Intelligence is the ability to acquire knowledge and skills over time and apply them when needed. Cyber Threat Intelligence (also called threat intelligence) is a cybersecurity domain that deals with acquiring information about security attacks and incidents, learning from them, and using that information to prevent, detect, and mitigate future attacks.
Gartner defines threat intelligence as evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets, which can be used to inform decisions regarding the subject's response to that menace or hazard. IBM defines threat intelligence as detailed, actionable threat information for preventing and fighting cybersecurity threats targeting an organization.
Threat Intelligence enables data-driven actions to prevent and mitigate cyberattacks, swift detection of and response to attacks, and identification of emerging threats and vulnerabilities. It is gathered by security researchers and analysts from multiple sources by analyzing trends, patterns, and relationships in the data. Based on the content of the information and the stakeholders it serves, there are four broad categories of threat intelligence.
Technical Threat Intelligence
Technical threat intelligence deals with information about artifacts involved in past attacks or about attackers' tools, command and control channels, and infrastructure. These artifacts are typically indicators of compromise (IoCs) such as blacklisted or compromised IP addresses, file hashes of malware or malicious scripts, email subject lines, web URLs, malicious domain names, etc. Technical Threat Intelligence is used by Security Operations Centers (SOCs) to detect, block, and respond to cyber-attacks, and by threat-hunting teams to profile threat actors and correlate attack campaigns.
Technical Threat Intelligence can be easily integrated into an organization's IT infrastructure, such as firewalls, monitoring, and incident response, through data feeds and APIs. Because an attacker can easily change artifacts like file hashes, IP addresses, and URLs, Technical Threat Intelligence has a short life span.
Tactical Threat Intelligence
Tactical Threat Intelligence, also known as TTPs (Tactics, Techniques, and Procedures), focuses on the behaviors of threat actors and attack patterns. The MITRE ATT&CK framework's list of TTPs and the knowledge of detections and mitigations of these techniques fall under this category of threat intelligence.
Tactical Threat Intelligence covers the trends and patterns of attack of a threat actor group or a malware family. Unlike IoCs, this is not something attackers can change quickly; developing new TTPs takes months. Knowledge of attacker behavior helps cyber defenders ensure they have proper prevention, alerting, and incident response mechanisms in place, and helps organizations anticipate and prevent future attacks.
Operational Threat Intelligence
Operational Threat Intelligence includes specific high-level information such as which group might be targeting an organization, when, and how. It is targeted at higher-level security personnel like CISOs or incident response managers. However, operational threat intelligence for small organizations is rare.
Operational threat intelligence is used in the military for national defense: the military gathers information about threat actors, monitors their activity, and predicts when they might attack. Large organizations also use operational threat intelligence to predict attacks on special occasions like big sale days, festivals, etc. However, Operational Threat Intelligence has a short life span, as it is primarily shaped by the current situation.
Strategic Threat Intelligence
Strategic Threat Intelligence is targeted at decision-makers with limited IT domain knowledge, such as CEOs and business executives, to understand cyber threats to the organization. It contains high-level information about the organization's threat landscape. The information includes strategic assets in an organization that can be attacked, the financial impact of an attack, recent attack trends, geopolitical situations, etc. Strategic threat intelligence is usually in the form of reports, briefings, or presentations.
Structured and Unstructured CTI
Another way to categorize threat intelligence is based on whether the information is well structured or not.
Structured CTI
Structured CTI follows a well-defined format and taxonomy, so it can be easily integrated with monitoring, detection, and incident response automation tools. CTI data in STIX format, MISP format, the MITRE ATT&CK matrix, or an organization's internal format are examples of structured CTI. However, structured CTI is scarce and very difficult to generate in the first place.
Unstructured CTI
Unstructured CTI is openly available information about security threats and incidents in the form of textual reports, blogs, tweets, chat messages, pictures, etc. Threat hunters and security researchers monitor this information on the Internet and the dark web to learn about novel attacks and attacker behavior. However, because of its free-form nature, unstructured CTI is almost impossible to integrate directly into an organization's defenses.
Structured vs Unstructured CTI
The objective of Cyber Threat Intelligence is not just to possess threat information but to use that information effectively in defense against adversaries. An organization would want to integrate the knowledge from the CTI into its operations and defense systems to prevent, detect, and mitigate cyber threats effectively. Examples of CTI integration include blocking incoming requests at the firewall from a list of blacklisted IPs, scanning file attachments on email servers for malware signatures, establishing incident response plans for security incidents, monitoring for the specific types of attacks relevant to the organization, adversary emulation through red team vs. blue team exercises, etc.
Unstructured CTI, on the other hand, cannot be readily integrated into an organization's cyber defense. This information, in the form of natural language text, has to be converted into a well-defined format and taxonomy, i.e., structured CTI. With structured CTI, CTI artifacts can be easily integrated into an organization's processes and defense systems, such as firewalls, SIEM, SOAR, and incident response. Structured CTI also makes it easier to check readiness against probable attacks, perform adversary emulation, and train security personnel. Thus, in terms of automated integration, structured CTI is of greater value to an organization than unstructured CTI.
Organizations not only use structured CTI for their own defense but also share it by forming alliances for collective defense. Examples of such initiatives are private alliances like the Cyber Threat Alliance, publicly available MISP communities and feeds, and international alliances like the NATO CCDCOE and the ENISA CSIRTs Network.
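The conversion from unstructured to structured CTI and the integration step described above, shown end to end as an added example (not code from the original article or thesis): a constructed, defanged report excerpt is refanged, IoCs are extracted, each becomes a minimal STIX 2.1 Indicator object, and the network indicators are then pulled back out of the STIX patterns as a firewall blocklist. The regexes, the sample text and all indicator values are assumptions made for illustration.

```python
import re, uuid
from datetime import datetime, timezone

# Constructed sample of unstructured CTI (defanged vendor-blog style); every indicator is made up.
REPORT = """The loader beacons to hxxp://update-check[.]example[.]net/cfg and
to 203[.]0[.]113[.]45 over TCP/443. Dropped payload SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"""

# Map a STIX object type (or hash kind) to the regex used to extract it.
IOC_PATTERNS = {
    "ipv4-addr": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "domain-name": r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
    "file-sha256": r"\b[a-f0-9]{64}\b",
}

def extract_iocs(text):
    """Return de-duplicated (stix_type, value) pairs found in free text."""
    # Refang first: undo '[.]' and 'hxxp' so indicators appear in their real form.
    clean = text.lower().replace("[.]", ".").replace("hxxp", "http")
    found = []
    for kind, rx in IOC_PATTERNS.items():
        for value in re.findall(rx, clean):
            if (kind, value) not in found:
                found.append((kind, value))
    return found

def stix_pattern(kind, value):
    """Render one IoC as a STIX 2.1 comparison expression."""
    if kind == "file-sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    return f"[{kind}:value = '{value}']"

def make_indicator(kind, value):
    """Build a minimal STIX 2.1 Indicator SDO carrying only its required properties."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "pattern": stix_pattern(kind, value), "pattern_type": "stix"}

def build_bundle(text):
    """Unstructured report text -> STIX 2.1 Bundle of Indicator objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(k, v) for k, v in extract_iocs(text)]}

def firewall_blocklist(bundle):
    """Integration step: read network IoCs back out of the structured patterns."""
    rx = re.compile(r"\[(?:ipv4-addr|domain-name):value = '([^']+)'\]")
    return [m.group(1) for o in bundle["objects"]
            for m in [rx.fullmatch(o.get("pattern", ""))] if m]
```

`build_bundle(REPORT)` yields three Indicator objects (one IPv4 address, one domain, one SHA-256 hash), and `firewall_blocklist` returns only the two network values, which is the form a firewall or SIEM feed would consume.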
Biplab Gautam
Disclaimer: This article on Cyber Threat Intelligence is an extract from my Master's thesis work, CTI Extraction using Large Language Models. Feel free to write me an email if you are interested in learning more about this.
References
“Definition: Threat intelligence,” May 2013. [Online]. Available: https://www.gartner.com/en/documents/2487216
“What is threat intelligence?” Nov 2022. [Online]. Available: https://www.ibm.com/topics/threat-intelligence
D. Chismon and M. Ruks, “Threat intelligence: Collecting, analysing, evaluating,” MWR Infosecurity, Tech. Rep., 2015.
B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington, and C. B. Thomas, “MITRE ATT&CK: Design and philosophy,” Technical report, The MITRE Corporation, 2018.
B. Jordan, R. Piazza, and T. Darley, STIX™ Version 2.1, OASIS Committee Specification 02, January 2021. [Online]. Available: https://docs.oasis-open.org/cti/stix/v2.1/cs02/stix-v2.1-cs02.html
C. Wagner, A. Dulaunoy, G. Wagener, and A. Iklody, “MISP: The design and implementation of a collaborative threat intelligence sharing platform,” in Proceedings of the 2016 ACM Workshop on Information Sharing and Collaborative Security, 2016, pp. 49–56.
