Editor’s Note: This is an edited version of an article originally posted in October 2023. It has been updated with some new information about ANY.RUN’s threat intelligence products.
Cyber Threat Intelligence (CTI) — often referred to as “Threat Intelligence” or “Threat Intel” — is the practice of gathering and analyzing data to identify, understand, and counter existing and potential threats.
In cybersecurity, threat intelligence serves a similar function to reconnaissance in military operations. It provides insights into the specific threats facing your organization, the TTPs attackers are likely to employ, and the IOCs that can help in detection.
The intelligence can be either:
- Strategic, looking at long-term trends and emerging threats.
- Operational, concerned with TTPs and effective defense strategies.
- Or tactical, focusing on immediate IOCs like IP addresses or file hashes.
What makes threat intelligence a crucial aspect of your cybersecurity?
The malware threat landscape is highly dynamic, with some estimates indicating that a new malware variant is released every minute.
Beyond keeping up with these rapid changes, your organization may also face targeted threats from APT groups. These actors typically deploy custom attacks tailored specifically to exploit vulnerabilities in your organization.
Even if you have strong SOC, DFIR and CSIRT teams, a purely reactive approach isn’t enough. You need current, context-rich intelligence from external sources to drive effective responses. Threat intelligence provides:
- Proactive defense: Integrating IOCs such as hashes and IP addresses from threat feeds allows you to update SIEM, firewall, and EDR rules. This enables early detection and automated blocking of known threats before they penetrate the network.
- Faster incident response: During a breach, aligning indicators of intrusion with TTPs, and linking those TTPs to an attacker or threat profile, is crucial. This approach allows the CSIRT team to quickly understand the attacker’s tactics and pinpoint vulnerable systems, facilitating faster containment and remediation.
- Better strategic planning: CTI gives CISOs and Intel analysts critical data on threats tailored to your organization, both emerging and persistent. This data helps shape a security strategy focused on the most likely threats you’ll encounter.
Threat intelligence provides context for likely threats
Simply tracking most common malware types or families isn’t enough for effective threat intelligence, because this approach lacks the specific insights needed to understand the risks your organization actually faces.
Instead, effective threat intelligence strategies focus on gathering detailed, targeted data. They aim to answer key questions like:
- Who is likely to target my organization?
- What malware and TTPs will they probably use?
- What parts of our network are most at risk?
- What IOCs can help us detect an attack?
- How can we fortify our defenses against these particular threats?
Tools, people, and information comprising threat intelligence
Threat intelligence impacts every team, tool, and process in your organization’s cybersecurity framework. This data often comes from multiple sources, such as OSINT, commercial threat feeds, and internal logs and historical data. Here are some ways how different teams use it:
Data source | Team | Benefit | Type |
---|---|---|---|
Threat feeds | SOC | Expand automated threat coverage and detection | Tactical |
TI Lookup | SOC | Related events and IOCs | Technical, Tactical |
Contextual IOC databases | CSIRT | More accurate and speedy threat identification | Tactical |
Forensic Data | CSIRT | Faster and more accurate incident response | Operational |
Detailed threat reports | Executive | Better risk assessment | Strategic |
Tactical vs Strategic vs Operational threat intelligence
Threat intelligence data can be further categorized into three groups: tactical, strategic, and operational.
Tactical threat intelligence focuses on immediate threats and technical indicators. It provides actionable data like IP addresses, hashes, and URLs that security teams can use for immediate defense measures. Mainly geared toward SOC analysts and incident responders, it helps in quick detection and mitigation of attacks.
Operational threat intelligence sits between tactical and strategic, focusing on the “how” behind attacks. It offers context around TTPs used by attackers. Useful for threat hunters and mid-level security managers, it helps in understanding the motivation, capabilities, and methods of potential threats, allowing for more informed defense strategies.
Strategic threat intelligence is concerned with long-term security planning and risk assessment. It provides insights into broader threat landscapes, like emerging attack vectors or geopolitical factors that may influence threats. Strategic TI usually involves CISOs and high-level decision-makers and shapes the overall security strategy of a company.
Technical Threat Intelligence: what is it? There is a fourth type of threat intelligence – technical. It refers to machine-readable IT data, such as indicators of recent threats, that is delivered to the SIEM and TIP system through threat intelligence feeds.
6 steps of the threat intelligence lifecycle
Like incident response, threat intelligence is a complex process. To keep the initiative focused, it follows a cyclical approach that involves setting objectives, taking specific actions, and then reviewing and iterating.
The most common framework outlines 6 steps to create a continuous loop for improving your security posture:
- Requirements: In this phase, the threat intelligence team lays out a roadmap for a specific intelligence operation. They outline required actions and set measurable objectives, such as creating a report about the TTPs of a new adversary.
- Collection. Security analysts and engineers pool data from pre-determined sources like threat feeds, dark web forums, or internal logs. A successful criterion could be acquiring relevant IOCs within a set timeframe.
- Processing. Data scientists and engineers work to structure raw data. The aim is to transform it into machine-readable formats like STIX or human-readable formats like spreadsheets and diagrams. The focus is on filtering out false positives efficiently and compiling a dataset suitable for analysis.
- Analysis. Malware analysts examine the processed data, utilizing analytics platforms, sandboxing, and lookup services. They correlate events and map IOCs to TTPs. The goal is to add context. Potentially disjointed lists of indicators are transformed into cohesive description of attack patterns.
- Dissemination. Incident response and SOC teams receive the finalized intelligence. They use the information to update security systems like IDS, IPS, and firewalls.
- Feedback. Post-action reviews usually involve all teams. Feedback is used to adjust future intelligence requirements and operations.
Threat Intelligence and ANY.RUN
If you’re already using ANY.RUN or part of our community, you know we specialize in cloud-based interactive sandboxing. With over 16,000 daily submissions, mostly new malware strains, our sandbox community is on track to accumulate over 50,000,000 unique IOCs quarterly in 2024.
We’re leveraging this rich dataset to help organizations improve their proactive security using our Threat Intelligence products:
If you’re interested in ANY.RUN’s Threat Intelligence solutions, don’t hesitate to contact our sales team. They can provide pricing details and answer any questions you have about the product.
0 comments