What is Cyber Threat Intelligence (CTI)?
There are many definitions of threat intelligence out there. Each vendor has their own ideas about what makes threat intel “threat intel”.
Praetorian defines threat intelligence as actionable evidence-based knowledge used to defend against threats.
Threat intelligence can take many forms; often, it includes Indicators of Compromise (IOCs), actions, tools, and context. Intelligence feeds, Open Source Intelligence (OSINT) output and CTI services are all examples.
The first key aspect of threat intelligence is that it is evidence-based. Tying every conclusion back to evidence is what makes it accurate, and accuracy is what makes it actionable: you will base decisions on it, so it has to be right. As with any analysis, bad data in means bad results out, and good data in means good results out. Anchoring threat intelligence to observable data is how you keep bad data out of your decisions.
Information vs Intelligence
The other key aspect of threat intelligence is knowledge. This means not data, not observations, and not raw information. Your threat intelligence should be refined, processed, analyzed, groomed, and maintained. Again, bad data in = bad results out. Without refining and processing your information, you may make judgments and decisions based on potentially unrelated, outdated, and/or incorrect data.
Types of Threat Intelligence & Their Uses
There are three types of threat intelligence: Tactical, Operational, and Strategic. Each type has its own uses, target audience, and examples.
The first type of threat intelligence we cover is tactical. Tactical threat intelligence is focused on tactical uses: short-term questions for “hands-on-keyboard” personnel. Security Operations Center (SOC) analysts, incident responders, threat hunters, and even your detection systems will find the most value in tactical intelligence, because the main goal of tactical threat intelligence is to help the organization mitigate active, imminent, and realized threats.
Often, tactical threat intelligence is focused on Tactics, Techniques, and Procedures (TTPs) and the IOCs generated by them. Things such as IP addresses, hashes, domains, reputation, ownership information, and related indicators are all examples of tactical threat intelligence.
Tactical threat intelligence is useful for answering questions like “Are we susceptible to this vulnerability?”, “Is this domain malicious?” or “Has our environment been scanned by a malicious actor?” Additionally, tactical threat intelligence can be used to enrich detection systems. Praetorian recommends using IOCs from your detection systems to perform automated analysis and enrich events in other detection systems.
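The following is an added example, not code from the original post or from Praetorian, of the enrichment described above: a small index of tactical indicators is matched against raw detection events, and each hit is tagged with the source and context that came with the indicator. The indicators, the log lines and the feed names are constructed for the example (RFC 5737 test addresses, reserved example domains, and the SHA-256 of the string "test"); the event format is a generic key=value line, not any particular product's output.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Indicator:
    kind: str      # "ipv4", "domain" or "sha256"
    value: str     # already normalized: lower-case, not defanged
    source: str    # feed or report the indicator came from
    context: str   # what the indicator is associated with


# Tactical indicators, constructed for this example.
IOCS = [
    Indicator("ipv4", "203.0.113.45", "feedA", "stage-2 download server"),
    Indicator("domain", "update-check.example", "feedA", "stage-2 download server"),
    Indicator("sha256",
              "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
              "internal-ir", "loader seen in a prior incident"),
]
IOC_INDEX = {(i.kind, i.value): i for i in IOCS}

# Constructed sample events from a proxy, an EDR agent and a DNS resolver.
EVENTS = [
    "proxy ts=2024-05-01T10:02:11Z src=10.0.0.5 dst=203.0.113.45 "
    "host=update-check.example uri=/dl/stage2.bin",
    "edr ts=2024-05-01T10:03:40Z host=WS-017 proc=svchost.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "dns ts=2024-05-01T10:04:02Z src=10.0.0.8 qname=cdn.example.net rcode=NOERROR",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# The last label must be alphabetic so dotted IPs are not also taken as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_candidates(event):
    """Pull every value that could be an indicator out of one log line.

    Over-extraction (e.g. 'stage2.bin' as a domain) is harmless because a
    candidate only matters if it is present in the index.
    """
    cands = set()
    for m in IPV4_RE.findall(event):
        try:
            ipaddress.IPv4Address(m)   # rejects octets > 255, e.g. version strings
        except ValueError:
            continue
        cands.add(("ipv4", m))
    for m in SHA256_RE.findall(event):
        cands.add(("sha256", m.lower()))
    for m in DOMAIN_RE.findall(event):
        cands.add(("domain", m.lower()))
    return cands


def enrich(event):
    """Attach every indicator that matches the event, sorted for stable output."""
    hits = sorted(IOC_INDEX[c] for c in extract_candidates(event) if c in IOC_INDEX)
    return {"event": event, "matches": hits}


def enrich_events(events):
    return [enrich(e) for e in events]


if __name__ == "__main__":
    for r in enrich_events(EVENTS):
        tags = ", ".join(f"{i.kind}:{i.value} ({i.source}: {i.context})"
                         for i in r["matches"])
        print(r["event"].split(" ", 1)[0], "->", tags or "no match")
```

Normalizing both sides (lower-casing hashes and domains) is what makes the EDR event above match even though the agent reported the hash in upper case; an index keyed on raw strings would silently miss it.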
Operational threat intelligence aims to answer the questions “who?”, “why?”, and “how?”. It is best used to improve operational capabilities and processes; in essence, it should inform operational decisions. For example, use operational intelligence to decide which threat hunts to run, which tools to use, which roles to hire for, which logs and alerts to prioritize, and which patches to apply first. Operational intelligence tells you which threats you face, which threat actors are targeting your industry, and how they primarily operate. A mature organization uses these data points to prioritize initiatives. For example, if your threat intelligence attributes attacks on your industry to a nation state, use that knowledge to build support for moving past SMS-based Multi-factor Authentication (MFA).
Operational threat intelligence is useful not only to SOC analysts, Incident Response (IR) team members, and threat hunters, but also to management, directors, and architects. Anyone responsible for operations should consume operational threat intelligence.
Strategic threat intelligence is one step up from operational threat intelligence. It should be used to drive strategic decisions, business decisions, risk tolerances, and policy requirements. Strategic threat intelligence consists of knowledge about high-level trends, broad patterns and macroeconomic conditions. Strategic threat intelligence explains the conditions behind “who?” and “why?”. Strategic intel should come into play when making executive decisions, moving into new areas of business, making large partnerships and implementing new strategies. Oftentimes, strategic threat intelligence is consumed by executives; the CISO, CIO, CTO, and executive board should digest and understand strategic threat intelligence.
Examples of strategic intelligence sources include foreign and national policy documents, whitepapers and research reports from security leaders, and local, national, and international news. A mature security organization distills the information and insights in these primary sources into digestible, actionable observations.
Threat Intelligence Lifecycle
When building out a threat intelligence program, it’s important to understand the threat intelligence lifecycle. Having a concrete plan will help ensure your rollout is successful whether you are producing threat intelligence for others or you are trying to integrate threat intelligence into your existing processes.
The first stage in the threat intelligence lifecycle is planning. Before you begin you need to understand your goals and determine the purpose of your threat intelligence program. Are you trying to enrich your tools? Are you trying to help determine attribution? What about prioritizing remediations? These are all the questions you should answer during the planning phase. Look at who is going to consume the threat intelligence and where you are going to get your raw data from. During this stage you should take an inventory of your use cases and potential sources.
The collection stage comes after the planning stage. This stage is where you collect raw data. Make sure you utilize internal sources like Network Intrusion Detection Systems (NIDS), Endpoint Detection and Response (EDR) logs, and event logs as well as external sources like open source intelligence tools, open source threat feeds, and vendor threat feeds. In this stage, your data will include raw blog posts, IOCs like IPs, hashes, domains, reputation, code snippets, tool output (strings, for example) and any other data you might use in an investigation. Additional sources can include forums, social media, and other industry subject matter experts.
After collecting your data, you are going to want to process it. You aren’t analyzing at this stage just yet; instead, you are normalizing, deduplicating, decrypting, translating, and enriching your data. If you receive data in foreign languages, translate it into your working language; ensure all IP addresses are valid, sort file hashes by algorithm, refang defanged indicators so that duplicates actually collide, and so on.
It’s also a good idea to enrich your data at this stage. For a domain, you might enrich it with reputation data, ownership information, the domain’s age, and other associated indicators, such as the IP addresses it has resolved to.
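The following is an added example, not code from the original post or from Praetorian, of the processing and enrichment stages described in the two paragraphs above: raw feed entries are refanged, validated, classified by type (hashes by algorithm, IPs by version, domains and URLs), deduplicated across feeds with their sources merged, and domains are then correlated with the IP addresses they resolved to. The feed entries, the feed names and the passive-DNS table are constructed for the example; in practice the resolution data would come from a passive-DNS or WHOIS service.

```python
import ipaddress
import re

# Raw collection output, constructed for this example. Feeds commonly
# "defang" indicators so they are not clickable; note the duplicate IP,
# the mixed-case hash, the loopback address and the non-indicator line.
RAW_FEED = [
    ("feedA", "hxxp://Update-Check[.]example/dl/stage2.bin"),
    ("feedA", "203.0.113.45"),
    ("feedB", "203[.]0[.]113[.]45"),
    ("feedB", "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"),
    ("feedB", "d41d8cd98f00b204e9800998ecf8427e"),
    ("feedC", "127.0.0.1"),
    ("feedC", "not an indicator"),
    ("feedC", "2001:db8::10"),
]

# Constructed passive-DNS style data standing in for an enrichment source.
PASSIVE_DNS = {"update-check.example": ["203.0.113.45", "203.0.113.46"]}

HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}   # classify hashes by length


def refang(value):
    """Undo common defanging so equivalent indicators compare equal."""
    v = value.strip()
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    return v


def normalize(value):
    """Return a list of (kind, value) tuples; empty if the value is unusable."""
    v = refang(value)
    if "://" in v:
        scheme, rest = v.split("://", 1)
        host, sep, path = rest.partition("/")   # host:port is not handled here
        url = f"{scheme.lower()}://{host.lower()}{sep}{path}"
        return [("url", url)] + normalize(host)  # a URL also yields its host
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        pass
    else:
        # Syntactically valid, but loopback/multicast/unspecified can never be a
        # remote peer, so a feed listing them is noise rather than intelligence.
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return []
        return [(f"ipv{ip.version}", str(ip))]
    low = v.lower()
    if HEX_RE.match(low) and len(low) in HASH_ALGOS:
        return [(HASH_ALGOS[len(low)], low)]
    if DOMAIN_RE.match(low):
        return [("domain", low)]
    return []


def process(raw_feed, passive_dns=PASSIVE_DNS):
    """Normalize, validate and deduplicate, then link domains to resolved IPs."""
    records = {}
    for source, raw in raw_feed:
        for key in normalize(raw):
            rec = records.setdefault(key, {"kind": key[0], "value": key[1],
                                           "sources": set(), "related": set()})
            rec["sources"].add(source)
    # Enrichment: attach resolutions to the domain and, where the resolved IP
    # is itself in the data set, point it back at the domain.
    for (kind, value), rec in list(records.items()):
        if kind == "domain":
            for ip in passive_dns.get(value, []):
                rec["related"].add(ip)
                if ("ipv4", ip) in records:
                    records[("ipv4", ip)]["related"].add(value)
    return records


if __name__ == "__main__":
    for (kind, value), rec in sorted(process(RAW_FEED).items()):
        print(f"{kind:7} {value}  sources={sorted(rec['sources'])}"
              f"  related={sorted(rec['related'])}")
```

Two details matter for the analysis stage that follows: the refanging step is what makes "203.0.113.45" from feedA and "203[.]0[.]113[.]45" from feedB collapse into one record with two sources (corroboration you would otherwise lose), and the loopback entry is dropped at validation rather than passed on as a "malicious" IP that would generate false positives in every detection system it reaches.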
After processing your data, you will need to analyze it. This is the phase where you turn enriched data into threat intelligence; it’s the point where you make sound judgments about the data you collected. This is where you evaluate your data against your requirements – answer the questions you set out to answer during the planning phase and create actionable recommendations for your target audience.
The dissemination phase is where you share your findings with the appropriate consumers. The key action item in this phase is to make your threat intelligence usable. Oftentimes, your threat intelligence will take a different form for each type: tactical threat intelligence might be best ingested as a Security Information and Event Management (SIEM) index, while strategic intelligence might be a presentation to the executive team. The key is that your findings are easily digestible and tailored to your audience.
After sharing your findings with your audience, you should collect feedback. This is where you assess the output format: was a 50-page PDF the best route, or should it have been a presentation? Were the recommendations generated during the analysis phase actionable? Did you reach your entire audience? Should a particular business unit be consulted during planning? Were there data gaps that you should have accounted for during collection?
These are the questions that you want to answer. After collecting feedback and answering these types of questions, you should go back to the planning stage and start all over again.
Overall, threat intelligence is a key part of any defensive strategy. A mature organization will have a well-established threat intelligence function that produces, consumes, and shares threat intelligence with the security community at-large. Less-mature organizations can benefit from the time savings and efficiencies that threat intelligence can provide.