Let’s delve into it

A quick Google search for an answer will return many variations. Some will make sense to you, and some will not.

Cyber threat intelligence (CTI) is the gathering of information from various sources about current or potential threats to an organization. That is a short and simple definition, you would think.

I will explore this question in more detail in this article and hope to help you better understand and define it.

What is Cyber Threat Intelligence (CTI)?

Most of the people you meet will not know what CTI is, and that’s because, unfortunately, there is no single answer. In other words, CTI means many different things to many different people. Some would define it as a “Data Feed of Indicators of Compromise (IOC).” Some would say that CTI is a systematic analysis structure of the threat.

However, Indicators of Compromise (IOC) are correctly defined as forensic data, such as data found in system log entries or files, that identifies potentially malicious activity on a system or network. Since this is a debated topic, more than one answer can be correct.

There are a lot of different ideas about what precisely cyber threat intelligence (CTI) is. It is far better to understand what Cyber Threat Intelligence does than what it is.

Attacker vs Defender

To explore this in more detail: Cyber Threat Intelligence (CTI), like all intelligence work, whether cyber intelligence or counterterrorism, always involves two core parties: an attacker and a defender. Cybersecurity is nearly always a defensive activity, so within the context of CTI the threat is always the attack.

Cyber Threat Intelligence analysts are there to advise on the best defense against the attacker, and I would define CTI, at its core, as a structured analysis of the threat. That structure exists in your mind, in the tools you use and in the way you use them, and it can be changed and adapted. We often see that intelligence work is an art, a craft, and a science.

People sometimes say structure is the container of creativity, and I agree.

Photo created by the author using DALL-E.

It is essential to know that CTI is an emerging field within Cyber Security. People were doing Cyber Security long before they started to talk about Cyber Threat Intelligence, which usually sits within the broader context of Cyber Security.

Consider, for instance, a large company with hundreds of cybersecurity consultants and other roles such as incident responders. In a cyber crisis, these individuals step in and manage the technical side of that crisis for you. They are skilled people who work within Cyber Security, but they are not necessarily Cyber Threat Intelligence analysts, whose mission is to function as a second line, analyzing the incident in collaboration with the Incident Responders. The primary focus for CTI analysts is the threat: they look at one specific threat, then the next one, and so forth.

Drawing created by the author using Obsidian

WHAT DOES ‘CYBER’ MEAN?

The word ‘cyber’ denotes a relationship with information technology (IT), i.e., computers. (It can relate to all aspects of computing, including storing data, protecting data, accessing data, processing data, transmitting data, and linking data.)

The term “cyber” encompasses the following meanings:

  • A relationship with modern computing
  • A relationship with the cutting edge of modern technology

Cyber — ‘Widespread interconnected digital network’ — not just the internet!

WHAT DOES ‘THREAT’ MEAN?

A threat is a statement indicating the will to harm or create negative consequences for someone.

Many threats involve a promise to physically harm someone in retaliation for what they have done or might do. Some threats are meant to intimidate and don’t involve pressuring someone to do something. Not all threats involve violence.

A security threat is someone or something that might make a situation unsafe. A threat can also mean a warning or sign that harm or trouble is coming.

WHAT DOES ‘INTELLIGENCE’ MEAN?

There is no agreed definition or model of intelligence. According to the Collins English Dictionary, intelligence is ‘the ability to think, reason, and understand instead of doing things automatically or by instinct.’ The Macmillan Dictionary defines it as ‘the ability to understand and think about things, and to gain and use knowledge.’

Within cyber security, intelligence describes collecting, standardizing, and analyzing data generated by networks, applications, and other IT infrastructure in real time.

Drawing created by the author using Obsidian

How do Organizations Use Cyber Threat Intelligence?

> Cyber threats are ever-evolving, and there are increasing levels of cyber threats while the corporate network is becoming more extensive and diffuse, offering more avenues of attack.

> Cyber security must move from reactive (monitoring + response) to proactive (policy management), and CTI is widely considered the specialization that allows this to happen.

> Cyber threat intelligence is an area of cyber security that focuses on collecting and analyzing information about current and potential attacks that threaten the safety of an organization or its assets.

> Cyber Threat Intelligence in practice within an organization:

  • Security Operation Centre (SOC) — CTI feeds Indicators of Compromise (IOC) into tangible security controls, such as firewalls.
  • Incident Response — attributes an attack to a defined group/individual.
  • Human Resources — policy around areas like crisis management.
  • Patch and Vulnerability Management — prioritization.
  • Business Risk Management — cyber has an impact on all business areas.

CTI can be used in a vast range of business processes, at three levels:

  1. Strategic Level — the board and senior decision makers.
  2. Operational Level — SOC operations and the application of security controls.
  3. Tactical Level — threat hunting within log files.
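To make the definition of an IOC as forensic data found in log entries, and the tactical level of threat hunting within log files, concrete, here is an added example that is not from the original article and not tied to any product: a small Python matcher that checks constructed log lines against a constructed set of indicators carrying a source and an analyst confidence, so that hits can be triaged rather than consumed as a bare data feed. The indicator values (documentation-reserved IP range and .example domain), the log lines and the field names are all constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    ioc_type: str    # "ipv4", "domain" or "sha256"
    value: str
    source: str      # the report or feed the indicator came from
    confidence: int  # analyst confidence, 0-100

# Constructed indicators (documentation-reserved IP range and .example TLD; not real IOCs).
INDICATORS = [
    Indicator("ipv4", "203.0.113.45", "constructed-feed", 80),
    Indicator("domain", "update-check.example", "constructed-report", 60),
    Indicator("sha256", "a" * 64, "constructed-report", 95),
]

# Constructed log lines: proxy events, an endpoint file event, and benign noise.
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.7 dst=203.0.113.45 host=cdn.update-check.example",
    "2024-05-01T10:02:12Z proxy src=10.0.0.8 dst=198.51.100.9 host=www.example.org",
    "2024-05-01T10:05:40Z edr host=ws-17 file=C:\\Users\\a\\dl\\tool.exe sha256=" + "A" * 64,
    "2024-05-01T10:06:01Z proxy src=10.0.0.9 dst=203.0.113.4 host=mail.example.org",
]

# Deliberately simple extractors that pull candidate observables of each type out of a line.
EXTRACTORS = {
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def matches(observable, ioc):
    """Type-aware comparison: a subdomain hits a parent-domain IOC; IPs and hashes must be exact."""
    obs, val = observable.lower(), ioc.value.lower()
    if ioc.ioc_type == "domain":
        return obs == val or obs.endswith("." + val)
    return obs == val

def hunt(lines, indicators):
    """Return (line_no, observable, indicator) hits, highest-confidence first, for triage."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ioc in indicators:
            for obs in EXTRACTORS[ioc.ioc_type].findall(line):
                if matches(obs, ioc):
                    hits.append((line_no, obs, ioc))
    return sorted(hits, key=lambda h: -h[2].confidence)
```

Note that the near-miss address 203.0.113.4 on the last line produces no hit, while the subdomain of the listed domain does; carrying source and confidence with each hit is what lets an analyst decide which alert to work first.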

Intelligence areas — Screenshot from CrowdStrike

Implementing CTI allows organizations to take proactive steps to secure their systems. Using cyber threat intelligence and analysis can prevent data breaches and other issues, saving your organization the high financial costs of setting incident response plans in motion.

Cyber threat intelligence aims to give organizations an in-depth understanding of the threats that pose the most significant risk to their infrastructure and devise a plan to protect their business. CTI Analysts strive to provide as much actionable intelligence as possible.

Through analysis, you can understand why a threat actor may attack your systems in the first place. Knowing the opposition’s motive can illuminate which areas of your systems are most vulnerable.

With this in mind, I would like to emphasize some of the primary reasons why organizations utilize cyber threat intelligence:

  • Identify and assess potential threats to their networks and systems.
  • Enhance their overall security posture by proactively taking measures to prevent attacks.
  • Improve incident response efforts by having up-to-date information about known threats.
  • Prioritize resources for the mitigation of high-risk vulnerabilities.
  • Monitor external sources for signs of a potential breach or attack.
  • Stay informed about malicious actors’ tactics, techniques, and procedures.

Use Cases — Screenshot from CrowdStrike

The role of a Cyber Threat Intelligence Analyst

> A Cyber Threat Intelligence analyst is a specialized role within an organization and within the broader professional cyber security practice.

> Cyber Threat Intelligence analysts gather data to track, evaluate, and report on threats that could impact an organization. They combine contextual knowledge of the threat landscape with analytical abilities.

> Analysts combine various sources, including private data collections and open source intelligence (OSINT) evaluation, to produce a complete picture of an organization’s risk posture that informs the business’s steps to mitigate these risks.

The typical roles and responsibilities of a CTI Analyst include:

  • Identifying organizational intelligence requirements
  • Collecting relevant data and conducting all-source analysis to inform the decision-making process
  • Identifying, monitoring, and assessing potential threats or weaknesses
  • Validating that security qualifications and requirements are met
  • Creating reports that highlight key findings for security teams and other members of the organization
  • Presenting findings to other teams and proposing counteractions to mitigate threats

They create short-term and long-term evaluations to help security teams better understand the threats they face and what they can do to prevent attacks and breaches in the future.

As previously mentioned, I firmly believe that an analyst’s primary objective is to create valuable insights by combining the art, craft, and science of CTI.

Thanks for reading.