Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats. [1] [2] It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit. [3] [4] [5] Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data, intelligence derived from internet traffic, and data derived from the deep and dark web.
In recent years, threat intelligence has become a crucial part of companies' cyber security strategy, since it allows them to take a more proactive approach and to determine which threats represent the greatest risks to the business. Companies actively look for their own vulnerabilities and aim to prevent compromises before they happen. [6] This method has gained importance in recent years because, as IBM estimates, the most common method by which companies are hacked is threat exploitation (47% of all attacks). [7]
Exposure to threats has also risen in recent years because of the COVID-19 pandemic and the shift to working from home, which makes companies' data more vulnerable. Because of the growing threats on one hand, and the growing sophistication required for threat intelligence on the other, many companies have in recent years chosen to outsource their threat intelligence activities to a managed security service provider (MSSP). [8]
The process of developing cyber threat intelligence is a circular and continuous process, known as the intelligence cycle, which is composed of five phases [9] [10] [11] [12] carried out by intelligence teams to provide leadership with relevant and timely intelligence that reduces danger and uncertainty. [11]
The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination. [9] [10] [11] [12]
In planning and direction, the customer of the intelligence product requests intelligence on a specific topic or objective. Once directed by the client, the second phase, collection, begins; it involves accessing the raw information that will be required to produce the finished intelligence product. Since information is not intelligence, it must be transformed, and therefore passes through the processing and analysis phases: in processing (the pre-analytical phase) the raw information is filtered and prepared for analysis through a series of techniques (decryption, language translation, data reduction, etc.); in the analysis phase, the organized information is transformed into intelligence. Finally, in the dissemination phase, the resulting threat intelligence is delivered to its various consumers for their use. [10] [12]
There are three overarching, but not categorical, classes of cyber threat intelligence: [4] 1) tactical; 2) operational; 3) strategic. [4] [9] [12] [13] [14] These classes are fundamental to building a comprehensive threat assessment. [9]
Cyber threat intelligence provides a number of benefits, which include:
There are three key elements that must be present for information or data to be considered threat intelligence: [12]
Cyber threats involve the use of computers, storage devices, software, networks and cloud-based repositories. Prior to, during or after a cyber attack, technical information about the information and operational technology, devices, networks and computers between the attacker(s) and the victim(s) can be collected, stored and analyzed. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack (termed attribution) is sometimes difficult, [20] as attackers can use deceptive tactics to evade detection or mislead analysts into drawing incorrect conclusions. [21] Multiple efforts [22] [23] [24] in threat intelligence emphasize understanding adversary TTPs to tackle these issues. [25]
A number of recent cyber threat intelligence analytical reports that attribute cyber attacks have been released by public and private sector organizations. These include Mandiant's APT1 and APT28 reports, [26] [27] US-CERT's APT29 report, [28] and Symantec's Dragonfly, Waterbug Group and Seedworm reports. [29] [30] [31]
In 2015, U.S. government legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. The act required the U.S. federal government to facilitate and promote four CTI objectives: [32]
In 2016, the U.S. government agency National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150) which further outlined the necessity for cyber threat information sharing as well as a framework for its implementation. [33]
Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.
The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. As of 2021, SANS is the world's largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.
The United States Computer Emergency Readiness Team (US-CERT) was a team under the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.
Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like "Where am I most vulnerable to attack?", "What are the most relevant threats?", and "What do I need to do to safeguard against these threats?".
Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.
A cyberattack occurs when there is an unauthorized action against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.
The Indian Computer Emergency Response Team is an office within the Ministry of Electronics and Information Technology of the Government of India. It is the nodal agency to deal with cyber security incidents. It strengthens security-related defence of the Indian Internet domain.
Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.
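The import, normalize, correlate and export loop described for a TIP above is the processing, analysis and dissemination part of the intelligence cycle described earlier, reduced to code. The following Python script is an added example written for this page, not code from any TIP product or from the article's sources. It assumes two hypothetical feeds in different formats (one CSV, one JSON, each with its own field vocabulary), a handful of constructed proxy and DNS log lines, and constructed domains, addresses and hashes; everything it consumes is embedded inline so it runs offline.

```python
"""Minimal threat-intelligence correlation pipeline (added example).

Ingests indicators from two differently formatted feeds, normalizes them into
one schema (processing), deduplicates them and merges source attributions,
correlates the result against sample log lines (analysis), and selects hits
above a confidence threshold for export to a SIEM or ticketing system
(dissemination). All feed contents, domains, addresses and logs are constructed.
"""
import csv
import io
import json
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed feed A: CSV with a header, mixed indicator types and casing.
FEED_A_CSV = """indicator,type,confidence
BAD-UPDATES.example,domain,80
203.0.113.45,ipv4,60
d41d8cd98f00b204e9800998ecf8427e,md5,90
"""

# Constructed feed B: JSON array using a different field vocabulary.
FEED_B_JSON = json.dumps([
    {"value": "bad-updates.example", "kind": "fqdn", "score": 70},
    {"value": "198.51.100.7", "kind": "ip", "score": 50},
    {"value": "ssl-renewal.example", "kind": "fqdn", "score": 65},
])

# Constructed log lines: proxy and DNS records, each in its own layout.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=cdn.example GET /a",
    "2024-05-01T10:00:09Z dns client=10.0.0.9 query=bad-updates.example rcode=NOERROR",
    "2024-05-01T10:00:12Z proxy src=10.0.0.5 dst=192.0.2.10 host=intranet.example GET /",
    "2024-05-01T10:01:30Z dns client=10.0.0.22 query=SSL-RENEWAL.example rcode=NOERROR",
]

# Each feed's type names mapped onto one internal vocabulary (processing phase).
TYPE_ALIASES = {"domain": "domain", "fqdn": "domain", "ipv4": "ipv4", "ip": "ipv4", "md5": "md5"}


@dataclass
class Indicator:
    value: str
    itype: str
    confidence: int
    sources: set = field(default_factory=set)


def normalize(value, itype):
    """Canonicalize an indicator: lowercase, strip, validate by type."""
    itype = TYPE_ALIASES[itype.lower()]
    value = value.strip().lower().rstrip(".")
    if itype == "ipv4":
        ip_address(value)  # raises ValueError on malformed input
    elif itype == "md5" and not re.fullmatch(r"[0-9a-f]{32}", value):
        raise ValueError(f"bad md5: {value}")
    return value, itype


def parse_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        v, t = normalize(row["indicator"], row["type"])
        yield Indicator(v, t, int(row["confidence"]), {"feed_a"})


def parse_feed_b(text):
    for obj in json.loads(text):
        v, t = normalize(obj["value"], obj["kind"])
        yield Indicator(v, t, int(obj["score"]), {"feed_b"})


def merge(*feeds):
    """Deduplicate by (type, value); keep the highest confidence; union sources."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            key = (ind.itype, ind.value)
            if key in merged:
                merged[key].confidence = max(merged[key].confidence, ind.confidence)
                merged[key].sources |= ind.sources
            else:
                merged[key] = ind
    return merged


# Observables worth checking in the sample logs: destination IPs and queried names.
LOG_FIELD = re.compile(r"\b(dst|host|query)=(\S+)")


def correlate(indicators, log_lines):
    """Analysis phase: match observables in the logs against the indicator set."""
    hits = []
    for line in log_lines:
        for fieldname, raw in LOG_FIELD.findall(line):
            itype = "ipv4" if fieldname == "dst" else "domain"
            try:
                v, t = normalize(raw, itype)
            except ValueError:
                continue  # malformed observable, not an indicator match
            ind = indicators.get((t, v))
            if ind:
                hits.append({"log": line, "indicator": v, "type": t,
                             "confidence": ind.confidence,
                             "sources": sorted(ind.sources)})
    return hits


def export(hits, min_confidence=60):
    """Dissemination: keep only hits at or above the confidence threshold."""
    return [h for h in hits if h["confidence"] >= min_confidence]


if __name__ == "__main__":
    inds = merge(parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B_JSON))
    print(json.dumps(export(correlate(inds, SAMPLE_LOGS)), indent=2))
```

The merge step is where two feeds reporting the same domain become one indicator with both sources attached and the higher confidence kept; the confidence threshold in `export` is the knob that decides which matches are worth a ticket and which stay as context.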
Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat. Threat analyst Lesley Carhart stated that there is no consensus amongst practitioners what threat hunting actually entails.
Deception technology is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology seeks to deceive an attacker, detect them, and then defeat them.
Yuval Elovici is a computer scientist. He is a professor in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev (BGU), where he is the incumbent of the Davide and Irene Sala Chair in Homeland Security Research. He is the director of the Cyber Security Research Center at BGU and the founder and director of the Telekom Innovation Laboratories at Ben-Gurion University. In addition to his roles at BGU, he also serves as the lab director of Singapore University of Technology and Design's (SUTD) ST Electronics-SUTD Cyber Security Laboratory, as well as the research director of iTrust. In 2014 he co-founded Morphisec, a start-up company that develops cyber security mechanisms related to moving target defense.
Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).
Paulo Shakarian is an associate professor at Arizona State University where he leads Lab V2 which is focused on neurosymbolic artificial intelligence. His work on artificial intelligence and security has been featured in Forbes, the New Yorker, Slate, the Economist, Business Insider, TechCrunch, CNN and BBC. He has authored numerous books on artificial intelligence and the intersection of AI and security. He previously served as a military officer, had experience at DARPA, and co-founded a startup.
Internet security awareness or cyber security awareness refers to how much end users know about the cyber security threats their networks face, the risks they introduce, and the security best practices that should guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end users are a major vulnerability, technical means to improve security are not enough. Organizations can also seek to reduce the risk of the human element. This can be accomplished by providing security best practice guidance that raises end users' awareness of cyber security. Employees can be taught about common threats and how to avoid or mitigate them.
Extended detection and response (XDR) is a cybersecurity technology that monitors and mitigates cyber security threats.
Dr Paul Watters is an Australian cybercrime researcher and cybersecurity professional. He is Honorary Professor of Criminology and Security Studies at Macquarie University. Dr Watters has made significant research contributions to cybercrime detection and prevention, including phishing, malware, piracy and child exploitation. He is the inventor of the 100 Point Cyber Check, a cyber risk assessment for small-medium enterprises. According to ScholarGPS, he is ranked in the top 0.84% of researchers globally.
Ali Dehghantanha is an academic-entrepreneur in cybersecurity and cyber threat intelligence. He is a Professor of Cybersecurity and a Canada Research Chair in Cybersecurity and Threat Intelligence.
ANY.RUN is a cybersecurity company that provides an interactive malware analysis sandbox and threat intelligence services for real-time analysis and investigations of malware and phishing threats. The platform is designed for use by cybersecurity professionals, researchers, and IT specialists, providing tools for interactive analysis of malicious software and behavior and threat intelligence services.