Most organisations strive hard to stay updated on the latest security trends and attack vectors to help defend themselves proactively against a growing barrage of cyberattacks. But staying on top of cyber threats is easier said than done. With growing IT connectivity and complexity, an expanding threat surface (remote workers, BYOD, shadow IT, Internet of Things, etc.) and a looming shortage of skilled cyber security labour, it’s now considerably more challenging and overwhelming for IT and security teams to collect, process and analyse security information and monitor adversarial tactics. This is why organisations need a robust mechanism that helps filter and contextualise vast amounts of security data and prioritise remediation of major threats: this is where cyber threat intelligence comes in.
What Is Cyber Threat Intelligence?
The word “threat” in cyber terms means anything that can cause harm to information assets. This can range from a vulnerability (such as SolarWinds or Log4j) to an insider threat (such as disgruntled or careless employees), and from organised crime to hacktivists and state-sponsored attackers. “Intelligence” means information derived from multiple sources: internal sources such as security systems, firewalls, user and entity behaviour analytics and SIEMs, and external sources such as open-source intelligence, social media intelligence and dark-web intelligence. Threat intelligence, then, is relevant, timely, contextualised, trustworthy and actionable information about adversarial threats, covering both present and predicted attacks against your organisation.
What Are the Different Levels of Cyber Threat Intelligence?
Cyber threat intelligence (CTI) can primarily be divided into three levels. At the highest level is strategic threat intelligence, which is a macro view of the threat landscape, a combination of emerging trends and strategic insights that are mostly applicable to senior business leaders who want quarterly or annual threat reports.
The next level down is tactical intelligence, which relates to the short to medium-term future. Tactical intelligence analyses adversary TTPs (tactics, techniques and procedures), uses real-time information to track and monitor threats, and ensures that defensive mechanisms are in place and aligned with the current threat landscape. This level is most relevant to IT and security managers, analysts and technical teams looking to build a more proactive barrier upfront. The final, or bottom, layer is operational intelligence, which is relevant to SOC teams and cyber security responders; it focuses on the specifics of incoming attacks and the real-time response needed to prepare for imminent threats or bolster defences when necessary.
How Does CTI Provide Value to the Business?
There are a number of ways in which CTI can be immensely valuable to the business. Here are the top six:
- CTI provides organisations with imminent attack indicators
- CTI helps identify short-term priorities
- CTI educates the board on strategic outlook
- CTI supports the reduction of risk
- CTI increases the efficiency of security operations
- CTI helps uncover previously unknown threat events
Threat intelligence can be conducted by a single analyst; in more advanced scenarios, organisations have a fully staffed, well-structured and mature intelligence unit. Regardless of the stage your organisation is at, at some point you need to consider how much of the work to outsource, because most organisations cannot collect and analyse these levels of data and information in an orderly manner on their own. Outsourcing is a good way for an organisation to understand how CTI works and validate the proof of concept before taking on additional overhead or building a full-time internal capability. Try focusing on just one type of intelligence (strategic, tactical or operational) and on the goals you are looking to achieve. The pragmatic approach to CTI is to crawl before you walk, and walk before you run.