Over the last couple of years Threat Intelligence Platforms (TIP) have become increasingly popular in many global Security Operations Centers (SOC). With this technology comes a distinct value that can be delivered to the cyber security services within an organization.
A TIP, combined with a Cyber Threat Intelligence-informed focus, forms a “Cyber Threat Intelligence Program” which provides intelligence (both as a process and as a product) to inform decisions across a series of cyber security services in the organization.
Why have a Cyber Threat Intelligence Program?
A. Cyber Threat Intelligence (CTI) supports the collection and analysis of information about threats and adversaries, producing threat models that make it possible to take knowledgeable decisions on prediction, preparedness, prevention, detection, hunting, response and forensic actions against various cyber-attacks.
B. Cyber Threat Intelligence (CTI) focuses on threat modeling, supporting leadership in evaluating and making informed, forward-leaning strategic, tactical and operational decisions on existing or emerging threats to the organization.
C. Cyber Threat Intelligence (CTI) helps the organization identify and mitigate various business risks by converting unknown threats into known threats, and supports the implementation of advanced and proactive defense strategies.
D. With threat actors constantly innovating their TTPs, cyber threats are becoming major risks to every business sector. To thwart these threats, organizations need to incorporate and leverage actionable Cyber Threat Intelligence (CTI) to strengthen their existing security posture.
What are popular Cyber Threat Intelligence (CTI) strategies?
As a general starting point, the organization should develop its Cyber Threat Intelligence (CTI) strategy based on its business risk levels and its regulatory, compliance or business requirements. Common phrasings in the CTI literature include:
1. Cyber Threat Intelligence driven Security Services
2. Cyber Threat Intelligence led Security Services
3. Cyber Threat Intelligence centric Security Services
4. Cyber Threat Intelligence informed Security Services
The first three suggest that CTI is the primary driver for decisions within the cyber security organization. I believe this is the wrong perception: the focus should shift to using intelligence to inform policy, not to drive it.
A purely threat-centric approach is biased towards the threats you happen to know about, and is therefore risky. It should be augmented with:
- General asset-centric baseline controls
- Self-protection of assets
- Compliance-driven countermeasures
- A split between CTI feeds, quantitative threat models and qualitative threat models
Before starting a Cyber Threat Intelligence program, a foundational core SOC context must be in place in order to benefit from the value of the program:
1. An established Security Incident Management process.
2. Established core SOC technologies (for example SIEM, SOAR, EDR, IDS, IPS).
3. Established technologies that are able to receive and apply automated Indicator of Compromise (IOC) feeds.
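As an added example of what "receive and apply automated IOC feeds" looks like in practice (this is illustrative code written for this post, not code from any TIP or SIEM vendor): the script below loads a constructed STIX 2.1-style indicator bundle, drops indicators that a SOC should not act on automatically (revoked, expired, low confidence, or with a compound pattern that cannot be safely flattened into a simple lookup), and matches the remaining IOCs against a handful of constructed proxy and EDR log lines. The bundle, the log lines, the confidence threshold of 50 and the simplified pattern parsing (single comparisons and OR-joined comparisons only, not the full STIX pattern grammar) are all assumptions made for the example.

```python
"""Apply an automated IOC feed to log events (added example, not vendor code).

The feed is a constructed STIX 2.1-style bundle and the log lines are constructed
too. STIX patterns are reduced to (type, value) lookups with plain regexes; only
single comparisons and OR-joined comparisons are supported, which is enough for
the atomic IOCs most feeds ship.
"""
import json
import re
from datetime import datetime, timezone

# Constructed feed. IPs are RFC 5737 documentation addresses, domains use the
# reserved .example TLD and the SHA-256 value is synthetic.
FEED_JSON = """{
  "type": "bundle", "id": "bundle--6d0c5b4a-0000-4000-8000-000000000000",
  "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern_type": "stix", "confidence": 85, "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "confidence": 90, "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'c2.example'] OR [domain-name:value = 'update.c2.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern_type": "stix", "confidence": 70, "valid_from": "2023-01-01T00:00:00Z",
     "valid_until": "2023-06-30T00:00:00Z", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "pattern_type": "stix", "confidence": 20, "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
     "pattern_type": "stix", "confidence": 95, "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.55'] AND [network-traffic:dst_port = 4444]"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
     "pattern_type": "stix", "confidence": 99, "revoked": true, "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.99']"}
  ]
}"""

# Constructed log lines: key=value proxy and EDR events.
LOG_LINES = [
    "2024-03-01T09:00:01Z proxy src=10.0.0.5 dst=203.0.113.10 host=cdn.example action=allow",
    "2024-03-01T09:00:02Z proxy src=10.0.0.6 dst=192.0.2.44 host=update.c2.example action=allow",
    "2024-03-01T09:00:03Z proxy src=10.0.0.7 dst=198.51.100.7 host=news.example action=allow",
    "2024-03-01T09:00:04Z edr device=WS-042 sha256=00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff",
    "2024-03-01T09:00:05Z proxy src=10.0.0.8 dst=203.0.113.55 dport=4444 action=allow",
]

COMPOUND_RE = re.compile(r"\b(AND|FOLLOWEDBY)\b")        # patterns we refuse to flatten
COMPARISON_RE = re.compile(r"\[\s*([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\s*\]")
OBSERVABLE_TYPES = {                                      # (object type, property) -> lookup type
    ("ipv4-addr", "value"): "ipv4",
    ("domain-name", "value"): "domain",
    ("file", "hashes.'SHA-256'"): "sha256",
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"\bhost=(\S+)")


def _parse_ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(feed_json, now, min_confidence=50):
    """Return ({(type, value): {indicator, confidence}}, [(indicator_id, skip reason)]).

    Missing confidence is treated as 0: a feed that cannot say how sure it is
    should not drive automated action (an assumption of this example).
    """
    iocs, skipped = {}, []
    for obj in json.loads(feed_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        ind_id, pattern = obj["id"], obj.get("pattern", "")
        if obj.get("revoked"):
            skipped.append((ind_id, "revoked")); continue
        if obj.get("confidence", 0) < min_confidence:
            skipped.append((ind_id, "low confidence")); continue
        if _parse_ts(obj["valid_from"]) > now:
            skipped.append((ind_id, "not yet valid")); continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            skipped.append((ind_id, "expired")); continue
        # An AND/FOLLOWEDBY pattern flattened into single lookups would over-match.
        if obj.get("pattern_type", "stix") != "stix" or COMPOUND_RE.search(pattern):
            skipped.append((ind_id, "unsupported pattern")); continue
        comparisons = [(OBSERVABLE_TYPES.get((t, p)), v.lower())
                       for t, p, v in COMPARISON_RE.findall(pattern)]
        comparisons = [(t, v) for t, v in comparisons if t is not None]
        if not comparisons:
            skipped.append((ind_id, "unparsed pattern")); continue
        for key in comparisons:
            iocs[key] = {"indicator": ind_id, "confidence": obj.get("confidence", 0)}
    return iocs, skipped


def extract_observables(line):
    """Pull the lookup-able observables out of one log line."""
    found = {("ipv4", ip) for ip in IPV4_RE.findall(line)}
    found |= {("sha256", h.lower()) for h in SHA256_RE.findall(line)}
    found |= {("domain", d.lower()) for d in HOST_RE.findall(line)}
    return found


def match_logs(iocs, lines):
    """Return one hit per (line, observable) that is in the IOC table."""
    hits = []
    for idx, line in enumerate(lines):
        for key in sorted(extract_observables(line)):
            meta = iocs.get(key)
            if meta:
                hits.append({"line": idx, "type": key[0], "value": key[1], **meta})
    return hits


def run_example(now=None):
    now = now or datetime(2024, 3, 1, tzinfo=timezone.utc)
    iocs, skipped = load_indicators(FEED_JSON, now)
    return match_logs(iocs, LOG_LINES), skipped


if __name__ == "__main__":
    matches, skipped = run_example()
    for m in matches:
        print(f"line {m['line']}: {m['type']} {m['value']} -> {m['indicator']} (confidence {m['confidence']})")
    for ind_id, reason in skipped:
        print(f"skipped {ind_id}: {reason}")
```

Run as-is it reports two hits (the known IP on line 0 and the known domain on line 1) and four skipped indicators. The three log lines that do not fire are the point: the expired, low-confidence and compound-pattern indicators all contain values that appear in the logs, so a platform that applied the raw feed without these checks would have raised three extra alerts, one of them on an indicator the feed provider had already withdrawn.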
- The diagram is an over-simplification of the types of CTI; in reality the implementation of these types may vary per organization.
- In the SANS and EC-Council literature the definitions of Operational and Tactical CTI are swapped around.
- SANS distinguishes Strategic, Tactical and Operational CTI; EC-Council additionally describes Technical CTI, which has been left out of the diagram for the sake of simplicity.
A Cyber Threat Intelligence-informed SOC strategy is highly beneficial to a cyber security organization when it comes to combating targeted cyber threats.