What is Cyber Threat Intelligence (CTI)?
Cyber Threat Intelligence (CTI) is precise, contextualized information about emerging or existing cyber threats that has been refined and analyzed to provide actionable advice, allowing organizations to make informed decisions and to proactively defend against or mitigate those threats. CTI provides knowledge, with context, about adversaries and their motivations, capabilities and goals, including the tools and methods they use to conduct cyber-attacks.
In a nutshell, Cyber Threat Intelligence (CTI) is information that has been collected, assessed for relevance, fully contextualized, filtered and analyzed to answer the core questions about the cyber threats an organization may face: who is likely to attack which assets, where, when, how and why.
Note that information alone is not intelligence; information is the raw material from which intelligence is produced through extensive analysis. Producing intelligence involves a comprehensive process of collecting, processing and analyzing data. The main difference between information and true intelligence is the analysis.
Cyber Threat Intelligence (CTI) Lifecycle Process:
Planning and Direction:
Planning and Direction involves management of the entire cyber threat intelligence operation. This phase defines the purposes and objectives of the cyber threat intelligence program. In this phase, the CTI team identifies which issues need to be addressed to protect the organization and what information must be gathered to produce threat intelligence products that satisfy the organization's requirements.
The Planning and Direction phase determines the exact requirements of the consumers (the organization) through Intelligence Requirements (IRs) or Priority Intelligence Requirements (PIRs) and ensures that those requirements are met so that the cyber threat intelligence product is delivered to the organization as it needs it. From these IRs and PIRs, the CTI team determines what data and information are required and how they should be collected.
The planning and direction phase establishes the questions that cyber threat intelligence is meant to answer. These questions are given to the CTI team as Intelligence Requirements (IRs) by the organization's decision-makers or by the head of the cybersecurity program, such as the CISO (Chief Information Security Officer). An Intelligence Requirement (IR) is a request stating what information the organization needs from the CTI team through the cyber threat intelligence operation.
For example, an Intelligence Requirement (IR) could be "Which types of adversaries are deploying attacks against our organization, and what are their motivations?" This question drives further collection effort and helps guide the CTI analyst to the answers. Answering intelligence requirements requires data collection, analysis, reporting and feedback. In the planning and direction phase, the CTI analyst develops a collection management framework. This collection plan maps all sources of intelligence collection (both internal and external) to ensure they can provide the data needed to answer the intelligence requirements.
Three key fundamentals of Planning and Direction phase:
Collection:
The collection phase of cyber threat intelligence involves collecting, from various sources, the data that will most likely satisfy the intelligence requirements. This phase is the execution of the collection plan determined during the planning and direction phase. Data can be collected from a large variety of internal and external sources. Internal data sources are typically the logs generated by the organization's hardware and software about device usage. Internal sources may include indicators of compromise (IOCs), network event logs, firewall logs, router logs, IDS alerts, records of past incident responses, vulnerability scans, etc.
External sources include threat data feeds, code repositories, malware analysis, the dark web, hacking forums, social media, paste sites, human intelligence, information sharing platforms, etc. After accumulating data from these sources, the cyber threat intelligence team processes that data to make it ready for analysis.
Processing:
The processing phase of cyber threat intelligence involves converting the collected raw data into a format suitable for analysis. Collected data is not usable in the format in which it was collected, because it comes from different sources in a variety of formats such as XML, JSON, CSV and even plain text. Hence, the raw data is processed and converted into a uniform format. Finally, the data is sorted, organized, filtered and prepared for analysis.
Here are some of the most common ways to process data related to cyber threat intelligence:
• Normalization (normalizing collected data into a uniform format.)
• Indexing (making the collected data searchable.)
• Translation (translating data that was collected from foreign-language sources.)
• Enrichment (adding metadata and context to the data.)
• Filtering (filtering out false and redundant information.)
• Prioritization (ranking the data by importance.)
• Visualization (visualizing the sorted and organized data according to what analysts need.)
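The processing steps above, worked through on constructed sample feeds (this is an added illustration, not code from the original article): three sources in different formats are normalized into one record shape, the plain-text feed is filtered, duplicates across feeds are merged and enriched with a source count, and the result is prioritized. The feed names, field names and indicator values are all made up.

```python
import csv
import io
import json

# Constructed sample feeds in three formats, standing in for the mixed
# JSON/CSV/plain-text sources the processing phase has to unify.
JSON_FEED = json.dumps([
    {"type": "domain", "value": "Bad-Example.test", "confidence": 80, "source": "vendor-feed"},
    {"type": "ip", "value": "192.0.2.10", "confidence": 60, "source": "vendor-feed"},
])
CSV_FEED = "indicator,kind,score\nbad-example.test,domain,70\n203.0.113.5,ip,40\n"
TEXT_FEED = "192.0.2.10\n198.51.100.7\nnot an indicator\n"

def normalize(json_text, csv_text, plain_text):
    """Normalization: map each source's own field names onto one record shape."""
    records = []
    for item in json.loads(json_text):
        records.append({"type": item["type"], "value": item["value"].lower(),
                        "confidence": item["confidence"], "sources": {item["source"]}})
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({"type": row["kind"], "value": row["indicator"].lower(),
                        "confidence": int(row["score"]), "sources": {"partner-csv"}})
    for line in plain_text.splitlines():
        line = line.strip()
        # Filtering: the plain-text feed is untyped, so keep only dotted-quad IPs.
        if line.count(".") == 3 and all(p.isdigit() for p in line.split(".")):
            records.append({"type": "ip", "value": line, "confidence": 50, "sources": {"paste-scrape"}})
    return records

def deduplicate_and_enrich(records):
    """Filtering + enrichment: merge duplicates seen in several feeds, keep the
    highest confidence, and record how many independent sources reported each one."""
    merged = {}
    for r in records:
        key = (r["type"], r["value"])
        if key in merged:
            merged[key]["confidence"] = max(merged[key]["confidence"], r["confidence"])
            merged[key]["sources"] |= r["sources"]
        else:
            merged[key] = dict(r, sources=set(r["sources"]))
    for rec in merged.values():
        rec["source_count"] = len(rec["sources"])
    return list(merged.values())

def prioritize(records):
    """Prioritization: corroboration across sources first, then confidence."""
    return sorted(records, key=lambda r: (r["source_count"], r["confidence"]), reverse=True)

def process_feeds():
    return prioritize(deduplicate_and_enrich(normalize(JSON_FEED, CSV_FEED, TEXT_FEED)))
```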
Analysis:
The analysis phase of cyber threat intelligence is crucial. It involves integrating, interpreting, evaluating and analyzing the processed data to transform it into finished intelligence. The goal of the analysis phase is to develop a finished cyber threat intelligence product that answers the intelligence requirements (IRs) outlined in the planning and direction phase.
In the analysis phase, the CTI analyst synthesizes disparate pieces of processed data and interprets them to identify patterns, uncover threats, determine their meaning and enrich the data with contextual information. The data is also evaluated through various analytical techniques to assess its importance and implications. Tactical analysis answers the what/where/when/how questions about threats, attacks, vulnerabilities, etc. outlined in the intelligence requirements by analyzing technical telemetry such as network activity, malware samples, hash values, malicious domains, IPs and logs. Operational analysis examines specific threats, campaigns, adversaries and their capabilities (TTPs) to answer who is behind the threats, why, and how. Strategic analysis holistically assesses threats, risks, emerging technologies and geopolitics that may affect, or provide opportunities for, the organization now and in the future; it answers who is attacking and why.
Cognitive biases, perceptual biases and reasoning errors can lead to inaccurate evaluation. Therefore, Structured Analytic Techniques (SATs) are used to reduce bias. Through integration, evaluation and analysis, the CTI analyst produces the final intelligence products on time. Finished intelligence provides actionable advice on the Intelligence Requirement (IR) questions: what is happening, why it is happening, what might occur next, the adversaries' TTPs (Tactics, Techniques and Procedures), motivations, goals, etc.
The output of the analysis phase should enable action, whether that action is updating a threat profile, patching systems or creating threat detection rules. Actionable threat intelligence should be timely, accurate, contextual and coherent. An interplay between collection and analysis often occurs when the CTI analyst realizes that the collected data does not provide the required raw material and that different data needs to be collected for the appropriate analysis.
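One Structured Analytic Technique that targets the biases mentioned above is Analysis of Competing Hypotheses (ACH); the article does not name it, so this is an added example, not the author's material. Each evidence item is rated against every hypothesis as consistent (+1), inconsistent (-1) or neutral (0), and hypotheses are ranked by how much weighted evidence contradicts them rather than by how much supports them, which counters confirmation bias. The hypotheses, evidence and ratings are constructed for illustration.

```python
# Constructed ACH matrix: hypotheses and evidence are made-up illustrations.
HYPOTHESES = ["H1: financially motivated crimeware group",
              "H2: espionage-focused state-aligned actor",
              "H3: opportunistic commodity scanning"]

# (evidence description, weight, ratings in HYPOTHESES order: +1 / 0 / -1)
EVIDENCE = [
    ("Targeting limited to one engineering file share", 2, [-1, +1, -1]),
    ("No ransom note or extortion contact observed", 1, [-1, +1, 0]),
    ("Initial access via an internet-exposed remote desktop service", 1, [+1, 0, +1]),
    ("Data staged and exfiltrated in small nightly batches", 2, [0, +1, -1]),
    ("Activity originated from commercial VPN exit nodes", 1, [0, 0, 0]),
]

def inconsistency_scores(hypotheses, evidence):
    """Weighted sum of evidence inconsistent with each hypothesis (lower is better)."""
    scores = {h: 0 for h in hypotheses}
    for _desc, weight, ratings in evidence:
        if len(ratings) != len(hypotheses):
            raise ValueError("every evidence item needs one rating per hypothesis")
        for h, rating in zip(hypotheses, ratings):
            if rating < 0:
                scores[h] += weight
    return scores

def rank_hypotheses(hypotheses, evidence):
    """Most likely hypothesis first: the one the evidence contradicts least."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(hypotheses, key=lambda h: scores[h])

def diagnostic_evidence(evidence):
    """Evidence rated the same against every hypothesis cannot discriminate between
    them; ACH sets it aside and concentrates on items that rate hypotheses differently."""
    return [desc for desc, _w, ratings in evidence if len(set(ratings)) > 1]
```

Re-running the ranking after adding or re-weighting an evidence item shows how sensitive the conclusion is to any single observation, which is the check an analyst wants before the finished product is written.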
Dissemination:
The dissemination phase of cyber threat intelligence involves distributing the finished intelligence products to the relevant consumers in a digestible format. The dissemination phase ensures the delivery of different intelligence reports for the strategic, operational and tactical levels. These wide-ranging consumers need to be able to understand the intelligence, digest its content and understand what action needs to be taken. Dissemination enables organizations to operationalize intelligence work. Dissemination also determines how often intelligence reports should be distributed and in what format. Proper dissemination of actionable threat intelligence provides the most value and applicability to intelligence consumers.
Feedback:
The feedback phase of cyber threat intelligence involves obtaining feedback on the finished intelligence from the intelligence consumers. The feedback determines whether the produced intelligence successfully answers the intelligence requirements or not. Depending on the feedback, the intelligence cycle may start again from the beginning until the intelligence satisfies the requirements. The intelligence cycle is complete once the intelligence process satisfies the requirements. If the intelligence process fails to answer the requirements, adjustments need to be made for future iterations.