An Insight into Threat Intelligence: Who Needs TI Data and Why Is Threat Intelligence Important?

It can be hard to explain briefly what threat intelligence means, since much depends on the context in which the term is used: it may be both a process and an action. There are a number of academic definitions, for example from Gartner and SANS Institute.

TI definitions

Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help cybersecurity and business staff at all levels protect the critical assets of the enterprise.

Definitive Guide to Cyber Threat Intelligence

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Gartner, McMillan (2013) from Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study

The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.

SANS Institute

The need for intelligence data results from the development of cybersecurity and the growth of its maturity level. Here is an example. Imagine that startup N becomes successful: the value assumption of its product is proven, product sales go up, and the company is growing. At first, the company has no cybersecurity system; it has only an administrator (often a freelancer) managing security. But as the company grows, it ends up with an IT department. The headcount goes up. Antivirus is installed on workstations and servers, and firewalls appear on the network. Time goes on and the company keeps developing successfully, scaling up to 1,000 persons. It now requires dedicated cybersecurity functions, since this is usually a non-core activity for IT. The company starts a cybersecurity department.

The business grows, the product portfolio expands, and the company absorbs several smaller players on the market. The cybersecurity department grows, optimizes and standardizes its work, and establishes specialized functions: operation and support of security tools; cyber incident response; vulnerability management, audit, and compliance with regulatory requirements… This list is almost endless. It is exactly at this stage (maybe even earlier, but usually later) that the company starts taking cybersecurity risks into consideration along with other risks. The cybersecurity department needs to be aware of actual threats on the inside and, on the outside, must provide all business stakeholders with information about risks and possible threats in a language that is clear to them. TI can help with that.

Our practice shows that threat intelligence becomes attractive after the incident response process has been built, or while a company is building its own SOC (Security Operations Center). TI is the bread and butter of IT security service providers (MSSP/MDR). In principle, TI can be used by the smallest companies, but they usually have no time for it because they focus on business development at the initial stages. Another reason is that solutions for TI data collection and handling usually require human and material resources. In other words, TI is attractive for large companies or for those that specialize in outsourcing cybersecurity processes.

How threat intelligence may help to solve cybersecurity tasks and why a TI platform is required

Threat intelligence is specific knowledge that helps us understand current threats and their effects on the company or industry sector, and that gives us a chance to manage risks and make strategic decisions. In general, it makes it possible to:

  • Raise awareness of threats and select protective measures in detail, in accordance with the threat landscape relevant to the company (with reference to its activity, economic sector or industry).
  • Improve the quality of threat detection and response, both proactively and reactively.

A threat intelligence platform is a system used to manage such knowledge. Let us compare it with data aggregators such as an RSS reader. RSS readers have a simple task: collecting articles, saving them and presenting them to the user for reading. A TI platform should not only collect data but also make it possible to examine the collected artifacts and the relations between them in order to understand the attack pattern and the spread of a malicious infection, to find features shared by various malware and groups, to attribute attacks, and to perform similar analytical tasks, including automatic ones.

Why may this be required? There are a lot of data sources, but the amount of data is much greater. Dozens (or even hundreds) of data sources may be connected to the TI platform input. Each source is updated from time to time: it provides new data and periodically changes previously provided data. The TI platform must create new artifacts, update the status of existing ones if they have changed, delete duplicates, align (normalize) the data, and remove old artifacts. Relations between artifacts should be identified, and the artifacts associated with each other according to the nature of the relation. These are just a few of the operations performed.

Moreover, the system may perform delayed operations. One example is IoC correlation, that is, suggesting two or more similar artifacts based on a relation found between them. Another example is the detection of distant links, where artifacts are related not directly but via other artifacts. Delayed operations may also include calculating maliciousness ratings for indicators of compromise based on a number of factors. This list of operations is far from exhaustive.
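The ingestion and delayed operations described in the two paragraphs above can be sketched in a few lines. This is an added example, not code from any TI platform: the `Store` class, the feed names and the sample records are constructed for illustration, and counting independent sources is only one assumed rating factor.

```python
from collections import deque

def normalize(kind, value):
    # Align feed-specific spellings: case, "[.]" defanging, trailing dot.
    return kind, value.strip().lower().replace("[.]", ".").rstrip(".")

class Store:
    def __init__(self):
        self.sources = {}  # (kind, value) -> set of feeds that reported it
        self.links = {}    # (kind, value) -> set of directly related artifacts

    def ingest(self, source, kind, value, related=()):
        key = normalize(kind, value)
        self.sources.setdefault(key, set()).add(source)  # duplicate merges
        for other in (normalize(*r) for r in related):
            self.sources.setdefault(other, set())        # known only via a link
            self.links.setdefault(key, set()).add(other)
            self.links.setdefault(other, set()).add(key)
        return key

    def corroborated(self, minimum=2):
        # Artifacts reported by several feeds (assumed rating factor).
        return sorted(k for k, s in self.sources.items() if len(s) >= minimum)

    def path(self, a, b):
        # Breadth-first search: shortest chain of relations from a to b, or None.
        a, b = normalize(*a), normalize(*b)
        seen, queue = {a}, deque([[a]])
        while queue:
            chain = queue.popleft()
            if chain[-1] == b:
                return chain
            for n in self.links.get(chain[-1], ()):
                if n not in seen:
                    seen.add(n)
                    queue.append(chain + [n])
        return None

FEED = [  # constructed sample records: source, kind, value, related artifacts
    ("feed-a", "domain", "Evil[.]Example.", [("ip", "203.0.113.7")]),
    ("feed-b", "domain", "evil.example", []),
    ("feed-b", "hash", "sample-hash-placeholder", [("ip", "203.0.113.7")]),
    ("feed-a", "domain", "old.example", []),
]

def load(feed=FEED):
    store = Store()
    for source, kind, value, related in feed:
        store.ingest(source, kind, value, related)
    return store
```

The two spellings of the domain collapse into one artifact with two sources, and the domain and the hash, which no feed relates directly, turn out to be linked through the shared IP address.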

Note that we have mentioned the “indicator of compromise” entity only a few times. This is one of the best-known TI terms, but not the main one. The indicator of compromise is what makes TI useful, that is, not just having knowledge but also using it to achieve the desired result.

In the next post we will tell you about threat intelligence data exchange formats: their nature, objects and entities, importance and hierarchy. Stay tuned!