While security analysts know that the key to staying ahead of these threats is to analyze threat data, the problem that arises is how to efficiently collect large volumes of data and, consequently, gain actionable insights to proactively thwart future attacks.

TIPs aggregate security intelligence from vendors, analysts and other reputable sources about threats and suspicious activity detected worldwide. This data can take the form of malicious IP addresses, domains, file hashes and more. TIPs then turn this analysis into actionable intelligence for detecting malicious activity within your network, and are often integrated into other security products such as EDR, SIEM and next-generation firewalls.

By contrast, threat intelligence feeds are continuous data streams filled with threat information gathered with the help of artificial intelligence. These feeds provide real-time threat information and cybersecurity trends, enabling organizations to defend proactively against attacks. Security teams can also use this information to better understand the tactics, techniques and procedures of potential attackers and improve their security posture accordingly.
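To make the processing stage of the lifecycle (normalizing collected indicators and grading their source reliability) and the TIP/feed integration into a SIEM concrete, here is an added Python example that is not from the original post or from A3Sec. The feed records, the Admiralty-style reliability grades, the proxy log lines and the `dst=... host=...` log format are all constructed assumptions.

```python
import ipaddress
import re
# Constructed sample feed: each indicator carries its source and an Admiralty-style grade (A = reliable ... F = unknown).
RAW_FEED = [
    {"value": "198.51.100.23", "type": "ip", "source": "vendor-a", "reliability": "B"},
    {"value": " 198.51.100.23 ", "type": "ip", "source": "forum", "reliability": "E"},
    {"value": "EVIL.example.NET.", "type": "domain", "source": "vendor-a", "reliability": "B"},
    {"value": "not-an-ip", "type": "ip", "source": "forum", "reliability": "E"},
]
RELIABILITY_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}

def normalize(record):
    """Processing stage: canonicalize one indicator; return (type, value) or None if malformed."""
    t, v = record["type"], record["value"].strip().lower().rstrip(".")
    if t == "ip":
        try:
            return t, str(ipaddress.ip_address(v))
        except ValueError:
            return None
    pattern = {"domain": r"[a-z0-9.-]+\.[a-z]{2,}", "md5": r"[0-9a-f]{32}"}.get(t)
    return (t, v) if pattern and re.fullmatch(pattern, v) else None

def build_indicator_set(feed):
    """Deduplicate normalized indicators, keeping the most reliable source seen for each."""
    best = {}
    for rec in feed:
        key = normalize(rec)
        rank = RELIABILITY_RANK.get(rec["reliability"].upper(), 0)
        if key and (key not in best or rank > best[key]["rank"]):
            best[key] = {"rank": rank, "source": rec["source"], "reliability": rec["reliability"]}
    return best

# Constructed proxy log lines standing in for the events a SIEM would correlate.
LOG_LINES = [
    "2022-08-10T10:01:02Z proxy client=10.0.0.5 dst=198.51.100.23 host=evil.example.net",
    "2022-08-10T10:01:03Z proxy client=10.0.0.7 dst=203.0.113.9 host=www.example.org",
]
LOG_RE = re.compile(r"dst=(?P<ip>\S+) host=(?P<domain>\S+)")

def match_logs(lines, indicators):
    """Detection: return (line_index, type, value, reliability) for every indicator hit."""
    alerts = []
    for i, line in enumerate(lines):
        m = LOG_RE.search(line)
        fields = (("ip", m["ip"]), ("domain", m["domain"].lower())) if m else ()
        for t, v in fields:
            hit = indicators.get((t, v))
            if hit:
                alerts.append((i, t, v, hit["reliability"]))
    return alerts
```

Running `match_logs(LOG_LINES, build_indicator_set(RAW_FEED))` flags only the first log line, once for the IP and once for the domain, each carrying the best reliability grade seen so the SOC can prioritize the alert.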

A multitude of open source threat intelligence sources exist, including the following:

Integrating these sources into a security platform also makes it possible to leverage threat intelligence and turn it into actionable information.

To make smart security-related decisions, organizations must have adequate threat intelligence. That starts with the use of technical indicators and matures by developing an understanding of who is attacking, how they are attacking and why. It culminates in security decisions guided by strategic intelligence. Obtaining the right level of intelligence and using it effectively can greatly optimize prevention capabilities, shorten threat detection time, accelerate incident response and help teams make better security decisions.