Threat intelligence is an elusive concept. Cyber-security vendors have developed numerous definitions for it based not only upon different procedural viewpoints, but also driven by competitive imperatives. As a result, the scope of this post is limited to an introduction of the key concepts and principles of threat intelligence explaining the role it plays within network defense, offering advice and best practice, and pointing out available community support.
Key concepts and principles
Within the context of cyber-security, threat intelligence represents the synthesis of information detailing potential threats with a solid understanding of network structure, operations, and activities.
In order to generate evidence-based knowledge of any value to network defenders, information on attack mechanisms and indicators, often termed ‘threat feeds’, must be contextualized by contrasting it with baseline knowledge of normal network activity. Collecting and collating threat feeds against that baseline is what creates threat intelligence, which then informs ‘security analytics’ to improve the chances of detection. Security analytics in a network defense setting usually takes one of two forms:
1. A ‘big data’ platform crunching network data to ascertain trends.
2. Security information and event management (SIEM) infrastructure with rules set up to automate the detection of anomalous activity.
Both of these are stand-alone and do not require threat intelligence to function; however, they are informed by it at the strategic and operational levels.
At the strategic level, threat intelligence enables the development of future cyber-security testing by:
Identifying and detailing emerging threats and possible mitigation
Framing testing scenarios by confirming they are relevant to such threats
Supporting business cases for network control settings to counter vulnerabilities
Directing sensor enrichment and network defense policy
Understanding these factors will enable network defenders to determine their resilience to compromise, ability to detect threats, and speed of recovery. It will also inform operational level activity such as:
Trend analysis determining the evolving capabilities of attackers
Indicators that highlight current attack vectors being exploited
Tracking changes in the capability of attacks
Understanding of the operational cycle of attacks
Identifying opportunities to exploit potential vulnerabilities of an attacker
Establishing a better picture of the environment and the threat
At the tactical level, threat intelligence allows the network defender to monitor for threats in as close to real time as possible by:
Exposing attack infrastructure and methodology
Identifying an existing or emerging menace or hazard
Comparing observed activity with known tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs)
Highlighting the implications of a compromise and actionable advice
Informing defensive actions and mitigation of current threats
Depending on the accuracy and reliability of the threat feeds, effective threat intelligence also covers three temporal aspects: past, present, and future. It identifies previously unrecognised network vulnerabilities by drawing on the threat details of historical incidents; it prioritizes current investigations according to alerts of active threats; and finally, it enables infrastructure to be monitored for, and protected against, repeat attacks.
Common languages and frameworks
In order to rationalise and standardise the transmission of threat feeds, there is a collaborative effort by numerous cyber-security vendors to establish common languages and standards. Some of the most widely adopted are listed below:
Common Attack Pattern Enumeration and Classification (CAPEC) is a publicly available, community-developed list of common attack patterns that include comprehensive schemas and classification taxonomy. Each entry captures knowledge about how specific stages of an attack are designed and executed. It provides guidance on ways to mitigate the attack’s effectiveness.
Cyber Observables (CybOX™) is a standardized schema for the specification, capture, characterisation, and communication of threat-related events. It provides a standard format for addressing cyber observables, improving consistency, efficiency, interoperability, and overall situational awareness.
Microsoft Interflow™ is a security and threat information exchange platform for professionals working in cyber-security. It is part of the Microsoft Active Protections Program (MAPP), established in 2008 to help provide security software vendors with early access to software vulnerability information.
Structured Threat Information Expression (STIX™) is a collaborative project to define and develop a standardized language to represent structured cyber threat information. The STIX language intends to convey the full range of potential cyber threat information in as expressive, flexible, extensible, automatable, and human-readable a way as possible.
Trusted Automated eXchange of Indicator Information (TAXII™) is a set of services and message exchanges that enable actionable cyber threat information to be shared across organization and product/service boundaries. It is the preferred mechanism of exchanging information represented using the Structured Threat Information Expression (STIX™) language, enabling organizations to share structured cyber threat information in a secure and automated manner.
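The following Python example is added here to tie together three points made above: threat feeds only become intelligence once contrasted with baseline knowledge of the network, tactical use means comparing observed activity with known IOCs, and the temporal aspect means retired indicators should stop generating alerts. It is not code from the original post or from any STIX/TAXII project. The STIX 2.1 bundle, the baseline allowlist and the proxy log lines are all constructed for the example (every id, name and address is a placeholder), and only single-comparison STIX equality patterns are handled; a real feed would need a full STIX pattern parser.

```python
import json
import re
from datetime import datetime, timezone

# --- Constructed threat feed -------------------------------------------------
# A minimal STIX 2.1 bundle. Every id, name and value is invented for this
# example; only the object layout follows the STIX 2.1 Indicator object.
def _indicator(n, name, pattern, valid_from, valid_until=None):
    obj = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
        "created": valid_from, "modified": valid_from,
        "name": name, "pattern": pattern, "pattern_type": "stix",
        "valid_from": valid_from,
    }
    if valid_until:
        obj["valid_until"] = valid_until
    return obj

STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "C2 beacon address (constructed)",
                   "[ipv4-addr:value = '203.0.113.50']", "2024-01-10T00:00:00.000Z"),
        _indicator(2, "Phishing landing domain (constructed)",
                   "[domain-name:value = 'login-update.example.net']", "2024-01-12T00:00:00.000Z"),
        _indicator(3, "Shared hosting domain seen in malware reports (constructed)",
                   "[domain-name:value = 'cdn.example.org']", "2024-01-15T00:00:00.000Z"),
        _indicator(4, "Retired scanner address (constructed)",
                   "[ipv4-addr:value = '198.51.100.7']", "2023-06-01T00:00:00.000Z",
                   valid_until="2023-12-31T00:00:00.000Z"),
    ],
})

# --- Constructed baseline knowledge of *this* network ------------------------
# Destinations the defenders already know to be normal here (a CDN the
# business uses). A feed hit on one of these is context, not an alert.
BASELINE = {("domain-name", "cdn.example.org")}

# --- Constructed proxy log lines: "<ts> <src> <dst_ip> <host-or-dash> <action>"
LOG_LINES = [
    "2024-02-01T09:12:03Z 10.0.0.15 203.0.113.50 - CONNECT",
    "2024-02-01T09:12:40Z 10.0.0.22 192.0.2.10 login-update.example.net GET",
    "2024-02-01T09:13:01Z 10.0.0.15 192.0.2.30 cdn.example.org GET",
    "2024-02-01T09:14:11Z 10.0.0.40 198.51.100.7 - CONNECT",
]
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)

SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value = '([^']+)'\]$")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_ts(s):
    """Parse a STIX-style UTC timestamp, with or without fractional seconds."""
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def load_indicators(bundle_json, now):
    """Return {(observable_type, value): indicator_name} for indicators valid at `now`.
    Patterns other than a single equality comparison are skipped rather than guessed at."""
    lookup = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue
        valid_from = parse_ts(obj["valid_from"])
        valid_until = parse_ts(obj["valid_until"]) if "valid_until" in obj else None
        if now < valid_from or (valid_until is not None and now >= valid_until):
            continue  # retired indicator: keep it out of tactical matching
        lookup[(m.group(1), m.group(2))] = obj["name"]
    return lookup


def match_logs(log_lines, indicators, baseline):
    """Return (timestamp, src, matched_value, indicator_name, status) per hit.
    status is 'alert', or 'suppressed' when the baseline says the destination is normal here."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst_ip, host, _action = m.groups()
        observed = [("ipv4-addr", dst_ip)]
        if host != "-":
            observed.append(("domain-name", host))
        for key in observed:
            if key in indicators:
                status = "suppressed" if key in baseline else "alert"
                hits.append((ts, src, key[1], indicators[key], status))
    return hits


def run(now=NOW):
    """Feed -> contextualized indicators -> matches over the sample logs."""
    return match_logs(LOG_LINES, load_indicators(STIX_BUNDLE, now), BASELINE)


if __name__ == "__main__":
    for ts, src, value, name, status in run():
        print(f"{status:10s} {ts} {src} -> {value}  [{name}]")
```

Running it yields two alerts (the beacon address and the phishing domain), one suppressed hit (the CDN domain the baseline marks as normal) and nothing for the retired scanner address, which the `valid_until` check drops before matching. The suppression step is the "contextualized against baseline knowledge" part of the post's definition; the expiry check is its "past" temporal aspect applied in code.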
Best practice and support
Traditionally the term ‘intelligence’ has been understood as meaning either a product or a process; however, within the context of cyber-security, threat intelligence is also a service available for purchase. As the time available to react to a threat shrinks, threat intelligence has become a critical element of a successful security program.
A good threat intelligence service can provide immediate security information tailored to the client’s network. These services prioritise vulnerabilities and predict threats, enabling security teams to rapidly take action. More advanced services also integrate vulnerability alerting with real-world threat intelligence covering geo-political and business intelligence.
Regardless of an organisation’s size, the following steps will guide organisations in improving their cyber-security:
Understand the target network, the incident response process, and the risk
Identify and communicate the benefits to key stakeholders
Build an effective team that can respond to the challenges and educate employees
Refine sources of threat data and security analytics for better threat intelligence
Define relevant processes, then test and review them regularly
Automate these processes to reduce reaction time.