Integrating Cyber Threat Intelligence Into Cybersecurity Program

Subsequent to my post on integrating cyber threat intelligence into cybersecurity (FAQ), I have decided to write about how to implement cyber threat intelligence into the security operations of an enterprise.

Threat intelligence is converting information gathered into actionable points needed for decision making. Information is not equal to intelligence if it is not converted into actionable points which in turn stimulate intelligence.

There are different types of misconceptions about threat intelligence, some think it is sitting in front of logs, reading, copying, and pasting security articles, hunting threats, and working alone which are myths. Threat intelligence is gathering all-around information about a specific target, analyzing security articles, gathering IOCs from logs and SIEM, working with other teams (red and blue teams), performing internal & external hunting, be on the lookout for vulnerabilities to mention but a few.

Every industry sectors are different and unique in its own way, they have its peculiar threats and attacks. Thus there is a need to develop a use case for different sectors. The following factors are to be considered when developing a use case for an organization.

  1. Type of industry e.g construction, financial, e-commerce, etc.

There are different types of intelligence ranging from Open Source Intelligence (OSINT), Human Source Intelligence (HUMINT), Signal Intelligence (SIGINT), Technological Intelligence (TECINT), Financial Intelligence (FININT), etc.

CTI Lifecycle

  1. Planning & Direction

CTI Use Case

  1. Organization: Government

a. Customers: citizens

b. Transaction & back—end systems

c. Sensitive information

3. Attacks: what types of threat/attack are associated with number 2 above with TTPs inclusive

4. Infrastructure: vulnerabilities of applications, services, and devices used.

N: B. A well-documented inventory of infrastructure will aid effective monitoring.

5. Point of Contact: where to gather the above intel

a. Surface & dark web

b. Social media closed groups

c. Dark web forums

d. Security vendors and researchers' blogs e.g AlienVault, VirusTotal etc.

e. OSINT & HUMINT

f. Internal information gathering such as colleagues

Threat Intelligence Products

At the end of every intel cycle, it can produce one or all of the following

  1. Operational Intelligence: often details potential impending operations against an organization. It is not easy to obtain and it is sector-industry based. It encompasses all-source intelligence. such as data leaks sold on the dark web. It is usually urgent, it needs immediate action

Conclusion

CTI is the most tool in every cybersecurity program.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Olajumoke Oloyede

I am a Cyber Threat Intelligence Analyst, Cybersecurity Trainer and Cybersecurity Researcher