Over the past decade, we have seen a significant increase in cyberattacks. Cybercriminals are using an ever-growing set of techniques, tactics, and tools to compromise their victims’ systems.
Understanding adversaries' motivations, tactics and techniques has become a fundamental activity for organizations, and especially for the defenders, better known as the blue team.
In this series of articles, our goal is to share with you the foundations of effective cyber threat intelligence management and then guide you through the process of converting threat information into intelligence, that is, information that is actionable and significantly improves the security posture of the organization you defend.
In this first article we will cover the fundamental concepts that every defender must be clear about. We will start by defining threat and threat information, then deep dive into intelligence, and finally close by clarifying the difference between threat intelligence and cyber threat intelligence.
In information security terms, a threat is a possible negative action or event, enabled by a vulnerability, that produces an unwanted impact on a computer system or application.
A threat can be an "intentional" negative event (for example, hacking by an individual cracker or by a criminal organization) or an "accidental" negative event (for example, the possibility of a computer malfunction, or of a natural disaster such as an earthquake, fire or tornado).
A threat actor is an individual or group that can carry out the action behind a threat, for example exploiting a vulnerability to cause a negative impact. Some examples of actors are:
Cyberterrorists, state-sponsored actors, organized crime / cybercrime, hacktivists, script kiddies and "insiders". In a later installment we will define each actor and their motivations.
Threat information from external sources, the well-known "threat feeds", usually consists of an updated list of URLs, IP addresses and domains that have in common that they were compromised and/or used by threat actors. These lists carry almost no context. To go deeper into this topic, I recommend reading about the Pyramid of Pain created by David Bianco: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html. It is important to remember that useful information, both technical and business, is also generated within our own organization. In a future installment we will detail the sources that allow us to obtain this information.
When we speak of intelligence, we generally refer to information that has been enriched and analyzed to make it actionable. In a future installment we will detail the following types of intelligence: HUMINT, SIGINT, FININT, GEOINT, CYBINT, and OSINT.
Threat intelligence is the analysis of adversaries, their motivations, tactics and techniques, and how they carry out attacks that could be repeated against our organization. Its value is realized only when it is capable of generating actions.
Cyber threat intelligence narrows this to the analysis of how adversaries or cybercriminals operate through the capabilities offered by the Internet. As with threat intelligence in general, its value lies in converting threat information into actions that strengthen the security posture: not just consuming a set of atomic indicators of compromise, but learning from external and internal information and implementing effective controls.
Organizations increasingly recognize the value of threat intelligence; however, there is a difference between recognizing the value and receiving it. Most organizations today focus their efforts on the most basic use cases, such as feeding threat data into existing network controls at the firewall level, without taking full advantage of the insights that intelligence can provide.
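The two points above (a feed entry is an atomic indicator with no context, and the feed-to-firewall use case leaves most of the value on the table) are easier to see with a small worked example. The script below is added here and is not part of the original article or REMOS Consulting's own tooling. It assumes a simple "kind,value" feed format and a key=value proxy log format; both are assumptions, and every feed entry and log line in it is a constructed sample. It places each indicator on Bianco's Pyramid of Pain, correlates the feed against internal logs, and then splits the result into leads that carry context (which internal host, when), entries that are only good for a blocklist, and entries (tools, TTPs) that no list match can ever catch and therefore need a detection instead.

```python
"""Added example (not from the original article): turn a context-free threat
feed into actionable leads by correlating it with internal logs.

All feed entries and log lines below are constructed samples, not real data.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Pyramid of Pain tiers, from cheapest for the adversary to change (bottom)
# to most expensive (top).
PYRAMID = ["hash", "ip", "domain", "network_artifact", "tool", "ttp"]

# Constructed feed in the usual "kind,value", one-indicator-per-line shape (assumed format).
FEED = """\
# kind,value  (constructed sample)
hash,0123456789abcdef0123456789abcdef
ip,203.0.113.45
domain,update-check.example
domain,cdn.example.org
network_artifact,Mozilla/4.0 (compatible; MSIE 6.0)
tool,cobaltstrike-beacon
ttp,T1071.001
"""

# Constructed internal proxy log (assumed format): the internally generated
# information that gives a feed entry its context.
PROXY_LOG = """\
2024-05-02T09:14:03Z src=10.20.4.17 dst=203.0.113.45 host=update-check.example ua="Mozilla/5.0"
2024-05-02T09:14:05Z src=10.20.4.17 dst=198.51.100.8 host=cdn.example.org ua="Mozilla/4.0 (compatible; MSIE 6.0)"
2024-05-02T09:20:11Z src=10.20.7.3 dst=192.0.2.10 host=intranet.corp.example ua="Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) ua="(?P<ua>[^"]*)"$'
)
HEX_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # MD5 / SHA-1 / SHA-256


@dataclass
class Indicator:
    kind: str
    value: str
    sightings: list = field(default_factory=list)  # (timestamp, internal source host)

    @property
    def pain(self) -> int:
        """Pyramid tier index: 0 = hash (trivial to change), 5 = TTP (hardest)."""
        return PYRAMID.index(self.kind)


def parse_feed(text: str) -> list:
    """Parse 'kind,value' lines; reject unknown kinds and malformed IPs or hashes."""
    indicators = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")  # value may itself contain commas
        kind, value = kind.strip().lower(), value.strip()
        if kind not in PYRAMID:
            raise ValueError(f"unknown indicator kind: {kind!r}")
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on garbage
        if kind == "hash" and not HEX_RE.match(value.lower()):
            raise ValueError(f"not a hex digest: {value!r}")
        indicators.append(Indicator(kind, value))
    return indicators


def correlate(indicators: list, log_text: str) -> list:
    """Attach (timestamp, source host) sightings to every indicator seen in the log."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        ev = m.groupdict()
        for ind in indicators:
            seen = (
                (ind.kind == "ip" and ev["dst"] == ind.value)
                or (ind.kind == "domain" and ev["host"].lower() == ind.value.lower())
                or (ind.kind == "network_artifact" and ind.value in ev["ua"])
            )
            if seen:
                ind.sightings.append((ev["ts"], ev["src"]))
    return indicators


def triage(indicators: list) -> dict:
    """Leads (seen internally, highest pain first), blocklist-only entries, and
    indicators that need detection engineering rather than a list match."""
    leads = sorted((i for i in indicators if i.sightings), key=lambda i: i.pain, reverse=True)
    blocklist = [i for i in indicators if not i.sightings and i.kind in ("hash", "ip", "domain")]
    detect = [i for i in indicators if not i.sightings and i.kind in ("network_artifact", "tool", "ttp")]
    hosts = {src for i in leads for _, src in i.sightings}
    return {"leads": leads, "blocklist": blocklist, "detection_engineering": detect, "hosts": hosts}


def run(feed: str = FEED, log_text: str = PROXY_LOG) -> dict:
    return triage(correlate(parse_feed(feed), log_text))


if __name__ == "__main__":
    report = run()
    for ind in report["leads"]:
        print(f"LEAD   {ind.kind:<16} {ind.value:<38} seen from {sorted({s for _, s in ind.sightings})}")
    for ind in report["blocklist"]:
        print(f"BLOCK  {ind.kind:<16} {ind.value}")
    for ind in report["detection_engineering"]:
        print(f"DETECT {ind.kind:<16} {ind.value}  (no list can match this; write a detection)")
    print("internal hosts to investigate:", sorted(report["hosts"]))
```

Run stand-alone it reports one internal host (10.20.4.17) tied to four sightings, one hash that is only useful as a blocklist entry, and a tool name and a TTP that a firewall feed integration can never act on. The ordering by pyramid tier is deliberate: a matched user-agent artifact or TTP says more about the adversary than a matched IP that will be rotated tomorrow.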
In this first installment we have covered the fundamentals to start our journey on this interesting and fascinating topic. In the next installment we will talk about the benefits a company obtains when it adopts a threat intelligence process, where the threat intelligence function should sit within the organization, and the types of companies that are rapidly moving to this model, which is not new but has gained great relevance in recent years.
If you want to receive the installments of the cyber threat intelligence series directly in your email, I invite you to register for our newsletter.
For more information on how we can help you effectively use threat intelligence, you can write to us at firstname.lastname@example.org
At REMOS Consulting we are specialists in defensive security (blue team). We offer collaboration services for strategic and operational information security management; we focus on promoting information security as a strategic pillar and on strengthening the capabilities of your technical teams and business areas.