Cyber threat intelligence

From Wikipedia, the free encyclopedia

Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace.[1] Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data, intelligence derived from internet traffic, and data derived from the deep and dark web.

Types

There are three overarching, but not categorical, classes of cyber threat intelligence:[1]

  • Tactical: technical intelligence (including indicators of compromise such as IP addresses, file names, or hashes) which can be matched against logs and telemetry to assist in the identification of threat actors
  • Operational: details of the motivation or capabilities of threat actors, including their tactics, techniques and procedures (TTPs)
  • Strategic: intelligence about the overarching risks associated with cyber threats which can be used to drive high-level organizational strategy
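As an added illustration of how the tactical tier is consumed (example code written for this page, not taken from the cited sources), the following Python script matches a small indicator feed against a few log lines. The feed entries, the log lines, the key=value log format and the `scan_logs`/`match_line`/`normalize_feed` names are all constructed for the example; the addresses come from the RFC 5737 and RFC 3849 documentation ranges and the hash is computed from a placeholder byte string rather than any real malware.

```python
import hashlib
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed indicator feed (hypothetical values, not from any real report) ---
# In practice this would be loaded from a sharing platform or a vendor report.
DROPPER_HASH = hashlib.sha256(b"constructed dropper sample").hexdigest()

IOC_FEED: Dict[str, Set[str]] = {
    # RFC 5737 / RFC 3849 documentation addresses stand in for attacker infrastructure
    "ip": {"203.0.113.45", "2001:db8::1"},
    "sha256": {DROPPER_HASH},
    "filename": {"svch0st.exe"},
}

# --- Constructed log lines in a simple key=value format (proxy/EDR style) ---
SAMPLE_LOGS: List[str] = [
    "ts=2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 file=- sha256=-",
    "ts=2024-03-01T10:00:02Z src=10.0.0.6 dst=192.0.2.10 file=report.pdf sha256=" + "0" * 64,
    # Same indicators as the feed, but written differently: uncompressed IPv6,
    # upper-case file name and upper-case hash. Matching must normalize these.
    "ts=2024-03-01T10:00:03Z src=10.0.0.7 dst=2001:0db8:0000:0000::1 "
    "file=SVCH0ST.EXE sha256=" + DROPPER_HASH.upper(),
]

KV_RE = re.compile(r"(\w+)=(\S+)")

Hit = Tuple[str, str, str]  # (indicator type, log field, normalized value)


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; a repeated key keeps its last value."""
    return dict(KV_RE.findall(line))


def normalize_ip(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if the value is not an address."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def normalize_feed(feed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Canonicalize the feed once so every comparison is an exact match on normalized values."""
    ips = {n for n in (normalize_ip(v) for v in feed.get("ip", ())) if n}
    return {
        "ip": ips,
        "sha256": {h.lower() for h in feed.get("sha256", ())},
        "filename": {f.lower() for f in feed.get("filename", ())},
    }


def match_line(fields: Dict[str, str], feed: Dict[str, Set[str]]) -> List[Hit]:
    """Compare the relevant fields of one parsed log line against a normalized feed."""
    hits: List[Hit] = []
    for key in ("src", "dst"):
        ip = normalize_ip(fields.get(key, ""))
        if ip is not None and ip in feed["ip"]:
            hits.append(("ip", key, ip))
    digest = fields.get("sha256", "").lower()
    if digest in feed["sha256"]:
        hits.append(("sha256", "sha256", digest))
    name = fields.get("file", "").lower()
    if name in feed["filename"]:
        hits.append(("filename", "file", name))
    return hits


def scan_logs(lines: List[str], feed: Dict[str, Set[str]]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, indicator type, field, value) for every indicator hit."""
    normalized = normalize_feed(feed)
    results: List[Tuple[int, str, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for hit in match_line(parse_line(line), normalized):
            results.append((number,) + hit)
    return results


if __name__ == "__main__":
    for number, kind, field, value in scan_logs(SAMPLE_LOGS, IOC_FEED):
        print(f"line {number}: {kind} indicator in field '{field}': {value}")
```

Two points the script makes that the bullet list does not: indicators only match if both sides are normalized first (the third log line carries the same address, hash and file name as the feed, yet a naive string comparison would miss all three), and a hash or IP match only ever identifies a sample or piece of infrastructure that is already known. An adversary who recompiles the dropper or moves to a new server defeats the tactical tier, which is why the operational tier above describes behaviour (TTPs) rather than artefacts.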

Benefits of cyber threat intelligence

Cyber threat intelligence provides a number of benefits, which include:

  • Empowers people, organizations and agencies to develop a proactive and robust cybersecurity posture and to bolster overall risk management and cybersecurity policies and responses
  • Drives momentum toward a proactive cybersecurity posture that is predictive, not simply reactive after a cyber attack
  • Enables improved detection of both risks and threats
  • Informs better decision-making before, during and after the detection of a cyber intrusion or attempted interference with IT/OT services
  • Enables sharing of knowledge, skills and experience among the cybersecurity community of practice and systems stakeholders
  • Communicates threat surfaces, attack vectors and malicious activities directed at both information technology and operational technology platforms
  • Serves as a fact-based repository of evidence for both successful and unsuccessful cyber attacks
  • Provides indicators for computer emergency response teams and incident response groups

Key elements

Cyber threat data or information is considered cyber threat intelligence only when it has the following key elements:[2]

  • Evidence-based: the evidence for a cyber threat may be obtained, for example, from malware analysis, so that the threat is known to be valid
  • Utility: the intelligence must be able to have a positive impact on the outcome of a security incident or on the organization
  • Actionable: the intelligence should drive security control action, rather than remaining raw data or information

Attribution

Cyber threats involve the use of computers, storage devices, software, networks and cloud-based repositories. Prior to, during or after a cyber attack, technical information about the information and operational technology, devices, networks and computers between the attacker(s) and the victim(s) can be collected, stored and analyzed. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack (termed attribution) is often difficult. More recent efforts in threat intelligence emphasize understanding adversary TTPs, which are harder for an adversary to change than individual indicators.[3] Across industries, organizations have started using the MITRE ATT&CK framework to understand threat actors' TTPs and identify holes in defenses.

A number of cyber threat intelligence analytical reports that attribute cyber attacks have been released by public and private sector organizations. These include Mandiant's APT1 and APT28 reports,[4][5] US-CERT's APT29 report,[6] and Symantec's Dragonfly, Waterbug Group and Seedworm reports.[7][8][9][10]

CTI sharing

In 2015, U.S. government legislation in the form of the "Cybersecurity Information Sharing Act" encouraged the sharing of CTI indicators between government and private organizations. This act required the U.S. federal government to facilitate and promote four CTI objectives:[11]

  1. Sharing of "classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments";
  2. Sharing of "unclassified indicators with the public";
  3. Sharing of "information with entities under cybersecurity threats to prevent or mitigate adverse effects";
  4. Sharing of "cybersecurity best practices with attention to the challenges faced by small businesses".

In 2016, the U.S. National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150, "Guide to Cyber Threat Information Sharing") which further outlined the necessity for cyber threat information sharing as well as a framework for implementing it.[12]

References

  1. ^ a b "Understanding Cyber Threat Intelligence Operations" (PDF). Bank of England. 2016.
  2. ^ Johansen, Gerard (2017). Digital Forensics and Incident Response. Packt Publishing. p. 269. ISBN 9781787285392.
  3. ^ Gundert, Levi. "How to Identify Threat Actor TTPs".
  4. ^ "APT1: Exposing One of China's Cyber Espionage Units" (PDF). Mandiant.
  5. ^ APT28 report (PDF). FireEye. https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
  6. ^ Joint Analysis Report JAR-16-20296A, "GRIZZLY STEPPE" (PDF). US-CERT. 2016-12-29. https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
  7. ^ Dragonfly: energy sector cyber attacks. Symantec Threat Intelligence blog. https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
  8. ^ Waterbug: espionage against governments. Symantec Threat Intelligence blog. https://symantec-blogs.broadcom.com/blogs/threat-intelligence/waterbug-espionage-governments
  9. ^ Seedworm espionage group. Symantec Threat Intelligence blog. https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
  10. ^ PrivacySavvy.
  11. ^ Burr, Richard (2015-10-28). "S.754 - 114th Congress (2015-2016): To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". www.congress.gov. Retrieved 2021-06-09.
  12. ^ Johnson, Christopher S.; Badger, Mark Lee; Waltermire, David A.; Snyder, Julie; Skorupka, Clem (October 2016). "Guide to Cyber Threat Information Sharing". NIST Special Publication 800-150. doi:10.6028/nist.sp.800-150.
