What is Cyber Threat Intelligence?
Over the past 8-10 years, the term Cyber Threat Intelligence (CTI) has become a permanent fixture of our vocabulary. But what is it? Apart from the fact that every term containing "cyber" sounds cool, we do not appear to have a clear definition for CTI; at times it seems to cover everything InfoSec-related under the sun, including the four-decade-old anti-virus products.
The first public CTI mention was around 2004, at the 16th Annual FIRST Conference in Budapest, Hungary, when Ian Cook brought up the following questions CTI needs to answer:
- Where are the threats?
- How much security is needed?
- How much residual risk?
- Where is the balance?
Now for those of you not familiar with FIRST, this is the Forum of Incident Response and Security Teams, an organization established over 30 years ago that focuses on incident response and handling best practices, as well as on connecting security teams across the globe. We have come a long way since Ian first spoke about CTI. Currently the FIRST Cyber Threat Intelligence Special Interest Group (CTI SIG) is waving that banner. It is the main organization working on formalizing CTI, its terminology and its processes. The definition of CTI published in its Curriculum is the following:
Cyber Threat Intelligence is systematic collection, analysis and dissemination of information pertaining to a company's operation in cyberspace and to an extent physical space. It is designed to inform all levels of decision makers.
The analysis is designed to help keep situational awareness about current and arising threats.
While it may appear that the definition is clear, there is still much confusion around it. At times, CTI is also confused with some of the military intelligence disciplines, and to an extent it does overlap with them. However, there are significant differences, mostly in scope, legal considerations, and the consumer, so let me elaborate and provide more context.
In the military, there are several intelligence disciplines that cover the different types of information sources being acquired and analyzed. For example:
- SIGINT – Signals Intelligence – deals with intelligence gathered from intercepted signals regardless of their transmission and type;
- DNINT – Digital Network Intelligence – information collected from digital networks;
- OSINT – Open Source Intelligence – deals with information derived from publicly available sources, like newspapers, television, Internet websites, and so on.
There are other disciplines in this space, and the DNI website has an excellent brief overview.
In the commercial space, things are not as orderly. There is no military hierarchy where knowledgeable individuals analyze the data flows, classify them, and create a structured approach. Instead, we have marketing teams jumping on ad-hoc opportunities, and as a result the public is hammered with a bunch of terms borrowed from cool movies with even cooler characters! (Yes, indeed – Johnny English comes to mind, doesn't he?)
To a large extent, CTI is a mixture of components from DNINT/CYBINT, OSINT, and SIGINT. In more specific terms, it includes NetFlow/sFlow collection, malware analysis, YARA signatures, passive DNS, your SIEM, and even your favorite blog posts that educate the team on the latest threats and the indicators they manually copy from the article. It even has some HUMINT (Human Intelligence) components, when your industry connections give you tips and indicators about the latest APT activity. Some companies even include some physical security components. The most obvious component is OSINT, as this is how most people in society gather information – reading the newspaper, watching TV, reading blogs. From an OSINT perspective, the average person in society has the same level of access as an intelligence analyst. This is the component that maps pretty much one to one with what is done in government. However, this is not true for the other types of intelligence collection, because of a lack of either capability or legality.
It quickly becomes apparent that the average company does not have the capability to send a submarine to tap undersea cables or to dispatch a satellite with special sensors. However, it's not only about capability but also about legality. Many intelligence disciplines may use methods that are otherwise not legal; in different countries, local legislation allows such activities as an extension of state policy. For example, in the US they would be covered under Title 50 USC.
On the other hand, due to the Fourth Amendment, the US government cannot collect certain types of data without a specific court-authorized reason, which is not a problem for some private corporations. Just to give an example, an intelligence analyst cannot collect data from the public Facebook profile of a US citizen unless that person is under investigation, while at the same time Facebook can collect any type of information and store it for as long as it wants, for every US citizen who has signed up to its service and agreed to its Terms of Service.
Intelligence helps inform decision-making at different levels. In government, this can range from soldiers in the field, through high-level politicians, all the way to the President; in private industry, CTI informs business decisions at different levels:
- On the Tactical level, CTI informs the Incident Response Team (IRT) which Indicators of Compromise (IoCs) are pertinent to particular threats, what methods those threats use to move about the network, etc.
- On the Operational level, CTI informs senior management and director level employees what types of threats are predominant and what defense technologies and personnel skillset they need to have to address them.
- On the Strategic level, CTI informs the CEO and other executives regarding the overall prioritization and investment they need to make in specific teams and technologies, allowing them to create policies and overall prioritization.
Regardless of the level, a business needs to understand its intelligence needs and the benefits it can expect from a CTI program at a particular maturity level. The process is iterative and starts with defining the requirements, or Priority Information Requirements (PIRs), followed by their investigation and satisfaction, implementing corrections, re-evaluation, and then producing new requirements. While discussing the intelligence process is outside the scope of this post, it will be covered in a future one, when we discuss building a CTI team.
It is also important to understand the difference between raw information and actionable intelligence. Many of the threat intelligence feeds and other "intelligence products" on the market lack sufficient context and specificity, which makes it impossible to take action. For example, take a list of "bad IP addresses". What is bad about them? Is it contextually relevant? What if the bad IP addresses include a subset of legal adult sites? Is that something that should be blocked? Well, if the consumer is a middle school, the answer is obvious. What if the consumer is a Las Vegas hotel? Or what about a blog post outlining a criminal gang and naming the perpetrators? Is that actionable for a small IT shop? Unless one of the perpetrators is their employee, it would hardly be relevant to them. If, however, the article includes the IP addresses of the gang's C&C servers, then it would have value.
Intelligence Consumers and Producers
In terms of information flow there are two roles, and a team can be in either of them depending on the context of the exchange. The entity that creates an intelligence product is the producer, and the entity benefiting from it is the consumer. Clearly, a product may be based on other intelligence products and not only on raw data.
Stages of Maturity
Not all CTI programs are the same; different companies have different needs and priorities and can allocate different resources. For example, a small IT company only needs to be an intelligence consumer, situationally aware enough to provide informed advice to its customers. At the other extreme, a security company running a SOC-as-a-service needs to respond appropriately, learn from incidents, and distribute that information to its employees, partners, and customers. Thus, it would also become a producer.
However, it is crucial to understand that every level of maturity brings specific capabilities, and as long as the company is realistic in its expectations, the results will be positive. In the following paragraphs, I'll outline the levels of maturity in general; note that individual programs will differ slightly based on the company's needs.
In the initial stage of a CTI program, the team will only be a consumer of intelligence. This will mostly consist of automated ingestion of public, and possibly private, feeds of observables (aka IoCs). Any human collection will be ad-hoc and opportunistic. The information acquired will be used for the detection of threats, enrichment of internal data sources, and so on. In this phase, it is unlikely the company will have the confidence to implement automated blocking based on the information.
In the next stage, the automated feed collection will be integrated with internal automation, allowing additional advanced processing of the observables and automatic blocking of threats. The team will start actively building relationships with other teams, allowing a more consistent intake of high-fidelity human-generated data. Simultaneously, the team will increase its internal machine and human analytical capability. The team will also start cataloging the results of its investigations, preparing it for the most advanced stage. In this stage, the team will also seek membership in formal and informal information exchange organizations, which we will cover in a follow-up post.
In the final stage, the team will become a producer of intelligence. It will actively defend itself through proactive threat hunting and analysis, but it will also create intelligence products to share with teams outside the company. It will not only keep track of its internal investigations, but will also catalog threat groups, tools, and techniques. In this phase, the team is expected to be well connected with peer teams from other organizations.
It is important to understand that not all organizations need to reach Phase 3, and in some cases even Phase 2. A small company with a 2-person IR team can probably afford to have those two people implement only Phase 1, in about 4 hours per week of their time.
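To make the contrast between raw data and actionable intelligence concrete, and to show how the same feed serves a Phase 1 and a Phase 2 consumer differently, here is a small Python example. It is added for this post and is not code from FIRST, from the CTI SIG curriculum, or from any product. It builds a constructed feed of observables (each with a category, confidence, and source; one record is deliberately context-free, like an entry from a bare "bad IP" list), a consumer profile describing what that consumer considers a threat and whether it automates blocking, and a matcher that enriches constructed connection-log lines with the feed's context. The "middle school", "hotel" and "small IT shop" profiles, the thresholds, the field names and the log format are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed feed records (TEST-NET addresses). Unlike a bare "bad IP" list,
# each record carries the context a consumer needs: what the indicator is,
# why it is bad, how confident the producer is, and who produced it.
FEED = [
    {"type": "ipv4", "value": "203.0.113.7",  "category": "c2",
     "confidence": 90, "source": "vendor feed"},
    {"type": "ipv4", "value": "198.51.100.5", "category": "adult",
     "confidence": 85, "source": "web filter list"},
    {"type": "ipv4", "value": "192.0.2.44",   "category": "c2",
     "confidence": 45, "source": "blog post"},
    {"type": "ipv4", "value": "192.0.2.99",   "category": None,
     "confidence": None, "source": "bad IP list"},   # no context at all
]


@dataclass
class ConsumerProfile:
    """What one intelligence consumer cares about and is prepared to automate
    (hypothetical structure; thresholds are assumptions)."""
    name: str
    relevant_categories: frozenset
    alert_threshold: int = 40         # confidence needed to alert / enrich
    block_threshold: int = 80         # confidence needed to block automatically
    automated_blocking: bool = False  # False for a Phase 1 (consumer-only) program


def triage(record, profile):
    """Decide what this consumer should do with one feed record:
    'block', 'alert', or 'ignore'."""
    category = record.get("category")
    confidence = record.get("confidence")
    if category is None or confidence is None:
        return "ignore"   # raw data without context is not actionable
    if category not in profile.relevant_categories:
        return "ignore"   # bad for someone, but not relevant to this consumer
    if profile.automated_blocking and confidence >= profile.block_threshold:
        return "block"    # Phase 2: confident enough to automate
    if confidence >= profile.alert_threshold:
        return "alert"    # Phase 1: detect and enrich, let a human decide
    return "ignore"


# Constructed outbound-connection log lines: "<timestamp> <src> -> <dst>:<port>"
LOGS = [
    "2021-03-01T10:00:01Z 10.0.0.12 -> 203.0.113.7:443",
    "2021-03-01T10:00:05Z 10.0.0.15 -> 198.51.100.5:443",
    "2021-03-01T10:00:09Z 10.0.0.17 -> 192.0.2.44:8080",
    "2021-03-01T10:00:12Z 10.0.0.18 -> 192.0.2.99:80",
    "2021-03-01T10:00:15Z 10.0.0.19 -> 203.0.113.200:443",  # not in the feed
    "malformed line that should be skipped",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def enrich_logs(logs, feed, profile):
    """Match log lines against the feed; return each hit with its context and
    the action the consumer profile dictates."""
    index = {r["value"]: r for r in feed if r["type"] == "ipv4"}
    hits = []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that do not fit the format
        rec = index.get(m["dst"])
        if rec is None:
            continue              # destination not in the feed
        hits.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "category": rec["category"], "source": rec["source"],
            "confidence": rec["confidence"], "action": triage(rec, profile),
        })
    return hits


def actions_by_dst(logs, feed, profile):
    """Compact {destination: action} view for comparing consumers."""
    return {h["dst"]: h["action"] for h in enrich_logs(logs, feed, profile)}


# Three constructed consumers fed the same observables.
MIDDLE_SCHOOL = ConsumerProfile("middle school", frozenset({"c2", "adult"}),
                                automated_blocking=True)
HOTEL = ConsumerProfile("hotel", frozenset({"c2"}), automated_blocking=True)
PHASE1_SHOP = ConsumerProfile("small IT shop (Phase 1)", frozenset({"c2"}))

if __name__ == "__main__":
    for profile in (MIDDLE_SCHOOL, HOTEL, PHASE1_SHOP):
        print(profile.name)
        for hit in enrich_logs(LOGS, FEED, profile):
            print(f"  {hit['dst']:<14} {hit['category'] or '-':<6} "
                  f"{hit['source']:<16} {hit['action']}")
```

Running it shows the point of the post: the adult-content address is blocked for the school and ignored for the hotel, the blog-post C&C address is only worth an alert because its confidence is low, the context-free "bad IP" entry is never acted upon, and the Phase 1 shop alerts on the high-confidence C&C hit instead of blocking it because it has not yet earned the confidence to automate.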
As you can see, the topic is fairly broad, and in this post we have barely scratched its surface. CTI is a multifaceted discipline aiming to systematically collect and analyze information from different sources, such as network monitoring, malware analysis, incident response investigations, and external sources, and then disseminate it to decision makers at different levels within an organization.
In a future post, we will continue with more details on how to build a CTI program, examine the intelligence process in detail, and look at the different information exchange groups you can join.
If this topic is of interest, the FIRST CTI SIG Summit will be held on April 19-21, and since this year it will be online, registration is free.
About the author
Graduate Research Assistant