Cyber threat intelligence
According to CERT-UK, Cyber Threat Intelligence (CTI) is an "elusive"[1] concept. While cybersecurity comprises the recruitment of IT security experts and the deployment of technical means to protect an organization's critical infrastructure or intellectual property, CTI is based on the collection of intelligence using open source intelligence (OSINT), social media intelligence (SOCMINT), human intelligence (HUMINT), technical intelligence or intelligence from the deep and dark web. CTI's key mission is to research and analyze trends and technical developments in three areas:
- Cybercrime
- Hacktivism
- Cyberespionage (advanced persistent threat, APT or Cyber spying)
The data accumulated through this research and analysis enable states to put preventive measures in place in advance. Considering the severe impacts of cyber threats, CTI has been put forward as an efficient means of maintaining international security.
Types
The UK's National Cyber Security Centre (NCSC) distinguishes four types of threat intelligence:[2]
- Tactical: attacker methodologies, tools and tactics; making use of it requires sufficient resources and specific actions taken against potentially dangerous actors attempting infiltration
- Technical: indicators of specific malware
- Operational: details of a specific incoming attack; used to assess an organisation's ability to determine future cyber threats
- Strategic: high-level information on changing risk (strategic shifts); senior leadership is required[by whom?] to critically assess such threats
In the financial sector, the CBEST[3] framework of the Bank of England assumes that penetration testing is no longer adequate to protect sensitive business sectors, such as the banking sector. In response, the UK Financial Authorities (Bank of England, Her Majesty's Treasury, and the Financial Conduct Authority) recommend several steps to guard financial institutions from cyber threats, including receiving "advice from the cyber threat intelligence providers operating within the UK Government".[4]
Benefits of tactical cyber intelligence
- Provides context and relevance to a large amount of data
- Empowers organisations to develop a proactive cybersecurity posture and to bolster overall risk management policies[citation needed]
- Informs better decision-making during and following the detection of a cyber intrusion
- Drives momentum toward a cybersecurity posture that is predictive, not just reactive[5][page needed]
- Enables improved detection of advanced threats
Challenges and controversies over the value of cyber threat intelligence
Cyber threat intelligence research also faces challenges, including controversy over the value of threat intelligence and whether it really works. Several experts have voiced concerns about whether TI is effective in its current state.[6][7][8] Conversely, others have argued that threat intelligence can help identify vulnerabilities and ways to resolve them.[9]
Key Elements
Cyber threat data or information is considered cyber threat intelligence when it has the following key elements:[10]
- Evidence-based: cyber threat evidence may be obtained from malware analysis to confirm that the threat is valid
- Utility: it must be of some use to the organisation, so that it has a positive impact on security incidents
- Actionable: the intelligence gained should drive security control action, rather than remaining mere data or information
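The following is an added example, not from this article or from any of the sources it cites, showing how a consumer might apply the four NCSC types above and the three key elements to a feed of intelligence records and then match the technical ones against its own logs. Every record, log line, hash and address is constructed for the example (the IPs come from the reserved documentation range 198.51.100.0/24 and the hash is a placeholder); the record fields, thresholds and actions are assumptions, not a standard format.

```python
"""Triage constructed threat-intelligence records and match technical
indicators against constructed log lines (added example, not from the article)."""
from dataclasses import dataclass
import re
from typing import Optional

# The four types distinguished by the UK NCSC.
NCSC_TYPES = {"tactical", "technical", "operational", "strategic"}
# Kinds of record whose value can be searched for directly in logs.
TECHNICAL_KINDS = {"ip", "sha256", "domain"}

# Placeholder hash: 64 hex characters, not a real sample.
PLACEHOLDER_SHA256 = "a" * 64


@dataclass(frozen=True)
class Record:
    kind: str          # "ip", "sha256", "domain", "ttp" or "report" (assumed field set)
    value: str         # the indicator, TTP description or report title
    ti_type: str       # one of NCSC_TYPES
    source: str        # where the evidence came from; empty if unknown
    confidence: int    # producer's assessment, 0-100 (assumed scale)
    action: str        # what the consumer should do on a hit; empty if none


def reject_reason(rec: Record, min_confidence: int = 50) -> Optional[str]:
    """Apply the three key elements. Returns None when the record qualifies as
    intelligence, otherwise a short reason for rejecting it."""
    if not rec.source or rec.confidence < min_confidence:
        return "not evidence-based"       # no provenance or too uncertain
    if rec.ti_type not in NCSC_TYPES:
        return "no utility: unknown type"  # nobody in the organisation can use it
    if not rec.action:
        return "not actionable"            # data, not intelligence
    return None


def triage(records):
    """Split records into accepted ones and a map of rejected value -> reason."""
    accepted, rejected = [], {}
    for rec in records:
        reason = reject_reason(rec)
        if reason is None:
            accepted.append(rec)
        else:
            rejected[rec.value] = reason
    return accepted, rejected


def _pattern(value: str) -> re.Pattern:
    # Boundaries stop 198.51.100.7 from matching inside 198.51.100.77.
    return re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)


def match_technical(records, log_lines):
    """Return (value, action, log_line) for every accepted technical indicator
    found in a log line. Tactical/strategic records carry no searchable value."""
    accepted, _ = triage(records)
    hits = []
    for rec in accepted:
        if rec.kind not in TECHNICAL_KINDS:
            continue
        pat = _pattern(rec.value)
        for line in log_lines:
            if pat.search(line):
                hits.append((rec.value, rec.action, line))
    return hits


# Constructed feed: one record per type, two of which should be rejected.
RECORDS = [
    Record("ip", "198.51.100.7", "technical", "sandbox detonation (constructed)", 80, "block at perimeter"),
    Record("sha256", PLACEHOLDER_SHA256, "technical", "malware analysis (constructed)", 90, "quarantine host"),
    Record("domain", "update-check.example", "technical", "", 60, "sinkhole"),          # no source
    Record("ttp", "scheduled task persistence", "tactical", "incident report (constructed)", 70, "hunt for new scheduled tasks"),
    Record("report", "Sector-wide rise in ransomware", "strategic", "quarterly briefing (constructed)", 75, ""),  # no action
]

# Constructed log lines, including a near-miss address that must not match.
LOG_LINES = [
    "2024-01-01T10:00:00Z fw deny src=198.51.100.7 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:01Z fw allow src=198.51.100.77 dst=10.0.0.5 dport=443",
    f"2024-01-01T10:02:00Z edr file hash={PLACEHOLDER_SHA256} path=C:\\Users\\a\\x.exe",
    "2024-01-01T10:03:00Z dns query=update-check.example",
]

if __name__ == "__main__":
    accepted, rejected = triage(RECORDS)
    print("accepted:", [r.value for r in accepted])
    print("rejected:", rejected)
    for value, action, line in match_technical(RECORDS, LOG_LINES):
        print(f"HIT {value!r} -> {action}: {line}")
```

The domain record is dropped before matching even though it appears in the DNS log, because an indicator with no stated source fails the evidence-based test; the strategic record survives the evidence test but is rejected as not actionable, which is the distinction the key elements draw between data and intelligence.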
Attribution
Cyber threats involve the use of computers, software and networks. During or after a cyber attack, technical information about the network and computers between the attacker and the victim can be collected. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack is difficult. Recent efforts in threat intelligence emphasize understanding adversary TTPs (tactics, techniques and procedures).[11]
APT attribution studies
- APT1
- APT28
- APT 29
- Blackvine Cyber Espionage group
- Dragonfly
- ESG Solution Showcase - Cavirin Hybrid Cloud Security
- Joint FBI and DHS report on the DNC hack
- Waterbug Group
- Seedworm
CTI and political risk
Influential geopolitical countries, such as the US, Russia, China and Iran, use cyberspace as an extension of their foreign and intelligence collection policies. To achieve these objectives, they have formed APT units that primarily specialise in the following fields:
- Collection of sensitive data from business or government computer systems
- Electronic penetration or sabotage of critical infrastructure computer systems (Stuxnet, for example)
Combining CTI with political risk analysis, which includes a deep understanding of current geopolitical disputes and of leaders' ulterior political motives, can help analysts understand future cyberwarfare patterns.[citation needed]
See also
- Cyber Intelligence Sharing and Protection Act
- Cyber space
- Denial-of-service attack
- Malware
- Zero-day (computing)
- Ransomware
References
- ^ "CERT-UK, An Introduction to Threat Intelligence" (PDF). Archived from the original (PDF) on 2015-10-03. Retrieved 2015-08-30.
- ^ NCSC, Threat Intelligence: Collecting, Analysing, Evaluating
- ^ "CBEST, An Introduction to Cyber Threat Modelling" (PDF). Archived from the original (PDF) on 2015-09-23. Retrieved 2015-09-01.
- ^ CBEST, Implementation Guide
- ^ Intelligence and national security alliance, cyber intelligence task force December 2015[vague]
- ^ Do Threat Intelligence Exchanges Really Work?
- ^ Is Threat Intelligence Garbage?
- ^ 5 Reasons Why Threat Intelligence Doesn't Work
- ^ Four Concrete Ways Threat Intelligence Can Make Organizations Safer
- ^ Gerard Johansen (2017-07-24). Digital Forensics and Incident Response. Packt Publishing Ltd, 2017. p. 269. ISBN 9781787285392.
- ^ Levi Gundert, How to Identify Threat Actor TTPs
Further reading
- Anca Dinicu, "Nicolae Bălcescu" Land Forces Academy, Sibiu, Romania, Cyber Threats to National Security. Specific Features and Actors Involved - Bulletin Ştiinţific No 2(38)/2014
- Zero Day: Nuclear Cyber Sabotage, BBC Four - a documentary thriller about warfare in a world without rules, the world of cyberwar. It tells the story of Stuxnet, self-replicating computer malware, known as a 'worm' for its ability to burrow from computer
- What is threat intelligence? - Blog post providing context and adding to the discussion of defining threat intelligence.
- Threat hunting explained - Short article explaining cyber threat intelligence.
- A known actor in cyber threat intelligence - Site dedicated to threat intelligence.