
An Introduction To Threat Intelligence


Threat intelligence is an elusive concept. Cyber-security vendors have developed numerous definitions for it based not only upon different procedural viewpoints, but also driven by competitive imperatives. As a result, the scope of this post is limited to an introduction of the key concepts and principles of threat intelligence explaining the role it plays within network defense, offering advice and best practice, and pointing out available community support.


Key concepts and principles

Within the context of cyber-security, threat intelligence represents the synthesis of information detailing potential threats with a solid understanding of network structure, operations, and activities.

In order to generate evidence-based knowledge of any value to network defenders, information on attack mechanisms and indicators, often termed ‘threat feeds’, must be contextualised by contrasting it with baseline knowledge of network activity. Collecting and collating threat feeds in this way is what creates threat intelligence, which then informs ‘security analytics’ to improve the chances of detection. Security analytics in a network defense setting usually takes one of two forms:

1. A ‘big data’ platform crunching network data to ascertain trends.

2. Security information and event management (SIEM) infrastructure with rules set up to automate the detection of anomalous activities.

Both of these are stand-alone and do not require threat intelligence to function; however, they are informed by it at a strategic and operational level.
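As an added illustration (not code from the original post), the following Python script shows the contextualising step described above: hits from a constructed threat feed are matched against constructed flow records and then enriched with baseline knowledge of the network (an asset inventory with criticality and expected services, plus an allow-list for the organisation's own scanner), so that what reaches the analyst is a prioritised alert rather than a bare feed match. Every address, asset name, feed entry and flow below is a constructed sample value.

```python
"""Contextualising a threat feed against baseline network knowledge.

Added illustration, not code from the original post. Every feed entry,
asset, address and flow record below is a constructed sample value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat feed: external address -> (threat label, feed confidence 0-100).
THREAT_FEED = {
    "198.51.100.23": ("example-c2", 90),
    "203.0.113.77": ("example-scanner", 40),
}

# Constructed baseline: what the defender already knows about the network.
INTERNAL = ip_network("10.0.0.0/8")
ASSETS = {
    "10.0.1.5": {"name": "db-prod-01", "criticality": 5, "expected_ports": {5432}},
    "10.0.2.40": {"name": "ws-0040", "criticality": 2, "expected_ports": set()},
}
UNKNOWN_ASSET = {"name": "unknown", "criticality": 3, "expected_ports": set()}
# Sources the baseline explains as benign, e.g. the organisation's own
# vulnerability scanner, which a raw feed match would otherwise flag.
ALLOWLIST = {"203.0.113.77"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    flow: Flow
    threat: str
    asset: str
    priority: int  # 1 (low) .. 5 (critical)


def score(confidence: int, criticality: int, unexpected_port: bool) -> int:
    """Fold feed confidence and asset criticality into a 1..5 priority."""
    priority = 1 + round(confidence / 100 * (criticality - 1))
    if unexpected_port:  # traffic to a service the baseline does not expect
        priority = min(5, priority + 1)
    return priority


def analyse(flows):
    """Return feed hits enriched with baseline context, highest priority first."""
    alerts = []
    for flow in flows:
        src_internal = ip_address(flow.src) in INTERNAL
        external = flow.dst if src_internal else flow.src
        internal = flow.src if src_internal else flow.dst
        if external not in THREAT_FEED or external in ALLOWLIST:
            continue
        threat, confidence = THREAT_FEED[external]
        asset = ASSETS.get(internal, UNKNOWN_ASSET)
        # Only inbound flows have a destination port on one of our assets.
        unexpected = (not src_internal) and flow.dport not in asset["expected_ports"]
        alerts.append(Alert(flow, threat, asset["name"],
                            score(confidence, asset["criticality"], unexpected)))
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


# Constructed flow records (src, dst, destination port).
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "198.51.100.23", 443),    # prod DB talking outbound to a listed C2
    Flow("203.0.113.77", "10.0.2.40", 22),     # listed scanner, but allow-listed
    Flow("198.51.100.23", "10.0.2.40", 4444),  # listed C2 reaching a workstation
    Flow("10.0.2.40", "192.0.2.10", 80),       # ordinary browsing, not in the feed
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(f"P{alert.priority} {alert.threat:<16} {alert.asset:<12} {alert.flow}")
```

The allow-list and the asset inventory are the "baseline knowledge" the post refers to: without them the scanner flow would be a false positive and the two C2 hits would look identical, whereas with them the database server's outbound connection is correctly ranked above the workstation's.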

At the strategic level, threat intelligence enables the development of future cyber-security testing by:

- Identifying and detailing emerging threats and possible mitigations
- Framing testing scenarios by confirming they are relevant to such threats
- Supporting business cases for network control settings to counter vulnerabilities
- Directing sensor enrichment and network defense policy

Understanding these factors will enable network defenders to determine their resilience to compromise, ability to detect threats, and speed of recovery. It will also inform operational level activity such as:
- Trend analysis determining the evolving capabilities of attackers
- Indicators that highlight current attack vectors being exploited
- Tracking changes in the capability of attacks
- Understanding of the operational cycle of attacks
- Identifying opportunities to exploit potential vulnerabilities of an attacker
- Establishing a better picture of the environment and the threat

At the tactical level, threat intelligence allows the network defender to monitor for threats in as close to real time as possible by:
- Exposing attack infrastructure and methodology
- Identifying an existing or emerging menace or hazard
- Comparing observed activity with known tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs)
- Highlighting the implications of a compromise and actionable advice
- Informing defensive actions and mitigation of current threats

Depending on the accuracy and reliability of the threat feeds, effective threat intelligence also covers three temporal aspects: past, present, and future. It identifies previously unrecognised network vulnerabilities by exploiting the threat details of historical incidents; it prioritizes current investigations according to alerts of active threats; and it enables the monitoring of infrastructure for, and prevention of, repeat attacks.

Common languages and frameworks

In order to rationalise and standardise the transmission of threat feeds, there is a collaborative effort by numerous cyber-security vendors to establish common languages and standards. Some of the most widely adopted are listed below:

- Common Attack Pattern Enumeration and Classification (CAPEC) is a publicly available, community-developed list of common attack patterns that includes a comprehensive schema and classification taxonomy. Each entry captures knowledge about how specific stages of an attack are designed and executed, and provides guidance on ways to mitigate the attack’s effectiveness.

- Cyber Observables (CybOX™) is a standardized schema for the specification, capture, characterisation, and communication of threat-related events. It provides a standard format for addressing cyber observables, improving consistency, efficiency, interoperability, and overall situational awareness.

- Microsoft Interflow™ is a security and threat information exchange platform for professionals working in cyber-security. It is part of the Microsoft Active Protections Program (MAPP), established in 2008 to help provide security software vendors with early access to software vulnerability information.

- Structured Threat Information eXpression (STIX™) is a collaborative project to define and develop a standardized language to represent structured cyber threat information. The STIX language intends to convey the full range of potential cyber threat information in as expressive, flexible, extensible, automatable, and human-readable a way as possible.

- Trusted Automated eXchange of Indicator Information (TAXII™) is a set of services and message exchanges that enable actionable cyber threat information to be shared across organization and product/service boundaries. It is the preferred mechanism for exchanging information represented in the STIX™ language, enabling organizations to share structured cyber threat information in a secure and automated manner.
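As an added example (not code from the original post or from the OASIS STIX/TAXII projects), the following Python script shows what "structured cyber threat information" looks like in the current JSON-based STIX 2.1 serialisation, packages it into the Bundle that a TAXII server would serve, and then performs the tactical comparison described in the previous section: observed activity, here constructed log lines, is checked against the indicators of compromise carried in STIX Indicator objects. Only the simplest form of the STIX Patterning language, a single comparison, is parsed; compound patterns are rejected rather than silently mismatched. Every identifier, timestamp, address, hostname and log line is a constructed sample value.

```python
"""A STIX 2.1 indicator and a minimal matcher for its pattern.

Added illustration, not code from the original post or from the OASIS STIX
project. STIX 2.1 serialises objects as JSON and carries detection logic in
the STIX Patterning language; only its simplest form, a single comparison
[<object-type>:<property> = '<value>'], is parsed here. Every identifier,
timestamp, address, hostname and log line is a constructed sample value.
"""
import json
import re

FIXED_TIME = "2024-01-01T00:00:00.000Z"  # constructed timestamp for a stable example


def make_indicator(pattern: str, name: str, uuid: str) -> dict:
    """Build a STIX 2.1 Indicator object with its required properties."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid}",  # constructed UUID
        "created": FIXED_TIME,
        "modified": FIXED_TIME,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": FIXED_TIME,
    }


def to_bundle(objects) -> str:
    """Serialise objects as a STIX 2.1 Bundle, the unit a TAXII server hands out."""
    bundle = {"type": "bundle",
              "id": "bundle--9c2f2a6e-3b7d-4f4b-8f2e-0d3b1c6a7e55",  # constructed
              "objects": list(objects)}
    return json.dumps(bundle, indent=2)


_COMPARISON = re.compile(
    r"^\[(?P<otype>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$")


def parse_pattern(pattern: str):
    """Parse a single-comparison STIX pattern into (object type, property, value)."""
    m = _COMPARISON.match(pattern.strip())
    if not m:
        raise ValueError(f"pattern outside the supported subset: {pattern}")
    return m.group("otype"), m.group("prop"), m.group("value")


def events_from_log(lines):
    """Normalise constructed log lines into per-type lists of observable dicts."""
    for line in lines:
        # constructed format: timestamp src_ip dst_ip dst_port hostname
        _ts, src, dst, _port, host = line.split()
        yield {"_raw": line,
               "ipv4-addr": [{"value": src}, {"value": dst}],
               "domain-name": [{"value": host}]}


def match(indicators, events):
    """Return (indicator id, raw log line) pairs where an indicator pattern matches."""
    parsed = [(ind["id"], parse_pattern(ind["pattern"])) for ind in indicators]
    hits = []
    for event in events:
        for ind_id, (otype, prop, value) in parsed:
            if any(obj.get(prop) == value for obj in event.get(otype, [])):
                hits.append((ind_id, event["_raw"]))
    return hits


INDICATORS = [
    make_indicator("[ipv4-addr:value = '198.51.100.23']", "example C2 address",
                   "1b4cc8b5-2e0a-4c9b-9a3e-1f0c7a1d2e33"),
    make_indicator("[domain-name:value = 'bad.example']", "example C2 hostname",
                   "7d0e6f1a-5c3b-4a8d-b2e4-9f6a0c1d2b44"),
]

SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.2.40 198.51.100.23 443 cdn.example",
    "2024-01-01T10:00:05Z 10.0.1.5 192.0.2.10 80 www.example",
    "2024-01-01T10:00:09Z 10.0.2.40 192.0.2.44 443 bad.example",
]

if __name__ == "__main__":
    print(to_bundle(INDICATORS))
    for ind_id, line in match(INDICATORS, events_from_log(SAMPLE_LOG)):
        print("HIT", ind_id, "<-", line)
```

Rejecting unsupported patterns with an exception rather than returning "no match" is the deliberate choice here: a feed entry the matcher cannot evaluate should surface as a tooling gap, not disappear as a silent miss.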

Best practice and support

Traditionally the term ‘intelligence’ has been understood as meaning either a product or a process; within the context of cyber-security, however, threat intelligence is also a service available for purchase. As the time available to react to a threat shrinks, threat intelligence has become a critical element of a successful security program.

A good threat intelligence service can provide immediate security information tailored to the client’s network. These services prioritise vulnerabilities and predict threats, enabling security teams to rapidly take action. More advanced services also integrate vulnerability alerting with real-world threat intelligence covering geo-political and business intelligence.

Regardless of an organisation’s size, the following steps will guide organisations in improving their cyber-security:
- Understand the target network, the incident response process, and the risk
- Identify and communicate the benefits to key stakeholders
- Build an effective team that can respond to the challenges and educate employees
- Refine sources of threat data and security analytics for better threat intelligence
- Define relevant processes, then test and review them regularly
- Automate these processes to reduce reaction time
