Why “Cyber Intelligence Threat Information Services”
In recent years, Threat Intelligence Platforms (TIPs) have gained a foothold in many global Security Operations Centers (SOCs). This technology brings unique value to the cyber security services within an organization. Supported by a TIP and a Cyber Threat Intelligence (CTI) approach, we can combine the two into a "Cyber Threat Intelligence Program" that provides intelligence (as both a process and a product) to inform decisions across a series of cyber security services in the organization. In this blog post, we illustrate what that value might look like by covering some critical factors.
Why have a cyber threat intelligence program?
A. Cyber Threat Intelligence (CTI) helps with the collection and analysis of information about threats and adversaries. It produces threat models that make it possible to take informed decisions for prediction, preparation, prevention, detection, hunting, response, and forensic actions against various cyber attacks.
B. Cyber Threat Intelligence (CTI) focuses on threat modeling, supporting the team to assess and make informed strategic, tactical, and operational decisions about existing or emerging threats to the organization.
C. Cyber Threat Intelligence (CTI) helps the organization identify and mitigate various business or industry risks by converting unknown threats into known threats, and it helps implement various advanced and proactive defense strategies.
D. With the constantly evolving TTPs used by threat actors, cyber threats are becoming significant risks for any business sector. To thwart these threats, it is important for organizations to incorporate and leverage Cyber Threat Intelligence (CTI) to strengthen their existing security posture.
What are popular Cyber Threat Intelligence (CTI) strategies?
As a general starting point, the organization should develop its Cyber Threat Intelligence (CTI) strategy based on its business risk levels and its regulatory, compliance, or business requirements. Phrases commonly used in the literature when it comes to CTI include:
- Security services based on cyber threat intelligence
- Cyber Threat Intelligence leads security services
- Security services focused on Cyber Threat Intelligence
- Cyber Threat Intelligence Reported Security Services
The first three seem to suggest that CTI is the main driver for making decisions within your cybersecurity organization. I think this is the wrong perception, and the focus needs to shift to using intelligence to inform policy rather than to drive it.
This was also my argument in the SPEED Use Case Framework post, where I highlighted that a biased threat-centric approach is risky and should be augmented with:
- General asset-centric baseline controls (and critical assets with enhanced baseline controls)
- Asset self-protection (tamper alerts, loss of visibility, technical compliance management)
- Compliance-driven countermeasures (sometimes you just need to meet audit standards)
- A split between CTI feeds and quantitative and qualitative threat models (simply getting rid of everything in a threat model doesn't work)
What needs to be emphasized before starting a Cyber Threat Intelligence program is that a basic SOC foundation must already be in place in order to unlock the value of a Cyber Threat Intelligence Program:
1. Security Incident Management Process established.
2. Established SOC Core technologies (Example: SIEM, SOAR, EDR, IDS, IPS).
3. The established technologies must be able to automatically receive and apply Indicators of Compromise (IOC) feeds.
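To make the third prerequisite concrete, here is an added example (not code from the original post, and not tied to any particular TIP or SIEM product) of the minimum that "automatically receive and apply IOC feeds" means in practice: parse a feed, discard indicators that have passed their validity date, and match the remaining indicators against telemetry. The feed format, the log lines, the indicator values and the dates are all constructed for illustration; only the two-step pattern (normalize the feed, then match observables extracted from logs) is the point.

```python
import csv
import io
import re
from datetime import date, datetime

# Constructed sample IOC feed (illustrative only, not a real feed).
# Columns: indicator type, value, last day the indicator is considered valid, source.
IOC_FEED_CSV = """type,value,valid_until,source
ipv4,198.51.100.23,2099-01-01,constructed-feed
domain,update-check.example,2099-01-01,constructed-feed
domain,old-c2.example,2020-01-01,constructed-feed
sha256,5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8,2099-01-01,constructed-feed
"""

# Constructed sample telemetry (illustrative only, not real logs).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example method=GET",
    "2024-05-01T10:00:02Z dns client=10.0.0.7 query=update-check.example type=A",
    "2024-05-01T10:00:03Z dns client=10.0.0.7 query=old-c2.example type=A",
    "2024-05-01T10:00:04Z edr host=ws12 file=C:\\Temp\\a.exe "
    "sha256=5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "2024-05-01T10:00:05Z proxy src=10.0.0.5 dst=203.0.113.9 host=intranet.example method=GET",
]

# Observable extractors applied to lower-cased log lines.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def load_ioc_feed(csv_text, now=None):
    """Parse a CSV IOC feed into {type: {value: source}}, dropping expired indicators.

    `now` is an ISO date string (YYYY-MM-DD); defaults to today. Applying stale
    indicators is a common source of false positives, so expiry is enforced here.
    """
    today = date.fromisoformat(now) if now else date.today()
    iocs = {"ipv4": {}, "domain": {}, "sha256": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type = row["type"].strip().lower()
        if ioc_type not in iocs:
            continue  # unsupported indicator type for this matcher
        valid_until = datetime.strptime(row["valid_until"].strip(), "%Y-%m-%d").date()
        if valid_until < today:
            continue  # expired indicator: do not apply it
        iocs[ioc_type][row["value"].strip().lower()] = row["source"].strip()
    return iocs


def extract_observables(line):
    """Pull candidate IPs, hashes and domains out of one log line."""
    low = line.lower()
    return {
        "ipv4": set(IPV4_RE.findall(low)),
        "sha256": set(SHA256_RE.findall(low)),
        "domain": set(DOMAIN_RE.findall(low)),
    }


def match_logs(iocs, lines):
    """Return one hit per (indicator, log line) pair where a live IOC is observed."""
    hits = []
    for line in lines:
        observables = extract_observables(line)
        for ioc_type, values in observables.items():
            for value in sorted(values & set(iocs[ioc_type])):
                hits.append({
                    "type": ioc_type,
                    "value": value,
                    "source": iocs[ioc_type][value],
                    "line": line,
                })
    return hits


def run_example(now="2024-05-01"):
    """Apply the constructed feed to the constructed logs as of the given date."""
    return match_logs(load_ioc_feed(IOC_FEED_CSV, now=now), SAMPLE_LOGS)


if __name__ == "__main__":
    for hit in run_example():
        print(f"[{hit['type']}] {hit['value']} ({hit['source']}) <- {hit['line']}")
```

Run as of 2024-05-01, the script raises three hits (the IP, the live domain and the file hash) and correctly ignores old-c2.example, whose validity ended in 2020. In a real SOC the feed would arrive from the TIP over an API or STIX/TAXII rather than a CSV string, and the matching would run inside the SIEM or EDR, but the expiry check and the type-aware normalization are exactly what item 3 requires of those tools.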
Critical points
This is an oversimplification of the CTI types; in reality, how these types are implemented may vary by organization.
In the SANS and EC-Council literature, "operational" and "tactical" are interchanged (I suspect this has to do with the military origin of most of these conceptual frameworks). Because my background is primarily in business, I have changed these to make them more logical for me (and for the multitude of businesses I generally deal with).
SANS talks about strategic, tactical and operational CTI; EC-Council also describes a technical CTI type, which for simplicity has been left out of the diagram.
Conclusion:
A CTI-informed SOC strategy is highly beneficial to your organization in terms of combating targeted cyber threats, but don't forget that it is CTI's job to inform policy, not to create it.