Integrating Cyber Threat Intelligence Into Cybersecurity Program
Subsequent to my post on integrating cyber threat intelligence into cybersecurity (FAQ), I have decided to write about how to implement cyber threat intelligence into the security operations of an enterprise.
Threat intelligence is the conversion of gathered information into actionable points that support decision making. Information is not intelligence until it has been converted into such actionable points.
There are several misconceptions about threat intelligence: that it is sitting in front of logs, reading, copying and pasting security articles, hunting threats, or working alone. These are myths. Threat intelligence means gathering all-round information about a specific target, analyzing security articles, gathering IOCs from logs and the SIEM, working with other teams (red and blue teams), performing internal and external hunting, and staying on the lookout for vulnerabilities, to mention but a few activities.
Every industry sector is different and unique in its own way, with its own peculiar threats and attacks. There is therefore a need to develop a use case for each sector. The following factors should be considered when developing a use case for an organization.
- Type of industry, e.g. construction, financial, e-commerce, etc.
- The business requirements: understanding these goes a long way toward sharpening CTI requirements. An e-commerce organization will be more concerned about the availability and integrity of data than about confidentiality, while a health organization will be more concerned about confidentiality and integrity. In order to build a CTI system that works, define what your organization is most concerned about and look out for weaknesses in those areas.
- Maturity of an organization: the smaller an organization, the better the CTI coverage, and vice versa. A mature organization will require more than one CTI analyst working together, and the larger an organization, the larger its domain and the bigger its threat domain.
- Value: keep this at the back of your mind and state clearly the value the organization will derive, in alignment with its business goals. Of what use is CTI to the organization? If this is stated clearly, it will secure the support of stakeholders and the continuity of the CTI program.
There are different types of intelligence, ranging from Open Source Intelligence (OSINT), Human Source Intelligence (HUMINT), Signals Intelligence (SIGINT), Technical Intelligence (TECHINT), Financial Intelligence (FININT), etc.
CTI Lifecycle
- Planning & Direction
- Collection
- Analysis
- Production
CTI Use Case
1. Organization: Government
2. Target: what are threat actors targeting?
   a. Customers: citizens
   b. Transaction and back-end systems
   c. Sensitive information
3. Attacks: what types of threat/attack are associated with the targets in item 2 above, with their TTPs included
4. Infrastructure: vulnerabilities of the applications, services, and devices in use.
   N.B. A well-documented inventory of infrastructure will aid effective monitoring.
5. Point of Contact: where to gather the above intel
   a. Surface and dark web
   b. Social media closed groups
   c. Dark web forums
   d. Security vendors' and researchers' blogs, e.g. AlienVault, VirusTotal, etc.
   e. OSINT and HUMINT
   f. Internal information gathering, such as from colleagues
Threat Intelligence Products
At the end of every intel cycle, one or more of the following products can be produced:
- Operational Intelligence: often details potential impending operations against an organization. It is not easy to obtain and it is sector- and industry-specific. It encompasses all-source intelligence, such as data leaks sold on the dark web. It is usually urgent and needs immediate action.
- Tactical intelligence: consists of the TTPs and IOCs of threat actors. It is particularly useful for security operations centers; depending on severity it may be urgent, but it is usually an update for signature-based defense systems covering emerging malware and the techniques used by the threat actor.
- Strategic intelligence: exists to inform decision makers of broader changes in the threat landscape. Focuses on business risk rather than technical terms.
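As an added example (not code from the original post), the script below shows what turns a tactical IOC into something actionable for a SOC: each indicator carries its source, an analyst confidence score, an expiry date and the TTP it belongs to (ATT&CK-style labels are assumed here), and only live, sufficiently confident indicators are matched against constructed proxy/firewall log lines. All indicator values and log lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# A tactical-intel record: the raw IOC plus the context that makes it actionable.
@dataclass(frozen=True)
class Indicator:
    value: str        # the raw indicator (domain or IPv4 address)
    kind: str         # "domain" or "ipv4"
    ttp: str          # technique the indicator is associated with (assumed labels)
    source: str       # where it was collected (vendor blog, internal hunt, ...)
    confidence: int   # 0-100, analyst-assigned
    expires: date     # indicators age out; stale matches only create noise

# Constructed indicators, not real IoCs.
INDICATORS = [
    Indicator("update-cdn.example", "domain", "T1071.001 Web C2", "vendor blog", 80, date(2030, 1, 1)),
    Indicator("203.0.113.45", "ipv4", "T1190 Exploit public-facing app", "internal hunt", 60, date(2030, 1, 1)),
    Indicator("old-c2.example", "domain", "T1071.001 Web C2", "OSINT paste", 40, date(2020, 1, 1)),
]

# Constructed key=value log lines as a proxy or firewall might emit them.
LOGS = [
    "ts=2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    "ts=2024-05-01T10:00:01Z src=10.0.0.7 host=update-cdn.example action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.8 host=old-c2.example action=allow",
    "ts=2024-05-01T10:00:03Z src=10.0.0.9 host=intranet.corp action=allow",
]

# Date the review is run against (fixed so the example is reproducible).
AS_OF = date(2024, 5, 1)

def match_logs(indicators, logs, today, min_confidence=50):
    """Return (log line, indicator) pairs for live, sufficiently confident IOCs."""
    live = {i.value: i for i in indicators
            if i.expires > today and i.confidence >= min_confidence}
    hits = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        for key in ("dst", "host"):
            ioc = live.get(fields.get(key, ""))
            if ioc:
                hits.append((line, ioc))
    return hits

if __name__ == "__main__":
    for line, ioc in match_logs(INDICATORS, LOGS, AS_OF):
        print(f"{ioc.ttp} via {ioc.source} (confidence {ioc.confidence}): {line}")
```

The expired, low-confidence indicator produces no alert even though it appears in the logs, which is the difference between a raw indicator list and a tactical product a SOC can act on.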
Conclusion
CTI is the most important tool in every cybersecurity program.