Threat intelligence is evidence-based knowledge about existing or potential threats that includes context, mechanisms, indicators, consequences and actionable recommendations, and can be used to make response decisions.
Source: Gartner (McMillan, 2013), as cited in "Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study"
What Is Threat Intelligence Used For?
Threat intelligence raises awareness of threats and helps select protective measures that fit the threat landscape relevant to the organization (taking into account the specifics of its activities, sector of the economy and industry).
Threat intelligence also improves the quality of detection and response to threats both proactively and reactively.
Today, most organizations focus their efforts only on installing technical security tools, such as IPS/IDS, ME and SIEM, but do not fully use the data those tools collect for analytics.
The Analytical Threat Intelligence Life Cycle
The Planning Stage of the Threat Intelligence Life Cycle
Definition of the list of assets;
Definition of the list of threats;
Definition of the list of information sources:
Internal: Firewall, IDS, SIEM, AV;
External: community information.
The Collection Stage of the Threat Intelligence Life Cycle
The Processing and Analysis Stage of the Threat Intelligence Life Cycle
Once the raw data has been collected, it must be converted into a format suitable for analysis. The analysis then determines to what extent the identified threats apply to the particular organization (its region and sector).
The Dissemination Stage of the Threat Intelligence Life Cycle
The final step in the threat intelligence life cycle involves determining whether changes to the threat inventory need to be made.
3 Levels of Threat Intelligence
Tactical intelligence
Goal: To gain a broader understanding of threats.
Tactical intelligence is short-term, technical in nature, and identifies simple indicators of compromise (IOC - Indicators Of Compromise).
It has a short service life, since IOCs can become obsolete in a few days or even hours.
Questions to ask:
What are the IOC channels? (SIEM, Firewall, AV, Endpoints, IDS, NGFW)
Are IOCs relevant?
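An added example (not from the original article) that puts the processing-stage question "does this threat apply to our organization?" and the tactical questions "which channels feed IOCs?" and "are they still relevant?" into code: a constructed IOC feed tagged by sector is filtered for the organization's sector and an age limit, and the surviving IOCs are matched against constructed firewall and DNS log lines. The feed values, sector tags, log format and 7-day freshness window are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class IOC:
    value: str            # the indicator itself (IP address or domain)
    kind: str             # "ip" or "domain"
    sectors: frozenset    # sectors the feed associates this IOC with
    last_seen: datetime   # when the feed last saw the indicator active

# Constructed sample feed: documentation-range addresses, not real indicators.
FEED = [
    IOC("203.0.113.7", "ip", frozenset({"finance"}), datetime(2024, 5, 1)),
    IOC("198.51.100.23", "ip", frozenset({"energy"}), datetime(2024, 5, 2)),
    IOC("bad.example", "domain", frozenset({"finance", "retail"}), datetime(2024, 4, 1)),
]

# Constructed log lines, as a SIEM might receive them from a firewall and a DNS resolver.
LOGS = [
    "2024-05-03T10:00:01 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-05-03T10:00:05 fw ALLOW src=10.0.0.8 dst=198.51.100.23 dport=443",
    "2024-05-03T10:01:10 dns query=bad.example client=10.0.0.9",
]

def applicable(feed, org_sector, now, max_age=timedelta(days=7)):
    """Processing stage: keep IOCs tagged for our sector that are still fresh.
    Stale IOCs are dropped because they generate noise rather than detections."""
    return [i for i in feed
            if org_sector in i.sectors and now - i.last_seen <= max_age]

def match_logs(iocs, log_lines):
    """Tactical use: report log lines containing a live IOC as a whole token.
    Tokenising on whitespace and '=' avoids substring hits such as 203.0.113.70."""
    wanted = {i.value: i for i in iocs}
    hits = []
    for line in log_lines:
        tokens = set(re.split(r"[\s=]+", line.strip()))
        for value in tokens & wanted.keys():
            hits.append((value, wanted[value].kind, line))
    return hits

if __name__ == "__main__":
    live = applicable(FEED, "finance", datetime(2024, 5, 3))
    for value, kind, line in match_logs(live, LOGS):
        print(f"{kind} IOC {value} seen in: {line}")
```

Changing `org_sector` or the assumed `now` shows how the same feed yields a different set of relevant IOCs for a different organization or a later date.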
Operational intelligence
Goal: Track active APT groups to better understand the adversaries behind the attacks.
Every attack raises three questions:
"Who?" - attribution;
"Why?" - motivation;
"How?" - TTP.
Tactics, Techniques, and Procedures (TTPs) - The goal is to define behaviors that can be used to protect against certain strategies and threat vectors used by attackers.
Operational intelligence requires human analysis of information. Operational intelligence requires more resources than tactical intelligence but has a longer lifespan because attackers cannot quickly change their TTPs.
Strategic intelligence
Attackers don't operate in a vacuum - there are almost always higher-level factors behind a cyberattack. For example, nation-state attacks are usually tied to geopolitical conditions.
Strategic intelligence shows how global events, foreign policy, and other long-term local and international movements can potentially affect an organization's information security.
How to Incorporate Data from Threat Intelligence
Use it to expand the list of threats;
Use it when prioritizing the remediation of vulnerabilities.