The 3 Flavors of Cyber Threat Intelligence


Before we jump into the business of the day, here is the cybersecurity news you might have missed this week:

  • President Biden signs executive order to improve cybersecurity. President Biden has signed an executive order to improve the nation's cybersecurity in the wake of the ransomware attack on a major US pipeline contractor, Colonial Pipeline. According to the accompanying fact sheet, the order aims to create a standardized playbook so that all federal agencies can identify and mitigate such attacks in the future.

  • DarkSide, responsible for the Colonial Pipeline hack, says "See ya". The bad actor responsible for the Colonial Pipeline hack, DarkSide, has shut down operations after a hefty $5M payday courtesy of the pipeline contractor. Only it likely wasn't their choice - a message posted on the Russian OSINT channel on Telegram explains that the group lost access to its site and, more importantly, the crypto account through which it pays its hacker-workers was drained. Whodunnit?

  • Apple executives hush about the hack of 128 million iPhones. According to emails released by Epic Games in a lawsuit, Apple execs were briefed about the biggest breach in the company's history - the 2015 hack of 128 million iPhones. Instead of notifying the affected users, Apple remained tight-lipped until now.

And now to the topic of the day.

The 3 Flavors of Cyber Threat Intelligence

In a digitized world like ours, one of the best ways to ensure a business's longevity is to see cyberattacks coming a mile away. After all, a compelling record shows that 30,000 websites face attacks daily, with quite a decent rate of success.

63% of these attacks are financially motivated, resulting in ransom demands in return for releasing (or not leaking) sensitive personal information, critical business data, and trade secrets. A recent example of this playing out to its logical conclusion is the Colonial Pipeline ransomware breach, in which the principal US pipeline contractor's fuel delivery operations were hijacked by hackers, ultimately resulting in a hefty $5 million ransom in bitcoin.

This is by no means the only - or even the most prominent - example, but it makes clear that your establishment needs to be effectively prepared for a fairly inevitable attack. The key to achieving that is a comprehensive Cyber Threat Intelligence (CTI) program, or a dedicated partner, that will proactively address ransomware attacks, manage indicators of compromise (IoCs), and mitigate advanced persistent threats (APTs). In high-risk sectors, namely finance or life sciences, such foresight should be treated as a priority, not an optional feature the business may skimp on.

We've discussed what Cyber Threat Intelligence is, and the various processes involved in the CTI lifecycle, in our previous blogs. However, not all CTI is created equal: it comes in three distinct flavors - let's take a look.

Strategic Threat Intelligence

This type of Cyber Threat Intelligence provides a company with the big picture of its past, present, and future threat landscapes and is mainly intended to aid senior leaders in the high-level decision-making process.

The content here is less technical and more contextual, and is usually presented during briefings and specific board meetings. Strategic Threat Intelligence is often collated from carefully selected public sources - specific news publications, expert opinions on cybersecurity, and government policy documents.

A strategic Threat Intelligence report must contain relevant insights into threat patterns, emerging cybersecurity trends, and the risks particular high-level decisions (such as expanding into a new market or releasing a new digital product) may carry. While the information is typically not overly technical, the research is elaborate and 100% reliability is expected.

Tactical Threat Intelligence

This type of intelligence highlights the tactics, techniques, and procedures (TTPs) of specific bad actors relevant to an organization and is typically highly technical, including Indicators of Compromise such as IP addresses, file names, malware hashes, and more. Tactical reports are intended for cybersecurity teams within the organization - often a Security Operations Centre (SOC) or a similar function.

Tactical threat intelligence should be used to inform improvements to existing security controls and processes, speeding up current and future Cyber Incident Response activities. The information feeding such intelligence is typically sourced from specific sharing frameworks (such as MISP), vendor reports, and targeted asset and industry insights about both known and potential vulnerabilities.

Depending on the type, some of this information can be raw, unfiltered data that a human analyst would spend several hours sorting through. Taking advantage of CTI collection and aggregation tools like AEGIS™, which use emerging machine learning and AI algorithms to process and filter relevant information from millions of data points, can speed up the process tremendously.

Operational Threat Intelligence

Finally, this type of intelligence deals with the details behind the nature, timing, and the intended outcome of attacks, as well as the thought process of the hacker(s) behind them.

As this typically includes technical information - such as what attack vector is being used, what vulnerabilities are being exploited, or what command and control domains are being employed - this kind of intelligence is often referred to as "technical threat intelligence". A common source of technical information like this is threat data feeds, which focus on a particular type of indicator, like malware hashes or suspicious domains.
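As an added illustration (not code from the original post, and not the AEGIS™ product), here is how a SOC could take the indicator types named in the tactical section (IP addresses, domains, file names, malware hashes) from a simplified MISP-style export and check them against log lines, which is also how the indicator-focused feeds mentioned above are typically consumed; the event, the log lines and the field-to-indicator mapping are all constructed for this example.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like a MISP event export; every value is invented.
MISP_EVENT = json.loads("""
{"Event": {"info": "constructed example event", "Attribute": [
  {"type": "ip-dst",   "value": "203.0.113.45"},
  {"type": "domain",   "value": "update-check.example.net"},
  {"type": "sha256",   "value": "d4f1c8f2e1a0b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0"},
  {"type": "filename", "value": "svch0st.exe"}
]}}
""")

# Constructed log lines: one proxy record and two endpoint (EDR) records.
LOG_LINES = [
    "2021-05-14T10:02:11Z proxy src=10.0.0.21 dst=203.0.113.45 host=update-check.example.net",
    "2021-05-14T10:02:40Z edr host=WS-17 proc=svch0st.exe sha256=d4f1c8f2e1a0b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0",
    "2021-05-14T10:03:05Z edr host=WS-18 proc=notepad.exe sha256=9b0f2e1d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4e5f60718293a4b5c6d7e8f",
]

# Log field -> indicator types it is checked against (assumed schema; adjust to yours).
FIELD_TO_TYPES = {"dst": ("ip-dst",), "host": ("domain",),
                  "proc": ("filename",), "sha256": ("sha256",)}

def index_indicators(event):
    """Group indicator values by type, lower-cased, so each lookup is a set hit."""
    idx = defaultdict(set)
    for attr in event["Event"]["Attribute"]:
        idx[attr["type"]].add(attr["value"].lower())
    return idx

def match_line(line, idx):
    """Return (indicator_type, value) pairs on this line that hit a known indicator."""
    hits = []
    for key, val in re.findall(r"(\w+)=(\S+)", line):
        for ioc_type in FIELD_TO_TYPES.get(key, ()):
            if val.lower() in idx.get(ioc_type, set()):
                hits.append((ioc_type, val.lower()))
    return hits

def scan(lines, event):
    """Map each log line with at least one hit to the indicators it matched."""
    idx = index_indicators(event)
    results = {}
    for line in lines:
        hits = match_line(line, idx)
        if hits:
            results[line] = hits
    return results
```

Hashes and domains are compared case-insensitively on purpose, since feeds and log sources rarely agree on casing; in practice the matched lines would be raised as alerts or enrichment for the incident response workflow the section describes.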

Other inputs of operational information on specific attacks can come from closed sources like the interception of threat group communications, either through infiltration or by "hacking the hackers" - all coming together to provide a holistic picture of the attacker.

Ultimately, each type of Cyber Threat Intelligence serves its own vital purpose, and your CTI program is at its strongest when all three types work in tandem.

Don't forget to subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!

