Cyber Threat Intelligence (CTI) Part 6— CTI Lifecycle — Analysis

Fellow Human
4 min read · Apr 29, 2023


For a quick recap of the introduction to Cyber Threat Intelligence (CTI), the skill set a CTI analyst should have, and the three stages of the CTI Lifecycle covered so far (Planning & Direction, Collection and Processing), please check out the first five parts of this series:

Cyber Threat Intelligence Part 1 — Quick Introduction to Cyber Threat Intelligence

Cyber Threat Intelligence Part 2 — What are the skill set requirements for a Cyber Threat Analyst?

Cyber Threat Intelligence (CTI) Part 3 — CTI Lifecycle

Cyber Threat Intelligence (CTI) Part 4 — CTI Lifecycle — Collection

Cyber Threat Intelligence (CTI) Part 5 — CTI Lifecycle — Processing

In this article, I’ll introduce the next stage of the CTI Lifecycle: Analysis.

The purpose of Analysis is to take the useful information produced by Processing and extract Intelligence from it. During the analysis phase, analysts review the data gathered in the previous stages of the CTI Lifecycle and use it to identify patterns, correlations, and insights. This phase also includes examining the various threat indicators and the tactics, techniques, and procedures (TTPs) used by attackers, trying to understand their motivations, and assessing the potential impact of a threat on the organisation.

The CTI analysis phase uses both automated and manual techniques, supported by toolkits and platforms, to examine large volumes of data. The analysis process also involves validating the quality and accuracy of the gathered data, removing false positives, and prioritising security threats.

The analysis stage in the CTI Lifecycle involves a comprehensive and detailed examination of the collected data and information to identify significant conclusions and critical insights. This is also the stage where organisational context is added to the data.

The CTI analysis stage involves:

Tuning: Tuning is the process of modifying the system to reduce the number of false-positive alerts. In this stage, the various outputs from the sources are refined and optimised to eliminate false positives.

As part of the tuning process, in a healthcare organisation, the following activities are executed:

Review of threat intelligence feeds: Analysts would review incoming threat intelligence feeds from external sources or security vendors and assess the threat level, including the nature and scope of identified threats.

Threat profiling of known actors: CTI analysts would profile known cybercrime groups that may be targeting the organisation’s assets or customers. They would analyse the known tactics, techniques and procedures (TTPs) of these threat actors and look for commonalities across the threat intelligence feeds to build an overall profile of each actor.

Trend analysis of attacks: Analysts would analyse the TTPs used in recent attacks, determined through network traffic or system logs, and seek out any emerging threat trends. This analysis would help the organization to proactively prepare defences against future attacks that utilise similar tactics or exploit similar vulnerabilities.

Identification of vulnerable infrastructure: Analysts would perform threat modelling to identify vulnerabilities and weaknesses that may be present in the organisation’s infrastructure. This would help organisations to identify the assets they need to protect the most and prioritize threat response activities based on the criticality of these assets.

Assessment of potential business consequences: Analysts would assess the potential impact of a threat on the organisation’s day-to-day business operations, including the loss of sensitive data, operational downtime, reputational damage, and financial losses.

Correlation: The process of analysing related data points to assist in the identification of relationships and information that may not have been detected through individual data analysis.

Threat intelligence correlation is the technique for investigating the relationship between two threat elements or actors. It helps connect the various data between these threat elements to gain more knowledge about cyber threats and make the threat intelligence contextualised, actionable and noise-free.

Correlation extracts insights by identifying patterns and trends. It involves analysing large volumes of data to identify indicators of compromise (IoCs) that may indicate the presence of a threat. These indicators could include IP addresses, domain names, file hashes, and other unique identifiers associated with known malicious activity.

Let’s say a healthcare research organisation has detected a potential cyber threat from a threat actor interested in its industry. During the analysis stage, the threat analyst correlates the available threat intelligence data to identify any patterns or IoCs associated with the threat actor. They use threat intelligence feeds, open-source intelligence, and other sources of data to enrich the available threat intelligence. For example, they may use a threat intelligence platform (TIP) to search for any IoCs associated with the attacker’s tactics, techniques, and procedures (TTPs). They may also search for any known malicious IPs or domains associated with the attack or used by the threat actor.

Once they have identified potential IoCs associated with the threat actor, they use threat intelligence correlation to connect the dots between different indicators and uncover potential relationships or patterns. For example, they may identify that the threat actor has used the same malicious domain in other attacks against other healthcare organisations.

In this example, threat intelligence correlation allowed the healthcare organisation to proactively detect and respond to a potential threat, enabling them to protect sensitive research data and prevent a major data breach.
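The tuning and correlation steps from the healthcare example above, as an added illustration that is not part of the original post: every feed record, allowlist entry, log event and actor name below is constructed for the example, and the functions (tune, correlate, enrich_events, hosts_by_actor) are hypothetical names, not a TIP’s API. Feed sightings are first tuned against an organisation-specific allowlist, then merged per indicator so that reuse across sources and victim sectors becomes visible, and finally joined to the organisation’s own log events and pivoted by attributed actor.

```python
from collections import defaultdict
# Constructed feed sightings (invented values, not real IoCs): reporting source, victim sector, actor attribution.
FEED_SIGHTINGS = [
    {"indicator": "update-portal.example", "source": "vendor-A", "sector": "healthcare", "actor": "ACTOR-X"},
    {"indicator": "update-portal.example", "source": "isac-share", "sector": "healthcare", "actor": None},
    {"indicator": "203.0.113.45", "source": "vendor-A", "sector": "finance", "actor": "ACTOR-X"},
    {"indicator": "cdn.example-benign.net", "source": "osint", "sector": "healthcare", "actor": None},
    {"indicator": "cdn.example-benign.net", "source": "vendor-B", "sector": "retail", "actor": None},
]
ALLOWLIST = {"cdn.example-benign.net"}  # constructed tuning input: see tune()
# Constructed internal observations from the organisation's proxy/DNS logs.
INTERNAL_EVENTS = [
    {"ts": "2023-04-20T10:01:00Z", "host": "research-ws-07", "indicator": "update-portal.example"},
    {"ts": "2023-04-20T10:05:00Z", "host": "research-ws-07", "indicator": "203.0.113.45"},
    {"ts": "2023-04-21T08:00:00Z", "host": "web-proxy-01", "indicator": "cdn.example-benign.net"},
]

def tune(sightings, allowlist):
    """Tuning: drop indicators the organisation has assessed as benign in its own context (its own CDN here)."""
    return [s for s in sightings if s["indicator"] not in allowlist]

def correlate(sightings):
    """Correlation: merge every sighting of an indicator; independent sources and victim sectors strengthen it."""
    groups = defaultdict(lambda: {"sources": set(), "sectors": set(), "actors": set()})
    for s in sightings:
        g = groups[s["indicator"]]
        g["sources"].add(s["source"])
        g["sectors"].add(s["sector"])
        if s["actor"]:
            g["actors"].add(s["actor"])
    return dict(groups)

def enrich_events(events, groups):
    """Join internal log events to the correlated intel and attach its context."""
    hits = []
    for e in events:
        g = groups.get(e["indicator"])
        if g:
            hits.append({**e, "actors": sorted(g["actors"]),
                         "sources": len(g["sources"]), "sectors": sorted(g["sectors"])})
    return hits

def hosts_by_actor(hits):
    """Pivot: which internal hosts touched infrastructure tied to each attributed actor."""
    out = defaultdict(set)
    for h in hits:
        for a in h["actors"]:
            out[a].add(h["host"])
    return {a: sorted(hs) for a, hs in out.items()}
```

With this data the allowlisted CDN never reaches the correlation step, the domain reported independently by two sources is flagged with that extra confidence, and the pivot shows a single research workstation touching two indicators attributed to the same actor.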

In the next part, I will talk about the fifth stage of the CTI Lifecycle — Dissemination.

Thanks for reading and as always, all feedback is welcome.

Lastly, if you enjoy any of my blogs, it would be great if you could please follow me as a reward for the algorithm :)


Fellow Human

I'm Fellow Human, this is my YouTube channel: Brain Stew that covers Cyber, Technology, Science and Life. Check it out here: https://www.youtube.com/@brain-stew