Cyber threat intelligence

This article is about cyber threat intelligence. For computer telephony integration, see Computer telephony integration.

Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats.^[1][2] It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit.^{[3][4] [5]} Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

In recent years, threat intelligence has become a crucial part of companies' cyber security strategy since it allows companies to be more proactive in their approach and determine which threats represent the greatest risks to a business. This puts companies on a more proactive front, actively trying to find their vulnerabilities and preventing hacks before they happen.^[6] This method is gaining importance in recent years since, as IBM estimates, the most common method companies are hack is via threat exploitation (47% of all attacks).^[7]

Threat vulnerabilities have risen in recent years also due to the COVID-19 pandemic and more people working from home - which makes companies' data more vulnerable. Due to the growing threats on one hand, and the growing sophistication needed for threat intelligence, many companies have opted in recent years to outsource their threat intelligence activities to a managed security provider (MSSP).^[8]

Process - intelligence cycle

The process of developing cyber threat intelligence is a circular and continuous process, known as the intelligence cycle, which is composed of five phases,^{[9][10][11][12]} carried out by intelligence teams to provide to leadership relevant and convenient intelligence to reduce danger and uncertainty.^[11]

The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination.^{[9][10][11][12]}

In planning and directing, the customer of the intelligence product requests intelligence on a specific topic or objective. Then, once directed by the client, the second phase begins, collection, which involves accessing the raw information that will be required to produce the finished intelligence product. Since information is not intelligence, it must be transformed and therefore must go through the processing and analysis phases: in the processing (or pre-analytical phase) the raw information is filtered and prepared for analysis through a series of techniques (decryption, language translation, data reduction, etc.); In the analysis phase, organized information is transformed into intelligence. Finally, the dissemination phase, in which the newly selected threat intelligence is sent to the various users for their use.^[10][12]

Types

There are three overarching, but not categorical - classes of cyber threat intelligence:^[4] 1) tactical; 2) operational; 3) strategic.^{[4][9][12][13][14]} These classes are fundamental to building a comprehensive threat assessment.^[9]

• Tactical: Typically used to help identify threat actors. Indicators of compromise (such as IP addresses, Internet domains or hashes) are used and the analysis of tactics, techniques, and procedures (TTP) used by cybercriminals is beginning to be deepened. Insights generated at the tactical level will help security teams predict upcoming attacks and identify them at the earliest possible stages.^{[4][9][11][12][14]}
• Operational: This is the most technical level of threat intelligence. It shares hard and specific details about attacks, motivation, threat actor capabilities, and individual campaigns. Insights provided by threat intelligence experts at this level include the nature, intent, and timing of emerging threats. This type of information is more difficult to obtain and is most often collected through deep, obscure web forums that internal teams cannot access. Security and attack response teams are the ones that use this type of operational intelligence.^{[4][9][12][14]}
• Strategic: Usually tailored to non-technical audiences, intelligence on general risks associated with cyberthreats. The goal is to deliver, in the form of white papers and reports, a detailed analysis of current and projected future risks to the business, as well as the potential consequences of threats to help leaders prioritize their responses.^{[4][9][12][14]}

Benefits of cyber threat intelligence

Cyber threat intelligence provides a number of benefits, which include:

• Gives organizations, agencies or other entities, the ability to develop a proactive and robust cybersecurity posture and to bolster overall risk management and cyber security policies and responses.^[15]
• Drives momentum toward a proactive cybersecurity posture that is predictive, not simply reactive after a cyber attack.^[6]
• It provides context and insights about active attacks and potential threats to aid decision making.^[9]
• It prevents data breaches from releasing sensitive information, thus preventing data loss.^[14]
• Reduce costs. Since data breaches are costs, reducing the risk of data breaches helps save money.^[14]
• It helps and provides instructions to institutions on how to implement security measures to protect against future attacks.^[14]
• Enables sharing of knowledge, skills and experiences among the cyber security community of practice and systems stakeholders.^[14]
• It helps to more easily and better identify risks and threats, as well as delivery mechanisms, indicators of compromise across the infrastructure, and potential specific actors and motivators.^[16]
• Helps in the detection of attacks during and before these stages.^[16]
• Provides indicators of actions taken during each stage of the attack.^[16]
• Communicates threat surfaces, attack vectors and malicious activities directed to both information technology and operational technology platforms.
• Serve as fact-based repository for evidence of both successful and unsuccessful cyber attacks.
• Provide indicators for computer emergency response teams and incident response groups.

Key elements

There are three key elements that must be present for information or data to be considered threat intelligence:^[12]

• Evidence-based: For any intelligence product to be useful, it must first be obtained through proper evidence-gathering methods.^[17] Through other processes, such as malware analysis, threat intelligence can be produced.
• Utility: For threat intelligence to have a positive impact on the outcome of a security event, it must have some utility. Intelligence must provide clarity, in terms of context and data, about specific behaviours and methods.^[18]
• Actionable: Action is the key element that separates information or data from threat intelligence. Intelligence must drive action.^[19]

Attribution

Main article: Cyberattribution

Cyber threats involve the use of computers, storage devices, software networks and cloud-based repositories. Prior to, during or after a cyber attack technical information about the information and operational technology, devices, network and computers between the attacker(s) and the victim(s) can be collected, stored and analyzed. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack, - termed attribution is sometimes difficult,^[20] as attackers can use deceptive tactics to evade detection or mislead analysts into drawing incorrect conclusions.^[21] Multiple efforts^[22][23][24] in threat intelligence emphasize understanding adversary TTPs to tackle these issues.^[25]

A number of recent ^[when?] cyber threat intelligence analytical reports have been released by public and private sector organizations which attribute cyber attacks. This includes Mandiant's APT1 and APT28 reports,^[26][27] US CERT's APT29 report,^[28] and Symantec's Dragonfly, Waterbug Group and Seedworm reports.^[29][30][31]

CTI sharing

In 2015 U.S. government legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. This act required the U.S. federal government to facilitate and promote four CTI objectives:^[32]

1. Sharing of "classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments";
2. Sharing of "unclassified indicators with the public";
3. Sharing of "information with entities under cybersecurity threats to prevent or mitigate adverse effects";
4. Sharing of "cybersecurity best practices with attention to the challenges faced by small businesses.

In 2016, the U.S. government agency National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150) which further outlined the necessity for Cyber Threat Information Sharing as well as a framework for implementation.^[33]

See also

• Cyber Intelligence Sharing and Protection Act
• Denial-of-service attack
• Indicator of compromise
• Malware
• Malware analysis
• Ransomware
• Zero-day (computing)

References

1. Schlette, Daniel; Böhm, Fabian; Caselli, Marco; Pernul, Günther (2020). "Measuring and visualizing cyber threat intelligence quality". International Journal of Information Security. 20 (1): 21–38. doi:10.1007/s10207-020-00490-y. ISSN 1615-5262.
2. Kant, Neelima (2024). "Cyber Threat Intelligence (CTI): An Analysis on the Use of Artificial Intelligence and Machine Learning to Identify Cyber Hazards". Cyber Security and Digital Forensics. Lecture Notes in Networks and Systems. Vol. 36. pp. 449–462. doi:10.1007/978-981-99-9811-1_36. ISBN 978-981-99-9810-4.
3. Dalziel, Henry (2014). How to Define and Build an Effective Cyber Threat Intelligence Capability. Syngress. ISBN 9780128027301.
4. Bank of England (2016). CBEST Intelligence-Led Testing: Understanding Cyber Threat Intelligence Operations (PDF) (Report). Bank of England.
5. Saeed, Saqib (2023). "A Systematic Literature Review on Cyber Threat Intelligence for Organizational Cybersecurity Resilience". Sensors. 23 (16): 7273. Bibcode:2023Senso..23.7273S. doi:10.3390/s23167273. PMC 10459806. PMID 37631808.
6. CyberProof Inc. (n.d.). Managed Threat Intelligence. CyberProof. Retrieved on April 03, 2023 from https://www.cyberproof.com/cyber-101/managed-threat-intelligence/
7. IBM (2022-02-23). "IBM Security X-Force Threat Intelligence Index". www.ibm.com. Retrieved 2022-05-29.
8. "MSSP - What is a Managed Security Service Provider?". Check Point Software. Retrieved 2022-05-29.
9. "What is Cyber Threat Intelligence used for and how is it used?". blog.softtek.com. Retrieved 2023-04-12.
10. Phythian, Mark (2013). Understanding the Intelligence Cycle (PDF) (1st ed.). Routledge. pp. 17–23.
11. Kime, Brian (March 29, 2016). "Threat Intelligence: Planning and Direction". SANS Institute.
12. Gerard, Johansen (2020). Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats (2nd ed.). Packt Publishing Ltd.
13. Trifonov, Roumen; Nakov, Ognyan; Mladenov, Valeri (2018). "Artificial Intelligence in Cyber Threats Intelligence". 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC). IEEE. pp. 1–4. doi:10.1109/ICONIC.2018.8601235. ISBN 978-1-5386-6477-3. S2CID 57755206.
14. Kaspersky. (n.d.). What is threat intelligence? Definition and explanation. Retrieved on April 03, 2023 from https://www.kaspersky.com/resource-center/definitions/threat-intelligence
15. Berndt, Anzel; Ophoff, Jacques (2020). "Exploring the Value of a Cyber Threat Intelligence Function in an Organization". In Drevin, Lynette; Von Solms, Suné; Theocharidou, Marianthi (eds.). Information Security Education. Information Security in Action. IFIP Advances in Information and Communication Technology. Vol. 579. Cham: Springer International Publishing. pp. 96–109. doi:10.1007/978-3-030-59291-2_7. ISBN 978-3-030-59291-2. S2CID 221766741.
16. Shackleford, D. (2015). Who’s Using Cyberthreat Intelligence and How?. SANS Institute. https://cdn-cybersecurity.att.com/docs/SANS-Cyber-Threat-Intelligence-Survey-2015.pdf
17. Nguyen, Quoc Phong; Lim, Kar Wai; Divakaran, Dinil Mon; Low, Kian Hsiang; Chan, Mun Choon (June 2019). "GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection". 2019 IEEE Conference on Communications and Network Security (CNS). IEEE. pp. 91–99. arXiv:1903.06661. doi:10.1109/cns.2019.8802833. ISBN 978-1-5386-7117-7.
18. Marino, Daniel L.; Wickramasinghe, Chathurika S.; Manic, Milos (October 2018). "An Adversarial Approach for Explainable AI in Intrusion Detection Systems". IECON 2018 - 44th Annual Conference of the IEEE Industrial Electronics Society. IEEE: 3237–3243. arXiv:1811.11705. doi:10.1109/iecon.2018.8591457. ISBN 978-1-5090-6684-1.
19. Leite, Cristoffer; den Hartog, Jerry; Ricardo dos Santos, Daniel; Costante, Elisa (2022), Reiser, Hans P.; Kyas, Marcel (eds.), "Actionable Cyber Threat Intelligence for Automated Incident Response", Secure IT Systems, vol. 13700, Cham: Springer International Publishing, pp. 368–385, doi:10.1007/978-3-031-22295-5_20, ISBN 978-3-031-22294-8, retrieved 2024-11-11
20. Leite, Cristoffer; Den Hartog, Jerry; dos Santos, Daniel Ricardo (2024-07-30). "Using DNS Patterns for Automated Cyber Threat Attribution". Proceedings of the 19th International Conference on Availability, Reliability and Security. ACM. pp. 1–11. doi:10.1145/3664476.3670870. ISBN 979-8-4007-1718-5.
21. Skopik, Florian; Pahi, Timea (2020-03-20). "Under false flag: using technical artifacts for cyber attack attribution". Cybersecurity. 3 (1): 8. doi:10.1186/s42400-020-00048-4. ISSN 2523-3246.
22. Leite, Cristoffer; Den Hartog, Jerry; Dos Santos, Daniel R.; Costante, Elisa (2023-12-15). "Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents". 2023 IEEE International Conference on Big Data (BigData). IEEE. pp. 2999–3008. doi:10.1109/BigData59044.2023.10386324. ISBN 979-8-3503-2445-7.
23. Navarro, Julio; Legrand, Véronique; Lagraa, Sofiane; François, Jérôme; Lahmadi, Abdelkader; De Santis, Giulia; Festor, Olivier; Lammari, Nadira; Hamdi, Fayçal (2018), Imine, Abdessamad; Fernandez, José M.; Marion, Jean-Yves; Logrippo, Luigi (eds.), "HuMa: A Multi-layer Framework for Threat Analysis in a Heterogeneous Log Environment", Foundations and Practice of Security, vol. 10723, Cham: Springer International Publishing, pp. 144–159, doi:10.1007/978-3-319-75650-9_10, ISBN 978-3-319-75649-3, retrieved 2024-11-11
24. Landauer, Max; Wurzenberger, Markus; Skopik, Florian; Settanni, Giuseppe; Filzmoser, Peter (2018-11-01). "Dynamic log file analysis: An unsupervised cluster evolution approach for anomaly detection". Computers & Security. 79: 94–116. doi:10.1016/j.cose.2018.08.009. hdl:20.500.12708/6096. ISSN 0167-4048.
25. Levi Gundert, How to Identify Threat Actor TTPs
26. "APT1: Exposing One of China's Cyber Espionage Units | Mandiant" (PDF).
27. "APT28: A Window Into Russia's Cyber Espionage Operations" (PDF). FireEye, Inc. 2014. Retrieved 3 December 2023.
28. "Grizzly Steppe - Russian Malicious Cyber Activity" (PDF). NCCIC. 29 December 2016. Retrieved 3 December 2023.
29. "Dragonfly: Western energy sector targeted by sophisticated attack group".
30. "Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments".
31. "Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms".
32. Burr, Richard (2015-10-28). "S.754 - 114th Congress (2015-2016): To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". www.congress.gov. Retrieved 2021-06-09.
33. Johnson, C.S.; Badger, M.L.; Waltermire, D.A.; Snyder, J.; Skorupka, C. (4 October 2016). "Guide to Cyber Threat Information Sharing". National Institute of Standards and Technology. doi:10.6028/nist.sp.800-150. Retrieved 3 December 2023.

Further reading

• Boris Giannetto - Pierluigi Paganini (2020). Mastering Communication in Cyber Intelligence Activities: A Concise User Guide. Cyber Defense Magazine.
• Anca Dinicu, "Nicolae Bălcescu" Land Forces Academy, Sibiu, Romania, Cyber Threats to National Security. Specific Features and Actors Involved - Bulletin Ştiinţific No 2(38)/2014
• Zero Day: Nuclear Cyber Sabotage, BBC Four - the Documentary thriller about warfare in a world without rules - the world of cyberwar. It tells the story of Stuxnet, self-replicating computer malware, known as a 'worm' for its ability to burrow from computer
• What is threat intelligence? - Blog post providing context and adding to the discussion of defining threat intelligence.
• Threat hunting explained - Short article explaining cyber threat intelligence.
• Cyber Threat Intelligence - What is Cyber Threat Intelligence? - Definitive guide for beginners.