Introduction To Cyber Threat Intelligence
Cyber Threat Intelligence (CTI) is still considered a relatively new field within cybersecurity, whereas the practice of intelligence itself is an old and mature discipline. There are many definitions of intelligence, but its essence is collecting information to support decision-making.
According to the UK National Crime Agency (NCA): “Intelligence is information that is received or collected to answer specific questions on who, what, where, when, how and why…”. The US Central Intelligence Agency (CIA) defines it as: “Intelligence is knowledge and foreknowledge of the world around us – the prelude to decision and action.”
Cyber threats are increasing at an unprecedented rate. To counter attacks originating from cyberspace, organizations of all types and sizes must build intelligence into their protective strategy so that attacks can be prevented before valuable IT resources are compromised.
Cyber Threat Intelligence is the practice of collecting threat information and correlating it against criteria such as source and reliability in order to understand the threats an organization may face. This knowledge lets an organization prepare and deploy the defenses needed to keep those threats out of its IT systems and networks.
This article defines CTI, explains why it matters to today's organizations, distinguishes the three terms data, information, and intelligence, and ends with the general intelligence life cycle.
Why is Threat Intelligence Important?
Threat intelligence solutions gather threat information about threat actors and emerging threats from a variety of sources. This information is then filtered and organized into an intelligence feed that automated controls can use to detect and stop advanced cyber threats such as zero-day exploits and advanced persistent threats (APTs).
There are numerous sources of threat data, but the volume is far larger than any security solution can practically consume. Before adopting any source, check whether it meets the following two primary conditions:
- Is this information related to my organization's work, industry, geographical area, or IT infrastructure?
- Is this information useful enough to include in the organization's threat intelligence knowledge base and to incorporate into its future defense strategy?
Data vs. Information vs. Intelligence
When talking about Cyber Threat Intelligence, people often confuse the three terms threat data, information, and intelligence and use them interchangeably.
- Data: is available in large volumes and is of limited use in its raw state. Examples of raw data include IP addresses, endpoint logs, and network device logs.
- Information: is produced when raw data is analyzed to answer a specific question. For example, analyzing a server log can show a spike in suspicious activity over a specific period.
- Intelligence: comes from analyzing information and linking it with what is already known to produce an actionable product that informs decision-making. For example, after analyzing the server log, we find suspicious activity similar to the previous month's attempt to gain unauthorized access to protected resources. On that basis, the organization can develop a strategy to mitigate and stop similar incidents.
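The three steps in the list above, carried out on a small log sample. This is an added example written for this article, not code from the original; the SSH log lines, the addresses (documentation ranges) and the "previous month" indicator list are all constructed. Raw lines become structured events (data), the events answer one question, failed logins per hour (information), and the spike is then linked to what the organization already knew, so that a decision can be taken (intelligence).

```python
import re
import statistics
from collections import Counter

# Constructed raw data: a slice of an SSH authentication log in a simplified syslog layout.
RAW_LOG = """\
2024-03-11T00:07:41 sshd[811]: Accepted publickey for deploy from 10.0.0.5 port 50122
2024-03-11T00:31:09 sshd[822]: Failed password for root from 192.0.2.44 port 40112
2024-03-11T01:12:55 sshd[903]: Accepted publickey for deploy from 10.0.0.5 port 50410
2024-03-11T01:49:30 sshd[917]: Failed password for root from 192.0.2.44 port 40377
2024-03-11T02:00:12 sshd[950]: Failed password for admin from 203.0.113.7 port 55201
2024-03-11T02:00:14 sshd[951]: Failed password for admin from 203.0.113.7 port 55202
2024-03-11T02:00:15 sshd[952]: Failed password for admin from 203.0.113.7 port 55203
2024-03-11T02:00:17 sshd[953]: Failed password for backup from 203.0.113.7 port 55204
2024-03-11T02:00:19 sshd[954]: Failed password for backup from 203.0.113.7 port 55205
2024-03-11T02:00:21 sshd[955]: Failed password for admin from 203.0.113.7 port 55206
2024-03-11T02:00:24 sshd[956]: Accepted password for backup from 203.0.113.7 port 55207
2024-03-11T03:05:02 sshd[1001]: Accepted publickey for deploy from 10.0.0.5 port 50888
"""

# Constructed "previous month" knowledge: indicators retained from an earlier attempt to reach
# protected resources. In a real program these come from the incident record, not a literal.
PRIOR_INCIDENT = {
    "label": "unauthorized-access attempt, previous month (constructed)",
    "ips": {"203.0.113.7", "198.51.100.23"},
    "usernames": {"admin", "backup"},
}

LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Data: raw lines become structured events. Lines that do not match are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"hour": m["hour"], "outcome": m["outcome"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def failures_per_hour(events):
    """Information: answer one specific question, 'how many failed logins per hour?'"""
    per_hour = {e["hour"]: 0 for e in events}   # hours with traffic but no failures count as 0
    for e in events:
        if e["outcome"] == "Failed":
            per_hour[e["hour"]] += 1
    return per_hour


def find_spikes(per_hour, factor=3, min_count=5):
    """An hour is a spike if it reaches min_count and factor x the median of the other hours."""
    spikes = []
    for hour, count in per_hour.items():
        others = [c for h, c in per_hour.items() if h != hour]
        baseline = statistics.median(others) if others else 0
        if count >= max(min_count, factor * baseline):
            spikes.append(hour)
    return spikes


def assess(text, prior=PRIOR_INCIDENT):
    """Intelligence: link the spike to what is already known and state what to do about it."""
    events = parse_events(text)
    spikes = find_spikes(failures_per_hour(events))
    spike_events = [e for e in events if e["hour"] in spikes]
    failed = [e for e in spike_events if e["outcome"] == "Failed"]
    ips = Counter(e["ip"] for e in failed)
    users = {e["user"] for e in failed}
    matched = (set(ips) & prior["ips"]) | (users & prior["usernames"])
    # A success from an address that was just failing repeatedly is the fact that changes the decision.
    successes = [e for e in spike_events if e["outcome"] == "Accepted" and e["ip"] in ips]
    if successes:
        action = "treat as likely credential compromise: disable the accounts, rotate credentials, examine the host"
    elif matched:
        action = "block the source addresses and watch the previously targeted accounts"
    else:
        action = "monitor; no link to known activity"
    return {
        "spike_hours": spikes,
        "source_ips": dict(ips),
        "targeted_users": sorted(users),
        "linked_to_prior_incident": bool(matched),
        "matched_indicators": sorted(matched),
        "successful_logins_from_sources": [(e["user"], e["ip"]) for e in successes],
        "recommended_action": action,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(RAW_LOG), indent=2))
```

The spike threshold is deliberately relative (median of the other hours) rather than a fixed number, so the same code works for a quiet host and a busy one; the link to the earlier incident is what turns "six failures in an hour" into something a decision-maker can act on.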
The Intelligence Lifecycle
The intelligence lifecycle is the methodology, or model, used to convert raw threat data into finished intelligence that is ready for decision-makers. As described here (see Figure 1), it comprises four main phases.
Phase ONE: Planning and direction
When collecting threat intelligence, two parties can be distinguished: the requester (or consumer) and the collector (or producer) responsible for gathering threat information. In this first phase the consumer's intelligence requirements (IRs) are defined precisely, and the producer decides which methods and sources will be used to satisfy them.
Phase TWO: Collection
In this phase the producer collects threat data from a wide range of sources (e.g., vendor threat intelligence feeds, government advisories, and private sources). The producer must follow a strict methodology so that only useful and reliable data is collected: data that relates directly to the consumer's intelligence requirements and can be acted upon in a timely manner.
Phase THREE: Processing and Analysis
In this phase the collected raw data is correlated with other sources and turned into intelligence. The producer applies human analytical skill (quantitative and qualitative techniques) together with processing software to analyze the harvested data within the scope of the consumer's intelligence requirements. The producer also assesses the reliability of the collected information and its sources, and discards unreliable or biased material from the final report or product.
Phase FOUR: Dissemination and Feedback
In this phase the finished intelligence product is delivered to the appropriate stakeholders, who in return provide feedback on the product and the information behind it; that feedback shapes future intelligence collection.
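The four phases above, run end to end on constructed data. This is an added example, not code from the article: the requirement, the feed records, the source names and their grades are all hypothetical. Source reliability is expressed on the NATO Admiralty scale (A = completely reliable down to E = unreliable, F = cannot be judged), which is an assumption of this example rather than something the article specifies; any ordinal grading works the same way. Phase one is written as a filter so it can be applied mechanically; phase three merges the same indicator seen by different sources, keeps an indicator only if a good-enough source reports it or independent sources corroborate it, and phase four produces the product and feeds the consumer's verdicts back into the source grades for the next cycle.

```python
GRADE_ORDER = "ABCDEF"   # Admiralty source reliability (assumption): A best, F = cannot be judged

# Phase ONE: the consumer's intelligence requirement, written so it can be applied as a filter.
REQUIREMENT = {
    "id": "IR-1 (constructed)",
    "question": "Which infrastructure is currently used against VPN gateways in the finance sector?",
    "sectors": {"finance"},
    "asset_types": {"vpn"},
    "max_age_days": 30,
}

# Phase TWO: constructed collection. Source names and grades are hypothetical.
SOURCES = {"vendor-feed": "B", "gov-advisory": "A", "anon-paste": "F"}
COLLECTED = [
    {"source": "vendor-feed", "type": "ip", "value": "198.51.100.23", "sectors": ["finance"],
     "asset": "vpn", "age_days": 3, "context": "credential stuffing against VPN portals"},
    {"source": "gov-advisory", "type": "ip", "value": " 198.51.100.23 ", "sectors": ["Finance", "energy"],
     "asset": "vpn", "age_days": 5, "context": "same address named in advisory"},
    {"source": "gov-advisory", "type": "domain", "value": "VPN-Login.example", "sectors": ["finance"],
     "asset": "vpn", "age_days": 10, "context": "phishing page imitating a VPN portal"},
    {"source": "anon-paste", "type": "ip", "value": "203.0.113.9", "sectors": ["finance"],
     "asset": "vpn", "age_days": 1, "context": "unverified claim"},        # unreliable, uncorroborated
    {"source": "anon-paste", "type": "ip", "value": "203.0.113.55", "sectors": ["finance"],
     "asset": "vpn", "age_days": 2, "context": "unverified claim"},
    {"source": "vendor-feed", "type": "ip", "value": "203.0.113.55", "sectors": ["finance"],
     "asset": "vpn", "age_days": 4, "context": "password spraying"},        # corroborates the paste
    {"source": "vendor-feed", "type": "domain", "value": "update-portal.example", "sectors": ["retail"],
     "asset": "web", "age_days": 2, "context": "outside IR-1"},
    {"source": "vendor-feed", "type": "ip", "value": "192.0.2.77", "sectors": ["finance"],
     "asset": "vpn", "age_days": 90, "context": "too old to act on"},
]


def normalize(record):
    """Canonicalize values so the same indicator from two feeds is recognized as one."""
    r = dict(record)
    r["value"] = r["value"].strip().lower()
    r["sectors"] = {s.lower() for s in r["sectors"]}
    return r


def relevant(record, req):
    """Phase ONE applied during collection: keep only what can answer the consumer's question."""
    return bool(record["sectors"] & req["sectors"]
                and record["asset"] in req["asset_types"]
                and record["age_days"] <= req["max_age_days"])


def process(collected, sources, req, min_grade="D"):
    """Phase THREE: normalize, merge across sources, grade, and discard what cannot be trusted."""
    merged = {}
    for rec in map(normalize, collected):
        if not relevant(rec, req):
            continue
        key = (rec["type"], rec["value"])
        item = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                       "sources": set(), "best_grade": "F", "contexts": []})
        item["sources"].add(rec["source"])
        grade = sources[rec["source"]]
        if GRADE_ORDER.index(grade) < GRADE_ORDER.index(item["best_grade"]):
            item["best_grade"] = grade
        item["contexts"].append(rec.get("context", ""))
    # Keep an indicator if its best source meets the bar, or if independent sources corroborate it.
    kept = [i for i in merged.values()
            if GRADE_ORDER.index(i["best_grade"]) <= GRADE_ORDER.index(min_grade) or len(i["sources"]) > 1]
    kept.sort(key=lambda i: (GRADE_ORDER.index(i["best_grade"]), -len(i["sources"]), i["value"]))
    return kept


def disseminate(items, req):
    """Phase FOUR: the finished product, shaped around the question, with a feedback hook."""
    return {
        "requirement": req["id"],
        "question": req["question"],
        "indicators": [{"value": i["value"], "type": i["type"], "reliability": i["best_grade"],
                        "corroborated": len(i["sources"]) > 1, "context": "; ".join(i["contexts"])}
                       for i in items],
        "feedback": "return a verdict per source (confirmed / false_positive) to apply_feedback()",
    }


def apply_feedback(sources, verdicts):
    """Phase FOUR, closing the loop: consumer verdicts move a source one grade for the next cycle.
    Simplified: a real program keeps a running score. F (no track record) is not moved by one verdict."""
    updated = dict(sources)
    for source, verdict in verdicts.items():
        if updated[source] == "F":
            continue
        idx = GRADE_ORDER.index(updated[source])
        if verdict == "false_positive":
            idx = min(idx + 1, GRADE_ORDER.index("E"))
        elif verdict == "confirmed":
            idx = max(idx - 1, 0)
        updated[source] = GRADE_ORDER[idx]
    return updated


if __name__ == "__main__":
    import json
    print(json.dumps(disseminate(process(COLLECTED, SOURCES, REQUIREMENT), REQUIREMENT), indent=2))
    print(apply_feedback(SOURCES, {"vendor-feed": "confirmed", "anon-paste": "false_positive"}))
```

Of the eight collected records, three survive as indicators: the out-of-scope retail domain and the 90-day-old address never pass the requirement, and the uncorroborated paste entry is dropped because its only source cannot be judged. Keeping the corroborated paste entry is the point of merging first and grading second.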
A Cyber Threat Intelligence program strengthens an organization's security risk posture. The program should follow a predefined CTI process that guides the organization toward its goals; by gathering and analyzing data through such a process, it delivers accurate and timely intelligence that supports decisions to mitigate and reduce cyber risk.
Cyber threat intelligence has proven benefits for organizations of all types in any industry. Using it to anticipate, stop, and mitigate cyber threats has become essential for any organization operating in today's information age.