What is Cyber Threat Intelligence?
By Neal Humphrey,
Over the last several years a lot of the articles that have been about IT and security have used the term “cyber threat intelligence (CTI)”…which is fine. The issue though is that the term keeps being used in different ways. Whether its from a list of IP addresses, to hashes or signatures in use, a description of known bad actors or even vulnerability information, it seems we’re using the term in lots of different ways without a commonly accepted definition.
This leads to the question of “Is there an actual, agreed upon definition somewhere out there, and if so, what really is cyber threat intelligence?”
Cyber Threat Intelligence Definitions
Turns out… No. There isn’t really. And while there isn’t a common definition of cyber threat intelligence, there is an industry specific definition from Gartner that we can start with:
Gartner’s definition of cyber threat intelligence
Threat intelligence is evidence based knowledge that includes context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
For those of you that are more experienced with CTI, there are also categorizations of CTI (Tactical, Strategic, and Operational) and different methods of gathering CTI (HUMINT, SIGINT, and OSINT). But that’s for a later day. My goal today is to create an accurate, generally available and understandable definition of Cyber Threat Intelligence that includes some things I think Gartner is missing.
I submit this definition, contrary to Gartner’s, not that their definition is wrong, though. It’s not. Their definition is simply focused on the collection, initial analysis and distribution of CTI, not the actual use and value of CTI in a unique organization.
Deepwatch’s definition of cyber threat intelligence:
The collection, curation and continuous analysis of intelligence relating to malicious items or actors, as seen on the internet or elsewhere, that is determined to be a relative threat or concern by an organization through a review of their priorities, risks and mitigations currently in place for common or uncommon threats.
Let’s break that definition out into it’s keywords and phrases:
- Continuous Analysis
Collection is the easiest piece in defining CTI. CTI is usually seen and defined by IOCs (Indicators of Compromise) that are consistently published by varying sources. For most organizations it is the collection of these IP addresses, domains, URLs, hashes, email addresses, CVEs, product notifications, etc. This information is collected in a management console or database and used in various actions.
Collection is also the easiest part to get wrong. The old adage that says too much is never enough is in its inverse here. It is very, very easy to drown your organization in more IOCs and information than you can use, let alone effectively.
Curation is the review of collected IOCs or information for relevance to the organization. Curation needs to look at the context of information that is gathered, not just the volume or the source of the intelligence. Just like a car’s trade in value, the relevance of any IOC starts to degrade as soon as it is detected and published. Curation is all about understanding the current fit of the information to the organization.
Continuous Analysis is the simple feedback loop that makes CTI useful. CTI can create a voluminous amount of information that needs to be sifted through, organized and personalized for its value to be judged. Selected intelligence can then be put into use in a variety of ways once the impact has been determined. Measuring that impact is a unique consideration for the organization that also needs to factor in not only the context of external intelligence but also the internal intelligence that can be utilized.
Each organization has their own priorities, and these priorities constantly change. This is one of the aspects of internal intelligence that needs to be understood. In fact, it’s my opinion that this needs to be discussed and understood first, before starting to look at any external feeds or sources of intelligence.
As each organization has their own priorities they also have their own risks associated with those priorities. These risks are constantly changing due to shifts in the external threat landscape and internal concerns.
Most people will look to the detection and prevention technologies in the infrastructure only when thinking of mitigating factors to use for CTI. That isn’t deep enough. You need to also take into account other components like compensating controls, network segmentations, user controls and even physical security. All of these types of mitigations and Run Books should be compared against your company’s priorities, risks and current analysis of external threats and intelligence.
Simply put, this is the answer to the question of “Is this concern or threat relative at this point?” Is the intelligence that has been collected, curated or recently analyzed a relative threat based on the priorities, risks and current mitigations in place? If not, what other mitigations or intelligence is needed to help minimize the relative threat?
CTI is an incredible force multiplier for cybersecurity. Instead of having to man all the walls of your metaphorical castle, you get an idea of when, where and how an attack could happen, allowing you to prepare your defenses and your responses appropriately.
The thing that you don’t want to do with CTI though is consume everything possible to defend against everything possible. Relativity is the key. It’s a process more so than a technology. You will need experts to understand the intelligence and that grasp the context of the information, but you will also need internal information to determine its risk factors based on priorities and mitigations.
We’re your partners in (preventing) crime
At Deepwatch, our named squads, our Content Library’s extensive use cases and our automation driven cloud SecOps platform help our customers to put this definition into action. Understanding your priorities and your mitigations through a hybrid SOC model allows for consistent review and continual analysis of cyber threat intelligence against current risks. Real time information sharing and collaboration between our threat hunters, squads and customers establishes a trusted working relationship for continued growth of internal CTI. When used correctly, it is the best way to meet one of the best known quotes in the Art of War:
“To know your Enemy, you must become your Enemy. … If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
– Sun Tzu
Take advantage of the security expertise provided by Deepwatch and get an ally to help use CTI as a force multiplier for your security infrastructure. Contact us today.