Cyber threat intelligence
Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace.[1] Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence and intelligence from the deep and dark web.
Types
There are three overarching types of threat intelligence:[1]
- Tactical: technical intelligence (including indicators of compromise such as IP addresses, file names or hashes) that can be used to help identify threat actors
- Operational: details of the motivation or capabilities of threat actors, including their tools, techniques and procedures (TTPs)
- Strategic: intelligence about the overarching risks associated with cyber threats, which can be used to drive high-level organizational strategy
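As an added illustration (not from the article or any of its cited sources), the following Python script shows tactical intelligence in use: constructed indicators (an IPv4 address, a SHA-256 hash and a file name) are matched against constructed key=value log lines. Each indicator also records the evidence behind it and the action a hit should drive, so that a match is more than a bare data point. Every address, host name, hash, actor name and log line below is constructed for the example.

```python
"""Match tactical threat indicators against log telemetry.

Added example, not code from the article or any vendor feed. All indicators,
host names, addresses, hashes and actor names are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str      # "ipv4", "sha256" or "filename"
    value: str
    actor: str     # attribution the feed asserts (constructed)
    evidence: str  # why the indicator is believed valid
    action: str    # what a hit should trigger


@dataclass(frozen=True)
class Match:
    line_no: int
    field: str
    indicator: Indicator


# Constructed indicator feed (hash is a placeholder, not a real sample).
FEED = [
    Indicator("ipv4", "203.0.113.45", "Constructed-Group-A",
              "command-and-control address seen during sandbox detonation",
              "block at perimeter; open incident"),
    Indicator("sha256", "c0ffee" * 10 + "c0ff", "Constructed-Group-A",
              "hash of the dropper analysed in the same detonation",
              "isolate host; collect memory image"),
    Indicator("filename", "update_helper.exe", "Constructed-Group-A",
              "dropper file name; low confidence on its own",
              "triage only; do not block on name alone"),
]

# Constructed log lines in key=value form (values contain no spaces).
LOGS = [
    "ts=2024-05-01T10:00:01Z source=proxy client=10.0.0.5 dst=203.0.113.45 host=cdn.example.net",
    "ts=2024-05-01T10:00:07Z source=edr host=WS-17 event=process_create "
    "image=C:\\Users\\a\\update_helper.exe sha256=" + "c0ffee" * 10 + "c0ff",
    "ts=2024-05-01T10:01:00Z source=proxy client=10.0.0.6 dst=198.51.100.7 host=docs.example.net",
    "ts=2024-05-01T10:02:13Z source=edr host=WS-18 event=process_create "
    "image=C:\\Vendor\\update_helper.exe sha256=" + "ab" * 32,
]

# Which log fields each indicator kind is compared against.
FIELDS_BY_KIND = {
    "ipv4": ("client", "dst"),
    "sha256": ("sha256",),
    "filename": ("image",),
}


def parse_kv(line: str) -> dict:
    """Split a key=value log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def normalise(kind: str, raw: str) -> str:
    """Reduce a raw field value to the form stored in the feed.

    File names are compared by basename only, so full paths match."""
    if kind == "filename":
        return re.split(r"[\\/]", raw)[-1].lower()
    return raw.lower()


def match_logs(feed, logs) -> list:
    """Return every (line, field, indicator) hit, in log order."""
    by_kind = {}
    for ind in feed:
        by_kind.setdefault(ind.kind, {})[normalise(ind.kind, ind.value)] = ind
    matches = []
    for n, line in enumerate(logs, start=1):
        fields = parse_kv(line)
        for kind, names in FIELDS_BY_KIND.items():
            for name in names:
                if name not in fields:
                    continue
                ind = by_kind.get(kind, {}).get(normalise(kind, fields[name]))
                if ind is not None:
                    matches.append(Match(n, name, ind))
    return matches


def actions(matches) -> dict:
    """Group the recommended actions per log line, so each hit is actionable."""
    out = {}
    for m in matches:
        out.setdefault(m.line_no, []).append(m.indicator.action)
    return out


if __name__ == "__main__":
    for m in match_logs(FEED, LOGS):
        print(f"line {m.line_no}: {m.field}={m.indicator.value} [{m.indicator.kind}] "
              f"actor={m.indicator.actor}; evidence: {m.indicator.evidence} "
              f"-> {m.indicator.action}")
```

Line 4 shows why the evidence and action fields matter: the file name alone matches, but its hash does not, and the feed marks the name as low confidence, so the recommended response is triage rather than blocking.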
Benefits of cyber threat intelligence
Cyber threat intelligence provides a number of benefits, including:
- Empowers organisations to develop a proactive cybersecurity posture and to bolster overall risk management policies
- Drives momentum toward a cybersecurity posture that is predictive, not just reactive
- Enables improved detection of threats
- Informs better decision-making during and following the detection of a cyber intrusion
Key Elements
Cyber threat data or information is considered cyber threat intelligence when it has the following key elements:[2]
- Evidence based: cyber threat evidence may be obtained from malware analysis so as to be sure the threat is valid
- Utility: the intelligence must have some utility, that is, a positive impact on the outcome of a security incident or on the organization
- Actionable: the intelligence gained should drive action on security controls, rather than remaining mere data or information
Attribution
Cyber threats involve the use of computers, software and networks. During or after a cyber attack, technical information about the network and computers between the attacker and the victim can be collected. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack is difficult. Recent efforts in threat intelligence emphasize understanding adversary TTPs.[3]
A number of reports have been released by public and private sector organisations which attribute cyber attacks. These include Mandiant's APT1 and APT28 reports, US-CERT's APT29 report, and Symantec's Dragonfly, Waterbug Group and Seedworm reports.
References
- "Understanding Cyber Threat Intelligence Operations" (PDF). Bank of England. 2016.
- Gerard Johansen (2017-07-24). Digital Forensics and Incident Response. Packt Publishing Ltd. p. 269. ISBN 9781787285392.
- Levi Gundert, "How to Identify Threat Actor TTPs".
Further reading
- Anca Dinicu, "Nicolae Bălcescu" Land Forces Academy, Sibiu, Romania, Cyber Threats to National Security. Specific Features and Actors Involved - Bulletin Ştiinţific No 2(38)/2014
- Zero Day: Nuclear Cyber Sabotage, BBC Four - a documentary thriller about warfare in a world without rules, the world of cyberwar. It tells the story of Stuxnet, self-replicating computer malware, known as a 'worm' for its ability to burrow from computer
- What is threat intelligence? - Blog post providing context and adding to the discussion of defining threat intelligence.
- Threat hunting explained - Short article explaining cyber threat intelligence.
- A known actor in cyber threat intelligence - Site dedicated to threat intelligence.