Threat Intelligence – A Complete Guide
In this almost complete guide to threat intelligence we’ll discuss how threat intelligence should make your cyber security better. The countermeasures you have already implemented should become more accurate and precise, initiatives and projects should become better aligned with the threats you’re likely to face, and it should give you more confidence in your overall security posture.
There are all sorts of fancy definitions and descriptions for threat intelligence, but they will not help you to understand how to leverage threat intelligence in your own cyber security work. This almost complete guide aims not just to babble about hypotheticals but to provide you with some real and actionable advice on how to begin using threat intelligence in your own cyber security program.
What Is Threat Intelligence?
Threat intelligence is about prioritizing the threats that matter.
The very core of threat intelligence is to help you make more informed and, simply put, better decisions. Which of your current security mechanisms should be prioritized and augmented with threat intelligence? Where across your digital estate are you lacking in protection? Are there specific threats facing your industry or country that you need to be aware of and defend against?
And that’s the promise of threat intelligence. It should be your guide on how to most effectively navigate the increasingly complex cybersecurity landscape. It’s not just a product or a service; it’s a methodology, a process, and a system for how to approach the specific needs of your organizational cybersecurity challenges. It’s about how to better manage business risk stemming from the cyber domain.
Make Attacks Less Likely and Reduce Attack Impact
When working with cybersecurity and specifically cyber attacks, you can either:
- Make them less likely.
- Reduce cyber attack impact.
The true challenge lies in achieving just that: How do we strengthen or build cybersecurity? Which security controls should we implement? What processes are necessary? How do we comply with regulatory and industry frameworks and compliance requirements? And so forth.
Let’s explore some of the challenges that organizations face when it comes to cyber security and then how threat intelligence could help to alleviate at least some of the pain stemming from these challenges.
What Challenges Does Cyber Threat Intelligence Address?
Listed below are some challenges that many organizations face today, and perhaps you can relate to some of them:
- Too Many Vulnerabilities – Your digital infrastructure likely has hundreds of vulnerabilities to patch, update, or address. It can be challenging to know which vulnerabilities to focus on, as they’re not all created equal.
- Remote Workforce – Employees can use their corporate credentials to access work-related resources (email, VPN) from their often shared home computers. Credential stealers can compromise these computers as they’re often not secure.
- Lacking Visibility – Many organizations feel they’re reacting to threats and “putting out fires” rather than preventing and predicting them. This is usually the result of an inability to see threats outside their network perimeter.
- Phishing and Social Engineering – Cybercriminals use CFO and BEC scams to trick users into revealing passwords and downloading malicious code masquerading as a software update or an invoice. Phishing remains a major problem and concern for many organizations, and it’s increasingly so as it relates to their supply chains.
- Increased Dependence on Supply Chains – You’re becoming increasingly dependent on a growing network of vendors and partners to do your job: your supply chain. This is also a growing concern for many organizations in terms of increased risk, as your suppliers’ cybersecurity is becoming YOUR cybersecurity.
- Alert Fatigue – Incident responders and security analysts often spend precious time hunting down suspected malicious IP addresses and domains, only to discover they were benign. They often lack historical context and relevant information regarding domains, IP addresses, and historical attacker behavior, information that will help them triage faster and more quickly isolate and evict attackers in their environments.
Can you relate to one or more of these challenges? The chances are pretty good that you can.
Categories of Threat Intelligence
When discussing threat intelligence it’s common to categorize the “output” of the threat intelligence capability. Most commonly you’ll find the following three categories:
- Tactical CTI provides details on specific threats, such as malicious IP addresses, domains, malware strains, or vulnerabilities. It will typically facilitate and help address challenges related to alert fatigue, phishing, social engineering, and attempting to address too many vulnerabilities.
- Operational CTI further abstracts cyber attacks and begins to characterize threat actor groups and their tools/techniques. It attempts to describe particular attacker behaviors and weave together individual tactical elements into a bigger picture, which may even help you predict the most likely attacks.
- Strategic CTI identifies emerging trends to plan long-term security strategies. This is probably the most difficult type of intelligence to conduct as it involves much uncertainty and unknown elements. At the same time, it’s the one type of intelligence that may truly and significantly affect long-term risk.
Types of Threat Intelligence
There’s another often forgotten area of threat intelligence and that is the “type” of threat intelligence. Generally speaking there are four types:
- Basic
- Current
- Warning
- Estimative
These four types are the fundamental building blocks of threat intelligence and underpin all intelligence products. They can appear as tactical warnings, tactical estimates, etc. The tactical, operational and strategic intelligence categories more generally refer to time perspective. If you’d like to explore these in more detail, please refer to our slightly more detailed article about the foundations for threat intelligence.
Who Uses Cyber Threat Intelligence?
Threat intelligence can be consumed across the entire organization, and it entirely depends on what challenge, or pain, you are trying to address. Broadly speaking, we could consider the following groups/roles to be recipients of threat intelligence related reporting:
- Security Analysts
- Incident Responders
- Threat Hunters
- Security Engineers
- Security Architects
- Chief Information Security Officers (CISO)
- Chief Risk Officers (CRO)
CTI offerings are typically tailored to security analysts and, to some extent, security engineers/architects. These professionals’ primary focus is obtaining TACTICAL intelligence.
Security Analysts and Their Use of Threat Intelligence
Security analysts require relevant and up-to-date intelligence on threat groups and their current active infrastructure for command and control. Think of them as guards patrolling a perimeter, investigating suspicious activities, determining if there have been any burglars in the area recently, what they might look like, etc.
Next, we’ll consider the security engineers and architects who don’t require daily updates of malicious indicators, only more generalized indicators. Their task is to understand the bigger problem, learn how systems and organizations are generally breached, and identify the general security controls that must be implemented to prevent these breaches from succeeding.
In our guard analogy, operational intelligence is about understanding where burglars typically will attempt to subvert security controls. How do they generally deceive CCTV recordings? What organizations do they typically target? How long does it take to breach a target? What are they looking for, and why?
Needs of the Chief Information Security Officer
Last but certainly not least is the security leadership – the CISOs. They must understand the types of cyber attacks that their organization is most likely to face. CISOs require situational awareness and complete visibility into areas of the infrastructure and organization that are currently the most at risk and likely to be attacked.
This involves having a good understanding of the threat actors and groups targeting their industry and of the types of systems those actors use. Threat profiles can help in building this understanding. CISOs must understand where they have applications and infrastructure that would likely attract the attention of cyber attackers. They must ensure timely remediation of vulnerabilities and, most importantly, address them in the most appropriate order.
Lastly, CISOs must try and predict the most likely future scenarios concerning business objectives and strategies. Is the organization expanding to a particular country? Are they considering migrating to a particular platform? Are they producing and inventing particular technology that other nations find highly attractive?
As you can see, there are plenty of recipients of cyber threat intelligence products, reports, and services. It all boils down to your understanding and appreciation of the challenges your organization is facing. Only after understanding your challenges can you tailor your intelligence requirements to address and meet these challenges.
Why Is Threat Intelligence Important?
Cyber threat intelligence will ultimately make your organization more resilient against cyber attacks because it will ensure investment in the most appropriate security controls based on real-world data and an understanding of the threat landscape. It will also ensure that this is done in a cost-effective, measurable manner, which in turn makes it easier to provide the rationale for particular requests for more resources.
CTI will provide data supporting your argumentation, strengthening and improving the likelihood of actually acquiring the resources you need. Another important benefit of CTI is that you’re pushing the entire cyber attack kill chain toward earlier stages. Most organizations typically don’t discover they’ve been attacked until very late in the attack lifecycle.
Early Discovery Through Threat Intelligence
Imagine cyber attacks being a chain of phases that an attacker has to go through to reach their objective. If you can catch an attacker earlier in the attack, they’ll have a harder time achieving their objectives. An attacker will have to perform reconnaissance and develop necessary resources and infrastructures. They need to weaponize exploits, gain initial access, and successfully execute code on remote systems, to mention a few stages of an attack.
As previously noted, organizations typically discover attacks very late – in some cases, only after a completed attack (i.e., after they’ve been hit by ransomware). What we must strive toward is pushing the attacker toward the left, detecting them much earlier in the attack phases. And that’s exactly what CTI will help you do. It will even help you anticipate their moves and find their malicious infrastructure before they’ve even had a chance to use it.
When we push the attacker toward the left, we help minimize the impact of a successful attack. We also reduce the likelihood of them succeeding in the first place. In the ideal scenario, we predict their moves and stop them before they even begin.
How Has Threat Intelligence Made a Difference in the Real World?
In this section, we’ll highlight a few select stories from the real world where threat intelligence has had a significant impact on the outcome of cyber attacks.
Scenario 1: Predicting Threat Actor Use of Malicious Infrastructure
In this scenario, continuous monitoring and analysis were performed on newly registered domains with similar-looking or slightly modified versions of the original domain names.
Systems detected multiple instances of such domains, which were flagged for analysis by our human friends, the threat intelligence analysts. They concluded that these domains appeared suspicious. After receiving them, the detection engineering team quickly added the suspicious domains to custom detection rules.
Cybercriminals leveraged the domains in real and targeted phishing attacks against the target organization within four days of discovery and analysis.
The use of the suspicious domains triggered the custom detections, which completely thwarted this attack. The organization suffered little to no impact. Had this detection not been in place, the attack would likely have had a much more significant impact, potentially resulting in providing the attacker with initial access to the targeted environment.
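The monitoring step in this scenario can be illustrated with code. The following is an added example, not code from the original article or from any vendor it mentions: it generates lookalike variants of an organization’s own domain, matches them against a feed of newly observed domain names, and renders the hits as Suricata-style DNS query rules so a detection engineering team can drop them into their ruleset. Everything here is constructed for the example: `PROTECTED_DOMAIN`, the entries in `NEW_DOMAIN_FEED`, the homoglyph table and lure words, and the placeholder `sid` values; the rule syntax follows Suricata’s documented `dns.query` keyword.

```python
"""Added example: flag newly registered lookalike domains and emit detection rules.

Nothing here comes from the original article; the protected domain, the feed
entries, the homoglyph table, the lure words and the rule sids are all
constructed for illustration."""

from itertools import count

PROTECTED_DOMAIN = "example-corp.com"  # constructed: the organization's own domain

# Constructed sample feed: one day's newly observed domain names (all made up).
NEW_DOMAIN_FEED = [
    "example-corp.co",
    "exarnple-corp.com",
    "example-c0rp.com",
    "examplecorp-login.com",
    "weather-today.net",
    "example-corp.com.secure-portal.xyz",
    "gardening-tips.org",
]

# Small constructed table of characters that look alike on screen.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5"}
ALT_TLDS = ("com", "co", "net", "org", "io")
LURE_WORDS = ("login", "secure", "portal", "mail")


def generate_lookalikes(domain):
    """Map each lookalike domain string to the technique that produces it.

    Covers the variant families typosquatters commonly register: homoglyph
    substitution, omitted and transposed characters, rn/m confusion, TLD swaps,
    and the brand with a lure word appended (with and without the hyphen)."""
    label, _, tld = domain.rpartition(".")
    variants = {}

    def add(candidate, technique):
        if candidate != domain:                 # never flag the real domain
            variants.setdefault(candidate, technique)

    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:] + "." + tld, "homoglyph")
        add(label[:i] + label[i + 1:] + "." + tld, "omission")
        if i + 1 < len(label):
            swapped = label[:i] + label[i + 1] + ch + label[i + 2:]
            add(swapped + "." + tld, "transposition")
    add(label.replace("m", "rn") + "." + tld, "bigram-confusion")
    add(label.replace("rn", "m") + "." + tld, "bigram-confusion")
    for alt in ALT_TLDS:
        add(label + "." + alt, "tld-swap")
    for word in LURE_WORDS:
        for base in (label, label.replace("-", "")):
            add(f"{base}-{word}.{tld}", "lure-word")
            add(f"{base}{word}.{tld}", "lure-word")
    return variants


def find_lookalikes(domain, feed):
    """Return (candidate, technique) for every feed entry that impersonates `domain`."""
    lookalikes = generate_lookalikes(domain)
    hits = []
    for raw in feed:
        candidate = raw.lower().strip(".")
        if candidate == domain:
            continue
        if candidate in lookalikes:
            hits.append((candidate, lookalikes[candidate]))
        elif candidate.startswith(domain + "."):
            # The brand used as a subdomain under someone else's registration.
            hits.append((candidate, "brand-as-subdomain"))
    return hits


def suricata_rules(hits, first_sid=9000001):
    """Render hits as Suricata DNS-query alert rules.

    Syntax follows Suricata's documented dns.query sticky buffer; the sid range
    is a placeholder chosen for this example."""
    rules = []
    for sid, (candidate, technique) in zip(count(first_sid), hits):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"CTI lookalike domain '
            f'{candidate} ({technique})"; dns.query; content:"{candidate}"; '
            f'nocase; classtype:bad-unknown; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(find_lookalikes(PROTECTED_DOMAIN, NEW_DOMAIN_FEED)):
        print(rule)
```

Running the script prints five rules, one per impersonating entry, while the two unrelated registrations in the feed are ignored. In practice the feed would be a daily pull of new registrations or certificate-transparency entries, and a generated variant set of this size is small enough to check against it as a plain set lookup rather than a fuzzy match, which keeps the analyst review queue short.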
Scenario 2: Discovering Leaked Credentials
In this scenario, an organization’s credentials were discovered on a dark web marketplace; they were flagged and consequently investigated. After manually reviewing the marketplace listing, threat analysts concluded that the credentials were indeed authentic. They also noted several other credentials that were available for sale.
These additional credentials were INTERNAL ONLY credentials for backup systems hypervisors. This significantly increased the risk of a very serious cyber attack.
The customer was alerted to these credentials and to the additional information the human intelligence analyst had discovered, and the recommended action was an immediate incident investigation.
Further investigation revealed that the credentials had been harvested from a consultant’s computer. Additionally, it was discovered that the computer had NOT been onboarded in the customer EDR solution, and the attack had gone unnoticed.
The customer could terminate and reset passwords and sessions associated with the leaked credentials. The attacker, who had likely purchased the credentials, attempted to use them several days later.
Yet again, CTI made the difference between a successful breach and an unsuccessful one.
If you’re curious about marketplaces on the dark web, here’s a video in which Christoffer conducts a deep dive into a real dark web marketplace selling credentials.
Common Questions About Threat Intelligence
How can I tell vendors apart?
Many vendors and service providers focus almost exclusively on tactical threat intelligence, as this is often the easiest to provide. That is also a double-edged sword because it’s also the easiest for threat actors to change.
You’ll find that what distinguishes threat intelligence providers is their ability to move “up the ladder” from tactical toward operational and strategic intelligence. Mature vendors will discuss intelligence requirements and what actionable, relevant, and timely intelligence means to you.
How can we start using threat intelligence?
Often, the most challenging aspect of threat intelligence is getting started. Don’t worry; we’re here to guide you. First, you have to consider your current cybersecurity capabilities. Ingesting threat intelligence, of any kind (tactical, operational, or strategic), will require some dedicated resources (time, staff, and know-how) to leverage appropriately.
Therefore, the first thing to consider is what type of commitment you can make toward acquiring threat intelligence. You can choose to buy a fully managed end-to-end threat intelligence capability, or you can build everything yourself and then everything in between.
When you’ve answered that question, you’ll have a better idea of how to proceed. It’s easy to buy tools and products; however, tuning them and incorporating them into your existing processes, systems, and tools is another matter. You should ideally strive to document your needs, and typically that’s done through something called Intelligence Requirements.
There’s no single answer to this question; it depends on your current needs and resource availability.
How much does threat intelligence cost?
Again, this entirely depends on what you want to achieve and the level of involvement you’ll have in the capability development. Fully managed services are usually perceived as being more expensive, and to a certain extent, that may be true. However, many people fail to consider the opportunity cost of allocating an existing resource toward building threat intelligence capabilities. Ultimately, one hour spent building threat intelligence is one hour that can be deducted from somewhere else.
You’ll very likely find that the cost of CTI-related services and products varies significantly. It can be difficult to judge whether or not these costs are and can be justified. This will all circle back to whether you fully understand the challenges you’re trying to solve. Determining if CTI is the most appropriate “tool” for the job will take some effort.
Expect to pay anything from a few thousand euros per month to tens of thousands. You should probably focus on your needs, as that will help you better understand if a particular offering can address your needs and if the cost is justified.
How do I know if I’m getting any value out of my CTI service/product?
This is indeed a tough nut to crack. If nothing happens, has the service been good or bad? This can be a difficult question to answer. But you could attempt to seek indirect evidence of the service working. Is there any reporting involved that would provide a sense of what the service has done? How many “alerts” has the analyst team processed (if managed)?
Don’t be fooled by statements with random large numbers, such as “We monitor one gazillion sources across the open, deep, and dark web.” Instead, you should look for how many “alerts” were relevant in light of your organizational context. How many potential typosquatted domains have been processed? How many mentions of your brand have been spotted on the dark web?
Ultimately, this is a hard question to answer because there is no good answer. This is about trust and authority between you and your provider. Do you believe they know what they’re talking about? Are they transparent about their processes, guidelines, and ways of working? Can they be specific about what they know and don’t know?
In this video, Truesec shares the latest findings on the threat landscape from their 2024 Threat Intelligence Report.