According to Gartner, "threat intelligence is evidence-based knowledge, including context, mechanism, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard".
EC-Council's definition is very similar: "threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing or emerging threats targeting the organization that helps mitigate risks".
The purpose of cyber threat intelligence is to help institutions and organizations understand the risks posed by cyber-attacks and cyber threats. The threats covered range from zero-day exploits, ransomware, and botnets to APTs (Advanced Persistent Threats). CTI analysts review the collected data, report on the threats, and recommend specific protective measures that support an active defense of your organization.
Skilled, well-funded, well-organized, and highly sophisticated attackers use techniques that defeat security strategies which rely on technology alone. To build a defense strategy against such attackers, organizations need to know how they operate, how they are organized, and which techniques they use.
Cyber threat intelligence lets companies understand the dynamics and consequences of the risks they face, improve their security plans and structures, and shrink their exposure to attack, so that damage is minimized and the network is better defended.
CTI can identify and analyze cyber threats against your business. Therefore, CTI can help you to:
Different kinds of threat knowledge and analytical approaches are useful at different levels of a business. The four categories of cyber threat intelligence serve different objectives:
| Threat data | Threat intelligence |
| --- | --- |
| Unfiltered, raw data | Processed and sorted data |
| Not evaluated | Evaluated by threat intelligence analysts |
| Too much aggregated data | Only useful data |
| Disconnected, incomplete, irrelevant | Connected, complete, and relevant |
The terms cyber threat intelligence and cyber intelligence are usually used interchangeably, but strictly speaking they have different scopes.
CTI is the collection and disclosure, to institutions and organizations, of threats that may harm business assets and security at any level. It is a form of intelligence that enables early countermeasures: data collected and enriched from electronic sources is run through an analysis process to detect the attackers' goals, methods, and types of attack.
CTI provides information on malicious actors, their tools, their infrastructure, and their methods for:
The attack surface is the set of points or vectors through which an attacker can enter an environment: in effect, a list of every way an attacker could get into a device or network and extract data. Put differently, it is the collection of points at which an unauthorized user could infiltrate an IT environment, for example through local network access, remote access, or an exposed network service.
The attack surface can be divided into four groups; every attack surface falls into at least one of them:
Attack surface refers to any asset, such as domain infrastructure, web services, or cloud resources, that is exposed to the Internet and can be exploited by an attacker. It can be thought of as the organization's network interface, network infrastructure, and resources as seen from the outside. The attack surface includes:
Good attack surface management products monitor all systems around the clock for newly disclosed vulnerabilities. Real-time visibility is critical for seeing what an attack touches across the networks, software, protocols, and services an enterprise runs online. Given their number and complexity, it can be difficult to identify which parts of the attack surface are the source of breaches and intrusions. Identifying these risks is a dynamic and complex task that spans several areas, such as network infrastructure, network security, data security, and network management.
Digital Risk Protection (DRP) addresses the risks that come with digital transformation: it protects the company's data, brand, and attack surface from unauthorized exposure and provides an accurate view of threats across the surface, deep, and dark web.
To manage the attack surface, it is first necessary to identify every asset that is exposed to the Internet. This digital footprint matters because companies have assets they do not know about or have forgotten, alongside those they know and manage. For instance, a promotional page created for a marketing campaign may never have been shut down, or the security team may never have been told about it. Any asset that is forgotten or not configured with security in mind is a liability, because attackers prefer unmanaged assets as their way in.
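The footprint check described above, as an added example that is not part of the original page or of any vendor's product: it compares hostnames observable from the outside (certificate-transparency search results and DNS records) with the team's own inventory, and flags hosts whose certificates have all expired, the typical signature of a forgotten promotional page. The inventory, the crt.sh-style JSON entries, the hostnames, and the DNS records are all constructed for illustration.

```python
"""Digital-footprint check: compare hostnames visible from the Internet with the
security team's asset inventory to surface forgotten or unmanaged assets.
Added example; the inventory, certificate-transparency entries and DNS records
below are constructed (the CT entries mimic the JSON shape returned by crt.sh
but are not real log data)."""
import json
from datetime import datetime
from typing import Optional, Set

# Constructed inventory: what the security team believes it owns.
INVENTORY = {"www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed certificate-transparency search results (crt.sh-style JSON).
# name_value holds the certificate's SAN entries, newline-separated.
CT_LOG_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2025-06-30T00:00:00"},
    {"name_value": "promo2019.example.com", "not_after": "2020-03-01T00:00:00"},
    {"name_value": "VPN.example.com.", "not_after": "2026-01-01T00:00:00"},
])

# Constructed passive-DNS / zone-export records: (name, record type, value).
DNS_RECORDS = [
    ("mail.example.com", "A", "203.0.113.10"),
    ("staging-api.example.com", "CNAME", "staging.hosting-provider.invalid"),
    ("promo2019.example.com", "A", "198.51.100.77"),
]


def normalize_hostname(name: str) -> Optional[str]:
    """Lower-case, drop the trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name or None


def _ct_entries(ct_log_json: str):
    """Yield (hostname, not_after) pairs from the CT search results."""
    for entry in json.loads(ct_log_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        for raw in entry["name_value"].split("\n"):
            host = normalize_hostname(raw)
            if host:
                yield host, not_after


def discover_hostnames(ct_log_json: str, dns_records) -> Set[str]:
    """Every hostname visible in CT logs or DNS: the external digital footprint."""
    found = {host for host, _ in _ct_entries(ct_log_json)}
    for name, _rtype, _value in dns_records:
        host = normalize_hostname(name)
        if host:
            found.add(host)
    return found


def find_unmanaged(discovered: Set[str], inventory: Set[str]) -> Set[str]:
    """Hosts reachable from the Internet but absent from the inventory."""
    return discovered - {normalize_hostname(h) for h in inventory}


def stale_cert_hosts(ct_log_json: str, now_iso: str) -> Set[str]:
    """Hosts whose certificates have all expired: a common sign of a forgotten service."""
    now = datetime.fromisoformat(now_iso)
    seen, valid = set(), set()
    for host, not_after in _ct_entries(ct_log_json):
        seen.add(host)
        if not_after >= now:
            valid.add(host)
    return seen - valid


if __name__ == "__main__":
    discovered = discover_hostnames(CT_LOG_JSON, DNS_RECORDS)
    print("unmanaged:", sorted(find_unmanaged(discovered, INVENTORY)))
    print("stale certificate:", sorted(stale_cert_hosts(CT_LOG_JSON, "2024-01-01T00:00:00")))
```

In the constructed data, promo2019.example.com shows up in both lists: it still resolves, nobody owns it, and its only certificate expired years ago. That combination is exactly the kind of asset the paragraph warns about, and it is the first thing to hand to whoever owns decommissioning.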
An indicator of compromise (IOC) is a piece of forensic data that can lead to the identification and validation of a suspected intrusion on a local or remote network.
Some of the most common IOCs are:
YARA is a tool intended (but not limited) to help malware researchers identify and classify samples, and it has become one of the most widely used tools for analysis and research in cybersecurity. With YARA, you write rules that describe malware families in terms of textual or binary patterns; a rule fires when its condition over those patterns holds for the file being scanned.
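To make concrete what a YARA rule expresses, here is an added example (not the page's code and not the YARA engine itself; real work should use yara-python): a constructed rule with one hex string containing wildcards and two text strings, plus a small matcher that understands a subset of YARA's condition syntax (string identifiers, and/or/not, parentheses, and "any/all/N of them"). The rule, its strings, and the three sample buffers are all constructed; the hex pattern is illustrative and not a real PE layout.

```python
"""A minimal YARA-style matcher: named text/hex strings and a boolean condition
over them. Added example, not the YARA engine; it supports only text strings,
hex strings with ?? wildcards, and conditions built from $identifiers,
and/or/not, parentheses and any/all/N of them. Rule and samples are constructed."""
import re
from typing import Dict, Set

RULE = r'''
rule Constructed_Dropper
{
    meta:
        author = "CTI team (constructed example)"
    strings:
        $mz  = { 4D 5A ?? ?? 50 45 }   // "MZ", two wildcard bytes, "PE" (illustrative, not a real PE layout)
        $cmd = "cmd.exe /c"
        $ps  = "powershell -enc"
    condition:
        $mz and ($cmd or $ps)
}
'''

# Constructed samples: the first should fire, the other two should not.
SAMPLE_HIT = b"MZ\x90\x00PE\x00\x00...loader...cmd.exe /c start dropper.exe"
SAMPLE_BINARY_ONLY = b"MZ\x90\x00PE\x00\x00...benign tool, no shell commands..."
SAMPLE_SCRIPT_ONLY = b"#!/bin/sh\npowershell -enc SQBFAFgA..."

STRING_DEF_RE = re.compile(r'^\s*(\$\w+)\s*=\s*("[^"]*"|\{[^}]*\})', re.MULTILINE)


def compile_string(definition: str) -> bytes:
    """Turn one YARA string definition into a byte regex."""
    if definition.startswith('"'):
        return re.escape(definition[1:-1].encode())
    tokens = definition[1:-1].split()            # hex string: one token per byte
    return b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)


def parse_rule(text: str) -> Dict:
    """Extract rule name, compiled strings and the raw condition text."""
    name = re.search(r"\brule\s+(\w+)", text).group(1)
    strings = {ident: compile_string(d) for ident, d in STRING_DEF_RE.findall(text)}
    condition = re.search(r"condition:\s*(.+?)\s*\}", text, re.DOTALL).group(1)
    return {"name": name, "strings": strings, "condition": condition}


class _Condition:
    """Recursive-descent evaluator: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | $ident | (any|all|N) 'of' 'them'."""

    def __init__(self, text: str, matched: Set[str], total: int):
        self.tokens = re.findall(r"\$\w+|\(|\)|\w+", text)
        self.pos, self.matched, self.total = 0, matched, total

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self._peek() == "or":
            self._take()
            value = self.term() or value       # evaluate first so the parser always advances
        return value

    def term(self) -> bool:
        value = self.factor()
        while self._peek() == "and":
            self._take()
            value = self.factor() and value
        return value

    def factor(self) -> bool:
        tok = self._take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok and tok.startswith("$"):
            return tok in self.matched
        if self._take() != "of" or self._take() != "them":
            raise ValueError("unsupported condition syntax near %r" % tok)
        needed = {"any": 1, "all": self.total}.get(tok)
        return len(self.matched) >= (int(tok) if needed is None else needed)


def evaluate_condition(condition: str, matched: Set[str], total: int) -> bool:
    return _Condition(condition, matched, total).expr()


def scan(rule_text: str, data: bytes) -> Dict:
    """Match every string against the buffer, then evaluate the condition."""
    rule = parse_rule(rule_text)
    matched = {ident for ident, pattern in rule["strings"].items() if re.search(pattern, data, re.DOTALL)}
    return {"rule": rule["name"], "matched_strings": sorted(matched),
            "hit": evaluate_condition(rule["condition"], matched, len(rule["strings"]))}


if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("binary-only", SAMPLE_BINARY_ONLY), ("script-only", SAMPLE_SCRIPT_ONLY)]:
        print(label, scan(RULE, sample))
```

The point of the three samples is the condition: a buffer that carries only the `$mz` header, or only the PowerShell string, does not fire, because the rule demands the binary marker together with one of the command strings. That is what keeps a YARA rule from matching every executable on disk.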
Put simply, TTPs describe the behaviour of threat actors. A tactic is the highest-level description: the adversary's objective, such as gaining initial access. A technique describes how that objective is achieved. A procedure is the lowest level: the specific implementation of a technique that a particular actor uses.
STIX (Structured Threat Information eXpression) is a standardized language, originally developed by MITRE and now maintained by the OASIS CTI Technical Committee, for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.
At a high level, the original STIX 1.x language consists of nine key constructs and the relationships between them (the current JSON-based STIX 2.1 reorganizes these into 18 domain objects plus relationship and sighting objects):
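As an added example (not the page's code and not the STIX project's own library), the following builds a small STIX 2.1 bundle by hand, turns its indicator patterns into matchable IOCs, and runs them over sample log lines, following the "indicates" relationship to name the malware on a hit. The bundle, all identifiers, the SHA-256 value, and the log lines are constructed; the pattern parser handles only equality comparisons joined by OR, which covers typical IOC-style indicators but not the full STIX patterning grammar.

```python
"""Parse STIX 2.1 indicator patterns into IOCs and match them against log lines.
Added example; bundle, IDs, hash and logs are constructed. Only equality
comparisons joined by OR are handled, not the full STIX patterning grammar."""
import re
from typing import Dict, List

SHA256_CONSTRUCTED = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"


def _sdo(obj_type: str, suffix: int, **fields) -> Dict:
    """Minimal STIX 2.1 object with a constructed, non-random UUID."""
    base = {"type": obj_type, "spec_version": "2.1",
            "id": "%s--1a2b3c4d-0000-4000-8000-%012d" % (obj_type, suffix),
            "created": "2024-05-01T10:00:00.000Z", "modified": "2024-05-01T10:00:00.000Z"}
    base.update(fields)
    return base


MALWARE = _sdo("malware", 10, name="LoaderX", is_family=False)
INDICATORS = [
    _sdo("indicator", 1, name="LoaderX C2 address", pattern_type="stix", valid_from="2024-05-01T00:00:00Z",
         pattern="[ipv4-addr:value = '198.51.100.23']"),
    _sdo("indicator", 2, name="LoaderX staging domains", pattern_type="stix", valid_from="2024-05-01T00:00:00Z",
         pattern="[domain-name:value = 'update-check.invalid' OR domain-name:value = 'telemetry-sync.invalid']"),
    _sdo("indicator", 3, name="LoaderX payload hash", pattern_type="stix", valid_from="2024-05-01T00:00:00Z",
         pattern="[file:hashes.'SHA-256' = '%s']" % SHA256_CONSTRUCTED),
]
RELATIONSHIPS = [_sdo("relationship", 20 + i, relationship_type="indicates",
                      source_ref=ind["id"], target_ref=MALWARE["id"]) for i, ind in enumerate(INDICATORS)]
STIX_BUNDLE = {"type": "bundle", "id": "bundle--1a2b3c4d-0000-4000-8000-000000000099",
               "objects": INDICATORS + [MALWARE] + RELATIONSHIPS}

SAMPLE_LOGS = [  # constructed proxy / DNS / EDR lines; line 4 is a deliberate near-miss
    "2024-05-02T08:13:44Z proxy client=10.0.0.15 dst=198.51.100.23 url=http://198.51.100.23/gate.php",
    "2024-05-02T08:14:02Z dns client=10.0.0.15 query=update-check.invalid type=A",
    "2024-05-02T08:14:05Z dns client=10.0.0.22 query=cdn.example.com type=A",
    "2024-05-02T08:15:10Z proxy client=10.0.0.40 dst=198.51.100.2 url=http://198.51.100.2/",
    "2024-05-02T08:16:30Z edr host=WS-12 process=svchost.exe sha256=" + SHA256_CONSTRUCTED.upper(),
]

# object-type:property.path = 'value'  (the comparison form used by IOC-style patterns)
COMPARISON_RE = re.compile(r"([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'")


def _ioc_regex(obj_type: str, value: str):
    """Anchor the value so 198.51.100.2 is not found inside 198.51.100.23,
    while a subdomain of a listed domain still matches."""
    escaped = re.escape(value)
    if obj_type == "ipv4-addr":
        return re.compile(r"(?<![\d.])" + escaped + r"(?![\d.])")
    if obj_type == "domain-name":
        return re.compile(r"(?<![\w-])" + escaped + r"(?![\w-])")
    return re.compile(r"\b" + escaped + r"\b")


def extract_iocs(bundle: Dict) -> List[Dict]:
    """Flatten every stix-pattern indicator into one IOC per comparison."""
    iocs = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, path, value in COMPARISON_RE.findall(obj["pattern"]):
            iocs.append({"indicator": obj["id"], "name": obj["name"], "object": obj_type,
                         "path": path.replace("'", ""), "value": value.lower(),
                         "regex": _ioc_regex(obj_type, value.lower())})
    return iocs


def malware_by_indicator(bundle: Dict) -> Dict[str, str]:
    """Follow 'indicates' relationships from each indicator to the malware name."""
    names = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "malware"}
    return {o["source_ref"]: names.get(o["target_ref"], "?") for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == "indicates"}


def match_logs(bundle: Dict, lines: List[str]) -> List[Dict]:
    """One sighting per (line, IOC) pair; lines are lower-cased so hash case does not matter."""
    iocs, indicated = extract_iocs(bundle), malware_by_indicator(bundle)
    sightings = []
    for number, line in enumerate(lines, 1):
        for ioc in iocs:
            if ioc["regex"].search(line.lower()):
                sightings.append({"line": number, "value": ioc["value"], "indicator": ioc["name"],
                                  "malware": indicated.get(ioc["indicator"])})
    return sightings


if __name__ == "__main__":
    for sighting in match_logs(STIX_BUNDLE, SAMPLE_LOGS):
        print(sighting)
```

Two details matter in practice and are easy to get wrong: the IP anchoring (a naive substring match would fire on line 4) and the case folding of the hash, since EDR products disagree about hex case. Both are the kind of thing a STIX feed consumer has to decide for itself, because the pattern only states the value.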
TAXII (Trusted Automated eXchange of Intelligence Information) is an application-layer protocol for exchanging CTI over HTTPS. TAXII defines two primary services to support a variety of common sharing models:
MISP is a free and open-source threat intelligence platform, together with a set of open standards, for gathering, sharing, storing, and correlating indicators of compromise from targeted attacks, threat intelligence, financial fraud information, vulnerability information, and even counter-terrorism information.
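The exchange a TAXII 2.1 feed consumer performs, as an added example that is not part of the original page and not the TAXII project's reference code: discovery, listing collections, then paging through a collection's objects with `added_after`, `limit`, and `next`, and resuming later from the `X-TAXII-Date-Added-Last` header. The server here is an in-memory stand-in that returns the same JSON envelopes and headers a real HTTPS server would; the API root URL, collection ID, and object IDs are constructed, and the objects are indicator stubs rather than full STIX objects.

```python
"""TAXII 2.1 exchange with an in-memory server so the request/response shapes
can be read offline. Added example; URLs, collection and object IDs are
constructed, and a real client would issue these as GET requests with
Accept: application/taxii+json;version=2.1 over HTTPS."""
from typing import Dict, List, Optional, Tuple

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
STIX_MEDIA_TYPE = "application/stix+json;version=2.1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # constructed collection UUID


class InMemoryTaxiiServer:
    """Stand-in for the three TAXII 2.1 endpoints a feed consumer needs."""

    def __init__(self, api_root: str):
        self.api_root = api_root                       # e.g. https://taxii.example.invalid/api1/
        self._collections: Dict[str, Dict] = {}

    def add_collection(self, collection_id: str, title: str) -> None:
        self._collections[collection_id] = {"title": title, "records": []}

    def add_object(self, collection_id: str, stix_object: Dict, date_added: str) -> None:
        # date_added is the server-side timestamp that added_after filters on
        self._collections[collection_id]["records"].append((date_added, stix_object))

    def discovery(self) -> Dict:
        """GET /taxii2/ : tells the client where the API roots are."""
        return {"title": "Constructed TAXII server", "default": self.api_root, "api_roots": [self.api_root]}

    def collections(self) -> Dict:
        """GET {api_root}collections/ : what the client may read or write."""
        return {"collections": [
            {"id": cid, "title": c["title"], "can_read": True, "can_write": False,
             "media_types": [STIX_MEDIA_TYPE]} for cid, c in self._collections.items()]}

    def objects(self, collection_id: str, added_after: Optional[str] = None,
                limit: int = 100, next_token: Optional[str] = None) -> Tuple[Dict, Dict]:
        """GET {api_root}collections/{id}/objects/?added_after=...&limit=...&next=...
        Returns (response headers, envelope)."""
        records = sorted(self._collections[collection_id]["records"], key=lambda r: r[0])
        if added_after:                                    # strictly after, per the spec
            records = [r for r in records if r[0] > added_after]
        start = int(next_token) if next_token else 0
        page = records[start:start + limit]
        more = start + limit < len(records)
        envelope = {"more": more, "objects": [obj for _, obj in page]}
        if more:
            envelope["next"] = str(start + limit)          # opaque pagination token
        headers = {"Content-Type": TAXII_MEDIA_TYPE}
        if page:
            headers["X-TAXII-Date-Added-First"] = page[0][0]
            headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return headers, envelope


def pull_since(server: InMemoryTaxiiServer, collection_id: str,
               added_after: Optional[str], page_size: int = 2) -> Tuple[List[Dict], Optional[str]]:
    """Client side: page through everything added after the cursor; return the
    objects and the new cursor (X-TAXII-Date-Added-Last of the last non-empty page)."""
    objects, next_token, cursor = [], None, added_after
    while True:
        headers, envelope = server.objects(collection_id, added_after, page_size, next_token)
        objects.extend(envelope["objects"])
        cursor = headers.get("X-TAXII-Date-Added-Last", cursor)
        if not envelope["more"]:
            return objects, cursor
        next_token = envelope["next"]


def build_demo_server() -> InMemoryTaxiiServer:
    """Constructed feed: five indicator stubs added one minute apart."""
    server = InMemoryTaxiiServer("https://taxii.example.invalid/api1/")
    server.add_collection(COLLECTION_ID, "Constructed indicator feed")
    for n in range(5):
        server.add_object(COLLECTION_ID,
                          {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-%012d" % n},
                          "2024-05-01T10:%02d:00.000Z" % n)
    return server


if __name__ == "__main__":
    server = build_demo_server()
    print(server.discovery())
    print(server.collections())
    first, cursor = pull_since(server, COLLECTION_ID, None)
    print(len(first), "objects, cursor", cursor)
    server.add_object(COLLECTION_ID, {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000099"},
                      "2024-05-01T11:00:00.000Z")
    delta, cursor = pull_since(server, COLLECTION_ID, cursor)
    print(len(delta), "new object(s), cursor", cursor)
```

The cursor is taken from the server's `X-TAXII-Date-Added-Last` header rather than from the client's clock: the server decides when an object was "added", so a client that filters on its own wall-clock time can skip objects that were added late or miss a clock skew. Polling with that cursor is the incremental feed-consumption loop most SIEM/SOAR TAXII connectors implement.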
A threat actor is an individual or organization responsible for an incident or activity that affects or has a potential effect on the safety or security of another entity.
Threat actors can be categorized into six groups:
An APT (Advanced Persistent Threat) is a sophisticated, long-term attack in which the adversary plays the long game, reconnoitring the target infrastructure for months or years before breaking into the network, and then staying there.
APT groups are typically threat actors who receive direction and support from nation-states, with objectives that traditionally include data theft, espionage, disruption, and destruction. APT attacks target governments and organizations that hold high-value information, such as military operations, security files, or advanced military technology documents. These groups differ from other cybercriminals in that they adapt to defenses and can maintain their presence in a system for months or even years.
The Pyramid of Pain ranks the types of indicator an analyst can use to detect an attacker's activity by how much it costs the attacker when defenders deny that indicator; it is useful for incident response and threat hunting.
From the bottom of the pyramid (trivial for the attacker to change) to the top (expensive to change), the indicator types are:
Founded in 1958, MITRE is a non-profit organization whose stated mission is to solve problems for a safer world. Its curated knowledge base MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) organizes and categorizes the tactics, techniques, and procedures (TTPs) used by real-world threat actors, so that organizations can identify gaps in their cyber defenses.
PRE-ATT&CK, which covered pre-compromise behaviour (it was retired in October 2020 and folded into Enterprise ATT&CK as the Reconnaissance and Resource Development tactics), and ATT&CK differ in several basic ways:
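To show how ATT&CK is used to find defensive gaps, here is an added example (not MITRE's code and not the page's) that reads a bundle in the shape MITRE publishes the knowledge base in (STIX 2.x, one `attack-pattern` per technique, with `kill_chain_phases` naming the tactics and an `external_references` entry carrying the T-number) and reports, per tactic, which techniques have no detection rule. The six technique IDs and names are real ATT&CK Enterprise entries; the bundle is a hand-built excerpt with constructed object IDs, and the detection-rule inventory is made up.

```python
"""Coverage-gap analysis over an ATT&CK-style STIX bundle. Added example: the
techniques are real ATT&CK Enterprise entries, but the bundle is a hand-built
excerpt with constructed IDs and the detection inventory is constructed."""
from typing import Dict, List


def _technique(tid: str, name: str, tactics: List[str]) -> Dict:
    """Minimal attack-pattern object in the shape ATT&CK uses."""
    return {"type": "attack-pattern", "spec_version": "2.1",
            "id": "attack-pattern--1a2b3c4d-0000-4000-8000-%012d" % int(tid[1:]),
            "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}


ATTACK_EXCERPT = {"type": "bundle", "id": "bundle--1a2b3c4d-0000-4000-8000-000000000777", "objects": [
    _technique("T1566", "Phishing", ["initial-access"]),
    _technique("T1078", "Valid Accounts", ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    _technique("T1059", "Command and Scripting Interpreter", ["execution"]),
    _technique("T1047", "Windows Management Instrumentation", ["execution"]),
    _technique("T1003", "OS Credential Dumping", ["credential-access"]),
    _technique("T1021", "Remote Services", ["lateral-movement"]),
]}

# Constructed detection inventory: rule name -> technique IDs the rule covers.
DETECTIONS = {
    "Encoded PowerShell command line": ["T1059"],
    "LSASS memory access by non-system process": ["T1003"],
    "Mail gateway attachment detonation": ["T1566"],
}


def technique_id(attack_pattern: Dict) -> str:
    """The ATT&CK ID lives in the external reference whose source_name is mitre-attack."""
    return next(r["external_id"] for r in attack_pattern["external_references"]
                if r["source_name"] == "mitre-attack")


def techniques_by_tactic(bundle: Dict) -> Dict[str, List[tuple]]:
    """tactic -> sorted (technique id, name) pairs; one technique can serve several tactics."""
    by_tactic: Dict[str, List[tuple]] = {}
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern":
            continue
        for phase in obj["kill_chain_phases"]:
            if phase["kill_chain_name"] == "mitre-attack":
                by_tactic.setdefault(phase["phase_name"], []).append((technique_id(obj), obj["name"]))
    return {tactic: sorted(pairs) for tactic, pairs in by_tactic.items()}


def coverage_gaps(bundle: Dict, detections: Dict[str, List[str]]) -> Dict[str, Dict]:
    """Per tactic: techniques with no detection rule, and the covered fraction."""
    covered = {tid for tids in detections.values() for tid in tids}
    report = {}
    for tactic, pairs in techniques_by_tactic(bundle).items():
        missing = [tid for tid, _ in pairs if tid not in covered]
        report[tactic] = {"missing": missing, "coverage": round(1 - len(missing) / len(pairs), 2)}
    return report


if __name__ == "__main__":
    ranked = sorted(coverage_gaps(ATTACK_EXCERPT, DETECTIONS).items(), key=lambda kv: kv[1]["coverage"])
    for tactic, result in ranked:
        print("%-20s coverage %3.0f%%  missing: %s"
              % (tactic, 100 * result["coverage"], ", ".join(result["missing"]) or "none"))
```

Because Valid Accounts (T1078) serves four tactics, a single missing detection shows up as a gap in each of them; that is the intended reading, since an adversary with a stolen credential gets all four outcomes from one technique. Against the full ATT&CK bundle the same two functions work unchanged, the inventory is just much longer.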
TLP (Traffic Light Protocol) is a set of designations used to ensure that sensitive information is shared only with the appropriate audience. It uses four colours, each telling recipients how far they may pass on what they receive:
TLP: RED = Not for disclosure, restricted to participants only.
TLP: AMBER = Limited disclosure, restricted to participants' organizations.
TLP: GREEN = Limited disclosure, restricted to the community.
TLP: WHITE = Disclosure is not limited.
These are the TLP 1.0 labels; TLP 2.0, published by FIRST in 2022, renames TLP:WHITE to TLP:CLEAR and adds TLP:AMBER+STRICT, which limits sharing to the recipient's own organization.
IT-ISAC is a non-profit organization that provides a central resource for collecting cyber threat information and exchanging it between private-sector members and the public sector. It is a key source of knowledge on protection issues affecting the IT sector.
SOCRadar combines attack surface management, digital risk protection, and threat intelligence capabilities to support SOC teams.
SOCRadar’s ThreatFusion provides actionable insights into emerging cybersecurity threats through a big-data-powered threat investigation module that supports deeper context, real-time threat investigation, and analysis. SOC teams, threat intelligence analysts, and incident response teams can integrate it with SIEM and SOAR platforms to consume threat feeds such as IOCs, malicious IP addresses, DDoS attackers, and APT group activity, and so improve their security posture.
SOCRadar's RiskPrime builds on instant phishing-domain identification, Internet-wide scanning, and compromised-credential detection, aggregating and correlating large numbers of data points into actionable intelligence alerts. It continuously discovers your public-facing digital assets to eliminate blind spots and shadow-IT risks, and alerts SOC teams with fast, targeted intelligence.
SOCRadar’s AttackMapper discovers and monitors everything related to your organization on the Internet, giving insight into and visibility of those assets and bringing the full scale of your attack surface into focus. Through SOCRadar’s Internet-wide monitoring, AttackMapper gives SOC teams direct visibility into all Internet-facing technology assets in use, as well as assets attributed to IP, DNS, domain, and certificate infrastructure.