While an adventure into the great unknown does sound extremely appealing, it does not necessarily trigger that same emotion in the cybersecurity industry, where ‘unknown’ most often equals ‘unsecured.’ This is where cyber threat intelligence comes in.
Threat intelligence is the knowledge that helps an organization prevent or mitigate future attacks by understanding who is going to attack you, their motive, capabilities, and how it could be carried out. It equips organizations with predictive capabilities to make informed decisions about their security.
If threat intelligence is new to you or if you are interested in pursuing a career in it, then here are a few things you should know.
Threat Intelligence Defined
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.” — Gartner
The Importance of Threat Intelligence
The objective of cyber threat intelligence is to keep organizations informed of future threats like advanced persistent threats and zero-day threats and take countermeasures against them. To do so, threat intelligence analysts gather data about emerging or existing threats from various sources. This data is then processed, analyzed, and refined to produce threat intelligence reports that can be used by security leaders to deploy security controls.
In this process, threat data is collected, processed, and analyzed to produce actionable intelligence in the form of reports and disseminated to respective stakeholders to make quick, informed, and data-backed security decisions. The defense based on actionable intelligence is proactive rather than just reactive.
4 Types of Threat Intelligence
There are four types of threat intelligence, and breaking it down into these subcategories helps clarify their different functions.
1. Strategic Threat Intelligence
This type of threat intelligence is commonly used by board and C-level stakeholders. It consists of high-level analysis for informed decision-making. This heavily focuses on determining targets of interest, the motive behind the attacks, and end goals of the attackers. This helps organizations keep their cyber defense strategies aligned with the attackers’ end goals.
2. Tactical Threat Intelligence
Intelligence about the tactics, techniques, and procedures (TTPs) of threat actors allows organizations to plan well and enhance their cyber defense capabilities. It focuses on determining how attackers achieve intrusion: the attack vectors used, the tools and technology platforms leveraged, the vulnerabilities exploited in the attack chain, the obfuscation techniques used, and so on.
3. Technical Threat Intelligence
This type is based heavily on indicators of compromise (IOCs), which include reported attributes such as IP addresses, phishing email content, malware samples, and fraudulent URLs. Technical threat intelligence is mainly used for malware research and threat detection.
4. Operational Threat Intelligence
Operational intelligence gives insight into the threat actors and campaign details behind current attacks. The context it provides for security events and incidents helps defenders hunt for previously undiscovered malicious activity, enabling faster and more thorough investigations.
8 Steps to Creating a Threat Intelligence Program
A well-defined threat intelligence program is iterative and becomes more advanced as time goes on. Here are eight steps to follow when creating an effective TI program.
Step 1: Cyber intelligence requirement and planning
A cyber intelligence program starts with understanding what intelligence is required, who is going to consume it, and in what format. Identifying the critical threats to the organization and assessing its current security posture brings more clarity to those requirements.
Step 2: Planning a threat intelligence program
This involves bringing together people, process, and technology to develop a plan within a defined budget, and creating metrics to keep stakeholders informed. It also requires management support to create policies and charter a project plan.
Step 3: Building a threat intelligence team
Skilled threat intelligence analysts must collect and analyze threat data to generate actionable intelligence for different stakeholders. Identifying skilled professionals is a bit tricky, but the certifications they hold are one way to identify and validate their skill set. Hence, it is important to have certified analysts on a threat intelligence team.
Step 4: Data collection
This involves collecting threat data from various internal and external sources, such as network logs, records of past incidents, data from technical sources, and the open and dark web. The intelligence analysts need clarity on the type of data they want to collect, the tools and methods to deploy, and the operational security required during collection. To ensure the collected data will produce actionable intelligence, the analyst validates the quality and reliability of each data source.
Step 5: Data processing
Once the data is collected, it needs to be structured and normalized into a format suitable for further analysis. Data processing includes decrypting, sorting, translating, and sampling the collected data. Since there are millions of logs and IOCs, data collection and processing can also be automated with machine learning solutions.
Step 6: Threat analysis
Processed data is analyzed to determine which components of the system need to be protected and which threats they should be protected from. At this stage, trends and patterns are identified with the help of data analysis tools and techniques. Threat modeling is also part of this process: it identifies potential threats, vulnerabilities, or the absence of safeguards in the system and prioritizes mitigations.
Step 7: Reporting and dissemination
The intelligence produced must be shared with the appropriate stakeholders in the form of reports that are easily understandable and actionable for that audience. It must also be shared in a timely manner so that future attacks can be anticipated and preventive measures taken. Cyber threat intelligence is actionable only if it is timely, provides context, is concise, and is understandable by the audience and stakeholders in charge of making decisions.
Step 8: Feedback
Upon receiving and consuming cyber intelligence, the stakeholders or the security team should provide feedback to help fine-tune the intelligence in the next cycle. Feedback helps analysts improve the program by clarifying what type of data to collect, how to enrich and process that data into information, how to improve the analysis of that information into actionable intelligence, and how to disseminate it to the appropriate stakeholders in time.
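Steps 4 to 7 above are easiest to see in code. The following is an added example, not code from the article or from EC-Council: it takes a constructed IOC feed (step 4), normalizes it into a canonical form (step 5, including refanging "hxxp" and "[.]" notation and discarding malformed or internal-only entries), matches it against constructed proxy and endpoint log lines (step 6), and produces the figures a short report would carry (step 7). The feed layout, the log field names (`dst`, `host`, `url`, `sha256`) and every value in it are assumptions made for this illustration.

```python
"""Added example (not from the article or EC-Council): a minimal pipeline for
steps 4 to 7, run on constructed sample data. Feed format, field names and all
values are assumptions made for the illustration."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Step 4, collection: a constructed CSV-style IOC feed. Real feeds mix types,
# casing, defanged notation ("hxxp", "[.]") and outright junk, as here.
RAW_FEED = """
# type,value,confidence,source
ip,203.0.113.45,90,constructed-feed-a
domain,Bad-Updates[.]example,80,constructed-feed-a
url,hxxp://login.example[.]net/verify?acct=1,85,constructed-feed-b
sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,95,constructed-feed-b
ip,10.0.0.5,20,constructed-feed-c
ip,not-an-ip,50,constructed-feed-c
"""

# Step 4, collection: constructed internal proxy and endpoint log lines.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z proxy src=192.168.1.20 dst=203.0.113.45 url=http://203.0.113.45/c2",
    "2024-05-01T10:05:40Z proxy src=192.168.1.31 dst=198.51.100.7 host=bad-updates.example url=http://bad-updates.example/patch.exe",
    "2024-05-01T10:07:02Z edr host=WS-0042 process=patch.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2024-05-01T10:09:15Z proxy src=192.168.1.20 dst=93.184.216.34 url=https://www.example.com/",
    "2024-05-01T10:11:58Z proxy src=192.168.1.50 dst=198.51.100.9 url=http://login.example.net/verify?acct=1",
]

# Internal address space that would only generate noise if treated as an IOC.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: int
    source: str


def refang(value: str) -> str:
    """Undo the defanging analysts use so the indicator is matchable again."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize(ioc_type: str, value: str):
    """Step 5, processing: canonical form per type, or None if the value is
    malformed or out of scope. Feed and log values share this canonical form,
    which is what makes the later comparison reliable."""
    v = refang(value)
    if ioc_type == "ip":
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            return None
        return None if any(ip in net for net in LOCAL_NETS) else str(ip)
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type == "url":
        # Scheme and host are case-insensitive; path and query are not.
        m = re.match(r"^(https?://)([^/]+)(.*)$", v, re.IGNORECASE)
        return (m.group(1) + m.group(2)).lower() + m.group(3) if m else None
    if ioc_type == "sha256":
        v = v.lower()
        return v if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def process_feed(raw: str) -> list:
    """Parse the raw feed, dropping comments, malformed rows and bad values."""
    indicators = []
    for line in raw.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        ioc_type, value, confidence, source = parts
        canonical = normalize(ioc_type.lower(), value)
        if canonical is not None:
            indicators.append(Indicator(ioc_type.lower(), canonical, int(confidence), source))
    return indicators


# Which log fields carry which indicator type (assumed log schema).
LOG_FIELDS = {"dst": "ip", "host": "domain", "url": "url", "sha256": "sha256"}
FIELD_RE = re.compile(r"\b(dst|host|url|sha256)=(\S+)")


def match_logs(indicators: list, logs: list) -> list:
    """Step 6, analysis: (log line, indicator) pairs where a normalized log
    value equals a normalized indicator of the same type."""
    lookup = {(i.ioc_type, i.value): i for i in indicators}
    hits = []
    for line in logs:
        for field, raw in FIELD_RE.findall(line):
            ioc_type = LOG_FIELDS[field]
            key = (ioc_type, normalize(ioc_type, raw))
            if key in lookup:
                hits.append((line, lookup[key]))
    return hits


def summarize(hits: list) -> dict:
    """Step 7, dissemination: the figures a short stakeholder report needs."""
    by_source = Counter(ind.source for _, ind in hits)
    top = max(hits, key=lambda h: h[1].confidence, default=None)
    return {"total_hits": len(hits), "by_source": dict(by_source),
            "highest_confidence_ioc": top[1].value if top else None}


if __name__ == "__main__":
    found = match_logs(process_feed(RAW_FEED), SAMPLE_LOGS)
    for line, ind in found:
        print(f"[{ind.confidence}] {ind.ioc_type} {ind.value} <- {line}")
    print(summarize(found))
```

Two of the six feed rows are discarded during processing (an unparseable address and an RFC 1918 address), which is the point of step 5: matching raw feed strings against raw log strings would have missed the mixed-case domain, the defanged URL and the upper-case hash, and would have produced false positives on internal addresses. The summary is deliberately small; it is the input to a report written for the audience, not the report itself.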
How to Become a Threat Intelligence Analyst?
The Certified Threat Intelligence Analyst (CTIA) program offered by EC-Council is a method-driven course that follows a holistic approach, covering concepts from planning the threat intelligence program to building reports for threat intelligence dissemination. CTIA is 40% hands-on, with report writing, and has a library of tools, platforms, and frameworks.
To learn more about EC-Council’s Threat Intelligence training and certification program, visit https://www.eccouncil.org/programs/certified-threat-intelligence-analyst-ctia/
Rahil Karedia is a global thought leader with more than 5 years of experience in the cybersecurity industry. He is currently leading Threat Intelligence & Security Advisory services at Network Intelligence (I) Pvt. Ltd., and serves on EC-Council’s Global Advisory Board for CTIA. He is closely engaged with Intelligence-Driven Threat Detection & Hunting, Incident Handling, Incident Response & Investigation, Cyber Risk Management, Threat Landscape Analysis & Prediction, Attack Surface Analysis, Threat Profiling, Cyber Intelligence, Cyberspace Operations, and Telecommunication & Internet Surveillance.