Ever get the feeling threat intelligence produces more background noise than value?
Threat Intelligence is one of the most overused buzzwords in the cybersecurity industry at the moment; everyone is doing Threat Intelligence these days.
Virtually every security professional we have spoken to is at a loss when presented with the challenge of integrating Threat Intelligence into existing workflows.
According to Gartner Research VP Anton Chuvakin, Cyber Threat Intelligence (CTI) is segmented into tactical and strategic levels. Strategic TI commonly covers reports and other human-readable artifacts on threat actors, intentions, affiliations, interests, goals, capabilities, plans, campaigns, and more. Tactical TI (sometimes labeled “technical” or machine-readable TI) incorporates feeds of IPs, URLs, hashes and other lists. Tactical TI could also cover other system-level or network-level artifacts that can be matched to what is observed on other systems.
The key to successful CTI, and its challenge, is the capability to blend strategic and tactical insights in time for organizations to respond accordingly, reducing the noise by sifting through the sheer volume of data produced.
To address this challenge, Rich Threat Intelligence blends the power of machines and the intelligence of humans to provide unprecedented CTI which delivers measurable value. The approach, coupled with the response capabilities found on next-generation platforms, expands the definition of both tactical and strategic insights into a new standard of cybersecurity capabilities across the entire kill chain.
The 5 Essentials of Rich Threat Intelligence:
1. Organizational and Domain Profiling
Existing CTI solutions focusing on OSINT are primarily based on human generated intelligence providing a generic and therefore less relevant picture of the threat risks and landscape. At the tactical end of the threat spectrum, vendors tend to rely purely on IP and URL lists for TI. Without focusing on the specific needs of a particular organization, the bulk of CTI insights remain irrelevant. Rich Threat Intelligence is targeted to accommodate the cybersecurity requirements of a specific organization based on its needs, assets, intellectual property, names, stakeholders and unique threat risks.
2. Automated Collection
Intelligence collection automates the entire engagement with all OSINT sources (e.g. social media, dark web, deep web, paste sites, etc.). Rather than reactively collecting data after the fact, Rich Threat Intelligence crawlers can proactively reach out to all OSINT sources, including entering the threat actors’ communities and bypassing human authentication mechanisms (such as CAPTCHA), all while automatically cultivating trust once inside closed-off communities.
3. Smart Analysis
Armed with Natural Language Processing (NLP), machine learning algorithms, and ontology data mining, RTI generates automated links between the multiple indicators discovered during the collection process. This enables deduplicating incidents and reducing noise, as well as making sense of sporadically dispersed incidents. These links are created in real time, enabling unprecedented insight into otherwise unrelated incidents.
4. Knowledge Attribution
Over time, the knowledge accumulated in RTI-enabled systems is aggregated into a rich database for quick and easy access to threat entities. Threat actors, techniques, and other collected intelligence are attributed to the intelligence incidents generated during collection, delivering actionable insights in real time. This enables comprehensive attribution of multiple incidents in context with real-time events and emerging plans.
5. Response Automation
Targeted and actionable insights are only as valuable as the organization’s response capability. Building automated response capabilities into RTI solutions is key, enabling real-time mitigation with little or no human involvement.
Learn more about Cyberint’s approach to Threat Intelligence