Cyber Threat Intelligence (CTI) can be defined as evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them[^1].

  • Data
    • Indicators associated with adversaries.
  • Information
    • Combination of multiple data points.
  • Intelligence
    • Contextual analysis of data and information.

The main goal of CTI is to understand the goals of an adversary and how to protect your environment against them.

Threat Intelligence Classifications

  • Strategic Intelligence:
    • High-level intelligence that looks into the organization’s threat landscape and maps out the risk areas based on trends, patterns, and emerging threats that may impact business decisions.
  • Technical Intelligence:
    • Evidence and artifacts of attacks used by an adversary. Incident response teams can use this intelligence to create a baseline attack surface for analysis and develop defense mechanisms.
  • Tactical Intelligence:
    • Adversaries’ tactics, techniques, and procedures (TTPs).
    • Can strengthen security controls and address vulnerabilities through real-time investigations.
  • Operational Intelligence:
    • Looks into an adversary’s specific motives and intent to perform an attack.
    • Use this intelligence to understand the critical assets available in the organization (people, processes, and technologies) that may be targeted.

Cyber Threat Intelligence Lifecycle

  1. Direction and Planning
    • Identify information assets and business processes that require defending.
    • Assess potential impact on losing the assets or through process interruptions.
    • Determine sources of data and intelligence to be used towards protection.
    • Identify tools and resources required to defend the assets.
  2. Collection
    • Security analysts gather the required data.
  3. Processing
    • Make the collected data usable.
  4. Analysis
    • Analyze the data to derive actionable intelligence.
  5. Dissemination
    • Bring the correlated data to the stakeholders.
  6. Feedback
    • Improve CTI through feedback.

Frameworks

  • MITRE ATT&CK:
    • A globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • TAXII (Trusted Automated eXchange of Indicator Information):
    • A protocol for exchanging cyber threat intelligence in a structured and automated manner.
  • STIX (Structured Threat Information Expression):
    • A standardized language for representing structured cyber threat information.
  • The Cyber Kill Chain:
    • A framework that describes the stages of a cyber attack, from reconnaissance to achieving objectives.
  • The Diamond Model of Intrusion Analysis:
    • A framework that provides a structured approach to analyze cyber intrusions by considering the adversary, victim, infrastructure, and event meta-features.

References

tryhackme: Cyber Threat Intel Understanding the Cyber Threat Intelligence Cycle

You may also enjoy