Updated: May 4
In today’s increasingly complex threat landscape, companies in every vertical need cyber threat intelligence specialists to detect, report, and suggest ways to mitigate a wide range of cyber threats.
Cyber threat intelligence is a discipline that employs hard evidence and context analysis to produce the information needed to prevent or mitigate cyber attacks. Cyber threat intelligence should not be confused with cybersecurity, nor does it replace it. Instead, the two disciplines work together and complement each other to bolster an entity’s cybersecurity posture.
Let’s face it. Today’s bad actors are growing increasingly determined and sophisticated. Their motives are no longer clear-cut - sometimes they are after money, sometimes their aim is to carry out espionage, sometimes they are motivated by politics or ideology - and it is for this very reason that cyber threat intelligence specialists are so vital to the business.
And although the foundation of cyber threat intelligence is data collection and information analysis, it goes much deeper than that. It utilises every bit of threat information at its disposal to pinpoint patterns and trends, and based on the intelligence reaped from these efforts, a company can make informed decisions to proactively prevent or mitigate attacks.
Kevin Holvoet, Lead of the Threat Research Centre (part of CyTRIS, the CTI department of the Centre for Cybersecurity Belgium) and Certified Instructor at SANS for the FOR578 CTI training, offers some advice: "Before starting with CTI, think carefully about your intelligence requirements as part of the threat intelligence lifecycle. This is the most important step that most people forget about or don't do because it's not sexy. After all, how can anyone know what to collect and analyse if they have no clue what problem they are trying to solve?”
Once this has been established, cyber threat intelligence specialists are charged with gathering data and information from a range of sources so that they are able to identify, monitor, measure, and act to stop cyber threats in their tracks. These sources may range from curated information from major security vendors and OSINT (open-source intelligence) to combing through hacking forums or the dark web, liaising with other businesses, and identifying vulnerabilities in-house.
There are also different types of information that need to be gathered. Firstly, there is strategic intelligence: high-level intelligence that deals with the constantly changing world of cybercrime. Business leaders use it to better allocate their resources and budget for security and defence. Information is gathered, processed, and analysed to provide the specialist with actionable information that can enhance their organisation’s security posture. This intelligence comes from a wide range of sources, including collaboration with intelligence partners, industry and vendor reports, policy documents, and white papers.
Next, operational intelligence gives specialists the information they need on the tactics, techniques, and procedures (TTPs) used by threat actors. In this way, specialists gather data to unpack how a malefactor normally attacks a target’s infrastructure and network. This type of intelligence helps cyber security practitioners to detect similar potential attacks and lower the probability and impact of an attack. The approach is proactive and makes sure that all relevant stakeholders are kept up to date on recent developments and trends. Moreover, operational intelligence helps security practitioners to focus their security efforts on the TTPs most likely to be used by attackers.
Tactical intelligence revolves around reasonably timely intelligence that matches the organisation's needs. This information is top-priority and needs rapid action from the security team. Tactical intelligence will contain valuable information on the nature and timing of future attacks, and it is gathered from a range of places, including social networks, AV logs, IMs and more.
Finally, technical intelligence is based on the indicators that an attack might be taking place, and that could compromise the control of a security operations centre (SOC). This might include particular organisational processes and users that have the ability to enable unauthorised access to attackers.
All of this intelligence, pooled together, can help organisations make the right decisions, which in turn help to strengthen their defences. It also ensures that security practitioners can get a better grasp of the threats and risks they face, and mitigate attacks in progress to help limit the damage. Moreover, cyber threat intelligence specialists help security teams to prioritise incidents based on the impact they could have on the organisation, and enable stakeholders across the business to build confidence in their decisions.
Juan Andres Guerrero-Saade, Senior Director of SentinelLabs, SentinelOne, Adjunct Professor of Strategic Studies at Johns Hopkins School of Advanced International Studies (SAIS), adds that the ability to ingest threat intelligence is a key differentiator of a mature security program. “With limitations in staff, budget, and tooling, mature security programs need to know where to apply their resources to effectively address relevant threats and that's precisely what threat intelligence scopes out."
Cyber threat intelligence specialists aim to gather as much data as possible on the latest threats, so that the security team can highlight vulnerabilities in the organisation’s network, and implement processes and defences to ensure that attacks can be identified quickly to limit any damage.
Threat Intelligence has its roots in traditional intelligence analysis. It is one of the best tools for understanding and dealing with the ever-growing complexity of the threat landscape; unfortunately, it is usually poorly used or understood.
This elite training by industry experts shows in a realistic and applied way how to get the most from threat intelligence. Attendees will learn how to collect, analyse and use threat intelligence-related data, tools, and frameworks. They will gain unique experience from our trainers, with real-life and very hands-on scenarios showing how to effectively conduct threat hunting and incident response, as well as how to apply the insights to protect a particular network.