Cyber Threat Intelligence (CTI) is precise, contextualized information about emerging or existing cyber threats that has been refined and analyzed to provide actionable advice, allowing organizations to make informed decisions to proactively defend against or mitigate cyber threats. CTI provides valuable knowledge, with context, about adversaries: their motivations, capabilities and goals, including the tools and methods they use to conduct cyber-attacks.
In a nutshell, Cyber Threat Intelligence (CTI) is information that has been collected, filtered, fully contextualized and analyzed to answer core questions about the cyber threats an organization can face, such as who is likely to attack which assets, where, when, how and why. Note that information by itself is not intelligence; information is the raw material from which intelligence is produced through extensive analysis. Producing intelligence involves a comprehensive process of collecting, processing, and analyzing data. The main difference between information and true intelligence is the analysis.
CYBER THREAT INTELLIGENCE (CTI) LIFECYCLE PROCESS:
The cyber threat intelligence cycle is an iterative and adaptable process by which raw data and information are identified, collected, and then developed into finished intelligence. The traditional intelligence cycle focuses on six distinct phases:
1. Planning and Direction.
2. Collection.
3. Processing.
4. Analysis.
5. Dissemination.
6. Feedback.
PLANNING AND DIRECTION:
Planning and Direction involves management of the entire cyber threat intelligence operation. This phase defines the purposes and objectives of the cyber threat intelligence program. In this phase, the CTI team identifies which issues need to be addressed to protect the organization and what information must be gathered to produce threat intelligence products that satisfy the organization’s requirements.
The Planning and Direction phase determines the exact requirements of the consumers (the organization) through Intelligence Requirements (IRs) or Priority Intelligence Requirements (PIRs) and ensures that those requirements are met so that the cyber threat intelligence product is delivered to the organization as needed. From these IRs and PIRs, the CTI team determines what data and information are required and how they should be collected.
The planning and direction phase establishes the questions that cyber threat intelligence is meant to answer. These questions are given to the CTI team as Intelligence Requirements (IRs) by the organization’s decision-makers or the head of the cybersecurity program, such as the CISO (Chief Information Security Officer). An Intelligence Requirement (IR) is a request stating what information the organization needs from the CTI team through the cyber threat intelligence operation.
For example, an Intelligence Requirement (IR) could be “Which types of adversaries are deploying attacks against our organization, and what are their motivations?” This question will drive further collection efforts and help guide the CTI analyst to the answers. Answering intelligence requirements requires data collection, analysis, reporting and feedback. In the planning and direction phase, the CTI analyst develops a collection management framework. This collection plan maps all sources of intelligence collection (both internal and external) to ensure they can provide the data needed to answer the intelligence requirements.
THREE KEY FUNDAMENTALS OF PLANNING AND DIRECTION PHASE:
1. Intelligence Requirements.
Intelligence Requirements (IRs) are requests stating what information an organization needs from a CTI team through the cyber threat intelligence operation: requests for information about threats, risks, and opportunities to protect the organization. They are the objectives that the CTI analyst tries to accomplish through the cyber threat intelligence process. IRs reflect senior leadership (CISO) and board concerns about threats and risks to the organization’s environment, operations, revenue, bottom line, and reputation. IRs are generated from intelligence gaps and describe the information that an organization wants to collect. An intelligence gap is an unanswered question about a cyber threat or security issue. Requirements can be divided into three categories:
Intelligence Requirements (IRs)
Priority Intelligence Requirements (PIRs)
Specific Intelligence Requirements (SIRs)
Intelligence Requirements (IRs) are for the general threat environment.
Priority Intelligence Requirements (PIRs) are those that are most critical for the organization to have answered. PIRs are more detailed and operationally focused, and are aligned to the IRs.
Specific Intelligence Requirements (SIRs) are operational, tactical and technical, and focus on particular facts, entities, or activities.
Identifying the Intelligence Requirements for the organization means identifying the policy and security issues to which cyber threat intelligence is expected to contribute.
Intelligence Requirements (IRs) Examples:
Identify notable threats to the organization
Identify internal and external cyber threats targeting the organization
Identify cyber threats targeting related industries
Priority Intelligence Requirements (PIRs) Examples:
Identify threat actors targeting our organization’s critical assets or new technologies
Identify the threat actors’ motives
Identify the person, group, entity or asset in the organization that is being targeted
Specific Intelligence Requirements (SIRs) Examples:
Describe threat reconnaissance activity that occurred today
Identify changes observed in a specific threat actor’s tactics, techniques, and procedures (TTPs) today
Identify C&C server infrastructure a specific threat actor is using
2. Threat Modeling.
Threat modeling is a structured process to identify, assess, and address potential threats to and vulnerabilities of a system. It typically involves identifying the valuable assets an organization wants to protect, then identifying and prioritizing the vulnerabilities and attack vectors associated with those assets so that the most likely threats are addressed. Threat modeling is used to generate an abstraction of the system; profiles of potential adversaries, including their capabilities, goals, motivations, and methods; and a list of potential threats that may arise in the future. It helps define the valuable assets and the attacks they are likely to face. The purpose of threat modeling is to determine where the most effort should be applied to keep a system secure.
Three main elements of threat modeling:
After inventorying and categorizing the valuable assets that an adversary may be able to attack, the organization tries to find all vulnerabilities inherent in its systems that could lead to a compromise of their confidentiality, integrity, or availability. The organization then asks, “Who would want to exploit this vulnerability, and why?” This question leads the cyber threat intelligence team to a deliberate analysis of its potential adversaries, their motivations, and their capabilities.
3. Collection Management Framework.
A collection management framework (CMF) is a systematic process for identifying data sources and determining what information can be gathered from those sources to satisfy the Intelligence Requirements (IRs). The CMF validates whether a data source is feasible for collection by evaluating the relevance, reliability, accuracy, and completeness of its data as it relates to accumulating data and producing threat intelligence from it.
The collection management framework has two core aspects:
Collection Requirements Management (CRM)
Collection Operations Management (COM)
Collection Requirements Management (CRM) defines the data sets and sources required to collect the right information to answer the intelligence requirements (IRs). Collection Operations Management (COM) operationalizes collection resources and activities, develops and tracks the rationale for each data source used, and regularly checks for new data sources that could assist the collection effort.
The core questions driving a collection management framework are:
What data is obtained and from where?
What is available in the data?
How long is the data stored?
What types of questions can the data answer?
COLLECTION:
The collection phase of cyber threat intelligence involves collecting, from various sources, the data that will most likely satisfy the intelligence requirements. This phase is the execution of the collection plan determined during the planning and direction phase. Data can be collected from a large variety of internal and external sources. Internal data sources are typically the logs generated by organizational hardware and software about device usage; they may include indicators of compromise (IOCs), network event logs, firewall logs, router logs, IDS, records of past incident responses, vulnerability scans, etc.
External sources include threat data feeds, code repositories, malware analysis, the dark web, hacking forums, social media, paste sites, human intelligence, information sharing platforms, etc. After accumulating data from these sources, the cyber threat intelligence team processes that data to make it ready for analysis.
PROCESSING:
The processing phase of cyber threat intelligence converts the collected raw data into a format suitable for analysis. Collected data is not usable in the form in which it was collected, because it comes from different sources in a variety of formats such as XML, JSON, CSV, or even plain text. Hence, the raw data is processed and converted into a uniform format. Finally, the data is sorted, organized, filtered, and prepared for analysis.
Here are some of the most common ways to process data related to cyber threat intelligence:
Normalization (Normalizing collected data into uniform formats.)
Indexing (Making the data searchable.)
Translation (Translating data that may have been collected from foreign-language sources.)
Enrichment (Adding metadata and context to the data.)
Filtering (Filtering out false and redundant information.)
Prioritization (Ranking the data by priority.)
Visualization (Visualizing the sorted and organized data according to what analysts need.)
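The processing steps above, as an added example that is not part of the original article: three constructed feeds in JSON, CSV and plain text are normalized into one record shape, enriched with their source, filtered for malformed and internal addresses (common false positives in feeds), de-duplicated, and prioritized. The feed layouts and confidence values are assumptions for illustration.

```python
import csv
import io
import ipaddress
import json

# Constructed sample feeds in three formats (not real threat data; documentation IP ranges only).
JSON_FEED = '{"indicators": [{"ip": "203.0.113.10", "seen": "2024-03-01T10:00:00Z", "conf": 80}, {"ip": "10.0.0.5", "seen": "2024-03-01T11:00:00Z", "conf": 90}]}'
CSV_FEED = ("indicator,last_seen,confidence\n"
            "203.0.113.10,2024-03-02T09:30:00Z,60\n"
            "198.51.100.7,2024-02-20T08:00:00Z,40\n")
TEXT_FEED = "198.51.100.7\n192.0.2.44\nnot-an-ip\n"
FEEDS = [("vendor_json", "json", JSON_FEED), ("partner_csv", "csv", CSV_FEED), ("paste_text", "text", TEXT_FEED)]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize(source, fmt, raw):  # Normalization + enrichment: one feed -> uniform records tagged with source
    records = []
    if fmt == "json":
        for item in json.loads(raw)["indicators"]:
            records.append({"ip": item["ip"], "seen": item["seen"], "confidence": item["conf"]})
    elif fmt == "csv":
        for row in csv.DictReader(io.StringIO(raw)):
            records.append({"ip": row["indicator"], "seen": row["last_seen"], "confidence": int(row["confidence"])})
    else:  # plain text: one indicator per line, no timestamp, low default confidence (assumed)
        records = [{"ip": line.strip(), "seen": None, "confidence": 20} for line in raw.splitlines() if line.strip()]
    for r in records:
        r["sources"] = {source}  # keep provenance so analysts can judge reliability later
    return records


def is_plausible_indicator(value):  # Filtering: drop malformed entries and internal/unroutable addresses
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
                or any(ip in net for net in RFC1918))


def process(feeds):  # Merge all feeds: filter, de-duplicate, keep newest sighting and best confidence, prioritize
    merged = {}
    for source, fmt, raw in feeds:
        for r in normalize(source, fmt, raw):
            if not is_plausible_indicator(r["ip"]):
                continue
            cur = merged.setdefault(r["ip"], r)
            if cur is not r:  # redundant entry from another feed: merge instead of keeping a duplicate
                cur["sources"] |= r["sources"]
                cur["confidence"] = max(cur["confidence"], r["confidence"])
                if r["seen"] and (cur["seen"] is None or r["seen"] > cur["seen"]):
                    cur["seen"] = r["seen"]  # ISO-8601 UTC strings compare correctly as text
    # Prioritization: indicators corroborated by more sources first, then by confidence
    return sorted(merged.values(), key=lambda r: (len(r["sources"]), r["confidence"]), reverse=True)
```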
ANALYSIS:
The analysis phase of cyber threat intelligence is crucial. It involves integrating, interpreting, evaluating, and analyzing the processed data to transform it into finished intelligence. The goal of the analysis phase is to develop a finished cyber threat intelligence product that answers the intelligence requirements (IRs) outlined in the planning and direction phase.
In the analysis phase, the CTI analyst synthesizes disparate pieces of processed data and interprets them to identify patterns, uncover threats, determine their meaning, and enrich the data with contextual information. The data is also evaluated through various analytical techniques to assess its importance and implications. Tactical analysis answers the what/where/when/how questions about threats, attacks, vulnerabilities, etc. outlined in the intelligence requirements by analyzing technical telemetry such as network activity, malware samples, hash values, malicious domains, IPs, and logs. Operational analysis examines specific threats, campaigns, adversaries, and their capabilities (TTPs) to answer who is behind the threats, why, and how. Strategic analysis holistically assesses the threats, risks, emerging technologies, and geopolitics that may impact or provide opportunities for the organization now and in the future; it answers who is attacking and why.
Cognitive biases, perceptual biases, and reasoning errors can cause inaccurate evaluation; therefore Structured Analytic Techniques (SATs) are leveraged to reduce bias. Through integration, evaluation, and analysis, the CTI analyst produces the final intelligence products on time. Finished intelligence provides actionable advice on the Intelligence Requirements (IRs) questions: what is happening, why it is happening, what might occur next, adversaries’ TTPs (Tactics, Techniques, and Procedures), motivations, goals, etc.
The output of the analysis phase should enable action, whether that action is updating a threat profile, patching systems, or creating rules for threat detection. Actionable threat intelligence should be timely, accurate, contextual, and coherent. Collection and analysis often interact: the cyber threat intelligence analyst may realize that the collected data is not providing the required raw material and that different data needs to be collected for the appropriate analysis.
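Tactical analysis of internal telemetry against processed indicators, as an added example that is not part of the original article: constructed firewall log lines are matched against constructed indicator records (with the context attached during processing) to answer a what/where/when question of the kind an SIR would pose, and the affected hosts are ranked for response. The log format, the weighting, and the actor label are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed internal firewall log lines (not real telemetry); a key=value format is assumed.
FIREWALL_LOGS = """\
2024-03-03T08:01:12Z action=allow src=10.1.2.3 dst=203.0.113.10 dport=443
2024-03-03T08:05:40Z action=allow src=10.1.2.3 dst=192.0.2.200 dport=443
2024-03-03T09:17:05Z action=deny src=10.1.7.9 dst=198.51.100.7 dport=4444
2024-03-03T09:17:06Z action=allow src=10.1.7.9 dst=203.0.113.10 dport=8080
"""

# Processed indicators with the context attached during the processing phase (constructed values).
INDICATORS = {
    "203.0.113.10": {"confidence": 80, "context": "C2 server attributed to placeholder actor A"},
    "198.51.100.7": {"confidence": 40, "context": "mass scanner"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def correlate(log_text, indicators):
    """Tactical analysis: which internal hosts contacted known indicators, when, and was it blocked."""
    sightings = defaultdict(list)
    for ev in parse_log(log_text):
        hit = indicators.get(ev["dst"])
        if hit:
            sightings[ev["src"]].append({"ts": ev["ts"], "dst": ev["dst"], "action": ev["action"],
                                         "confidence": hit["confidence"], "context": hit["context"]})
    return dict(sightings)


def rank_hosts(sightings):
    """Prioritize hosts for response: allowed connections to high-confidence indicators weigh the most."""
    ranked = []
    for host, events in sightings.items():
        score = sum(e["confidence"] * (2 if e["action"] == "allow" else 1) for e in events)
        ranked.append((host, score, len(events)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)
```

A result that lists only blocked connections to low-confidence indicators is itself feedback to collection: either the indicator set or the telemetry is not the right raw material for the requirement.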
DISSEMINATION:
The dissemination phase of cyber threat intelligence involves distributing the finished intelligence products to the relevant consumers in a digestible format. It ensures the delivery of different intelligence reports for the strategic, operational and tactical levels. These wide-ranging consumers need to be able to understand the intelligence, digest its content, and understand what action needs to be taken. Dissemination enables organizations to operationalize intelligence work; it also determines how often intelligence reports should be distributed and in what format. Proper dissemination of actionable threat intelligence provides the most value and applicability to intelligence consumers.
FEEDBACK:
The feedback phase of cyber threat intelligence involves getting feedback on the finished intelligence from the intelligence consumers. The feedback determines whether the produced intelligence successfully answers the intelligence requirements. Depending on the feedback, the intelligence cycle may start again from the beginning until the intelligence satisfies the requirements; the cycle is complete once it does. If the intelligence process fails to answer the requirements, adjustments need to be made for future iterations of the intelligence distribution.