
What is threat intelligence and why is it important?
As per Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard”; or, simply put, threat intelligence means “knowledge of a threat that you can use to defend yourself”. From the definition it is clear that threat intelligence is a vital part of a defense strategy and increases the chance of winning a war.
What is Cyber Threat Intelligence?
As per CrowdStrike, cyber threat intelligence refers to
“Data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.”
Pitfalls with the current CTI approach:
There are two high-level types of security operations center in InfoSec teams: those that generate threat intelligence and those that consume it. The first type generally sells intelligence to the second. A small percentage of InfoSec teams do both. The key gaps in the way these processes function fall into two broad parts.
- The CTI generator team, which produces intelligence to sell to consumers, lacks the organizational context.
- The CTI consumer group has the organizational context but looks for intel that applies to its industry or geography, not to the organization itself.
Because of these two fundamental gaps in the CTI process, the effectiveness of CTI is reduced many-fold.
The key to success is generally held by the third type of team, which both generates and consumes threat intelligence; however, due to the traditional thought process of focusing on geography and industry, that team also fails to take full advantage of the context available to it.
Hence it is concluded that to take full advantage of CTI one must focus on the organizational context. The thought process of a CTI team should be
“while it is good to know what is happening in the industry and geography, it is non-negotiable for a Security Operations Center to know what is happening to their organization”
as this provides the most important knowledge that can be used to defend the organization on a daily basis.
How is CTI generation different from daily SOC monitoring or threat hunting?
While both SOC monitoring and threat hunting could lead to intelligence gathering, the way these activities are performed in most organizations does not contribute to it. With the necessary process and mindset changes, however, both functions can contribute to the generation of high-fidelity intelligence that can truly protect the organization from ongoing attacks and produce operational and tactical intelligence, to say the least.
Types of tactical threat intelligence and their differences:
There are two broad categories of tactical threat intelligence.
Indicator of Compromise (IoC)
These indicators are used to detect infected systems within a network. While they are good for quickly detecting threat actors already inside the network, they provide little prevention value, as they are seen only once the threat actor has succeeded in their mission.
Indicator of Attack (IoA)
These indicators are more proactive in nature and help detect a threat actor’s activity much earlier in the attack kill chain. They give blue team members the opportunity to trace the full attack lifecycle and plan defenses at each stage of the attack, resulting in a defense-in-depth strategy.
Sources for Intelligence gathering:
Fundamentally, every packet that is dropped and every file that is quarantined by any of the control devices could contribute to threat intelligence gathering. Thus, the following activities lead to the generation of high-fidelity intelligence.
Gathering IoC:
Controls and processes that help detect a successful compromise are good sources for gathering Indicators of Compromise. Some examples:
- Endpoint Detection and Response (EDR)
- Incident response report
- DNS logs
Gathering IoA:
Preventive devices deployed across the network are best suited to provide this type of intelligence.
- Firewall/IPS/WAF device events.
- Honeypots
- Application logs such as Web/SSH.
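The two gathering sections above can be turned into detection logic. The following Python script is an added example, not code from the original article: it reads constructed WAF, SSH and DNS log samples, derives IoA from repeated blocks and failed logins on preventive controls, and derives IoC from internal hosts that resolved a domain already known to be bad. The log formats, the threshold of three denied events, and the known-bad domain list are all assumptions made for the example.

```python
"""Added example (not from the original article): extract tactical
indicators from constructed log samples.

- IoA: sources repeatedly blocked by a WAF/IPS or failing SSH logins
  (preventive-control events, seen before a compromise succeeds).
- IoC: internal hosts resolving domains already known to be malicious
  (DNS logs, a post-compromise signal).

All log lines, thresholds and the known-bad domain list are constructed
for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events from preventive controls (IoA sources).
WAF_LOG = """\
2024-05-01T10:00:01Z waf action=BLOCK src=203.0.113.7 uri=/login rule=SQLi
2024-05-01T10:00:03Z waf action=BLOCK src=203.0.113.7 uri=/login rule=SQLi
2024-05-01T10:00:05Z waf action=BLOCK src=203.0.113.7 uri=/admin rule=PathTraversal
2024-05-01T10:01:00Z waf action=ALLOW src=198.51.100.2 uri=/home rule=-
"""

SSH_LOG = """\
May  1 10:02:11 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2
May  1 10:02:13 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51523 ssh2
May  1 10:02:15 bastion sshd[2211]: Failed password for admin from 203.0.113.7 port 51524 ssh2
May  1 10:05:00 bastion sshd[2250]: Accepted publickey for ops from 198.51.100.2 port 40000 ssh2
"""

# Constructed DNS log (IoC source) and a constructed list of bad domains.
DNS_LOG = """\
2024-05-01T10:10:00Z client=10.0.0.15 query=updates.example.com type=A
2024-05-01T10:10:02Z client=10.0.0.23 query=c2.bad-domain.example type=A
2024-05-01T10:10:04Z client=10.0.0.23 query=c2.bad-domain.example type=A
"""
KNOWN_BAD_DOMAINS = {"c2.bad-domain.example"}

WAF_RE = re.compile(r"action=BLOCK src=(?P<src>\S+) .*rule=(?P<rule>\S+)")
SSH_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<q>\S+)")


def gather_ioa(waf_log: str, ssh_log: str, threshold: int = 3) -> dict:
    """Return source IPs denied at least `threshold` times across the
    preventive controls, with the evidence (rules hit, usernames tried)
    that a SOC would attach to the indicator."""
    denials = Counter()
    evidence = defaultdict(set)
    for line in waf_log.splitlines():
        m = WAF_RE.search(line)
        if m:
            denials[m["src"]] += 1
            evidence[m["src"]].add(f"waf:{m['rule']}")
    for line in ssh_log.splitlines():
        m = SSH_RE.search(line)
        if m:
            denials[m["src"]] += 1
            evidence[m["src"]].add(f"ssh-fail:{m['user']}")
    return {
        src: {"count": n, "evidence": sorted(evidence[src])}
        for src, n in denials.items() if n >= threshold
    }


def gather_ioc(dns_log: str, bad_domains: set) -> dict:
    """Return internal clients that resolved a known-bad domain; these
    hosts are candidates for containment, not just for blocking."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m["q"].lower().rstrip(".") in bad_domains:
            hits[m["client"]].add(m["q"])
    return {client: sorted(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    print("IoA:", gather_ioa(WAF_LOG, SSH_LOG))
    print("IoC:", gather_ioc(DNS_LOG, KNOWN_BAD_DOMAINS))
```

The split mirrors the article's distinction: the IoA output names an external source that is still being stopped by preventive controls and can be blocked everywhere else, while the IoC output names an internal host that already talked to bad infrastructure and needs response, not just prevention.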
Tips for smaller organizations
Generally, CTI is considered a niche and resource-intensive activity. However, with the right thought leadership and purpose-built processes, CTI goals can be achieved by other teams within the organization, provided there is some level of interest among junior members of the IT organization in learning and enhancing InfoSec skills. Some examples:
- Server/application admins with the right guidance and SOPs can help flag application discrepancies, which can lead to gathering of IoA.
- Network admins, with constant knowledge transfer from the InfoSec team, can help gather IoA.
- With the right tools, such as a malware analysis sandbox, even a service desk agent can help gather various IoC.
Once the various indicators are gathered, they must be operationalized like any other threat intelligence feed, but this information should carry a higher confidence rating than any paid or free feed the organization may have subscribed to.
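The operationalization step above, as an added Python example that is not part of the original article: internally gathered indicators are merged with external feed entries into one deduplicated list, where an indicator seen by the organization's own controls keeps a higher confidence than the same value from a paid or open feed, and every entry expires according to its source. The confidence values, TTLs, source names and sample indicators are assumptions constructed for the example.

```python
"""Added example (not from the original article): merge internally
gathered indicators with external feeds into one operational list,
giving internal observations a higher confidence than any subscribed
feed. Source names, confidence values, TTLs and sample indicators are
constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed confidence assumptions: internal sightings outrank feeds.
SOURCE_CONFIDENCE = {
    "internal-waf": 90,
    "internal-dns": 95,
    "paid-feed": 70,
    "open-feed": 40,
}
# Constructed ageing policy: days after which an indicator is retired.
SOURCE_TTL_DAYS = {
    "internal-waf": 30,
    "internal-dns": 60,
    "paid-feed": 14,
    "open-feed": 7,
}


@dataclass
class Indicator:
    value: str                  # IP, domain or file hash
    kind: str                   # "ioa" or "ioc"
    source: str                 # key into the tables above
    last_seen: datetime
    confidence: int = 0
    sources: set = field(default_factory=set)


def merge_indicators(raw: list, now: datetime) -> dict:
    """Deduplicate by value, keep the highest confidence seen, union the
    contributing sources, and drop anything past its source's TTL."""
    merged = {}
    for ind in raw:
        if now - ind.last_seen > timedelta(days=SOURCE_TTL_DAYS[ind.source]):
            continue  # stale: retire rather than keep enforcing it
        conf = SOURCE_CONFIDENCE[ind.source]
        if ind.value in merged:
            cur = merged[ind.value]
            cur.confidence = max(cur.confidence, conf)
            cur.sources.add(ind.source)
            cur.last_seen = max(cur.last_seen, ind.last_seen)
        else:
            merged[ind.value] = Indicator(
                ind.value, ind.kind, ind.source, ind.last_seen, conf, {ind.source}
            )
    return merged


def blocklist(merged: dict, min_confidence: int = 80) -> list:
    """Values confident enough to enforce automatically; anything below
    the bar stays in alerting-only use."""
    return sorted(v for v, i in merged.items() if i.confidence >= min_confidence)


# Constructed sample: one IP seen both by our WAF and by an open feed,
# one domain from our DNS logs, one paid-feed entry, one stale entry.
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("203.0.113.7", "ioa", "internal-waf", NOW - timedelta(days=1)),
    Indicator("203.0.113.7", "ioa", "open-feed", NOW - timedelta(days=2)),
    Indicator("c2.bad-domain.example", "ioc", "internal-dns", NOW - timedelta(days=3)),
    Indicator("198.51.100.99", "ioc", "paid-feed", NOW - timedelta(days=5)),
    Indicator("stale.example", "ioc", "open-feed", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    merged = merge_indicators(SAMPLE, NOW)
    for value, ind in merged.items():
        print(value, ind.kind, ind.confidence, sorted(ind.sources))
    print("enforce:", blocklist(merged))
```

Keeping the confidence and TTL tables per source is what lets the organization's own observations outrank a subscribed feed without discarding the feed: the open-feed sighting of the same IP is kept as corroborating provenance, but it is the internal WAF sighting that lifts the value over the enforcement threshold.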