Cyber Threat Intel

What is Cyber Threat Intel?

Threat intelligence is knowledge about threats that has been analysed enough to act on. Cyber threat intelligence is used to better understand, predict and adapt to the behaviour of malicious actors. Because it focuses on attacker behaviour rather than only on known signatures, it also helps defenders prepare for attacks that exploit not yet patched (zero-day) vulnerabilities.

"Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes" (NIST SP 800-150).

Threat Intel Life Cycle:

The intelligence lifecycle is the process of developing raw information into finished intelligence for policymakers to use in decision making and action.


CTI Life Cycle

Planning and Direction

Planning and direction sets the goals for the threat intelligence program. Priorities and intelligence requirements (the questions the program must answer) are defined in this phase.

Collection:

Collection is the gathering of the data from which finished intelligence is produced. Data includes logs (firewall, IPS/IDS, endpoints), threat feeds and OSINT (reports, social media, public forums).

Types of Collection Sources:

Private/Commercial Data:

Vendors provide finished intelligence such as threat intel reports, malware reports and incident response reports that describe the full picture of a threat actor, as well as paid threat intel feeds. Several vendors offer such feeds.

Community Data:

The purpose of creating or joining a community is to share critical vulnerability information and cybersecurity intelligence among trusted organizations within an industry and between sectors. Examples of such communities are ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations).

Public Data:

Public data sources are available at no cost. Large databases exist that include phishing URLs, crawling and scanning IPs and malware hashes. Public information can be collected from Cyber Crime Tracker, URLhaus, Ransomware Tracker and OpenPhish. Publicly available feeds have several problems:
  • Trust: the source is often unvetted, so entries must be validated before they are acted on
  • Lack of context: an indicator usually arrives without the campaign, actor or confidence behind it
  • Outdated data: indicators can stay listed long after the infrastructure behind them is gone

Data Processing:

Data processing is the conversion of collected data into information the organization can use. Processing can be manual or automated.

Automated:

The most common approach is automated processing, which includes the following:
  • Identification based on patterns
  • Algorithm based processing
  • Machine Learning Processing
  • NLP (Natural Language Processing)

Manual:

Manual processing involves humans working through the data without automation. In some cases automated extraction of indicators is difficult, because finished reports do not always state IOCs explicitly; an analyst can then derive the TTPs from the report manually.

Stages of Processing:

Processing happens in three stages:
  • Sorting and filtering (pre-processing): raw data from several sources is organized for the following stages, and duplicate or incomplete records are eliminated.
  • Normalization: the data is converted into a format that is compatible with the SIEM solution, so it can be correlated with internal logs.
  • Ingestion and storage: the data is loaded and retained for future use such as temporal analysis or campaign analysis.
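The following Python script is an added example, not code from the original post. It walks through the automated, pattern-based processing described above and the three processing stages, using the public-feed problems (trust, lack of context, outdated data) as filter rules. The feed lines are constructed for the example and only loosely imitate real feed formats; the field layouts, the 90-day retention window and the output schema are assumptions, not those of any real feed or SIEM.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed lines (not data from any real feed).
# Each entry is (source, raw line); each source uses its own layout,
# as real feeds do. Duplicates, an outdated entry, an incomplete entry
# and a malformed hash are included on purpose.
RAW_FEED = [
    ("urlfeed", "2024-05-01 10:00:00,hxxp://malicious.example[.]com/dl.exe,online,malware_download"),
    ("urlfeed", "2024-05-01 10:00:00,hxxp://malicious.example[.]com/dl.exe,online,malware_download"),
    ("urlfeed", "2023-01-02 08:00:00,http://old.example.net/a.php,offline,phishing"),
    ("urlfeed", "2024-05-01 11:00:00,,online,phishing"),
    ("hashfeed", "d41d8cd98f00b204e9800998ecf8427e"),
    ("hashfeed", "not-a-real-hash"),
    ("scanners", '{"ip": "198.51.100.7", "last_seen": "2024-05-02T12:00:00Z", "tag": "scanner"}'),
    ("scanners", '{"ip": "198.51.100.7", "last_seen": "2024-05-02T12:00:00Z", "tag": "scanner"}'),
]

# Pattern-based identification: the regex table decides the indicator type.
PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "url": re.compile(r"^https?://[^\s,]+$", re.I),
}

MAX_AGE = timedelta(days=90)  # assumed window after which an indicator counts as outdated
REFERENCE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


def refang(value):
    """Undo common defanging so the same indicator from two feeds deduplicates."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").strip()


def classify(value):
    """Return the indicator type matched by the regex table, or None if it matches nothing."""
    for ioc_type, pattern in PATTERNS.items():
        if pattern.match(value):
            return ioc_type
    return None


def parse_time(text):
    """Parse the two timestamp styles used by the sample feeds into aware UTC datetimes."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_line(source, line, collected_at):
    """Stage 1 (sorting): one raw line -> (value, seen, tags), or None if incomplete."""
    try:
        if source == "urlfeed":
            seen, url, status, tag = line.split(",")
            if not url:
                return None  # incomplete record
            return refang(url), parse_time(seen), {tag, status}
        if source == "hashfeed":
            return line.strip(), collected_at, {"malware"}  # feed carries no timestamp
        if source == "scanners":
            obj = json.loads(line)
            return obj["ip"], parse_time(obj["last_seen"]), {obj["tag"]}
    except (ValueError, KeyError):
        return None
    return None


def process_feed(raw_feed, now):
    """Stages 1-3: filter, normalize into one schema and deduplicate, merging sources and tags."""
    merged = {}
    for source, line in raw_feed:
        parsed = parse_line(source, line, now)
        if parsed is None:
            continue
        value, seen, tags = parsed
        ioc_type = classify(value)
        if ioc_type is None or now - seen > MAX_AGE:
            continue  # malformed or outdated indicator
        rec = merged.setdefault((ioc_type, value), {
            "type": ioc_type, "value": value, "sources": set(), "tags": set(), "first_seen": seen,
        })
        rec["sources"].add(source)
        rec["tags"] |= tags
        rec["first_seen"] = min(rec["first_seen"], seen)
    # Flat records with sorted lists and ISO timestamps are what a SIEM ingest expects.
    out = [{"type": r["type"], "value": r["value"], "sources": sorted(r["sources"]),
            "tags": sorted(r["tags"]), "first_seen": r["first_seen"].isoformat()}
           for r in merged.values()]
    return sorted(out, key=lambda r: (r["type"], r["value"]))


def run_sample():
    """Process the constructed feed against the fixed reference time."""
    return process_feed(RAW_FEED, REFERENCE_NOW)


if __name__ == "__main__":
    for record in run_sample():
        print(json.dumps(record))
```

Of the eight input lines, three records survive: the URL (its duplicate merged), the IP (likewise merged) and the valid MD5 hash. The outdated phishing URL, the line with an empty URL field and the malformed hash are dropped, and every record carries its sources and tags so the lack-of-context problem is at least partially addressed at ingestion time.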

Analysis and Production:

The threat intel team must combine data from different sources and find meaningful patterns in it in order to make judgements. Once the analysis is complete, the TI team provides a finished report that communicates the key findings to the decision maker.

Dissemination:

Dissemination is getting finished intelligence to the place it needs to go in order to drive results and address risks. It also means delivering the finished report in time for it to be acted on.

Overview of Pillars of dissemination:

Pillars of Dissemination

