Discussion work
Threat Intelligence
What Is Threat Intelligence?
Threat intelligence is knowledge that allows you to prevent or mitigate
cyberattacks. Rooted in data, threat intelligence gives you context that helps you make
informed decisions about your security by answering questions like who is attacking you,
what their motivations and capabilities are, and what indicators of compromise in your
systems to look for.
“Threat intelligence is evidence-based knowledge, including context, mechanisms,
indicators, implications, and action-oriented advice about an existing or emerging menace
or hazard to assets. This intelligence can be used to inform decisions regarding the
subject’s response to that menace or hazard.”
---- Gartner
Threat Intelligence Defined
Threat Intelligence (TI) is an area of cybersecurity that focuses on the collection and analysis of information
about current and potential attacks that threaten the safety of an organization or its assets.
TI is based on the collection of intelligence using open source intelligence (OSINT), social media intelligence
(SOCMINT), human intelligence (HUMINT), technical intelligence, or intelligence from the deep and dark web.
TI's key mission is to research and analyze trends and technical developments in three areas:
• Cybercrime – attackers aim to profit by converting stolen data into cash
• Hacktivism – attackers aim to damage the reputation of the organization
• Cyberespionage – attackers aim to exert political influence or improve the strategic capabilities of their host nation sponsors
Threat Intelligence and Cyber Security Strategy
• Threat Intelligence (TI) is a specialized tool in the cyber security strategy.
• Many organizations implement an in-house threat intelligence strategy as one of the key elements of a strong defense posture in the enterprise.
• Analyzing existing as well as potential threats and deriving insights from them helps security teams anticipate threats quickly and respond decisively and effectively to confirmed security breaches. That is the value TI adds in preventing further attacks.
Threat Intelligence Program Requirements
❑ Knowledge of past, current and emerging threat vectors as well as external and internal sources of threat
❑ Thorough understanding of key business information (e.g. critical assets, IT systems, etc.)
❑ Reliable and reputable sources of threat information, including data feeds into those sources where possible
❑ Visibility into endpoint information (e.g. memory, registry, running processes, etc.)
❑ Access to passive DNS logs, proxy logs, firewall logs, IDS logs, email logs, etc.
❑ Centralized storage location for information, through a Threat Intelligence Platform or an Excel sheet
❑ Understanding of the fundamentals of a Threat Intelligence program, including key threat evaluation characteristics
❑ Understanding of regions of operation
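Several of these requirements (a centralized indicator store, access to passive DNS and proxy logs) come together in the most basic TI workflow: checking what the logs show against what the platform knows. The script below is an added example written for this discussion, not material from the slides or from any vendor product. The indicator values, the key=value log layout and the `INDICATORS` / `SAMPLE_LOGS` names are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed indicator set standing in for an export from a Threat Intelligence
# Platform (or the Excel sheet the slide mentions). None of these are real IoCs.
INDICATORS = {
    "domain": {"update-checker.example.net": "Campaign-A loader C2 (constructed)"},
    "ipv4":   {"198.51.100.23": "Campaign-A staging host (constructed)"},
}

# Constructed log lines. The "<source> <timestamp> key=value ..." layout is an
# assumption for this example, not the format of any particular DNS or proxy product.
SAMPLE_LOGS = [
    "dns 2024-03-01T10:00:01Z src=10.0.0.5 q=www.example.com a=192.0.2.10",
    "dns 2024-03-01T10:00:07Z src=10.0.0.8 q=cdn.update-checker.example.net a=198.51.100.23",
    "proxy 2024-03-01T10:00:09Z src=10.0.0.8 url=http://198.51.100.23/files/stage2.bin status=200",
    "proxy 2024-03-01T10:01:00Z src=10.0.0.9 url=https://www.example.com/ status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass(frozen=True)
class Hit:
    line_no: int
    source: str    # which log produced the hit (dns / proxy)
    src_host: str  # internal host that generated the event
    ioc_type: str
    value: str     # the indicator that matched (may be a parent domain)
    context: str   # analyst note stored with the indicator


def parse_line(line: str):
    """Split a constructed log line into its source type and key=value fields."""
    source, _timestamp, rest = line.split(" ", 2)
    return source, dict(KV_RE.findall(rest))


def observables(source: str, fields: dict):
    """Yield the (type, value) pairs in one event that are worth checking."""
    if source == "dns":
        yield "domain", fields.get("q", "")
        yield "ipv4", fields.get("a", "")
    elif source == "proxy":
        host = urlsplit(fields.get("url", "")).hostname or ""
        # An IP literal in a URL is an address, not a domain name.
        yield ("ipv4" if IPV4_RE.fullmatch(host) else "domain"), host


def domain_candidates(name: str):
    """The exact name plus every parent suffix (excluding the bare TLD), so that
    cdn.evil.example still matches an indicator recorded as evil.example."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_indicators(lines, indicators=INDICATORS):
    """Return one Hit per indicator observed in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        source, fields = parse_line(line)
        for ioc_type, value in observables(source, fields):
            if not value:
                continue
            candidates = domain_candidates(value) if ioc_type == "domain" else [value]
            for cand in candidates:
                note = indicators.get(ioc_type, {}).get(cand)
                if note:
                    hits.append(Hit(n, source, fields.get("src", "?"), ioc_type, cand, note))
    return hits


def hits_per_host(hits):
    """Count matches per internal host: a host that touched several indicators is a
    stronger triage candidate than one that produced a single match."""
    counts = {}
    for h in hits:
        counts[h.src_host] = counts.get(h.src_host, 0) + 1
    return counts


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no} [{h.source}] {h.src_host} -> {h.ioc_type} {h.value}: {h.context}")
    print(hits_per_host(found))
```

The parent-suffix walk in `domain_candidates` is the detail most simple matchers get wrong: a campaign that rotates subdomains under one registered domain would otherwise slip past an exact-match lookup. Real deployments replace the dictionary with the platform's API or a database, but the matching logic stays the same.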
The Types of Threat Intelligence
As demonstrated by the threat intelligence lifecycle, the final product will look different
depending on the initial intelligence requirements, sources of information, and intended
audience. It can be helpful to break down threat intelligence into a few categories based on
these criteria.
Threat intelligence is often broken down into three subcategories:
Strategic
• Broader trends, typically meant for a non-technical audience
Tactical
• Outlines of the tactics, techniques, and procedures of threat actors, for a more technical audience
Operational
• Technical details about specific attacks and campaigns
Machine Learning for Better Threat Intelligence
Data processing takes place at a scale today that requires automation to be comprehensive.
Combine data points from many different types of sources, including open, dark web, and
technical sources, to form the most robust picture possible. Machine learning serves four purposes here:
1. To structure data into entities and events
2. To structure text in multiple languages through natural language processing
3. To classify events and entities, helping human analysts prioritize alerts
4. To forecast events and entity properties through predictive models
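The first and third points (turning unstructured text into entities, then classifying them so analysts can prioritize) can be shown without any machine learning at all, with regular expressions and a keyword scorer. The code below is an added example for this discussion, not code from the slides or from Recorded Future; the report excerpt, the defanging conventions it undoes (`hxxp://`, `[.]`) and the `SEVERITY_TERMS` weights are constructed for illustration.

```python
import re

# Constructed excerpt in the style of a vendor report. Every indicator in it is
# made up; the hash is an obvious placeholder, not a real sample.
SAMPLE_TEXT = """
The loader beacons to hxxp://update-checker[.]example[.]net/ping and to
198[.]51[.]100[.]23 over port 8443. A second sample (SHA256
0000000000000000000000000000000000000000000000000000000000000001) drops a
ransomware payload. Analysts should check for update-checker.example.net in
proxy logs.
"""

PATTERNS = {
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "url":    re.compile(r"https?://[^\s\"'<>]+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Constructed weights: words in the same sentence as an entity raise its priority.
SEVERITY_TERMS = {"ransomware": 3, "wiper": 3, "c2": 2, "beacon": 2, "drops": 1, "loader": 1}


def refang(text: str) -> str:
    """Undo common defanging so indicators parse as real hostnames and URLs."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", ".")
                .replace("(.)", "."))


def extract_entities(text: str) -> dict:
    """Structure free text into typed entities (point 1 on the slide)."""
    clean = refang(text)
    found = {}
    for kind, pattern in PATTERNS.items():
        # Strip trailing punctuation that the URL pattern may have swallowed.
        found[kind] = sorted({m.group(0).rstrip(".,)") for m in pattern.finditer(clean)})
    return found


def prioritize(text: str) -> list:
    """Classify entities by the severity terms in their sentence (point 3 on the
    slide). Returns [((kind, value), score), ...] sorted by descending score."""
    clean = " ".join(refang(text).split())
    sentences = re.split(r"(?<=[.!?])\s+", clean)
    scored = {}
    for sentence in sentences:
        lowered = sentence.lower()
        score = sum(w for term, w in SEVERITY_TERMS.items() if term in lowered)
        for kind, values in extract_entities(sentence).items():
            for value in values:
                # An entity mentioned in several sentences keeps its highest score.
                scored[(kind, value)] = max(scored.get((kind, value), 0), score)
    return sorted(scored.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for kind, values in extract_entities(SAMPLE_TEXT).items():
        print(f"{kind}: {values}")
    for (kind, value), score in prioritize(SAMPLE_TEXT):
        print(f"{score:>2}  {kind:<7} {value}")
```

The sentence-level scoring is a deliberately crude stand-in for the classifiers the slide refers to, but it already captures the shape of the task: the same domain can appear in a "beacons to" sentence and in a neutral "check your logs" sentence, and the analyst wants the higher of the two contexts to win.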
Threat Intelligence Use Cases
The diverse use cases of threat intelligence make it an essential resource for cross-functional
teams in any organization. Although it’s perhaps the most immediately valuable when it helps you
prevent an attack, threat intelligence is also a useful part of triage, risk analysis, vulnerability
management, and wide-scope decision making.
Typical use cases include:
• Incident Response
• Security Operations
• Vulnerability Management
• Risk Analysis
• Fraud Prevention
• Security Leadership
• Reducing Third-Party Risk
The Threat Intelligence Lifecycle
Raw data is not the same thing as intelligence. Cyber threat intelligence is the finished product that
comes out of a six-part cycle of data collection, processing, and analysis. This process is a cycle because
new questions and gaps in knowledge are identified during the course of developing intelligence, leading
to new collection requirements being set. An effective intelligence program is iterative, becoming more
refined over time.
1. Planning and Direction
• The first step toward producing actionable threat intelligence is asking the right question.
• One important guiding factor at this stage is understanding who will consume and benefit from the finished product.
2. Collection
• Gather raw data that fulfills the requirements set in the first stage.
• Collect data from a wide range of sources: internal ones like network event logs and records of past incident responses, and external ones from the open web, the dark web, and technical sources.
3. Processing
• Recorded Future uses machine learning and natural language processing to parse text from millions of unstructured documents across seven different languages and classify them using language-independent ontologies and events, enabling analysts to perform powerful and intuitive searches that go beyond bare keywords and simple correlation rules.
The Threat Intelligence Lifecycle (Cont.)
4. Analysis
• The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.
5. Dissemination
• The finished product also needs to be tracked so that there is continuity between one intelligence cycle and the next and the learning is not lost.
• Use ticketing systems that integrate with your other security systems to track each step of the intelligence cycle.
6. Feedback
• This is the point at which the intelligence cycle comes full circle, which makes it closely related to the initial planning and direction phase.
• After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered.
How Data Can Help Protect Against Security Compromises by Employees and Third-Party Partners
Cybersecurity compromises caused by insiders like employees and trusted
business partners don’t garner the same attention as those perpetrated by
criminal hackers. Most business leaders simply don’t see insiders through the
same sinister lens as they view cybergangs or nation-state actors.
But executives would do well to shift their attention from boundless cybercriminals
to the core of the business: their employees. In fact, 28% of all breaches involve
employees, according to the Verizon 2018 Data Breach Investigations Report.1
The report also found that the number of internal breaches soared 148% between
2013 and 2017.
Source: AI-Insider_Threats
How AI Helps Curb Insider Threats
One of the most powerful advantages of AI is that its value and capabilities will expand over time. That’s because AI
“learns” as it ingests and analyzes more data, which improves its ability to detect suspicious activity. As AI learns
patterns of activities, it creates new threat indicators for behavioral anomalies that are not typically identified by
traditional detection tools. This enables the technology to begin to predict threats and their potential impacts—before
they occur.
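The behaviour the slide describes, a system that learns each user's normal activity and flags departures from it, can be made concrete with a per-user statistical baseline. The following is an added example for this discussion, not code from the source document; it uses a plain mean and standard deviation as a stand-in for the learning the slide attributes to AI, and the `HISTORY` counts, the 14-day window and the thresholds are all constructed values.

```python
import statistics
from dataclasses import dataclass

# Constructed per-user daily counts of one activity (say, files downloaded from
# a file share) over a learning window. The numbers are made up for the example.
HISTORY = {
    "alice": [10, 12, 11, 13, 12, 10, 14, 11, 12, 13, 10, 12, 11, 12],
    "bob":   [40, 45, 50, 55, 60, 42, 48, 52, 58, 44, 46, 54, 56, 50],
    "carol": [5, 6, 5],  # too little history to judge yet (cold start)
}

MIN_DAYS = 7        # do not score a user until this much history exists
Z_THRESHOLD = 3.0   # standard deviations above baseline that count as anomalous
STD_FLOOR = 1.0     # prevents a near-zero divisor for very regular users


@dataclass
class Baseline:
    mean: float
    std: float
    days: int


def learn_baseline(history):
    """Build a per-user baseline from past activity; None where history is too short."""
    return {
        user: (Baseline(statistics.mean(counts),
                        max(statistics.stdev(counts), STD_FLOOR),
                        len(counts))
               if len(counts) >= MIN_DAYS else None)
        for user, counts in history.items()
    }


def score(baselines, user, observed):
    """Z-score of today's count against the user's own baseline, or None when the
    user is unknown or still in the cold-start window."""
    b = baselines.get(user)
    if b is None:
        return None
    return (observed - b.mean) / b.std


def is_anomalous(baselines, user, observed):
    z = score(baselines, user, observed)
    return z is not None and z >= Z_THRESHOLD


def update(history, baselines, user, observed):
    """Feed today's count back so the baseline keeps learning. Anomalous days are
    NOT fed back: otherwise a slow ramp-up would teach the model that a steadily
    growing download rate is normal. Returns the refreshed baselines."""
    if not is_anomalous(baselines, user, observed):
        history.setdefault(user, []).append(observed)
    return learn_baseline(history)


if __name__ == "__main__":
    baselines = learn_baseline(HISTORY)
    today = {"alice": 120, "bob": 55, "carol": 100}
    for user, count in today.items():
        z = score(baselines, user, count)
        verdict = "no baseline yet" if z is None else f"z={z:.1f} {'ANOMALY' if z >= Z_THRESHOLD else 'normal'}"
        print(f"{user:<6} today={count:<4} {verdict}")
```

Two caveats a practitioner will recognize: the cold-start guard means a brand-new account (or a new contractor from a third party) is exactly the case a purely behavioural model cannot yet judge, and the decision not to learn from flagged days is what keeps a patient insider from "training" the baseline upward. Both mirror the point on the next slide that prepackaged models need tuning to the environment.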
Source: AI-Insider_Threats
Challenges Of Using AI For Insider Threats
Despite the hype, AI remains an emerging discipline. In fact, only 12% of enterprise
organizations have extensively deployed AI-based security analytics, while 27% have done so
on a limited basis, according to Enterprise Strategy Group.3 Among those who have adopted
AI, more than one-third (34%) cited improved security as a top use case.
But as with any new technology, change invariably brings challenges.
Among organizations that have adopted AI, many use prepackaged software that is not
tailored to individual requirements and environments. Smaller businesses, in particular, often
employ off-the-shelf solutions that do not fully integrate with existing IT and threat-intelligence
systems. Lacking in-house expertise, these companies typically don't enhance or modify
packaged solutions. Big organizations, on the other hand, are more likely to have data-science
resources to help them customize and integrate AI.
Source: AI-Insider_Threats