Wednesday, May 3, 2017

Cyber Threat Intelligence

Threat Intelligence, also known as Cyber Threat Intelligence, is organized, analysed and refined information about potential attacks, or a way to build a defence-in-depth strategy against the current attacks that threaten an organization as a whole. Threat intelligence is a critical component of modern cyber security. By integrating cyber threat intelligence into its security infrastructure, an organization can assess risk quickly, prioritize the alerts and threats that matter most, minimize its exposure to attack, and save time and money by making security operations more efficient. These days many companies provide threat intelligence as a service integrated with Security Information and Event Management (SIEM) platforms, which provide real-time analysis of the security alerts generated by network hardware and applications.

The use of threat intelligence and SIEM platforms helps organizations understand the risk posed by the most common and most severe threats, including internal threats and especially external ones such as zero-day exploits and advanced persistent threat (APT) attacks. In a military, business or security context, intelligence is any information that gives an organization decision support and possibly a strategic advantage. Threat intelligence is a component of security intelligence and, like security intelligence, includes both the information relevant to protecting an organization from external and internal threats and the processes, policies and tools designed to gather and analyse that information.

Threat intelligence is divided into four types according to the Centre for the Protection of National Infrastructure (CPNI): strategic threat intelligence, tactical threat intelligence, operational threat intelligence and technical threat intelligence.

Strategic Threat Intelligence consists of high-level information consumed by senior decision-makers. For example, a report indicating that a particular government is believed to have hacked into foreign companies that compete directly with firms in its own country is strategic intelligence: a board might consider it when weighing the benefits and risks of entering that market, and use it to allocate effort and budget to mitigate the expected attacks. Strategic threat intelligence is almost exclusively delivered in the form of reports, briefings or conversations.

Tactical Threat Intelligence often consists of tactics, techniques and procedures (TTPs): information about how threat actors are conducting attacks. It is gathered by defenders and incident response teams to ensure that their defences, alerting and investigation are prepared for current tactics. For example, the fact that attackers are using tools to obtain clear-text credentials and then replaying those credentials is tactical intelligence; it could prompt defenders to change policy, prevent interactive logins by administrators, and ensure that logon credentials cannot be captured in clear text. Tactical threat intelligence is usually gained by reading white papers or the technical press, communicating with peers in other organizations to learn what they are seeing attackers do, or purchasing a service from a provider of such intelligence.

Operational Threat Intelligence is information about specific impending attacks against the organization, and is initially consumed by higher-level security staff such as security managers or heads of incident response. Any organization would love to know which groups are going to attack it, when and how, but such intelligence is very rare. In the majority of cases only a government will have the access to attack groups and their infrastructure that is necessary to collect this type of intelligence. For nation-state threats it is simply not possible for a private entity to gain legal access to the relevant communication channels, so good operational threat intelligence will not be an option for many organizations.

There are cases, however, where operational intelligence may be available, such as when an organization is targeted by more public actors such as hacktivists. Organizations are advised to focus on these cases, where details of planned attacks can be found through open source intelligence or through providers with access to closed chat forums. Another form of operational threat intelligence that may be available is that derived from activity-based attacks, where specific activities or events in the real world result in attacks in the cyber domain. In such instances, future attacks can sometimes be predicted from certain events and event patterns. Linking attacks to real-world events is common practice in physical security but less commonly seen in cyber security.

Technical Threat Intelligence is information that normally consists of data gathered through technical means. An example would be a feed of internet protocol (IP) addresses suspected of being malicious or implicated as command and control servers. Technical threat intelligence often has a short lifespan, since attackers can easily change their IP addresses or modify their files so that the hashes change, so it needs to be gathered and applied automatically. Technical threat intelligence typically feeds the investigative or monitoring functions of a business, for example blocking attempted connections to suspect servers.
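As an added example of how a technical feed is applied (this is illustrative code written for this page, not a real feed or a vendor's tool), the script below loads a constructed CSV of suspected command and control addresses, drops indicators older than a chosen lifetime to reflect their short lifespan, and matches the remaining ones against constructed firewall log lines. The feed columns, log format and timestamps are all assumptions.

```python
"""
Apply a technical threat-intelligence feed (suspected C2 addresses) to
firewall log lines, expiring indicators older than a chosen lifetime.
Added example: the feed and the log lines are constructed, not real data.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed feed: indicator, first-seen timestamp, category, confidence.
# Real feeds (vendor CSV, STIX/TAXII) carry similar fields under other names.
FEED = """
203.0.113.45,2017-05-01T08:00:00,c2,high
198.51.100.7,2017-04-10T12:30:00,c2,medium
192.0.2.200,2017-05-02T22:15:00,scanner,low
"""

# Constructed firewall lines in an assumed "time src dst dport action" form.
LOGS = """
2017-05-03T09:01:12 10.0.0.15 203.0.113.45 443 ALLOW
2017-05-03T09:02:40 10.0.0.15 93.184.216.34 443 ALLOW
2017-05-03T09:05:03 10.0.0.22 198.51.100.7 8080 ALLOW
2017-05-03T09:07:19 10.0.0.31 192.0.2.200 22 DENY
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def load_feed(text):
    """Parse the CSV feed into {ip: (first_seen, category, confidence)}."""
    feed = {}
    for line in text.strip().splitlines():
        ip, seen, category, confidence = line.split(",")
        ipaddress.ip_address(ip)  # reject malformed indicators early
        feed[ip] = (datetime.fromisoformat(seen), category, confidence)
    return feed


def fresh_indicators(feed, now, max_age):
    """Keep only indicators first seen within max_age of now.

    Indicators age out because attackers rotate addresses; a stale feed
    produces false positives when the address is reassigned to someone else.
    """
    return {ip: v for ip, v in feed.items() if now - v[0] <= max_age}


def match_logs(log_text, indicators):
    """Return (time, src, dst, category, confidence) for every log line
    whose destination is a fresh indicator. DENY lines are kept too: a
    blocked attempt still tells you which internal host tried to reach C2."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, src, dst, _port, _action = m.groups()
        if dst in indicators:
            _, category, confidence = indicators[dst]
            hits.append((ts, src, dst, category, confidence))
    return hits


def run(max_age_days=14):
    """Match the constructed logs against the feed as of a fixed 'now'."""
    now = datetime(2017, 5, 3, 9, 0)  # constructed evaluation time
    feed = fresh_indicators(load_feed(FEED), now, timedelta(days=max_age_days))
    return match_logs(LOGS, feed)


if __name__ == "__main__":
    for ts, src, dst, category, confidence in run():
        print("IOC hit at %s: %s -> %s (%s, %s confidence)"
              % (ts, src, dst, category, confidence))
```

With the default 14-day lifetime the 198.51.100.7 indicator, first seen 23 days before the evaluation time, is dropped and only two of the four log lines match; raising the lifetime to 30 days brings it back. In production the lifetime, and whether DENY lines are reported, would be tuned per indicator category and confidence.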

Cyber threat intelligence is still a young topic, and more information and data on it will take time to accumulate. Targeted attacks, zero-day vulnerabilities and malware such as ransomware are the main concerns for organizations today, yet most organizations lack the resources and expertise needed to research and evaluate these threats independently. In most such cases threat intelligence services are used as an outsourced capability that gives organizations access to expertise and resources on advanced security topics which they could not otherwise afford.

Final Words

Cyber threat intelligence is a complex and still loosely defined term, covering a multifaceted approach to framing, thinking about and reacting to cyber adversarial activity. Many discussions emphasize the complexity of the cyber operational domain, the speed at which activity and operations take place (at the operational level a hacktivist group may plan to attack physical as well as cyber infrastructure in support of its objective), and the supposed inherent advantage of the attacker. Threat intelligence should be implemented at every level: strategic, operational, tactical and technical. Moreover, every emerging threat should be published and shared with the global security community, so that threat intelligence becomes globally available and knowledge of adversaries and their possible cyber-attacks is within everyone's reach.

The main motive behind any cyber-attack depends on the type of attack and the type of attacker. By looking at an attacker's first steps, the type of attack and the point at which the attacker is trying to infiltrate can be identified, and that information can immediately be put to use in determining whether the attacker will succeed or fail. Honeypots (decoy servers used to observe an attacker's methods) are usually deployed in such cases; they help in studying an attacker's patterns and also help to stop attacks. Besides honeypots, threat intelligence is another option for gathering intelligence about attacks in today's sophisticated cyber domain. Threat intelligence collects indicators and signatures from various online sources, builds knowledge of different attack patterns, checks the organization's internal and external network traffic against that knowledge, and then discards the malicious traffic or, in the case of zero-day attacks, raises an alarm to the administrators. Correlating different rule sets in a SIEM, and writing rules specifically to capture the attack pattern, also helps to reduce the threat to some extent.
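To make the last point concrete, here is an added example (written for this page, not taken from any SIEM product) of correlating two rule sets in the way a SIEM does. Rule 1 watches constructed logon events for repeated failures followed by a success for the same account on the same host, the credential-replay pattern mentioned under tactical intelligence; rule 2 watches constructed proxy events for connections to a blocklisted address taken from a technical feed. Either rule alone is noisy, so the correlation step raises a single high-severity alert only when both fire for the same host within a time window. Event field names, thresholds and windows are assumptions.

```python
"""
SIEM-style correlation over two constructed event streams: logon events and
proxy events. Rule 1: >= N failed logons then a success for one account.
Rule 2: outbound connection to a blocklisted destination. The correlation
escalates only when rule 2 fires on the same host shortly after rule 1.
Added example with constructed data; all field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BLOCKLIST = {"203.0.113.45"}  # constructed: a C2 address from a technical feed

# (time, host, user, outcome): constructed logon events
AUTH_EVENTS = [
    ("2017-05-03T08:00:05", "WS-017", "jdoe", "FAIL"),
    ("2017-05-03T08:00:09", "WS-017", "jdoe", "FAIL"),
    ("2017-05-03T08:00:14", "WS-017", "jdoe", "FAIL"),
    ("2017-05-03T08:00:20", "WS-017", "jdoe", "FAIL"),
    ("2017-05-03T08:00:27", "WS-017", "jdoe", "FAIL"),
    ("2017-05-03T08:00:31", "WS-017", "jdoe", "SUCCESS"),
    ("2017-05-03T08:10:00", "WS-042", "asmith", "SUCCESS"),
]

# (time, host, dst_ip): constructed proxy events
PROXY_EVENTS = [
    ("2017-05-03T08:12:44", "WS-017", "203.0.113.45"),
    ("2017-05-03T08:15:00", "WS-042", "93.184.216.34"),
    ("2017-05-03T09:30:00", "WS-042", "203.0.113.45"),
]


def ts(s):
    return datetime.fromisoformat(s)


def rule_failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 1: at least `threshold` failures for (host, user) followed by a
    success within `window` of the failures. Failures are cleared on any
    success so one burst produces one hit, not one per later logon."""
    failures = defaultdict(list)
    hits = []
    for t, host, user, outcome in sorted(events):  # ISO timestamps sort as text
        key = (host, user)
        if outcome == "FAIL":
            failures[key].append(ts(t))
            continue
        recent = [f for f in failures[key] if ts(t) - f <= window]
        if len(recent) >= threshold:
            hits.append({"rule": "failed_then_success", "time": ts(t),
                         "host": host, "user": user})
        failures[key].clear()
    return hits


def rule_blocklisted_destination(events):
    """Rule 2: any proxy event whose destination is on the blocklist."""
    return [{"rule": "blocklisted_dst", "time": ts(t), "host": host, "dst": dst}
            for t, host, dst in events if dst in BLOCKLIST]


def correlate(auth_hits, proxy_hits, window=timedelta(minutes=30)):
    """Join rule hits by host when rule 2 fires within `window` after rule 1."""
    alerts = []
    for a in auth_hits:
        for p in proxy_hits:
            gap = p["time"] - a["time"]
            if p["host"] == a["host"] and timedelta(0) <= gap <= window:
                alerts.append({"severity": "high", "host": a["host"],
                               "user": a["user"], "dst": p["dst"],
                               "logon": a["time"], "connection": p["time"]})
    return alerts


def run():
    """Evaluate both rules and the correlation over the constructed events."""
    auth_hits = rule_failed_then_success(AUTH_EVENTS)
    proxy_hits = rule_blocklisted_destination(PROXY_EVENTS)
    return auth_hits, proxy_hits, correlate(auth_hits, proxy_hits)


if __name__ == "__main__":
    auth_hits, proxy_hits, alerts = run()
    print("rule 1 hits: %d, rule 2 hits: %d" % (len(auth_hits), len(proxy_hits)))
    for alert in alerts:
        print("HIGH: %(host)s user %(user)s logged on after repeated failures "
              "at %(logon)s and reached %(dst)s at %(connection)s" % alert)
```

On the constructed data rule 2 fires twice (WS-017 and WS-042 both reach the blocklisted address) but only WS-017 also shows the failed-then-success logon pattern, so a single high-severity alert is produced; the WS-042 hit would be left to the lower-severity rule 2 alone. The same structure scales to more rule sets by adding further join keys (user, source address) and windows.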