Cyber threat intelligence is information about a prevailing or evolving cyber threat that can be disseminated by threat intelligence partners to organizations in order to reinforce security against cyber-attack vectors. Cyber threat intelligence data might take the form of rogue IP addresses, known malware hashes, attachments,
and other core threat identifiers. Such data may also include other critical information about a threat activity, like Indicators of Compromise (IOCs), Indicators of Attack (IOAs), the methods used in the attack, and sometimes the motivation or even ID of the attacker. Through threat intelligence sharing community platforms or tools, it is possible to share cyber threat intelligence between organizations and stop attacks before they occur.
Threat intelligence data is used to learn about an adversary and gain insights into current threats. Threat intelligence can be a valuable tool when it comes to lessons learned in Incident Response (IR) and preventing future attacks. Intelligence is used to learn how threat actors are operating. This is of great value to the cybersecurity domain, because nowadays the threat landscape is so broad and adversaries vary widely, from state-sponsored actors to cybercriminals extorting money from their victims.
The Importance of CTI
Every organization has certain core objectives regardless of its size, business type, or geographical location, such as increasing income, mitigating risks, reducing expenditures, increasing the number of clients and satisfying employees, conforming to regulations, and so on. However, information security is often overlooked and is frequently not seen as a core objective because of its cost, and as a result the time spent on security awareness training is minimal. To counter this prevalent outlook, in this section you are going to learn how cyber threat intelligence can have a positive impact on your organization. The key benefits of threat intelligence are as follows:
• Mitigating risk: Adversaries are constantly discovering new ways to infiltrate organizations. Threat intelligence provides visibility into these existing and emerging security hazards, which will reduce the risk of data loss, prevent or minimize the disruption of business operations, and increase regulatory compliance.
• Stopping financial loss: Security breaches can cost your organization in the form of post-incident remediation and restoration processes as well as in fines, investigations, and lawsuits. Using a threat intelligence tool can help you make timely, informed decisions to prevent system failure and the theft of confidential data. It also assists in protecting your organization's intellectual property and in preserving your brand's reputation.
• Increasing operating success: Threat intelligence helps in the creation of a more efficient security team. Using automated threat sharing platforms to validate and correlate threat data, and to integrate the data into your organization will strengthen your security posture and can lower your IR time. Moreover, it will allow your operational workforce to work more efficiently and will save your business money.
• Reducing costs: Threat intelligence benefits any kind of organization regardless of its shape and size. It helps process threat data to better understand attackers, respond to incidents, and proactively predict and block the possible next moves of attackers. Leveraging external threat intelligence can reduce costs.
Structured Threat Information Expression
Structured Threat Information Expression, commonly known as STIX, is a language and serialization format for exchanging threat intelligence related to cyberattacks. STIX is open source and free for anyone to use. STIX allows us to share threat intelligence from any point of view, from a mere suspicion to confirmed indicators of compromise (IoCs). It also lets us represent threat information clearly as objects together with the detailed relationships between them. STIX is generally shared in JSON format, but it can also be represented visually so that any analyst can take advantage of the information. The information shared can easily be integrated with security analytics tools. STIX has 12 domain objects for describing a threat element (more information can be found at https://oasis-open.github.io/cti-documentation/stix/intro ):
Attack Pattern: Describes how threat actors attempt to compromise a target by providing information about the Tactics, Techniques, and Procedures (TTPs) used.
Campaign: Describes a grouping of attacker behavior for a particular set of malicious activities and attacks that are observed over a period of time against a very specific group of targets.
Course of Action: Defines what action is to be taken to prevent or respond to an attack.
Identity: Defines individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
Indicator: Contains a pattern of threat information that can be used to detect suspicious or malicious cyber activity.
Intrusion Set: Describes attacker or adversarial behaviors and resources grouped together as a set whose common properties are assumed to be orchestrated by a single threat actor.
Malware: Information about malicious code and malicious software, which can be used to compromise the confidentiality, integrity, or availability of a victim's data or system.
Observed Data: Contains information observed on a system or network (for example, a source or destination IP address).
Report: May contain threat information related to the description of a threat actor, malware, attack techniques, or contextual data.
Threat Actor: Carries information about any individuals, groups, or organizations assumed to have malicious intent.
Tool: Any information about software packages that can be used by adversaries to perform an attack.
Vulnerability: Information about a vulnerability or bug in software that can be used directly by an attacker to compromise a system or network.
Here is a sample JSON structure of a STIX object (the id is "<object type>--<UUID>" and timestamps are UTC in RFC 3339 form):
{
    "type": "",
    "id": "object--xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "created": "yyyy-mm-ddThh:mm:ss.000Z",
    "name": "",
    "description": ""
}
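To make the template above concrete, here is an added example (not code from the original article or from OASIS) that builds a small STIX 2.1 bundle with only the Python standard library: a Malware object, an Indicator whose pattern would detect it, and the Relationship linking the two. It also runs the basic structural checks a consumer should apply before trusting a received object (id format, timestamp format, required properties, and that relationship references resolve inside the bundle). The malware name and hash value are constructed placeholders, not real indicators.

```python
"""Build and sanity-check a minimal STIX 2.1 bundle using only the standard library."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<object-type>--<UUID>"; timestamps are RFC 3339 in UTC,
# which is what the "yyyy-mm-ddThh:mm:ss.000Z" template above sketches.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")

# Properties common to every object, plus the ones each type requires in STIX 2.1.
COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_id(object_type):
    """Identifier in the form the sample JSON shows as 'object--xxxxxxxx-...'."""
    return f"{object_type}--{uuid.uuid4()}"


def stix_timestamp(dt=None):
    """UTC timestamp with millisecond precision, e.g. 2024-01-15T09:30:00.123Z."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def new_object(object_type, **props):
    """Skeleton domain object: the common properties plus whatever the caller adds."""
    now = stix_timestamp()
    obj = {"type": object_type, "spec_version": "2.1", "id": stix_id(object_type),
           "created": now, "modified": now}
    obj.update(props)
    return obj


def build_bundle():
    """Constructed example: Malware + Indicator + 'indicates' Relationship."""
    malware = new_object("malware", name="example-loader", is_family=False,
                         malware_types=["downloader"])
    indicator = new_object(
        "indicator",
        name="example-loader dropper hash",
        # Placeholder hash (all zeros), not a real IoC.
        pattern="[file:hashes.'SHA-256' = '" + "0" * 64 + "']",
        pattern_type="stix",
        valid_from=stix_timestamp(),
        indicator_types=["malicious-activity"],
    )
    rel = new_object("relationship", relationship_type="indicates",
                     source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [malware, indicator, rel]}


def validate_bundle(bundle):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        oid = obj.get("id", "")
        for prop in COMMON + REQUIRED.get(obj.get("type"), ()):
            if prop not in obj:
                problems.append(f"{oid or '<no id>'}: missing {prop}")
        # The id must be well formed and its prefix must agree with the type.
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"{oid!r}: id must be '<type>--<uuid>'")
        for ts in ("created", "modified", "valid_from"):
            if ts in obj and not STIX_TS_RE.match(str(obj[ts])):
                problems.append(f"{oid}: {ts} is not an RFC 3339 UTC timestamp")
        # Relationships must point at objects that actually travel with the bundle.
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{oid}: {ref} points outside the bundle")
    return problems


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle) or "none")
```

The validator deliberately checks only structure, not meaning: a bundle can be perfectly well formed and still carry stale or low-confidence indicators, so the `valid_from`, `confidence`, and TLP markings on received objects still need a human or policy decision before they reach a blocklist.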
Trusted Automated Exchange of Intelligence Information
Trusted Automated Exchange of Intelligence Information (TAXII), originally expanded as Trusted Automated Exchange of Indicator Information, is a standard for message exchange that provides a sharing mechanism for actionable cyber threat information across organizational and product/service boundaries. TAXII defines the concepts, protocols, and message exchanges used to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. Broadly, TAXII covers two primary sharing models, each exposed as a service:
Collection: This is an interface to access a repository of cyber threat intelligence (CTI) objects provided by a TAXII server. It allows a producer to host a set of CTI data that TAXII clients can request, so clients and servers exchange information in a request-response model (more information can be found at https://oasis-open.github.io/cti-documentation/taxii/intro ), shown as follows:
Channel: This is maintained by a TAXII server. A channel allows CTI producers to push data to many consumers and consumers to receive data from many producers, so TAXII clients exchange information with other TAXII clients in a publisher-subscriber model.
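The Collection request-response model described above, as an added example that is not code from the original article or from any TAXII implementation. It shows what a TAXII 2.1 client does with only the Python standard library: send requests with the TAXII media type in the Accept header, read the server's collection list and keep only the collections it is allowed to read, build the objects URL with the `added_after` filter so that only new intelligence is pulled, and walk the `more`/`next` pagination of the returned envelope. The server responses embedded below are constructed samples (the collection ids, api-root URL and the 203.0.113.7 documentation address are all assumptions), so the script runs offline.

```python
"""Walk a TAXII 2.1 Collection (request-response model) with the standard library only."""
import json
from urllib.parse import urlencode, urljoin
from urllib.request import Request

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
STIX_MEDIA_TYPE = "application/stix+json;version=2.1"

# Constructed sample: what GET {api-root}/collections/ might return.
SAMPLE_COLLECTIONS = json.dumps({
    "collections": [
        {"id": "1f6b7c2e-3a4d-4e5f-8a9b-0c1d2e3f4a5b", "title": "High-confidence indicators",
         "can_read": True, "can_write": False, "media_types": [STIX_MEDIA_TYPE]},
        {"id": "6a7b8c9d-0e1f-4a2b-8c3d-4e5f6a7b8c9d", "title": "Partner submissions",
         "can_read": False, "can_write": True, "media_types": [STIX_MEDIA_TYPE]},
    ]
})

# Constructed sample: one page of GET {api-root}/collections/{id}/objects/ (a TAXII envelope).
SAMPLE_ENVELOPE = json.dumps({
    "more": True,
    "next": "page-2",  # opaque cursor chosen by the server
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
         "created": "2024-01-15T09:30:00.000Z", "modified": "2024-01-15T09:30:00.000Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",  # RFC 5737 documentation address
         "pattern_type": "stix", "valid_from": "2024-01-15T09:30:00.000Z"},
    ],
})


def taxii_request(url, accept=TAXII_MEDIA_TYPE):
    """Build the GET a TAXII client sends; the Accept header is what marks it as TAXII 2.1."""
    return Request(url, headers={"Accept": accept})


def readable_collections(collections_json):
    """Keep only collections this client may pull from and that serve STIX JSON."""
    data = json.loads(collections_json)
    return [
        c for c in data.get("collections", [])
        if c.get("can_read")
        and any(m.startswith("application/stix+json") for m in c.get("media_types", []))
    ]


def objects_url(api_root, collection_id, added_after=None, next_cursor=None, limit=None):
    """URL of the objects endpoint with the optional filters TAXII 2.1 defines."""
    params = {}
    if added_after:
        params["added_after"] = added_after   # only objects added after this timestamp
    if next_cursor:
        params["next"] = next_cursor          # continue a paginated result
    if limit:
        params["limit"] = limit
    url = urljoin(api_root.rstrip("/") + "/", f"collections/{collection_id}/objects/")
    return url + ("?" + urlencode(params) if params else "")


def parse_envelope(envelope_json):
    """Return (objects, next_cursor); next_cursor is None once the server has no more pages."""
    env = json.loads(envelope_json)
    return env.get("objects", []), (env.get("next") if env.get("more") else None)


if __name__ == "__main__":
    api_root = "https://taxii.example.com/api1/"  # hypothetical TAXII server
    for coll in readable_collections(SAMPLE_COLLECTIONS):
        url = objects_url(api_root, coll["id"], added_after="2024-01-01T00:00:00.000Z")
        req = taxii_request(url)
        print("GET", req.full_url, "Accept:", req.get_header("Accept"))
        objs, cursor = parse_envelope(SAMPLE_ENVELOPE)
        print(f"{coll['title']}: {len(objs)} object(s); next cursor: {cursor}")
        # A real client would loop here, passing next_cursor=cursor until it comes back None.
```

Against a live server the `Request` objects would be handed to `urllib.request.urlopen` together with the server's authentication; persisting the `added_after` value of the last successful pull is what keeps a scheduled client from re-downloading the whole collection every run.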
Part 2: coming soon
- OASIS Open Command and Control (OpenC2)
- Traffic Light protocol (TLP)
- Cyber Analytics Repository by MITRE (CAR)
- IntelMQ by ENISA
- Recorded Future
- Anomali STAXX
- Cyberthreat-intelligence feeds