What is CTI?
CTI, or Cyber Threat Intelligence, is in essence a continuous process of gathering relevant intelligence in order to protect against possible threats. It is a force multiplier for organizations that have set up a structured cybersecurity environment, including Red Teaming, a Security Operations Centre (SOC), VAPT and WAPT, helping them detect and respond to sophisticated, advanced and persistent threats.
How is CTI helpful to an organization?
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
-Sun Tzu, Art of War
CTI, as a part of cybersecurity, helps organizations get attack-ready and fend off attacks at the perimeter of the organization.
In recent attack trends, the attack vectors used by threat groups to compromise organizations have become very dynamic. It is no longer a game of IOCs, where the limited infrastructure available to a threat actor was reused to exploit different companies; today, IOCs can be changed very quickly and are very hard to monitor.
For example, DGA (Domain Generation Algorithm), a Command & Control sub-technique, generates domains on the fly for malware through customized programs or subroutines; the domains can be derived from seeds such as the current time or by concatenating words.
In response to such techniques, threat intelligence works not only with IOCs but also with frameworks like MITRE ATT&CK and D3FEND. These focus not only on IOCs, which are easily varied, but also on TTPs (Tactics, Techniques and Procedures): the common tactics and techniques that operate at a broader level and cannot be changed very frequently.
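Because DGA domains churn faster than any IOC list can track, defenders often score the queried label itself rather than matching it against a blocklist. The following is an added example (not from the original post) that applies a simple entropy and vowel-ratio heuristic to a constructed DNS log; the log line format and the thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real telemetry); the "<ts> <client_ip> <domain>" format is assumed.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.example.com
2024-05-01T10:00:03Z 10.0.0.44 xk3q9vz7plw0s2t.com
2024-05-01T10:00:04Z 10.0.0.44 b7r2qzx9m1ktvwp.net
2024-05-01T10:00:05Z 10.0.0.44 jq8w4nxz2ktvrbp.org
2024-05-01T10:00:06Z 10.0.0.9  mail.google.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_label(domain: str) -> str:
    """Label left of the TLD (naive: a real tool would consult the public suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(label: str) -> float:
    """Heuristic 0..1: high entropy, few vowels and long labels look machine-generated.
    The thresholds are illustrative; tune them against your own DNS baseline."""
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label) if label else 0.0
    score = 0.0
    if shannon_entropy(label) > 3.2:
        score += 0.4
    if vowel_ratio < 0.25:
        score += 0.3
    if len(label) >= 12:
        score += 0.3
    return round(score, 2)

def flag_dga_candidates(log_text: str, threshold: float = 0.6) -> list:
    """Return (client_ip, domain, score) for queries whose label scores >= threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (score := dga_score(registrable_label(m.group(3)))) >= threshold:
            hits.append((m.group(2), m.group(3), score))
    return hits
```

Dictionary-based DGAs (concatenated real words) defeat the entropy check, which is why such heuristics are combined with NXDOMAIN rates and newly-seen-domain data in practice.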
Types of Cyber Threat Intelligence
Tactical Threat Intelligence
The intelligence under this type is technical in nature, focusing mainly on Indicators of Compromise (IOCs): IP addresses, hashes, domains and URLs. Such data is usually shared between companies via predefined protocols such as STIX/TAXII, and a newer standard called CACAO (Collaborative Automated Course of Action Operations) is now being implemented by many. The main audience for this data is SOC analysts, SIEM administrators, and firewall, EDR and IDS/IPS implementers, who block the IOCs in their respective technologies.
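To make the STIX/TAXII exchange above concrete, here is an added example (not from the original post) that builds a STIX 2.1 bundle of Indicator objects for a few constructed IOCs and then, on the consumer side, pulls the values back out of the patterns into a per-type blocklist. The IOC values are documentation-range and dummy values; the pattern extraction handles only simple equality patterns.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IOCs (documentation ranges / dummy values, not real indicators),
# each as (STIX object path, value) as used on the left side of a STIX pattern.
SAMPLE_IOCS = [
    ("ipv4-addr:value", "203.0.113.5"),
    ("domain-name:value", "bad.example.net"),
    ("file:hashes.'SHA-256'", "a" * 64),
]

def make_indicator(object_path: str, value: str, now: str) -> dict:
    """Build one STIX 2.1 Indicator whose pattern matches a single IOC value."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{object_path} = '{value}']",  # values containing ' need escaping
        "pattern_type": "stix",
        "valid_from": now,
    }

def build_bundle(iocs) -> str:
    """Producer side: wrap indicators in a STIX Bundle ready to publish via TAXII."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [make_indicator(path, value, now) for path, value in iocs]
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return json.dumps(bundle, indent=2)

# Consumer side: a simple equality pattern "[<type>:<property> = '<value>']".
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):(.+?)\s*=\s*'([^']*)'\]$")

def extract_blocklist(bundle_json: str) -> dict:
    """Turn a bundle back into {stix_object_type: [values]} for feeding to blocking controls."""
    blocklist = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # compound or comparison patterns need a real STIX pattern parser
        stix_type, _, value = m.groups()
        blocklist.setdefault(stix_type, []).append(value)
    return blocklist
```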
Operational Threat Intelligence
As the word suggests, operational intelligence focuses on the ways in which threat actors operate, structured and defined as TTPs. TTPs are the less frequently changing ways in which a particular threat actor or threat group operates. For example, APT28 is a state-sponsored group operated by Russian Military Intelligence. This group mainly uses techniques like Access Token Manipulation, Account Manipulation, Password Spraying, and Command & Scripting Interpreter.
These techniques are not easily changed, so implementing security in accordance with them gives a better chance of defending an environment against threat groups. This kind of intelligence is mainly used by threat hunters, SOC analysts and vulnerability management teams to identify and patch vulnerabilities accordingly.
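Defending by technique rather than by indicator means writing detections for the behaviour itself. As an added example (not from the original post), the following flags Password Spraying, one of the techniques listed above, in a constructed authentication log: one source failing against many distinct accounts with only a few attempts each. The log format, window and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from a real system). The line format
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>" is an assumption for this example.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=198.51.100.7
2024-05-01T09:00:03Z FAIL user=bob src=198.51.100.7
2024-05-01T09:00:05Z FAIL user=carol src=198.51.100.7
2024-05-01T09:00:07Z FAIL user=dave src=198.51.100.7
2024-05-01T09:00:09Z FAIL user=erin src=198.51.100.7
2024-05-01T09:00:12Z OK   user=erin src=10.0.0.5
2024-05-01T09:01:00Z FAIL user=alice src=10.0.0.31
2024-05-01T09:01:05Z FAIL user=alice src=10.0.0.31
2024-05-01T09:01:09Z FAIL user=alice src=10.0.0.31
2024-05-01T09:01:12Z FAIL user=alice src=10.0.0.31
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse_events(log_text: str):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_password_spray(log_text: str, window: timedelta = timedelta(minutes=10),
                          min_users: int = 5, max_per_user: int = 2) -> dict:
    """Flag sources that fail against many distinct accounts with few attempts each
    inside one window. One account hammered many times is brute force, not a spray,
    and is deliberately not flagged here."""
    failures = defaultdict(list)
    for ts, result, user, src in parse_events(log_text):
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        if events[-1][0] - events[0][0] > window:
            continue  # simplification: all of a source's failures must fit one window
        per_user = defaultdict(int)
        for _, user in events:
            per_user[user] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts[src] = sorted(per_user)
    return alerts
```

Sprays from many source addresses need the same grouping by target population rather than by source, which is the usual next refinement.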
This type of intelligence is mainly defined for senior-level audiences, who strategize policies, conduct surveys and assess various scenarios that may or may not occur in the wider world, and then correlate their effect on the organization's security posture.
For example, the geopolitical situation of the Russia-Ukraine war has led to increased cyber warfare on both sides, with critical sectors such as energy being targeted. In such scenarios, OT security and securing IoT-based components have become highly important for those companies.
In addition to protecting organizations against such threats, it is also very important to regularly monitor brand reputation, and this too is covered under threat intelligence. Under brand protection, vendors and affiliates authorized by the organization hunt for any sensitive information about the organization that, if available online, could be used maliciously by a threat actor.
From a dark web perspective, it can be used to monitor discussions on the dark web, claims of having compromised an organization, and discussions in closed circles about gaining initial access to organizations.
Such monitoring covers not only the surface web but also the deep and dark web. In essence, the following monitoring can be done to identify any critical data:
Dark and Deep Web Monitoring
Digital Risk Monitoring
Social Media Monitoring
Ransomware Leak Monitoring
The need for Cyber Threat Intelligence is increasing day by day as attackers follow a more systematic approach, making organized cybercrime a serious threat. Actors have become more persistent, resulting in longer-duration attacks, and any public exposure of a company's sensitive data can result in attacks ranging anywhere from DDoS to credential exposure.
Payatu is a research-powered, CERT-In empanelled cybersecurity consulting company specializing in security assessments of IoT (Internet of Things) product ecosystems, web applications and networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.