Cyber Threat Intelligence: Learning How to Manage Security Strategically

The threat intelligence market is transforming due to the surge in cyberattacks driven by remote and hybrid work setups and the growth of cloud computing. 

In 2023, the cyber threat intelligence (CTI) market was valued at $11.6 billion, projected to exceed $21 billion by 2027. 

CTI equips organizations with contextual and actionable insights for informed responses to evolving threats. 

By 2033, the United States is expected to lead the CTI market, with an estimated value of nearly $10 billion, constituting one-fifth of the global CTI market.

Let’s have a detailed discussion about threat intelligence and its execution.

Understanding Threat Intelligence

Threat intelligence, also known as ‘cyber threat intelligence,’ is a piece of information that offers comprehensive insights into cybersecurity threats directed at an organization. 

This valuable resource empowers security teams to adopt a proactive stance, enabling them to execute well-informed actions to prevent cyber attacks before they transpire. 

Group-IB’s Threat Intelligence automatically detects new #hacktivist activity, and we’ve seen that threat actor groups are entering the fray and launching attacks on government websites and IT systems amid the escalation in the Israeli-Palestinian conflict. Rest assured, we will… pic.twitter.com/uZeqAOKjoo

— Group-IB Threat Intelligence (@GroupIB_TI) October 8, 2023

Moreover, it equips organizations to enhance their capabilities for detecting and responding to ongoing attacks.

How does an Analyst see?

Security analysts curate threat intelligence by combining raw data and security-related information from diverse sources. 

They engage in data correlation and analysis, aiming to unearth trends, patterns, and relationships that yield profound comprehension of actual or potential threats. 

Three critical resultant threat intelligence are:

1. Organizational

This type of intelligence is tailored to the vulnerabilities within the organization’s attack surface, the attacks these vulnerabilities enable, and the assets they expose. 

Rather than focusing on generalities like lists of commonly encountered malware strains, it focuses on the organization’s unique threat landscape.

2. Detailed and Contextual

It goes into the threats that target the company and provides a comprehensive understanding of the threat actors potentially orchestrating these attacks. 

This includes an analysis of the tactics, techniques, and procedures (TTPs) employed by these threat actors and the indicators of compromise (IoCs) that might signify a specific cyber attack.

3. Actionable

The intelligence offers information that information security teams can directly leverage to address vulnerabilities, prioritize and remediate threats, and assess the efficacy of their current or prospective cybersecurity tools.

6 Basic Steps to Becoming Threat Intelligent

The threat intelligence lifecycle is an ongoing process through which security teams generate, disseminate, and refine their threat intelligence. 

While specific details may vary among organizations, most adhere to a common six-step framework.

Step 1: Planning

In the initial phase, security analysts collaborate with key organizational stakeholders, including executive leaders, department heads, and IT and security team members, to establish intelligence requirements. 

These requirements typically revolve around questions related to cybersecurity that stakeholders seek answers to. 

Step 2: Gathering Threat Data

In this phase, the security team collects raw threat data that can potentially address the stakeholders’ inquiries. 

To illustrate, in investigating a novel ransomware strain, the team may amass data concerning the ransomware gang responsible for the attacks, their historical targets, and the methods they’ve employed to infect previous victims.

We've just published a new report on a Widespread Credential Harvesting Campaign.

Moving forward, all our CTI updates will come from our main account @bridewellsec, so give us a follow to keep up with our latest updates. #ransomware #threatintelligence https://t.co/PBLAofS9Px

— BridewellCTI (@BridewellCTI) October 12, 2023

This threat data can originate from various sources, including:

• Threat intelligence feeds, which provide real-time threat information
• Information-sharing communities encompass forums, professional associations, and platforms where analysts exchange first-hand experiences, insights, and their threat data.
• Internal security logs, derived from security and compliance systems like SIEM, SOAR, EDR, XDR, and attack surface management (ASM) systems, record the organization’s past threats and cyberattacks.

This diverse information is typically consolidated in a central dashboard, such as an SIEM or a threat intelligence platform, to facilitate easier management.

Step 3: Data Processing

During this stage, security analysts aggregate, standardize, and correlate the raw data they’ve collected, streamlining it for analysis. 

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.

— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023

This may involve filtering out false positives or applying a threat intelligence framework, like MITRE ATT&CK, to enhance the understanding of data related to previous security incidents.

Many threat intelligence tools employ automation, leveraging artificial intelligence (AI) and machine learning to correlate information from multiple sources and initially identify trends or patterns within the data.

Step 4: Analysis

The analysis is the pivotal point at which raw threat data transforms into actionable intelligence. 

In this phase, security analysts rigorously examine and validate trends, patterns, and other insights that can address the security requirements of stakeholders and yield recommendations.

Step 5: Distribution

The security team communicates its findings and recommendations to the relevant stakeholders. 

Based on these recommendations, actions may be taken, such as implementing new SIEM detection rules to target newly identified indicators of compromise (IoCs) or updating firewall blacklists to block traffic from suspicious IP addresses. 

Many threat intelligence tools seamlessly integrate and share data with security solutions like SOARs or XDRs, automating the generation of alerts for active threats, assigning risk scores for threat prioritization, or triggering other response actions.

Step 6: Feedback

During this phase, stakeholders and analysts evaluate the most recent threat intelligence cycle to ascertain whether the established requirements were met. 

Any emerging questions or intelligence gaps discovered may inform the subsequent iteration of the threat intelligence lifecycle.

Why do you need Threat intelligence?

Identifying potential compromise indicators is pivotal for security personnel in detecting ongoing or past cyberattacks, and the application of artificial intelligence can significantly enhance this endeavor. 

Common indicators of compromise (IOCs) include the following:

• Anomalous Privileged User Account Activity: Attackers frequently attempt to elevate their account privileges or migrate from a compromised account to one with higher authorization levels.

• Unusual Login Patterns: After-hours logins, especially those targeting unauthorized files, rapid successive logins from diverse global IP addresses, and failed login attempts from non-existent user accounts, are noteworthy signs of suspicious activity.
• Unexplained Database Read Volume Surge: A substantial increase in database read requests may indicate illicit extraction of an unusually extensive dataset, such as a comprehensive collection of credit card numbers within a database.
• Irregular Domain Name System (DNS) Requests: Spikes in DNS requests originating from a specific host or suspicious patterns of DNS queries to external hosts raise concerns, as they might signify external parties establishing command and control communication.
• High Volumes of Requests for a Singular File: Cybercriminals frequently use repeated attacks, signaling potential vulnerability probing. For instance, observing 500 requests for the same file could suggest an ongoing exploration of security weaknesses.

• Unexplained Alterations in Configuration or System Files: While detecting a credit card harvesting tool can be challenging, it is relatively easier to spot changes in system files resulting from the installation of such devices.

Effectively identifying these IOCs necessitates combining human expertise and advanced AI-driven tools. 

Such a synergistic approach empowers security teams to respond swiftly and mitigate potential security breaches, ultimately enhancing the overall cyber threat posture.

Threat Intelligence Tools

Various threat intelligence tools are readily available, catering to different aspects of threat intelligence gathering:

• Malware Analysis Tools: These applications find the intricacies of malware by reverse-engineering it. This process aids security professionals in comprehending the malware’s functionality, enabling them to devise defenses against similar future attacks.
• Security Information and Event Management (SIEM) Solutions: SIEM tools empower security teams to conduct real-time network monitoring, thereby collecting vital data on anomalous activities and suspicious network traffic.

• Network Traffic Analysis Software: These tools access network-related data and record network behaviors, simplifying the task of identifying potential intrusions.
• Threat Intelligence Communities and Resource Repositories: Accessible online platforms that aggregate known compromise indicators and community-generated threat data prove invaluable for threat intelligence. Some of these communities facilitate collaborative research and provide actionable guidance on thwarting or mitigating potential threats.
• Entities Well-Versed in Emerging Threats: Organizations equipped with knowledge about emerging threats and strategies to evade them can proactively take measures to prevent potential attacks. Gathering and analyzing threat intelligence should be an integral component of the overall cybersecurity strategy for any enterprise.

Types of Threat Intelligence

Cyber Threat Intelligence is generally divided into the categories mentioned below:

Strategic Threat Intelligence

It is primarily intended for non-technical stakeholders like corporate boards or organizational leadership, offering a high-level analysis. 

Its focus extends beyond technical jargon, encompassing broader business implications. This form of intelligence typically relies on open sources, readily accessible to anyone. 

These sources may include media reports, white papers, and research findings.

Tactical Threat Intelligence

Tactical threat intelligence zeroes in soon, tailored for a more technically adept audience. 

It serves as a guide to identifying straightforward Indicators of Compromise (IOCs), enabling IT teams to detect and eliminate specific network threats proactively. 

IOCs comprise suspect IP addresses, well-known malicious domain names, unusual traffic patterns, red flags in login activities, or an uptick in file and download requests. 

Tactical intelligence represents the most streamlined category and is often automated. Nevertheless, it can have a relatively brief lifespan due to the rapid obsolescence of many IOCs.

Operational Threat Intelligence

Every cyberattack has a ‘who,’ ‘why,’ and ‘how.’ Operational threat intelligence takes on the task of exposing these critical questions by scrutinizing past cyber incidents. 

It strives to conclude the intent, timing, and level of sophistication involved. Operational threat intelligence demands more extensive resources than its tactical counterpart and has more enduring relevance. 

Cyber adversaries encounter more significant challenges in altering their tactics, techniques, and procedures (abbreviated as TTPs) than in adjusting their tools, such as specific malware strains.

How Do You Get Threat Intelligence?

There are three main categories:

Open-source Cyber Threat Intelligence (CTI)

Resources such as MITRE Attack/Defend, AlienVault OTX, and Talos threat reports are the foundation of the CTI program. 

These open CTI repositories, often likened to the tip of the iceberg, provide a wealth of knowledge that is more than adequate for initiating a CTI initiative. 

As a CTI program matures and the quest for current, pertinent intelligence intensifies, one seamlessly transitions to the next category.

Commercially Sourced Cyber Threat Intelligence

This tier encompasses offerings like those from FireEye and CrowdStrike, providing multiple daily intel updates for thorough review. 

Among these daily updates, one or two actionable insights may emerge, while the remainder offers valuable contextual information. This category closely parallels Open-source CTI with two pivotal distinctions. 

First, the timeliness factor is striking; information is typically reported within 24 hours of discovery, with a few days representing the outer limit, starkly contrasting to Open CTI, which can take weeks, months, or even years to surface publicly. 

Second, Commercial CTI sources deliver consistent, high-quality reporting structures, often supplemented with scriptable and parseable indicators of compromise (IOCs), log data, YARA rules, and more.

Private Cyber Threat Intelligence

Private CTI consists of intelligence shared exclusively among seasoned professionals at a TLP (Traffic Light Protocol) Red classification level. 

While these sources do not constitute the majority of a CTI program (the majority comprises Paid For CTI), they offer exceedingly high-quality, actionable information. 

These exclusive channels typically manifest through private communication platforms like Slack and Discord or casual conversations over beverages or phone conversations. 

Access to these privileged channels expands organically as one network within the industry engages in knowledge-sharing, delivers presentations, and builds professional relationships.

Your Threat Detection Program, Your Defense!

The efficacy of threat intelligence programs cannot be overstated; their impact on an organization’s security posture is undeniable. 

Successful threat intelligence programs begin with a keen awareness of the organization’s unique context. 

This contextual understanding ensures that threat alerts are accurate and actionable, designed for the industry, technology stack, and geographic locations involved.

Data quality and integration are the essentials of a strong program. High-quality threat intelligence feeds, encompassing malware, vulnerabilities, and indicators of compromise, are integrated into the existing security infrastructure. 

This not only minimizes the risk but also optimizes the detection process. Real-time data analysis and correlation are vital for early threat detection. 

Effective programs swiftly identify patterns and correlations in large datasets, enabling proactive threat mitigation. 

Human expertise remains indispensable in this process, as skilled analysts interpret and act upon the data, transforming it into actionable intelligence.

Successful threat intelligence involves continuous learning and adjustment concerning cybersecurity, ensuring organizations remain one step ahead of potential threats.