Thursday, January 13, 2022

Threat Intelligence and Its Lifecycle

THREAT

The ability of any other party to access or interfere with the regular activities of an information network. Common threats today include:

  • APT
  • Malware
  • DDoS
  • Ransomware

INTELLIGENCE

Knowledge of a threat acquired by human analysts or identified through system events. Intelligence is a general term; however, a threat intelligence platform (TIP) provides analysts with specific types of intelligence that can be automated, including:

  • Technical knowledge of attacks, including indicators
  • Finished intelligence – the output of human beings looking at the available information and reaching conclusions about situational awareness, predicting potential outcomes or future attacks, or estimating adversary capabilities
  • Human intelligence – any intelligence gathered by humans, such as lurking within forums to check for suspicious activity

PLATFORM

A threat intelligence management system that automates and streamlines much of the labor analysts have traditionally done individually.

Threat intelligence is information an organization uses to understand the threats that are currently targeting it or could harm it in the future. It is used to prepare for, prevent and detect cyber threats that seek to exploit valuable resources. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization's existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. Threat intelligence helps organizations gain valuable knowledge about threats, build effective defense mechanisms and reduce the risks that could damage the organization's reputation. Targeted threats require targeted defense, and cyber threat intelligence delivers the capability to defend more proactively. Threat intelligence platforms also use APIs to gather data for configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Importance of a Threat Intelligence Platform:

Threat intelligence systems collect raw data from a variety of sources on emerging or existing threat actors and threats. This information is then analyzed and filtered to create threat management reports containing information that automated security control solutions can use.

  • A TIP can share threat intelligence with other stakeholders and communities, just as adversaries coordinate their efforts across forums and platforms.
  • A TIP creates a common environment for security teams to communicate threat information with their trusted circles, interact with security and intelligence specialists, and receive assistance in conducting coordinated countermeasures.
  • Threat intelligence is actionable: it is timely, provides context, and can be understood by the people in charge of making decisions.
  • It helps you stay up to date with the often overwhelming volume of threats, including methods, vulnerabilities, targets and bad actors.
  • It helps you become more proactive about future cyber security threats.
  • It keeps leaders, stakeholders and users informed about the latest threats and the repercussions they could have on the business.

Lifecycle of Threat Intelligence:

The lifecycle of threat intelligence involves six phases, listed below:

  • Direction
  • Collection
  • Processing
  • Analysis
  • Dissemination
  • Feedback

Direction:

The direction phase of the lifecycle is when you set goals for the threat intelligence program. This involves understanding the:

  • Information assets and business processes that need to be protected
  • Potential impacts of losing those assets or interrupting those processes
  • Types of threat intelligence that the security organization requires to protect assets and respond to threats
  • Priorities about what to protect

This phase should determine the exact requirements of the consumer, often called Intelligence Requirements (IRs) or Priority Intelligence Requirements (PIRs). From these IRs and PIRs, one can establish what data and information are required and how they should be collected.

Collection:

Collection is the process of gathering information to address the most important intelligence requirements. Information gathering can occur organically through a variety of means, including:

  • Pulling metadata and logs from internal networks and security devices.
  • Subscribing to threat data feeds from industry organizations and cyber security vendors.
  • Holding conversations and targeted interviews with knowledgeable sources.
  • Scanning open source news and blogs.
  • Scraping and harvesting websites and forums.
  • Infiltrating closed sources such as dark web forums.

The information gathered will often be a mix of finalized reports from cyber security professionals and vendors, as well as raw data, such as virus signatures. It's a difficult task to figure out which sources are likely to give the needed information, be credible, and deliver information that can be ingested quickly.

Processing:

The transformation of acquired data into a format that can be used by the organization is known as processing. Raw data and information are compiled, combined with information from other sources, and transformed into intelligence. Almost all raw data, whether collected by humans or machines, must be processed in some way.

Different collection methods frequently require different processing approaches. Human reports may need to be correlated and ranked, and then checked and validated. Processing in a more technical sense can entail extracting indicators from an email, enriching them with other data, and then communicating with endpoint protection systems for automated blocking.

A threat intelligence platform lets you automate more: with the right tools, most processing workflows, as well as most collection processes, can be automated.

Analysis:

Analysis is a human activity that transforms data into insight that can be used to make decisions. Depending on the circumstances, those decisions may include whether to investigate a potential threat, what immediate actions to take to prevent an attack, how to tighten security controls, and how much additional investment in security resources is justifiable.

Analysts must have a clear understanding of who will be using their intelligence and how they will make decisions. You want your intelligence to be viewed as practical rather than theoretical. The manner in which the data is presented is particularly essential. Collecting and processing data and then delivering it in a manner that the decision maker cannot understand and use is pointless and wasteful.

Analysts will typically apply a variety of quantitative and qualitative analytical techniques to assess the importance and implications of processed information, integrate it by combining disparate pieces of information to identify patterns, and then interpret the significance of any newly developed knowledge. Analysts are likely to use a range of techniques in order to ensure accurate and unbiased assessments that should be predictive and actionable.

Dissemination:

The finished intelligence product must be sent to the appropriate locations. It is the timely delivery of completed intelligence products in a format that is appropriate for the target audience. The frequency with which content is disseminated should correspond to the time period on which it is based — for example, operational content should be delivered regularly, but strategic content should be delivered more infrequently.

  • It delivers cyber threat intelligence (CTI) products in the format and on the timelines specified by the user.
  • If a customer's system is updated with new CTI products every 24 hours, delivery must be able to meet that requirement; if the customer wants to provide near-real-time security to their users, delivery must be able to handle that too.

Dissemination Methodologies:

Cyber threat intelligence products must be delivered on time in the ever-changing world of cyber security vulnerabilities, vectors, and attacks. A variety of dissemination options makes expedient delivery possible:

  • Flat file downloads: CSV, JSON, spreadsheet and text files are made available to the customer.
  • API: programmatic access to products, allowing customers to pull the data they want based on types, time ranges, and other parameters.
  • Feeds: products are automatically pushed to customers in an agreed-upon format.
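The processing step described earlier (extract indicators from a reported email, enrich them with other sources, hand the result to a security system) and the flat-file, API and feed formats listed here can be shown end to end. The following is an added example, not code from the original post or from any particular product: it ingests a constructed CSV feed, a constructed JSON feed and a constructed phishing email, correlates the indicators, raises confidence where independent sources agree, and exports JSON lines that a SIEM or ticketing system could consume. The feed layouts, field names and the confidence scoring are assumptions.

```python
import csv
import io
import json
import re

# Constructed sample inputs (not from the post): two feeds in different formats plus one reported phishing email; RFC 5737 test addresses.
CSV_FEED = "indicator,type,source,confidence\n198.51.100.23,ipv4,feed-a,60\nmalicious.example,domain,feed-a,80\n"
JSON_FEED = '[{"value": "198.51.100.23", "kind": "ip", "source": "feed-b", "confidence": 70}, {"value": "bad.example", "kind": "domain", "source": "feed-b", "confidence": 50}]'
EMAIL_BODY = "User reported a phish linking to http://malicious.example/login from 203.0.113.9"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def parse_csv(text):
    """Collection: read a CSV feed into (value, type, source, confidence) tuples."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], row["type"], row["source"], int(row["confidence"])

def parse_json(text):
    """Collection: read a JSON feed that uses its own field names and type labels."""
    for rec in json.loads(text):
        yield rec["value"], "ipv4" if rec["kind"] == "ip" else rec["kind"], rec["source"], int(rec["confidence"])

def extract_from_email(body, source="reported-email"):
    """Processing: pull indicators out of free text; low confidence until corroborated."""
    for ip in IPV4_RE.findall(body):
        yield ip, "ipv4", source, 30
    for dom in DOMAIN_RE.findall(body):
        yield dom.lower(), "domain", source, 30

def correlate(*streams):
    """Processing: merge every source on (value, type); independent corroboration raises confidence."""
    merged = {}
    for stream in streams:
        for value, kind, source, conf in stream:
            entry = merged.setdefault((value.lower(), kind),
                                      {"indicator": value.lower(), "type": kind, "sources": [], "confidence": 0})
            if source not in entry["sources"]:
                entry["sources"].append(source)
            entry["confidence"] = max(entry["confidence"], conf)
    for entry in merged.values():  # assumed scoring: +10 per additional source, capped at 100
        entry["confidence"] = min(100, entry["confidence"] + 10 * (len(entry["sources"]) - 1))
    return sorted(merged.values(), key=lambda e: (-e["confidence"], e["indicator"]))

def export_json_lines(entries, min_confidence=50):
    """Dissemination: one JSON object per line, filtered to what a SIEM should act on."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries if e["confidence"] >= min_confidence)

def run():
    return correlate(parse_csv(CSV_FEED), parse_json(JSON_FEED), extract_from_email(EMAIL_BODY))
```

Calling `export_json_lines(run())` yields three lines; the address seen only in the email stays below the export threshold until another source confirms it.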

Feedback:

As you may have guessed, we believe it is crucial to understand your overall intelligence priorities as well as the requirements of the security teams that will be compiling threat intelligence. Their needs guide all phases of the intelligence lifecycle and tell you:

  • What types of data to collect
  • How to process and enrich the data to turn it into useful information
  • How to analyze the information and present it as actionable intelligence
  • To whom each type of intelligence must be disseminated, how quickly it needs to be disseminated, and how fast to respond to questions

You'll need regular feedback to make sure you're understanding each group's needs and making adjustments when their needs and priorities shift. Establish a route for quick, informal feedback (such as an email address, an internal forum, or a team collaboration tool) for each "customer" team, as well as a formal, structured surveying method (such as an online survey or a quarterly face-to-face meeting). The informal route enables you to respond and change quickly, whilst the structured survey ensures that you receive feedback from everyone and that you can track your progress over time. 
