Friday, March 21, 2025

Cyber Threat Intelligence (CTI)


What is CTI?

Evidence-based knowledge about adversaries, their tactics, techniques, and procedures (TTPs), and their potential targets.

  • Used to proactively defend against cyberattacks and mitigate risks.


CTI Lifecycle

  • Direction: Define clear objectives and prioritize intelligence needs.
  • Collection: Gather data from various sources (internal logs, open-source intelligence, threat feeds, etc.).
  • Processing: Structure, normalize, and correlate the collected data so that patterns and actionable insights can be identified.
  • Analysis: Interpret processed data to understand adversaries, their motivations, and potential threats.
  • Dissemination: Share relevant intelligence with stakeholders in a timely and appropriate manner.
  • Feedback: Gather feedback from stakeholders to improve the CTI process.


Types of CTI

  • Strategic Intelligence: High-level analysis of trends and risks to guide business decisions.
  • Technical Intelligence: Focuses on specific attack artifacts and indicators of compromise (IOCs).
  • Tactical Intelligence: Provides real-time insights into adversaries' TTPs to inform defensive actions.
  • Operational Intelligence: In-depth analysis of specific adversaries and their motives.

CTI Frameworks and Standards

  • MITRE ATT&CK: A comprehensive framework describing adversary tactics, techniques, and procedures.
  • TAXII (Trusted Automated eXchange of Indicator Information): A standard for exchanging threat intelligence data.
  • STIX (Structured Threat Information Expression): A language for describing threat intelligence data in a standardized format.
  • Diamond Model: A visual model for analyzing cyberattacks.


Open-Source Tools

  • MISP (Malware Information Sharing Platform): A collaborative platform for sharing threat intelligence.
  • OpenCTI (Open Cyber Threat Intelligence): An open-source framework for managing and analyzing threat intelligence.
  • Yara: A pattern-matching tool for identifying malware and other malicious artifacts.


Example:

Let's say a security analyst receives a suspicious email containing a link. They use Yara to analyze the link and identify it as a known phishing URL. They then use MISP to share this information with other security teams, who can take steps to protect themselves from the same attack.
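As an added example (not part of the original post), here is how the phishing URL from the scenario above could be packaged as a STIX 2.1 Indicator for sharing through MISP or a TAXII feed, and how a receiving team could check a reported email against it. The URL, email bodies and name/description values are constructed placeholders, and the parser on the receiving side handles only the single `url:value` comparison form of a STIX pattern.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample data (placeholder .invalid domain, not a real indicator).
PHISHING_URL = "http://login-example.invalid/verify"
SUSPICIOUS_EMAIL = "Your account is locked. Restore it at http://login-example.invalid/verify now."
BENIGN_EMAIL = "Minutes from today's meeting are attached. Thanks, Dana"

def _now():
    # STIX 2.1 timestamps are UTC, millisecond precision, trailing Z.
    t = datetime.now(timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"

def _escape(s):
    # String literals inside a STIX pattern escape backslash and single quote.
    return s.replace("\\", "\\\\").replace("'", "\\'")

def make_url_indicator(url, name, description):
    """Build a minimal STIX 2.1 Indicator SDO whose pattern is the phishing URL."""
    now = _now()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[url:value = '{_escape(url)}']", "pattern_type": "stix",
    }

def make_bundle(*objects):
    """Wrap SDOs in a STIX Bundle, the unit a TAXII server or MISP feed exchanges."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}

def bundle_json(bundle):
    """Serialize the bundle the way it would be published to a feed."""
    return json.dumps(bundle, indent=2)

# Receiving side: accept only the simple "[url:value = '...']" pattern shape.
_URL_PATTERN = re.compile(r"^\[url:value = '((?:[^'\\]|\\.)*)'\]$")

def indicator_url(indicator):
    """Recover the URL from a single-comparison url:value pattern, undoing escapes."""
    m = _URL_PATTERN.match(indicator["pattern"])
    if m is None:
        raise ValueError("unsupported pattern: " + indicator["pattern"])
    return re.sub(r"\\(.)", r"\1", m.group(1))

def email_matches(indicator, email_text):
    """True if the shared indicator's URL appears in an email body."""
    return indicator_url(indicator) in email_text

if __name__ == "__main__":
    ind = make_url_indicator(PHISHING_URL, "Credential phishing URL", "User-reported email")
    print(bundle_json(make_bundle(ind)))
    print(email_matches(ind, SUSPICIOUS_EMAIL), email_matches(ind, BENIGN_EMAIL))
```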

