Cyber Threat Intelligence (CTI) Crash Course

Cyber Threat Intelligence (CTI) Crash Course
February 21, 2024

Cybersecurity is such a broad domain with so many different areas of expertise that it’s tough to be across them all.

We all have known unknowns in the field, and none of us can be experts in everything.

That’s why we’re kicking off our “Crash Course” series, where we’ll be diving into different areas of cybersecurity and answering the most common questions about the field.

From threat intelligence, to network security, to incident response, threat hunting, pentesting, digital forensics, and cryptography and encryption, there’s a lot to learn, and the tools, techniques, and processes used in each of these fields is constantly changing.

Today, we’re starting with questions you may have about threat intelligence (CTI), particularly if you haven’t been in a threat intel analyst role before.

Threat intel is a topic near and dear to our hearts at Cosive, with many of our team members having been involved in CTI for much of their careers. We’ve even launched our own CTI product, CloudMISP.

QUICK NAVIGATION

What is threat intelligence?

“Threat intelligence” or “Threat intel” is the collection and analysis of information about potential or current threats to an organisation's security.

Threat intel typically includes details about the motives, tactics, techniques, tools, and procedures attackers use. It’s gathered from a variety of sources, including security researchers, government agencies, threat intel sharing communities, and private intelligence firms.

Why is threat intelligence important?

Threat intelligence can benefit organisations by helping them to prioritise their cybersecurity efforts. By understanding the types of threats they are most likely to face, organisations can focus their resources on defending against the most pressing threats first.

Threat intelligence can also help Security Operations Centre (SOC) teams to be more proactive. By staying up-to-date on the latest threats, organisations can anticipate potential attacks and take steps to prevent them before they happen. In some cases, threat intelligence can even be used to automatically prevent certain types of attacks, for example, by automatically blocklisting an IP address associated with phishing activity.

How can I get started with threat intelligence?

John Hubbard of the SANS Institute offers sound advice on the three main things your organisation needs to get started with threat intelligence:

  1. You must know your threat intelligence requirements. For example, what questions is your organisation trying to answer with threat intelligence? Having clear requirements prevents your organisation from aimlessly collecting data. Good starting questions include: Which threat groups are most likely to target our organisation? What tactics, techniques and procedures (TTPs) are they most likely to use against us?
  2. You must have a threat model. Threat modelling involves trying to predict what attackers might try to do to your organisation before an attack occurs. For example, if you have sensitive customer data secured behind an authenticated REST API endpoint, your REST API could be a potential high-value target for attackers. Having a threat model allows you to proactively defend against likely threats.
  3. You must have a threat intel platform you can use to manage your collected data. Data collection, correlation and analysis lies at the heart of an effective threat intelligence program. Luckily, there are sophisticated open source tools like MISP to help your SOC team collect, structure, store, correlate, and analyse this data. It’s important to note that threat intel involves a combination of automated and human efforts. It’s impossible to run an effective threat intel program without expert human analysts to translate threat intelligence into real-world actions.

What are the different types of threat intelligence?

Threat intelligence ranges from extremely broad to incredibly granular. The varying specificity of threat intel represents one of the main challenges involved with working in this space. Most threat intel falls into one of three categories:

  1. Strategic. Strategic threat intel includes broad-strokes information about threat actors, geopolitical motives, types of attacks, and overarching goals. An example of strategic threat intel could include an FBI report on a Russian state-sponsored APT targeting US government infrastructure. Strategic threat intel is of particular interest to high-level policy-makers and decision-makers such as CISOs.
  2. Operational. Operational threat intel delves into the TTPs used by threat actors. In the context of the Russian state-sponsored APT example above, operational threat intel might include compiled info on the specific techniques they’ve used across previous attacks. Operational threat intel is typically a focus at the SOC level, since it can be used to help drive team priorities and decision-making.
  3. Tactical. Tactical threat intel includes granular information like hash values, IPs, and domains (often referred to as “IOCs” or Indicators of Compromise). This type of threat intel is so granular that it’s typically of more use to machines than humans. Ideally, SOC teams will create machine-to-machine (M2M) feeds to automatically push tactical threat intel into their security infrastructure, such as firewalls. In the context of the Russian state-sponsored APT example we’ve been using, tactical threat intel might include a specific domain associated with an attack by this group.

What are some examples of threat intelligence?

To bring these concepts to life, here are some examples of different types of threat intelligence.

STRATEGIC THREAT INTELLIGENCE EXAMPLE

The first example below is an example of threat intelligence at the highest, or “strategic” level. It provides a high-level overview of an emerging threat (in this case, our favourite example: a Russian state-sponsored APT).

A tell-tale sign that threat intel sits at the strategic level is that it focuses mainly on the “who” and “why” rather than the specifics on “how” and “what”.

This report from CISA is an example of strategic threat intelligence.

OPERATIONAL THREAT INTELLIGENCE EXAMPLE

Operational threat intelligence dives into the “operations” of threat actors, such as the specific TTPs they’ve used.

An example of this kind of threat intelligence is leaked internal chat logs from a threat group. For example, in February 2022 a Ukrainian security researcher published leaked chat logs from the ransomware group Conti. In the logs, the group discusses victim bots infected with malware. Because this threat intelligence delves primarily into the “what” and the “how” of the threat group, it is threat intelligence at the operational level.

Ransomware gang chat logs translated and shared by BleepingComputer, an example of operational threat intelligence.

TACTICAL THREAT INTELLIGENCE/IOCS EXAMPLE

Tactical threat intelligence is the most fine-grained level of threat intelligence, consisting mainly of IOCs (Indicators of Compromise). This kind of intelligence is particularly useful for feeding into your automated systems using something like MISP.

Examples of tactical threat intelligence/IOCs are file hashes, IP addresses, domains and port numbers.

Although intelligence at this level is useful because of its compatibility with automated systems, it has a couple of drawbacks:

  1. Short-lived usefulness. Attackers frequently change things like file hashes, IP addresses, domains and port numbers in order to avoid detection. This means IOCs are typically only useful for a matter of days, or even hours. Therefore, part of working with IOCs involves implementing a process for aging out short-lived indicators. (Just to complicate things, there are some exceptions to the rule that IOCs are short-lived, like domain names exclusively used for malicious activity.)
  2. Chance of false positives. IOCs can easily include false positives, like non-malicious IP ranges. Automatic blocking rules applied to non-malicious IPs can degrade the experience of legitimate users if you aren’t careful.
An example of tactical threat intelligence / IOCs shared by Avertium.

What does threat intelligence do?

When used effectively, threat intelligence can be used to proactively defend against potential threats.

However, the keyword here is used. On its own, threat intel is just information. It’s how that information is used that makes it valuable.

The biggest pitfall companies fall into with threat intelligence is collecting lots of data but not using the data to take action.

Here are a few different examples of how threat intelligence could be used to prevent attacks:

  1. Let’s imagine you are working in the SOC team for a large network of hospitals in the US. You receive some strategic threat intel from a government body about a ransomware gang that has been targeting healthcare providers in the US and stealing patient health records. Expecting that you might soon face an attack from this ransomware gang, your team works on addressing any potential vulnerabilities in the way the company stores its health records. Several weeks later, your team finds evidence in the logs that an attacker may have tried to gain access to your systems, but failed.
  2. Your team receives operational threat intel about a recently discovered exploit in a piece of software used on many employee’s work machines. You immediately patch the software and shore up the vulnerability, preventing the use of that exploit against your organisation.
  3. You’ve configured your Threat Intelligence Platform (TIP) to automatically push certain types of tactical threat intel/IOCs to your firewall. You receive threat intel including an IP address associated with an attack on a similar organisation just 12 hours ago. The IP address is automatically added to your firewall blocklists. The next day, you see that your firewall blocked a request from the same IP address.

What are threat intelligence tools and platforms? What purpose do they serve?

Threat intelligence tools and platforms help with organising, storing, structuring, correlating, and analysing large volumes of threat intel in a standardised format.

Without a dedicated tool, analysts typically share threat intelligence over email. There are a few key drawbacks to this way of doing things:

  • Information overload. With many different participants, threat intel threads can quickly become very noisy and hard to follow. Email wasn’t designed for sharing threat intelligence, so there’s no easy way to automatically organise threat intel threads.
  • Non-standard formatting. Most threat intel shared over email comes in the form of PDF documents, blog post and news article links, text files, CSVs, XML, and copy-pasted text in the email body, with no standardised format. This makes it difficult to search, organise, and analyse this data without a lot of manual work.
  • Spam filters. Because threat intelligence often contains information about threats and malware, it can potentially get caught in spam filters.
  • Limited ability to automate. Email has limited integration with other systems, meaning IOCs like domains must be manually extracted and copy-pasted into blocklists. This creates more manual work for analysts.

Threat intelligence tools and platforms (often called TIPs) give analysts a better way to work with threat intel than sharing it via email threads.

Although every platform is different, they each have a few core things in common.

  • Data standardisation. Most threat intel platforms place a strong emphasis on standardised formats for representing data like STIX or MISP. These formats are JSON-based and enable ingestion and sharing of threat intel using a repeatable, machine-readable format. This standardisation makes it much easier to search, categorise, and correlate the data, as well as enabling automatic blocking of things like known malicious IP addresses, domains, and file hashes at the network perimeter.
  • Searchability. Threat intelligence platforms come with powerful search and filtering capabilities designed specifically for working with threat intelligence, making it easier to find exact information.
  • Encryption and authentication. Since threat intel platforms are built to store sensitive data, they have built-in encryption and authentication capabilities.
  • Integrations. Threat intelligence platforms come with many standard integrations with other security tools like firewalls, intrusion detection systems, and Security Information and Event Management Systems (SIEMs).
  • Correlation. Rather than relying on analysts’ memory, threat intel platforms use correlation algorithms and machine learning to detect patterns and connect the dots between seemingly unrelated events.

Some of the most popular threat intelligence tools and platforms include MISP, Anomali, and EclecticIQ.

What are threat intelligence feeds?

Threat intel feeds are a way to share and receive threat intelligence data. Typically, feeds are composed of data in a standardised, machine-readable format such as STIX and contain details about malware, phishing campaigns, vulnerabilities, malicious IP addresses, domains, file hashes, and other IOCs.

The preparation of threat intelligence feeds often involves security analysts converting unstructured data into a standardised format suitable for a threat intel feed. This requires a collective effort from the security community, including commercial threat intelligence providers (who sell their own threat intel feeds), government agencies, and open-source communities.

Threat intelligence feeds come in two flavours: passive feeds and active feeds. Passive feeds contain information only, while active feeds include the capability to take automated action on IOCs via integration with security tools. In general, passive feeds are intended for analysts, while active feeds are intended mainly for machine-to-machine consumption.

What do threat intelligence analysts do?

The purpose of a threat analyst’s role is to improve their organisation’s security posture by translating threat intelligence into action.

Depending on seniority, a threat intelligence analyst will typically focus on four key areas.

  1. Collection and organisation of threat intelligence. Threat intel analysts subscribe to feeds and gather threat intelligence that may be relevant to their organisation.
  2. Analysis and correlation of data. Once data has been gathered, analysts will analyse the data and look for patterns that could reveal current or emerging threats. This stage can also include threat and risk modelling to help determine which threats to address first.
  3. Automation and action. The byproduct of a threat analyst’s work should be action, whether the action is spearheaded by the analyst themselves or through reporting observations and threats to a more senior analyst or leader. These actions typically include creating or configuring automations, updating security controls, patching vulnerabilities, blocking malicious IPs, domains, and file hashes and modifying security policies.
  4. Consultation and recommendation. Usually the domain of senior analysts, this stage involves coordinating action at the team or organisational level in response to threats. This may also involve getting stakeholders involved from outside the SOC. An example might be organising a proactive, team-based response to an emerging ransomware threat targeting similar organisations.

What threat intelligence is most important for business?

The two most important factors in determining the importance of threat intelligence for a business are relevancy and risk.

  1. Relevancy. How relevant is the threat to the business? For example, while threat intel concerning a hacker group targeting electrical infrastructure in the UK may be interesting, it’s unlikely to be relevant to a financial technology startup in Australia. Instead, the most relevant threat intel is usually shared between organisations in the same industry and geographic location. For example, threat intel shared between cryptocurrency exchanges about the threats they’re facing is likely to be highly relevant and useful because of the similarity between organisations.
  2. Risk. How much risk is associated with the threat? For example, threats associated with data breaches and data exfiltration are of particularly high risk to businesses. A data breach can undermine customer trust, damage the businesses’ reputation, and could lead to substantial fines.

What are some commonly used threat intelligence tools?

  1. Threat intelligence platforms (TIPs), covered earlier, provide analysts a more efficient way to work with threat intelligence data.
  2. SIEM (Security Information and Event Management) tools aggregate and analyse security-related data from various sources to detect threats.
  3. Threat intelligence feeds provide information on threats in a structured way.

Wrapping up

These are the most commonly Googled questions about threat intelligence, asked and answered. I hope that you learned something new and useful while reading this.

In future, I’ll cover other fields in cybersecurity, like digital forensics, incident response, phishing defence, malware analysis, and more. Stay tuned!
You can keep up with new blog posts from Cosive by following us on LinkedIn or Twitter.