Cyber Threat Intelligence, a.k.a. The Art of War

Cybersecurity is a thriving industry, both on the protection and prevention side and on the side of the threat actors and their growing arsenal. The good guys face a seemingly endless number of challenges. At times, the task can seem impossible.

Cyber threat intelligence (CTI) is the best solution to address the growing number of bad actors, the enormous amount of data spreading misinformation and false alarms, and a severe shortage of qualified, skilled professionals. Intelligence solutions automate the collection and processing of data using machine learning. ML algorithms can process data and identify the techniques and tactics of those trying to break through cybersecurity barriers.

CTI is an evolving solution to cybercrimes. With each new attack, more data is gathered and processed by smart algorithms, and the results are used to update and strengthen cybersecurity defenses.


What is Cyber Threat Intelligence?


According to Gartner, a well-established and respected voice in technology,

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”


There are three commonly accepted types of cyber threat intelligence.

  1. Tactical: Technical knowledge that helps detect and identify cybercriminals.
  2. Operational: Knowledge of the intent or capabilities of an attacker, including tools, processes, and techniques.
  3. Strategic: A better understanding of the risks associated with each attack, resulting in more robust defenses and preventative strategies.


How does Cyber Threat Intelligence Work?


CTI is the by-product of data collected from cyber threats and attacks. Once collected, the data is analyzed using machine and even deep learning models to understand the dangers better and provide smarter defenses against them.

Gathering and analyzing cyber threat data is not a linear process: the information does not go in one end and come out the other. Curating cyber threat intelligence is cyclic. The results discovered by the automated machine learning agents become the source for the next set of discoveries, so CTI is continually teaching itself how to improve.

The analysis process used in CTI does not stop at conclusions, and it does not just answer questions. It is far more valuable to understand how a result was reached than the result itself. Working iteratively identifies and fills gaps in the process itself; it asks as many questions as it answers. CTI is how security models keep pace with, or even predict, coming threats.


Steps of Cyber Threat Intelligence


CTI uses a cyclic process. To say the data gathered for cyber threat intelligence is analyzed and the results fed back into the process is an oversimplification. There are distinct steps in this intelligence lifecycle. They are:


1. Requirements & Planning

When gathering requirements and planning any project, the first step is to ask the right questions.

  • Who are my cyber attackers?
  • What are the motivations for their attacks?
  • If I were the attacker, where would I attack?
  • Where do I need to strengthen my defenses?
  • What data is at risk?

You should ask questions directly targeting your cybersecurity measures. The answers may hurt, but probing questions will result in better threat intelligence.

With the right questions asked, you can define a clear and directed CTI plan. This initial information will be the driving force of the lifecycle process. Weak requirements will lead to an inadequate plan and less effective cyber threat intelligence.

2. Collection

After the requirements have been defined and a plan set, begin collecting the data required to meet your objectives. Data can come from web or internet traffic logs, third-party data sources, online communities, and subject matter experts (SMEs) in your industry.

3. Processing

Once data is collected, it will need to be processed and organized in the format required for the next step – analysis. You will likely have a tremendous amount of structured and unstructured data. Analytic models, including machine learning, can process data in both formats.

When accumulating data from various sources, it will need to be cleaned and organized for your intelligence learning engines. The processing step may involve decryption, translation, and filtering data for relevance and reliability.

4. Analysis

You have the data and have cleaned and organized it. Now, it’s time to analyze the data and search for the answers to the questions posed in the first step. Search the data specifically for security-related information. The goal is to provide analytics that your team will understand and be able to use. The output can range from simple reports to in-depth analysis of threat lists.

5. Dissemination

Information gains value as it is shared. The results of your analytics must reach the right audience. For the intelligence you are building to be applied to enhance security systems, it has to get into the hands of the people that can make that happen. The information circulated should include calls to action and provide solutions to the demands of stakeholders.

6. Feedback

The last step in the cyber threat intelligence lifecycle is feedback. With the questions from the first step answered, the resulting intelligence is reviewed for completeness and effectiveness. The aim of this cycle is not to determine a final solution but to drive the objectives of the next intelligence cycle.

The perpetrators of cyber threats and attacks are continually changing their behaviors and tactics. The CTI cycle is always working to stay ahead of the adversary. If we allow the process to stop, cyber attackers will swiftly overtake any advances we have made and gain footholds that will be difficult to loosen.
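The six steps above, run end to end on constructed data as an added example that is not part of the original article: step 1 is a list of questions keyed by threat theme, step 2 is one structured vendor feed plus one unstructured analyst note, step 3 normalizes and deduplicates them with a per-source reliability rating, step 4 keeps only what answers a requirement and ranks it (that ranked list is what step 5 would distribute), and step 6 reports the unanswered questions as the next cycle's requirements. All source names, indicator values and reliability ratings are assumed, and the confidence formula treats sources as independent, which is an assumption of this example.

```python
import re

# Constructed sample data (not from any real feed). Step 1: the questions we asked, keyed by theme.
REQUIREMENTS = {"phishing": "Which domains are phishing our mail users?",
                "scanning": "Who is probing our API hosts?",
                "ransomware": "Which groups target our file servers?"}
# Step 2: two collected sources; 'reliability' is an assumed 0..1 rating of the source.
FEEDS = [
    {"source": "vendor_feed", "reliability": 0.9, "records": [
        {"type": "domain", "value": "login-portal.example", "tags": ["phishing"]},
        {"type": "domain", "value": "ads.example", "tags": ["malvertising"]}]},
    {"source": "forum_note", "reliability": 0.4,
     "text": "login-portal.example is a phishing page; 203.0.113.7 is scanning api hosts"}]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def normalize(feed):
    """Step 3 (processing): turn a structured or free-text feed into uniform records."""
    base = {"source": feed["source"], "reliability": feed["reliability"]}
    if "records" in feed:
        return [dict(r, **base) for r in feed["records"]]
    out = []
    for clause in feed["text"].lower().split(";"):  # tag each clause by the themes it names
        tags = [t for t in REQUIREMENTS if t in clause]
        found = [("ipv4", v) for v in IPV4.findall(clause)] + [("domain", v) for v in DOMAIN.findall(clause)]
        out += [dict(base, type=k, value=v, tags=tags) for k, v in found]
    return out

def merge(records):
    """Step 3 continued: deduplicate across sources. Confidence combines source
    reliabilities as if they were independent (an assumption of this example)."""
    merged = {}
    for r in records:
        m = merged.setdefault((r["type"], r["value"]), {"type": r["type"], "value": r["value"],
                                                       "tags": set(), "sources": [], "confidence": 0.0})
        m["tags"].update(r["tags"])
        m["sources"].append(r["source"])
        m["confidence"] = 1 - (1 - m["confidence"]) * (1 - r["reliability"])
    return list(merged.values())

def analyze(merged):
    """Step 4: keep what answers a requirement, ranked by confidence; step 5 ships this list."""
    return sorted((m for m in merged if m["tags"] & set(REQUIREMENTS)), key=lambda m: -m["confidence"])

def feedback(report):
    """Step 6: questions no indicator answered become the next cycle's requirements."""
    answered = {t for m in report for t in m["tags"]}
    return [q for t, q in REQUIREMENTS.items() if t not in answered]

def run_cycle():
    report = analyze(merge(r for f in FEEDS for r in normalize(f)))
    return report, feedback(report)
```

Note that the indicator seen by both sources outranks the one seen only by the low-reliability note, and the unrelated malvertising domain never reaches the report because no requirement asked about it.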


Why is Cyber Threat Intelligence Important?


Our adversaries are gathering CTI. If we are not actively building our cyber threat intelligence, we will lose the cybersecurity battle. The primary purpose of CTI is to know and strengthen our defenses, know the intent behind attacks against us, and maintain an advantage over those who mean us harm.


A well-defined and well-managed cyber threat intelligence program can achieve the following objectives:

  • Ensure we are current in our knowledge of attack methods and tactics
  • Help us be proactive in our defenses against cybercrimes
  • Keep critical players informed of the latest trends and impact of cyber attacks


The Benefit of Cyber Threat Intelligence


There are many advantages of using CTI. With the mountain of data and analytics used by this intelligence process, not only are rapid response actions applied, but the intent of the attacker is examined and understood. Knowing your attacker’s plan reduces their ability to harm. It forces cyber adversaries to also learn and evolve with each attack. CTI is the key to understanding the enemy and preparing in advance for their next invasion.


Some of the more commonly accepted benefits of cyber threat intelligence are:

  • Enables a proactive cybersecurity approach
  • Improves detection of cyber threats and attackers
  • Helps develop a predictive cybersecurity model
  • Results in better, more informed decisions during and after each cyberattack


Know Your Enemy


Cyber threat intelligence is actionable data for addressing an organization’s weaknesses and knowledge gaps. Collected and analyzed information about any external threat gives the company or individual the upper hand when building defenses against future attacks. The attackers and their threats will continue to evolve and strengthen. A continuous CTI environment will provide a more secure perimeter around our assets and information.

Cyber threat intelligence provides the means for organizations to win the battle against the growing number of bad actors and cyber threats. Without CTI, a security team is nearly defenseless against today’s cyber villains. An attempt to build a defense without actionable intelligence is like taking a shot in the dark. No good will come from it. It is more likely to harm.

The ancient Chinese general Sun Tzu is credited with the following quote. The wording varies depending on the source, but the message is the same.

“Know the enemy and know yourself; in a hundred battles, you will never be defeated. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.”

In today’s cyber community, we are in a battle against an enemy without morals or societal values. In the end, knowledge will always win. The question is, “Who will own the intelligence?”