Cyber Threat Intelligence is an area that is not well known outside of the cybersecurity industry, but is quickly growing in both popularity and importance. Cyber attacks are becoming more potent and frequent, and skilled individuals are needed to make sense of these events and be able to deliver information in a form that enables action and pre-emption.
What is Cyber Threat Intelligence?
Cyber Threat Intelligence is the art, or science (depending on how you look at it) of collecting and analysing information, using context to turn said information into actionable intelligence which businesses can then use to make decisions around their security. This includes understanding prevalent threats, their impact and also preventing and pre-empting them.
Let’s start with a simple formula for intelligence: information + context = intelligence. The parts that make it up are (with examples):
- Information — Data, names, places
- Context — Dates, times, assets, infrastructure, locations, employees, behaviour, targets
- Intelligence — Combining information with context allows a threat intelligence analyst to piece together a narrative that directs, or guides a business to action.
Cyber security is becoming an increasingly hot topic, mainly due to the growing number of data breaches, cyber attacks and theft by organised criminal groups, nation state groups and hackers. These malicious entities innovate and develop new tools and techniques at a crazy rate and force cyber defenders to constantly keep up by trying to understand what they’re defending against. It is a CTI analyst’s job to monitor and understand the playing field, and to see who is attacking and what tools and methods they are using. In most cases, internally, Cyber Threat Intelligence teams work alongside the Security Operations Center (SOC), who monitor and protect the business on a daily basis.
Businesses are very quickly seeing the appeal of developing cyber threat intelligence units. Professionals who can give the organisation a heads up and tell them what malware can target their industry or their suppliers/vendors are highly valued, especially those who can then use this information not only to pre-empt attacks but also to help with incidents arising from cyber incursions.
This is, of course, a very high level overview, and a great deal of knowledge in other areas is very beneficial. Areas such as networking, penetration testing (also called pentesting) and wider information security all help in understanding the intricacies of cyber attacks in depth.
Big assets to an intelligence analyst are reading and research. It is an effective way of understanding the threat landscape and what the biggest threats are. Staying up to date on industry events, its key players and technical developments is vital.
Being an analyst in threat intelligence requires a knowledge base, analysis skills to correlate and link information, and probably the most under-valued skill: writing well. Most of the time the final deliverable is a written report of some kind, whether short or long. Even when conclusions need to be presented in more visual media, the ability to create a narrative, draw conclusions, make judgements and deliver them to the client is paramount.
Who is it for?
Cyber threat intelligence is based on fundamental intelligence practices which have been alive for centuries, dating back to the first attempts at espionage by rival clans and nations. The aim was to provide a target individual or group with information that could help to plan or conduct actions. In the past this was done with scouts, spies and secret documents. Even though these elements still exist today, a lot of the intelligence gathering is now done with computers and electronic assets.
The history of intelligence lies in the military. If an army or government had better intelligence than its rivals, for example knowledge of supply lines, positioning, number of troops, it would have the advantage (here’s where we would insert quotes from Sun Tzu, and if you don’t know who it is read The Art of War). Intelligence evolved on a global scale and soon governments made intelligence gathering a top priority, creating groups such as the CIA and the FSB who would report to their governments in order to achieve certain goals.
The very act of conducting intelligence analysis is an entire discipline in itself and existed before CTI came into being. The CIA has some great resources on intelligence which are worth reading if you’re interested. A big read for anyone heading into this line of work is Richard Heuer’s Psychology of Intelligence Analysis.
So, let’s answer the question ‘who is it for?’. Intelligence is split into three areas, each with its own objectives:
The first, tactical intelligence, is the domain of short term, quickly digestible intelligence that can supply an internal SOC and arm them with basic indicators they can use to monitor and hunt for threats internally and externally. These indicators go by the name Indicators of Compromise (IOCs), and there are a number of ways this information can be obtained. Methods include data feeds, security research and intelligence platforms.
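The information + context = intelligence formula from earlier, applied at the tactical level: raw indicators from a feed are only information until they are matched against the organisation’s own telemetry and joined to context about the affected asset. The following is an added example (not code from the original article or any real platform) that loads a constructed IOC feed in a hypothetical JSON shape, validates and normalises each indicator, matches it against constructed proxy log lines, and attaches asset context so the SOC gets a prioritised finding rather than a bare hit. The feed, asset records, log lines and the priority rule (confidence × asset criticality) are all assumptions made for illustration.

```python
"""Added example: raw IOC feed + log telemetry + asset context -> prioritised
tactical finding. Every feed entry, asset record and log line here is
constructed for illustration; the feed format is hypothetical."""
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed IOC feed (hypothetical JSON shape, not a real vendor format).
# The fourth entry is deliberately malformed to show that feed data is
# validated rather than trusted as-is.
IOC_FEED = json.dumps([
    {"type": "domain", "value": "Update-Check.Example-Bad.test.", "confidence": 90, "source": "feed-a"},
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 60, "source": "feed-b"},
    {"type": "sha256", "value": "A" * 64, "confidence": 75, "source": "research"},
    {"type": "ipv4", "value": "999.1.1.1", "confidence": 99, "source": "feed-b"},
])

# Constructed asset context: what the SOC knows about its own estate.
ASSETS = {
    "10.0.5.12": {"name": "fin-ws-07", "owner": "finance", "criticality": 3},
    "10.0.9.40": {"name": "dev-vm-22", "owner": "engineering", "criticality": 1},
}

# Constructed proxy log lines: "<time> <src ip> <dst host> <dst ip> <status>".
LOG_LINES = """2024-03-02T08:14:09Z 10.0.5.12 update-check.example-bad.test 198.51.100.7 200
2024-03-02T08:15:10Z 10.0.9.40 cdn.example.test 203.0.113.45 200
2024-03-02T08:16:11Z 10.0.5.12 intranet.example.test 10.0.0.2 200
this line is not a valid log record""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str        # normalised: lowercase, no trailing dot
    confidence: int
    source: str


def load_feed(raw_json):
    """Parse a feed and normalise each indicator; malformed entries are dropped."""
    indicators = []
    for entry in json.loads(raw_json):
        kind = entry.get("type")
        value = str(entry.get("value", "")).strip().lower()
        if kind == "domain":
            value = value.rstrip(".")
            if not re.fullmatch(r"[a-z0-9.-]+", value):
                continue
        elif kind == "ipv4":
            try:
                ipaddress.IPv4Address(value)   # rejects e.g. 999.1.1.1
            except ValueError:
                continue
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                continue
        else:
            continue   # unknown indicator type
        indicators.append(Indicator(kind, value, int(entry.get("confidence", 0)),
                                    str(entry.get("source", "unknown"))))
    return indicators


def match_logs(indicators, lines, assets):
    """Match normalised indicators against log lines and enrich hits with asset context.

    Returns findings sorted by priority = feed confidence * asset criticality."""
    by_key = {(i.kind, i.value): i for i in indicators}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip records that do not parse instead of failing the run
        ts, src, host, dst, _status = m.groups()
        hit = (by_key.get(("domain", host.lower().rstrip(".")))
               or by_key.get(("ipv4", dst)))
        if hit is None:
            continue
        # Context: an unknown source address still produces a finding, at base criticality.
        asset = assets.get(src, {"name": src, "owner": "unknown", "criticality": 1})
        findings.append({
            "time": ts, "asset": asset["name"], "owner": asset["owner"],
            "indicator": hit.value, "type": hit.kind, "source": hit.source,
            "priority": hit.confidence * asset["criticality"],
        })
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in match_logs(load_feed(IOC_FEED), LOG_LINES, ASSETS):
        print(finding)
```

The point of the enrichment step is that the same indicator hit means something different on a finance workstation than on a throwaway dev VM; without that context the SOC is handed a list of matches, not intelligence it can prioritise.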
The second, operational intelligence, is the domain of observing adversaries and understanding how cyber criminals and groups operate. Using this more detailed level of information, an Intelligence Analyst applies human analysis (most often augmented by technology) to create context from data and tactical intelligence, and feeds this into a number of different teams that can benefit from it:
- Vulnerability Management
- Incident Response
- Threat Monitoring
Explaining who is behind attacks, why they do it and how they do it is vital to defending against cyber attacks.
The third, strategic intelligence, is reserved for the upper echelons of management and the decision makers within the organization. Strategic intelligence is wider in its breadth and requires an intimate understanding of how cybersecurity risk ties into wider global business and geopolitical risk, in order to paint a picture of events for senior leaders. Strategic intelligence is usually the last to be implemented within an intelligence function, as it requires more resources, experience and time from experts and Subject Matter Experts (SMEs). This can then be condensed into a digestible form for those in the organization with little time to read lengthy reports: those who need visuals, graphs, charts, descriptions and explanations.
Key Point: Being able to explain the scale of cyber threat intelligence and who you would be potentially providing intelligence to is a great way to show you understand the role of intelligence within a business environment.
I hope this gives a general overview of what cyber threat intelligence is and how it fits into business and cybersecurity operations. Make sure to follow me on this platform to stay updated with more such informative articles on Cyber Security - Zeus