Cyber Threat Intelligence (CTI) is a fundamental element of any cybersecurity ecosystem.
Cybersecurity activity plays a central role in preventing, detecting and mitigating the cyber attacks that threaten organizations, and Cyber Threat Intelligence (CTI) is a fundamental element of any cybersecurity ecosystem. The activity is based on the collection and analysis of precise information, aimed at identifying the hacker immediately or at supporting the decision-making process as soon as a computer intrusion is detected. Intelligence has its roots in the military sphere, where a first phase of planning by the command bodies is followed by the collection of information, which is then processed, grouped and made usable, allowing more accurate decisions to be taken. In the same vein as the famous Chinese military strategist Sun Tzu, for whom knowing oneself well was a priority, this aspect is also fundamental for companies: they must know exactly what resources they have available and where they are located, monitoring everything that happens with the utmost attention.
Besides knowing yourself, it is also important to know your enemy, quickly identifying useful information, analyzing it and communicating it to those who have to make the decisions.
Cyber threat intelligence can be of three types.

Strategic intelligence focuses on the attacker and draws a profile of him, indicating the motivation that drives him to act and to hit that specific type of activity or sector. It is aimed at a non-technical audience. There are various categorizations, for example the ones used by Mandiant or Group-IB, based on acronyms that encode the motivation followed by a progressive number: APT for Advanced Persistent Threat, FIN for Financial, and so on.

Operational intelligence focuses on how and where an attack occurs, describing the tactics, techniques and procedures (TTP) used by the cyber criminal; it is usable by everyone.

Tactical intelligence relates to a particular security event: it describes malware or phishing emails, or lists indicators of attack or compromise (IoA, IoC) such as IPs, domains and file hashes, and it is intended for a technical audience. These indicators can easily be fed into perimeter, monitoring and response defenses to block attempts or to mitigate situations that are already compromised.
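As an added example (not part of the original article), the following Python sketch shows how tactical indicators of the kinds named above (IPs, domains, file hashes) can be operationalised as a lookup against monitoring logs. The feed values, the key=value log format and the field names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed tactical indicators (IoCs); every value here is made up.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"a" * 64},
}

# Constructed proxy/EDR log lines in key=value form (hypothetical format).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 host=update-check.example.net action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.6 dst=93.184.216.34 host=www.example.com action=allow",
    "ts=2024-05-01T10:00:03Z endpoint=ws-17 event=file_create sha256=" + "a" * 64,
    "ts=2024-05-01T10:00:04Z endpoint=ws-18 event=file_create sha256=" + "b" * 64,
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
HOST = re.compile(r"\bhost=([A-Za-z0-9.-]+)")

@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str

def extract(line):
    """Pull candidate observables from one log line, normalised for lookup."""
    yield from (("ip", ip) for ip in IPV4.findall(line))
    yield from (("domain", h.lower().rstrip(".")) for h in HOST.findall(line))
    yield from (("sha256", h.lower()) for h in SHA256.findall(line))

def match_iocs(lines, feed=IOC_FEED):
    """Return a Hit for every observable that appears in the indicator feed.

    Exact-match IoCs age quickly (infrastructure and binaries get rotated),
    so this is the tactical layer only; operational TTP detections complement it.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for ioc_type, value in extract(line):
            if value in feed.get(ioc_type, ()):
                hits.append(Hit(n, ioc_type, value))
    return hits

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```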
The three levels of intelligence applied to cyber security must be considered holistically: the mechanism is virtuous when the results of each level of research complement, refine or rectify those of the others, redefining the underlying information and strategic objectives, which must be as precise and clear as possible. Knowing yourself as well as the enemy therefore makes it possible to always adopt the most appropriate and effective countermeasures, through a continuous security governance process that is necessary to face constantly evolving cyber threats.
In this way CTI works as a defense, helping to monitor the entire corporate network to prevent attacks, detect threats and mitigate malicious events, developing a proactive attitude and improving risk management policies for a more informed and aware decision-making process.
Rottigni is Chief Technical Security Officer EMEA at Qualys