Explanation

Threat intelligence is information that an organization uses to understand the threats that are currently targeting them, or could target them in the future.

Threat Intelligence Lifecycle

Planning and direction

  • Determines scope
  • Set goals
  • Define stakeholders

Collection

  • Collect as much data as required to meet the goal.

Processing

  • Collected data needs to be processed into a readable format.

Analysis

  • The information needs to be analysed to produce a detailed report of what has been found out and what needs to be done.
  • This must be in a format suitable for whoever it will get passed on to.

Dissemination

This involves getting the information to where it needs to go.

For each of these audiences, you need to ask:

  • What threat intelligence do they need, and how can external information support their activities?
  • How should the intelligence be presented to make it easily understandable and actionable for that audience?
  • How often should we provide updates and other information?
  • Through what media should the intelligence be disseminated?
  • How should we follow up if they have questions?

Feedback

You need regular feedback to make sure you're collecting the correct intelligence and to learn how you can improve the intelligence you gather.

Types of Threat Intelligence

Strategic Threat Intelligence

  • High level, non-technical information.
  • Used when presenting to executives and decision makers

Operational Threat Intelligence

  • About studying threat actors
  • Gain information about who they are, motivations, tactics, techniques and procedures.
  • Technical and not easily automated.

Tactical Threat Intelligence

  • Technical in nature, of immediate value to the organization
  • Shared in the form of IOCs
  • Used by a human analyst or by security tools.

Why Threat Intelligence is valuable

Cyber Threat Context

In-depth threat analysis can anticipate future attacks and help to put defensive measures in place to protect against them.

Incident Prioritization

Threat intelligence can give context to incident responders to allow them to make a decision on which incidents are the highest priorities.

Investigation enrichment

Giving context to a situation can greatly affect what is done. If there is an IP scanning your network, it could be harmless. But if the IP has been flagged before, that indicates it is important to look into.
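The prioritisation and enrichment ideas above, as an added example (not from the original notes): a small script that reads a tactical IoC list, matches it against firewall log lines, and ranks the resulting alerts so a scanner that has been flagged before outranks one with no history. The feed format, scoring weights, log format and all addresses (documentation ranges) are constructed for illustration.

```python
"""Enrich firewall alerts with a local tactical threat-intelligence (IoC) list
and rank them for the incident responder.

Added example, not part of the original notes. The feed format, field names,
scoring weights and all sample data below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed IoC feed in a simple CSV form (real feeds vary: STIX, MISP, CSV).
IOC_FEED = """\
indicator,type,confidence,tags,last_seen
203.0.113.7,ipv4,90,scanner;bruteforce,2024-05-01
198.51.100.23,ipv4,60,c2,2024-03-12
evil-updates.example,domain,80,malware-distribution,2024-04-20
"""

# Constructed log lines: timestamp, source IP, destination port, action.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
LOG_LINES = """\
2024-05-02T10:00:01 src=203.0.113.7 dport=22 action=DENY
2024-05-02T10:00:02 src=203.0.113.7 dport=23 action=DENY
2024-05-02T10:00:03 src=192.0.2.44 dport=443 action=DENY
2024-05-02T10:00:04 src=192.0.2.44 dport=8080 action=DENY
2024-05-02T10:00:05 src=198.51.100.23 dport=445 action=DENY
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


@dataclass
class Ioc:
    indicator: str
    kind: str
    confidence: int
    tags: list[str]
    last_seen: date


@dataclass
class Alert:
    src: str
    ports: set[int] = field(default_factory=set)
    ioc: Ioc | None = None  # filled in by enrichment, None when no intel exists

    @property
    def priority(self) -> int:
        """Hypothetical score: more ports probed is louder; known-bad is much louder."""
        score = min(len(self.ports), 10)  # local observation only
        if self.ioc is not None:
            score += self.ioc.confidence  # external context raises priority
            if "c2" in self.ioc.tags:
                score += 50  # hypothetical weighting: C2 infrastructure outranks scanners
        return score


def load_feed(text: str) -> dict[str, Ioc]:
    """Parse the CSV feed into an indicator -> Ioc lookup table."""
    lookup: dict[str, Ioc] = {}
    for row in csv.DictReader(io.StringIO(text)):
        lookup[row["indicator"]] = Ioc(
            indicator=row["indicator"],
            kind=row["type"],
            confidence=int(row["confidence"]),
            tags=row["tags"].split(";"),
            last_seen=date.fromisoformat(row["last_seen"]),
        )
    return lookup


def parse_logs(text: str) -> dict[str, Alert]:
    """Group denied connections by source IP so one host = one alert."""
    alerts: dict[str, Alert] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "DENY":
            continue
        alerts.setdefault(m["src"], Alert(src=m["src"])).ports.add(int(m["dport"]))
    return alerts


def enrich_and_rank(log_text: str, feed_text: str) -> list[Alert]:
    """Attach IoC context to each alert and sort highest priority first."""
    feed = load_feed(feed_text)
    alerts = parse_logs(log_text)
    for alert in alerts.values():
        alert.ioc = feed.get(alert.src)
    return sorted(alerts.values(), key=lambda a: a.priority, reverse=True)


if __name__ == "__main__":
    for a in enrich_and_rank(LOG_LINES, IOC_FEED):
        ctx = "no intel" if a.ioc is None else (
            f"{a.ioc.confidence}% {','.join(a.ioc.tags)} (last seen {a.ioc.last_seen})"
        )
        print(f"{a.priority:3d}  {a.src:15}  ports={sorted(a.ports)}  {ctx}")
```

Note that the host with no intelligence probes the same number of ports as the flagged scanner but lands at the bottom of the list; the single hit from an address tagged as C2 rises to the top, which is exactly the context an analyst would not get from the raw log alone.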

Information Sharing

Sharing information with other organizations can help to build a better picture of the current threat landscape. This allows companies to better monitor which threats are likely to occur and to gather more IoCs to check their systems for existing compromise.

Types of Intelligence (Collection Disciplines)

SIGINT

  • Signal Intelligence
  • Interception of radio and broadcast communication to gather intelligence
  • Can be broken down into COMINT and ELINT
  • COMINT - communications intelligence (message and voice)
  • ELINT - electronic intelligence, gathered from equipment not directly used for communication (guidance communication, radars)
  • Usually used in electronic warfare

OSINT

  • Open source intelligence
  • Gathered from any public information source

HUMINT

  • Gathered through other humans
  • Common in espionage

GEOINT

  • Geospatial intelligence
  • Used by militaries to assess the best attack and defensive positions

The Future of Threat Intelligence

  • Tenable are coming up with a solution to how threat intelligence can be rated
  • CVEs are identifiers of reported vulnerabilities
  • CVSS is a method of scoring different vulnerabilities.
  • The issue with CVSS scores is that they are not company-specific. Also, very critical vulnerabilities can be extremely technical to exploit, so they won't be carried out by many attackers.
  • Predictive prioritization will combine vulnerability data with threat intelligence, so the rating changes depending on the current threat landscape.
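To make the last point concrete, here is an added example (not Tenable's algorithm and not from the original notes) that re-ranks a set of vulnerabilities by combining their CVSS base score with threat-intelligence signals and company-specific exposure. The CVE identifiers are placeholders, and the weights, field names and intel values are constructed for illustration.

```python
"""Re-rank vulnerabilities by combining CVSS base scores with threat intelligence.

Added example illustrating the idea of predictive prioritization; the weights,
field names and records are constructed and the CVE IDs are placeholders.
This is not Tenable's algorithm and not real CVE data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str          # placeholder IDs below, not real CVEs
    cvss_base: float     # 0.0 - 10.0, vendor-neutral severity
    asset_exposure: str  # "internet" or "internal": company-specific context


@dataclass(frozen=True)
class ThreatIntel:
    exploited_in_wild: bool  # seen in active campaigns
    public_exploit: bool     # working exploit code is publicly available
    actor_interest: int      # 0-3, how much attention actors pay to our sector


def risk_score(v: Vuln, ti: ThreatIntel) -> float:
    """Hypothetical weighting: CVSS is the floor, intel and exposure move it."""
    score = v.cvss_base
    if ti.exploited_in_wild:
        score += 3.0
    elif ti.public_exploit:
        score += 1.5
    score += 0.5 * ti.actor_interest
    if v.asset_exposure == "internet":
        score *= 1.2
    # A technically hard, never-exploited critical bug keeps its CVSS but gains
    # nothing; a medium bug under active exploitation can overtake it.
    return round(score, 1)


def prioritize(records: list[tuple[Vuln, ThreatIntel]]) -> list[tuple[str, float]]:
    """Return (cve_id, risk) pairs, highest risk first."""
    scored = [(v.cve_id, risk_score(v, ti)) for v, ti in records]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def cvss_order(records: list[tuple[Vuln, ThreatIntel]]) -> list[str]:
    """The order a CVSS-only policy would produce, for comparison."""
    return [v.cve_id for v, _ in sorted(records, key=lambda r: r[0].cvss_base, reverse=True)]


# Constructed records with placeholder identifiers.
RECORDS = [
    (Vuln("CVE-XXXX-0001", 9.8, "internal"), ThreatIntel(False, False, 0)),  # critical, but nobody exploits it
    (Vuln("CVE-XXXX-0002", 6.5, "internet"), ThreatIntel(True, True, 2)),    # medium, actively exploited
    (Vuln("CVE-XXXX-0003", 7.5, "internet"), ThreatIntel(False, True, 1)),   # high, exploit public
    (Vuln("CVE-XXXX-0004", 4.3, "internal"), ThreatIntel(False, False, 0)),  # medium, quiet
]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(RECORDS))
    for cve, risk in prioritize(RECORDS):
        print(f"{risk:5.1f}  {cve}")
```

The CVSS-only order puts the 9.8 first, whereas the intel-adjusted order promotes the 6.5 that is being exploited on an internet-facing asset to the top. That swap is the whole point of the approach: the severity score says what a bug could do, the threat intelligence says what attackers are actually doing.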

Resources

  • A curated list of Awesome Threat Intelligence resources https://github.com/hslatman/awesome-threat-intelligence

  • A curated list of awesome threat detection and hunting resources https://github.com/0x4D31/awesome-threat-detection

  • A curated list of amazingly awesome open source intelligence tools and resources https://github.com/jivoi/awesome-osint

  • Get the latest technical details on significant advanced malware activity https://www.fireeye.com/current-threats.html

  • 10 of the Best Open Source Threat Intelligence Feeds https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/

  • Weekly Threat Briefing—Cyber Threat Intelligence Delivered to You: Anomali Weekly Threat Briefing

  • 11 Cyber Threat Intelligence Tips https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2016/11-cyber-threat-intelligence-tips

  • Threat Intelligence Defined and Explored https://www.forcepoint.com/cyber-edu/threat-intelligence

  • Cyber Threat Intelligence Feeds http://thecyberthreat.com/cyber-threat-intelligence-feeds/