Cyber Threat Intelligence (CTI) is becoming a critical component in an organization’s overall risk mitigation strategy. In recent years, the use of threat intelligence has gained popularity as the value of threat prediction and proactive defense building has proven itself effective at mitigating threat activities. CTI provides information that links the probability and impact of a cyber-attack by providing a framework for timely analysis and prioritization of potential threats and vulnerabilities given an industry’s threat landscape. CTI can assist in providing organizations with the information needed to direct resources to address threats.
The Carnegie Mellon Software Engineering Institute (SEI) defines Cyber Intelligence as “the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making.” More specifically, Cyber Threat Intelligence (CTI) can be thought of as applying intelligence techniques to the aggregation and analysis of contextual and situational risks that are tailored to the organization’s specific threat landscape. The goal of CTI is to provide the ability to recognize and take corrective action upon indicators of attack and exploit scenarios in a timely manner to avoid impact to assets or services. CTI takes into account many sources of information, including the organization’s threat landscape, threat actor capabilities, attack surface, and data provided by security systems.
CTI has a direct and powerful benefit for organizations in terms of risk management. CTI products provide the information necessary for decision makers to direct resources to address well-defined threats to an organization and better understand the potential impact of a successful breach through knowledge of their own threat landscape and attack surface. Meaningful intelligence can be produced through the correlation and analysis of massive amounts of data that would otherwise be problematic, if not impossible, for cyber security specialists to examine manually. Similarly, managers at the executive level benefit from CTI products as they impart concise knowledge that may be acted upon to steer strategic investments in organizational policies, processes, and technology. CTI allows an organization to strategically prioritize risk counter-measures, focusing efforts on which potential breach may cause the most damage. By integrating CTI into various security operations, the resulting intelligence can be used to map out the threat landscape and put historical data into context that is easy to understand and act upon.
Organizations may generate CTI through in-house resources. These products are often created by a cyber security team to provide intelligence to senior management, the general user community, or other partner organizations in a human-readable format. Organizations with limited resources that may not have dedicated cyber security teams may leverage intelligence products produced through contracted services such as the Multi-State Information Sharing & Analysis Center (MS-ISAC) or through a private security firm.
Many industry technologies provide proprietary report information. Operational security systems such as Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems do generate CTI at a basic level. According to a 2015 SANS survey of organizations, to obtain that visibility, 55 percent of organizations are currently using SIEM, and 54 percent are using intrusion-monitoring platforms to aggregate, analyze, and present CTI. Automated instructions flow from the SIEM or IDS to the operational security systems, such as instructions for blocking a particular threat via network firewalls or host countermeasures. In 2013, MITRE introduced a CTI format standard known as Structured Threat Information eXpression (STIX). The STIX language articulates the full range of potential cyber threat information and provides data that is fully expressive, flexible, extensible, automatable, and human-readable. This format is recognized by the industry, as many vendors have adopted connectors to interpret and process STIX feeds. Transporting STIX feeds across organizations requires another protocol created by the MITRE Corporation, known as Trusted Automated eXchange of Indicator Information (TAXII). TAXII messages carry the payload of cyber threat data in STIX format. TAXII is defined as “the protocols and data formats for securely exchanging cyber threat information for the detection, prevention, and mitigation of cyber threats in real time.” These protocols enable machine-to-machine exchange of real-time cyber threat intelligence, allowing rapid and automated counter-measures to be created when another organization identifies a new attack.
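As an added illustration of the machine-readable exchange described above (example code, not from the original article): a small Python ingestion step that loads a constructed STIX 2.1 bundle (STIX's current OASIS JSON revision), discards revoked indicators, and checks constructed firewall and DNS log lines against the indicator patterns, the same kind of automated matching a SIEM performs on a STIX feed. The bundle contents, the key=value log format, and the FIELD_MAP linking STIX observable types to log fields are all assumptions made for this example.

```python
import json
import re

# Constructed STIX 2.1 bundle (sample data, not a real feed; ids are placeholder UUIDs).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--22222222-2222-4222-8222-222222222222",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z", "valid_from": "2024-01-01T00:00:00Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23'] OR [domain-name:value = 'c2.example.invalid']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--33333333-3333-4333-8333-333333333333",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z", "valid_from": "2024-01-01T00:00:00Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.9']", "revoked": True},
]})

# Each STIX comparison "[obj-type:property = 'value']" is mapped to a field of our (assumed) log format.
FIELD_MAP = {("ipv4-addr", "value"): "dst", ("domain-name", "value"): "query"}
COMPARISON = re.compile(r"\[([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\]")

def load_indicators(bundle_json):
    """Return {(log_field, value): indicator_id} for active (non-revoked) STIX-pattern indicators."""
    watch = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked") or obj.get("pattern_type") != "stix":
            continue  # only live STIX-pattern indicators become detection content
        for obj_type, prop, value in COMPARISON.findall(obj["pattern"]):
            field = FIELD_MAP.get((obj_type, prop))
            if field:  # skip observable types this sensor cannot see
                watch[(field, value)] = obj["id"]
    return watch

def parse_log_line(line):
    """Parse '<timestamp> key=value key=value ...' (constructed format) into a dict of fields."""
    return dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)

def match_logs(lines, watch):
    """Return a list of (timestamp, indicator_id, field, value) for every log line hitting an indicator."""
    hits = []
    for line in lines:
        ts = line.split()[0]
        for field, value in parse_log_line(line).items():
            ind = watch.get((field, value))
            if ind:
                hits.append((ts, ind, field, value))
    return hits

# Constructed sample firewall and DNS resolver log lines.
SAMPLE_LOGS = [
    "2024-01-02T10:00:01Z src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2024-01-02T10:00:02Z src=10.0.0.7 query=c2.example.invalid rcode=NOERROR",
    "2024-01-02T10:00:03Z src=10.0.0.9 dst=203.0.113.9 action=allow",  # revoked indicator: no hit
]
```

Calling `match_logs(SAMPLE_LOGS, load_indicators(STIX_BUNDLE))` returns two hits for the active indicator and none for the revoked one, which is the point of honoring the `revoked` flag before turning feed content into alerts.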
Perhaps the most powerful benefit of CTI is the ability to break the Cyber Attack Lifecycle. Most of the major breaches, allegedly perpetrated by nation states, occurred via a threat concept known as Advanced Persistent Threat (APT). Organizations that are highly motivated and have the technical resources to carry out cyber-attacks will often follow a similar pattern. For instance, a nation state may perform a scan on an organization’s network and then develop malicious tools specifically targeting assets found during the reconnaissance scan. The attacker will then exploit a target’s weakness through zero-day attacks, which allow entry for more sophisticated tools to be delivered, gaining further access within an organization’s infrastructure to the eventual valued information, such as a sensitive database. The key to developing a strong defense is to understand the threat actor’s Tactics, Techniques, and Procedures (TTPs). Through the use of advanced threat modeling, organizations can characterize their attack surface and use benign penetration testing to expose vulnerabilities in likely attack scenarios. Modeling results will provide the organization with guidance on where to deploy counter-measures to block APT attack channels, remediate system vulnerabilities, and detect abnormal system behavior.
Managing risk through the application of CTI at the organization level is beneficial. However, the value of CTI is enhanced greatly through the sharing of information among organizations and through partnerships between the government and private sector shipping companies/tenants. Smaller organizations in particular benefit greatly from the ingestion of CTI material from larger, more prominent entities that have larger attack surface areas. This collaboration empowers small organizations that may lack the budget or expertise to generate CTI internally. To make a comparison, the effectiveness of anti-virus technology relies on the ability to identify and deliver known attack signatures of malicious code, such as the famous “BLASTER” and “NIMDA” worms. In prior years, if anti-virus signature databases were up-to-date, organizations had little to fear. With the advent of zero-day attacks, the effectiveness of anti-virus signatures is almost neutralized. Attacks are more coordinated and occur across multiple systems before anti-virus vendors can identify and deploy signatures. This is where the sharing of CTI can help mitigate that issue. CTI examines the attack patterns, heuristics, and TTPs of threats. Sharing this information can put organizations in a defensive posture before a zero-day attack begins. Taking a step further, CTI sharing among friendly nations dramatically increases the ability to defend against hostile nation states through the immediate sharing of observed threat TTPs.
There is much to gain from adopting a CTI program as the resulting intelligence provides insight to the specific threats that pose a risk to the organization. In turn, this leads to the establishment of better policies and processes that can be used to strategically allocate resources to safeguards and focus efforts on what threats may have the greatest impact. CTI helps to ensure mission readiness, resiliency, and ultimately the success of the organization.