Threat Intelligence : the fundamentals

In our daily lives we are constantly evaluating, identifying and mitigating threats based on information we have or other people have therefore there is an importance to apply it to other parts of life. In threat intelligence we take the same approach.

With a history of attacks such as Stuxnet (2010), Cyber Threat Intelligence (CTI) can be seen to take its roots from APT1 report in 2013 where Mandiant was able to identify and attribute the tactics and techniques used to implicate Chinese based threat actors in attack as far back as 2006.

This brought APTs (advanced persistent threats) to the mainstream leading to adoption of CTI and development of languages such as STIX1.0 to model and present cyber threats for sharing and MITRE ATT&CK Framework, for classifying adversarial behaviors which was released in 2015.

Organisations in similar industries tend to have similar environments therefore they attract similar attackers, who would be interested in the particular resources they have. By identifying these similarities, we can use this information to anticipate and plan for incidents in the event of a threat.

Types of Intelligence

We have four types of intelligence that can collect and apply at different levels within an organisation namely:

  1. Technical Intelligence
  2. Tactical Intelligence
  3. Operational Intelligence
  4. Strategic Intelligence
Types of intelligence

Technical Intelligence

Technical threat intelligence focuses on particular indicators of an attack and serves as a foundation for analyzing such incidents. A Threat Intelligence analyst, would typically look for indicators of compromise (IOCs) and command and control channels, tools, etc., including reported IP addresses, phishing email content, malware samples, and bogus URLs. Because IOCs become outdated in a matter of days, communicating technical intelligence in time is crucial.

The difference between tactical and technical intelligence is that tactical CTI is malware used to carry out an attack, whereas technical CTI is the detailed information on the malware implementation.

Tactical Intelligence

These are the details of threat actor tactics, techniques, and procedures (TTPs). Tactics describe the what while techniques describe the how.

Operational Intelligence

Operational CTI helps answer the following questions:

  • Who is behind the attack?
  • What tools and tactics are being used?
  • What information assets are being targeted?
  • How far has the attack progressed? 
  • What systems have been compromised?
  • What data has been accessed?
  • What steps can halt the attack?
  • What must be done to remediate the attacks effects?

Operational CTI users in an organization include a wide variety of personnel including, but not limited to: Incident responders and teams, network defenders, host analysts, malware analysts, forensic analysts, and more.

Strategic Intelligence

The information obtained can be used by senior executives at the company, such as CISO. The purpose of Strategic Threat Intelligence is to manage existing cyber risks and unknown future risks.

Benefits of Threat Intelligence

Having a threat intelligence organisation can have tremendous improvement in how an organisation handles and prepares for threats. It can also result in lower levels of risk as well as reduced time spent investigating, detecting and recovering from incidences. Below are some of the benefits.

This article is based on my presentation for SheHacks in February 2021. You can watch the presentation on SheHacks YouTube — Threat Intelligence

Author: Doreen Ochung, Cyber security analyst.

Follow her on: Twitter, LinkedIn

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store