What is Threat Intelligence?
By: AIONCLOUD R&D Director Hyunmok Kim
Threat Intelligence or CTI(Cyber Threat Intelligence) is an emerging topic when it comes to security threats and responses. In this article, we will discuss the basic concepts, needs, and how to find and respond to threats in two parts.
Part1
Internet attacks are evolving daily. Hackers are constantly attempting various attacks using new technologies. They share information through their own communities or release their tooling in the public domain as open source. Such spread of information causes more incidents and damage. Organizations and companies that fight these hackers can likewise neutralize attackers' threats more effectively by sharing information among themselves.
Recent attacks are nearly impossible to defend against with a single security system. Also, both modified versions of old attacks and brand new attacks are increasing yearly. Unlike previous attacks that were directed at random targets, newer attacks are directed at specific targets and use APT (Advanced Persistent Threat) techniques. Thus, the traditional method of reactively defending against an attack has become obsolete, and predicting future attacks and blocking 100 percent of them is too challenging due to a lack of manpower, resources, and technology.
Intelligence is defined as the ability to acquire and apply knowledge, and the same definition applies to artificial intelligence as well.
"Threat intelligence" (TI) is evidence-based knowledge — including context, mechanisms, indicators, implications, and actionable advice — about an existing or emerging menace or hazard to IT or information assets - Gartner
The important thing here is evidence-based knowledge. Evidence-based knowledge can help overcome the limitations of security systems based on reactive responses to various evolving attack methods and technologies and resource limitations such as personnel and technologies for a proactive response.
Security departments need to be knowledgeable about related topics to support proactive and predictive cybersecurity operations. In that sense, Threat Intelligence can reveal unknown information based on evidence of existing threats and provide knowledge to help organizations make better security decisions.
One of the benefits of Threat Intelligence is that it helps security experts understand the attacker’s decision-making process. For example, if you know the vulnerability that is exploited by the attacker, then you can choose the best techniques and patches that can mitigate that vulnerability.
Also, when you need to make important decisions such as management indicators, business direction, or investments, known threats or predictable threat information analyzed through Threat Intelligence can help make important policy decisions.
■ Threat Intelligence types
The information collected and analyzed can be categorized according to who consumes it, and these categories can be roughly divided into three types.
- Strategic Intelligence: Provide trending information for a non-technical audience
- Tactical Intelligence: Provide an overview of tactics, techniques, and procedures of attackers aimed at a more technical audience
- Operational Intelligence: Provide technical information about specific attacks and campaigns
Strategic intelligence provides information to the organization's management and decision-makers to understand the risks posed to the organization by cyber threats and make important decisions. Hence, the content could be generally non-technical and can be provided through reports or briefings, but it must be able to provide insight into tactics, objectives of attackers, geopolitical events, or trends.
Generating strategic intelligence requires, in addition to general cybersecurity expertise, analysts with a strong understanding of geopolitics and business concepts. For these reasons, strategic intelligence tends to be the most difficult form of intelligence to produce. Its sources are mainly policy documents from governmental or non-governmental organizations, media, subject-specific publications, white papers produced by security organizations, and research reports.
Tactical intelligence describes an attacker's tactics, techniques, procedures, and attack paths, along with the indicators of compromise (IOCs) used in the attack. IOCs are things like malicious IP addresses, URLs, file hashes, and known malicious domains, networks, or hostnames. Because this information is machine-readable, it can be collected from logs, from feeds provided by security products, or through API integration. Tactical intelligence is the easiest form of intelligence to produce and can be automated. As a result, it is available from open sources, free feeds, and the like, but it has a very short lifespan because IOCs such as malicious IPs or domain names can be discarded within days or hours.
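As an added example (not from the article, and not code from MONITORAPP or AICC), the following Python matcher checks constructed log lines against a constructed tactical IOC feed and ignores indicators older than an assumed 72-hour validity window, showing both the automation and the short lifespan described above. All indicator values, timestamps, and the log format are made up for illustration.

```python
"""Match log lines against a tactical IOC feed, expiring stale indicators.
Feed entries and log lines are constructed placeholders, not real IOCs."""
from datetime import datetime, timedelta, timezone
import re

# Constructed IOC feed: (type, value, first_seen as ISO-8601 UTC).
IOC_FEED = [
    ("ip", "203.0.113.77", "2024-05-01T08:00:00Z"),
    ("domain", "bad.example", "2024-05-02T12:00:00Z"),
    ("sha256", "a" * 64, "2024-04-20T00:00:00Z"),
]

# Assumed validity window: tactical IOCs age out within days or hours.
IOC_TTL = timedelta(hours=72)

# Constructed log format: "<ts> src=<ip> host=<hostname> sha256=<hash>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<ip>[\d.]+) host=(?P<host>\S+) sha256=(?P<sha>[0-9a-f]{64})"
)

LOG_LINES = [
    "2024-05-03T09:15:00Z src=203.0.113.77 host=cdn.example sha256=" + "0" * 64,
    "2024-05-03T09:16:00Z src=198.51.100.5 host=bad.example sha256=" + "a" * 64,
]


def parse_ts(s):
    """Parse the feed/log timestamp format into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_iocs(feed, now):
    """Keep only indicators first seen within IOC_TTL of `now` (not future-dated)."""
    return {(t, v) for t, v, seen in feed
            if timedelta(0) <= now - parse_ts(seen) <= IOC_TTL}


def match_logs(lines, feed, now):
    """Return (line number, ioc type, value) for every field hitting an active IOC."""
    iocs = active_iocs(feed, now)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        for t, v in (("ip", m["ip"]), ("domain", m["host"]), ("sha256", m["sha"])):
            if (t, v) in iocs:
                hits.append((n, t, v))
    return hits
```

Run against the constructed lines at 2024-05-03T10:00:00Z, only the IP and domain indicators are still inside the window; the hash was first seen 13 days earlier and is treated as expired even though it appears in the log.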
Operational intelligence provides information on cyber-attacks, events, or campaigns. It provides expert insight to help incident response teams understand the intent and timing of a particular attack. Every attack has an actor (who), the reason for the attack (why), and the attack method (how). By using these various factors together, you can grasp the overall situation, and through understanding the situation, you can gain insight into how an attacker plans, performs, maintains campaigns, and key operations. This insight is called operational intelligence.
Operational intelligence cannot be created solely with systems such as security equipment. In order to convert data into a format that can be easily used by customers, analysis through security personnel is required. Although operational intelligence requires more resources than tactical intelligence, attackers cannot easily change TTPs (Tactics, Techniques, and Procedures) as they can change tools such as certain types of malware or infrastructure, resulting in longer information life.
Operational intelligence is most useful for cybersecurity professionals who work in security operation centers and perform routine tasks. It can be regarded as the most effective intelligence field in cybersecurity such as vulnerability management, incident response, and threat monitoring.
■ Threat Intelligence Life Cycle
Threat intelligence provides information to predict and respond to possible threats by analyzing and processing the collected information based on vulnerabilities, attacks, or events based on specific targets. Simply distributing fragmented raw data is not the same as intelligence data. Intelligence information (or finished product) may vary depending on who will consume the information (analysts with technical expertise or executives seeking extensive information).
Threats occur at specific times and places, attacking vulnerabilities in specific systems, and once they achieve their intended purpose they can either disappear or lie dormant until the desired moment arrives. For threat intelligence to be effective, it is necessary to understand the intelligence life cycle corresponding to the lifespan of the information, and Gartner divides the threat intelligence life cycle into five phases.
- Planning and Direction: Define and prioritize the goals of the threat intelligence program
- Collection: Collect data to meet established goals and requirements
- Processing: Filter and process the collected data into a usable format
- Analysis and Production: Analysis and evaluation to make informed decisions
- Dissemination and Feedback: Providing completed intelligence information to appropriate stakeholders and providing necessary feedback for improvement
Most people cannot distinguish between Threat Intelligence and common threat data. Without intelligence, simple data alone cannot provide the predictive knowledge necessary to proactively detect threats.
Cyber threat intelligence helps protect the network, regulates the cost of maintaining a network, and provides security teams with the knowledge and understanding they need to focus on what's really important. Whether you're building your own solution or using a threat intelligence feed, integrating threat intelligence offers a kind of insurance that you can rely on in today's ongoing threat landscape.
The AI CLOUD Center for Threat Intelligence (AICC), a security intelligence platform developed by MONITORAPP, is cloud-based and collects various attack logs through integration with existing MONITORAPP products as well as third-party products, using data mining. It provides evidence-based knowledge to respond to and predict various threats.
-Part 1 end-
In part two we will discuss Monitorapp’s Threat Intelligence Platform: AICC
To try our AICC please visit:
https://aicc.monitorapp.com/threat_info/analysis