
Cyber Threat Intelligence 101: The Basics

Jul 29, 2020 1:09:46 PM

In the world of cybersecurity, things are ever changing. Organizations are targeted every day by new attempts to steal information or money, or simply to cause chaos. Basic cybersecurity hygiene, including training people to recognize social engineering attacks, is a must at every level of an organization, but many organizations need a higher level of situational awareness than simply knowing what sorts of attacks they might face: they need to understand the cyber threat landscape as it applies to them. In fact, situational awareness is one of the domains required of Department of Defense suppliers and contractors at certain levels of the Cybersecurity Maturity Model Certification (CMMC) model. Achieving situational awareness, whether in general or as required by CMMC, makes the use of cyber threat intelligence necessary.

So just what is cyber threat intelligence, anyway?

The obvious answer is intelligence about cyber threats, right? Really, though, it’s a bit more than that. At its most basic, cyber threat intelligence is information that allows cyber teams to identify and respond to cyber attacks. Spotting known indicators of compromise (IOCs), such as IP addresses, file hashes, or domain names, in your own telemetry is evidence that there may have been malicious activity within the network, and allows a team to take action, for example by blocking future traffic to those addresses or domains. A single hit is evidence, not proof: shared hosting and stale feed entries produce false positives, so a match should trigger investigation before it triggers a block.

While indicators of compromise are crucial, they are also short-lived: an attacker can change an IP address or recompile a binary far more cheaply than they can change how they operate. Putting indicators in context is what takes cyber threat intelligence to the next level. By using known intelligence about threat actors and their tactics, techniques, and procedures (TTPs), cybersecurity teams can hunt for suspicious behavior rather than only for traffic to known-bad sites, and take defensive action before a new indicator ever shows up in a feed.
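The simplest thing a team does with indicators is exactly what the paragraphs above describe: take a feed, normalize it, and sweep it across proxy, DNS and endpoint logs, keeping track of which source each hit came from so the analyst has context. The script below is an added example written for this post, not Celerium code and not any real feed format; the indicator list, the defanging conventions it undoes (`hxxp://`, `[.]`), the log line layout and every address, domain and hash in it are constructed for illustration. It treats a feed domain as covering its subdomains and an address range as covering every address in it, and it dedupes repeated candidates within one line so a single log entry yields one hit per indicator.

```python
import ipaddress
import re

# Constructed indicator feed (not real threat data). Each entry carries its
# origin so an analyst can see which source produced a hit.
IOC_FEED = [
    {"value": "198.51.100.23", "type": "ipv4", "source": "commercial"},
    {"value": "203.0.113.0/24", "type": "ipv4-range", "source": "public"},
    {"value": "BAD-UPDATES.EXAMPLE", "type": "domain", "source": "isac"},
    {"value": "hxxp://bad-updates[.]example/installer", "type": "url", "source": "isac"},
    {"value": "0123456789abcdef" * 4, "type": "sha256", "source": "internal"},
]

# Constructed log lines standing in for proxy, DNS and endpoint telemetry.
SAMPLE_LOGS = [
    "proxy 2020-07-29T13:05:11Z src=10.0.0.15 dst=198.51.100.23 url=http://198.51.100.23/x",
    "dns 2020-07-29T13:05:12Z client=10.0.0.15 query=cdn.bad-updates.example",
    "edr 2020-07-29T13:05:14Z host=WS-0231 file=installer.exe sha256=" + "0123456789abcdef" * 4,
    "proxy 2020-07-29T13:06:00Z src=10.0.0.22 dst=203.0.113.77 url=https://203.0.113.77/",
    "proxy 2020-07-29T13:06:30Z src=10.0.0.22 dst=93.184.216.34 url=https://example.com/",
    "proxy 2020-07-29T13:07:02Z src=10.0.0.15 dst=192.0.2.9 url=http://bad-updates.example/installer",
]

# Candidate extractors; lines are lowercased before these run.
RE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RE_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
RE_SHA256 = re.compile(r"\b[a-f0-9]{64}\b")
RE_URL = re.compile(r"https?://\S+")


def refang(value):
    """Undo the defanging feeds use (hxxp://, [.]) so entries compare against raw logs."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


class IocMatcher:
    def __init__(self, feed):
        self.ips, self.domains, self.hashes, self.urls = {}, {}, {}, {}
        self.networks = []
        for ioc in feed:
            v = refang(ioc["value"]).lower()
            t = ioc["type"]
            if t == "ipv4":
                self.ips[v] = ioc
            elif t == "ipv4-range":
                self.networks.append((ipaddress.ip_network(v, strict=False), ioc))
            elif t == "domain":
                self.domains[v] = ioc
            elif t == "sha256":
                self.hashes[v] = ioc
            elif t == "url":
                self.urls[v.rstrip("/")] = ioc
            else:
                raise ValueError(f"unsupported indicator type: {t}")

    @staticmethod
    def _hit(line_no, observed, ioc):
        return {"line": line_no, "observed": observed, "indicator": ioc["value"],
                "type": ioc["type"], "source": ioc["source"]}

    def scan_line(self, line_no, line):
        text = line.lower()
        hits = []
        for ip in sorted(set(RE_IPV4.findall(text))):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # e.g. 999.1.1.1 embedded in some other token
            if ip in self.ips:
                hits.append(self._hit(line_no, ip, self.ips[ip]))
            for net, ioc in self.networks:
                if addr in net:
                    hits.append(self._hit(line_no, ip, ioc))
        for host in sorted(set(RE_HOST.findall(text))):
            labels = host.split(".")
            # A feed domain also covers its subdomains (cdn.bad-updates.example);
            # stop at the first matching parent, never at the bare TLD.
            for i in range(len(labels) - 1):
                parent = ".".join(labels[i:])
                if parent in self.domains:
                    hits.append(self._hit(line_no, host, self.domains[parent]))
                    break
        for digest in sorted(set(RE_SHA256.findall(text))):
            if digest in self.hashes:
                hits.append(self._hit(line_no, digest, self.hashes[digest]))
        for url in sorted(set(RE_URL.findall(text))):
            key = url.rstrip("/")
            if key in self.urls:
                hits.append(self._hit(line_no, url, self.urls[key]))
        return hits


def scan_logs(lines, feed=IOC_FEED):
    """Sweep the feed across every log line; returns one hit per (line, indicator)."""
    matcher = IocMatcher(feed)
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(matcher.scan_line(n, line))
    return hits


def summarize_by_source(hits):
    """Count hits per feed source so the analyst sees where the intelligence came from."""
    counts = {}
    for h in hits:
        counts[h["source"]] = counts.get(h["source"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for h in results:
        print(f"line {h['line']}: {h['observed']} matched {h['type']} "
              f"{h['indicator']} from {h['source']} feed")
    print(summarize_by_source(results))
```

On the constructed logs this reports six hits across five of the six lines: the commercial IP, a subdomain of the ISAC domain, the internally sourced hash, an address inside the public range, and both the domain and the exact URL on the last line; the benign `example.com` line produces nothing. Each hit is a lead for an analyst, not an automatic block.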

Where does cyber threat intelligence come from?

Well, you see, when a threat actor and a piece of malware love each other very much… just kidding.

Cyber threat intelligence can come from several different sources, and is often delivered in the form of a feed.

  • Public sources come from governments and other open-source organizations. These feeds tend to be broad and not specific to any one industry.
  • Commercial sources come from companies that are selling data they have gathered on their own.
  • ISACs and other sharing communities provide threat intelligence to their members. ISAC feeds focus on the most relevant threats to the industry the ISAC serves. Sharing communities may be industry-specific, or comprised of critical partners or companies in an enterprise supply chain.
  • Internal sources are exactly what they sound like: your own tools and systems. Intelligence from your own network could come from a phishing email reported by an employee, or from the logs of your SIEM, endpoint, or other tools.

Can I do anything with cyber threat intelligence besides block IP addresses all day?

Absolutely. Cyber threat intelligence can help you become proactive about threats by giving your analysts the information they need to develop a theory of attack. A theory of attack is exactly what it sounds like: a hypothesis about how your organization might be targeted by attackers. A key part of developing one is consulting the organization’s threat repository to learn what threats similar organizations have faced and which tactics the threat actors behind them have used in the past. The analyst can then work with security engineers to find weaknesses in the organization’s existing security structure and implement controls that mitigate the threats in the theory.

Another important thing to do with cyber threat intelligence is share it. When you receive a feed of intelligence, you can act on the indicators in that feed before you have seen them in your own network (after vetting them, since feeds do contain false positives). For many feeds, such as the DHS/AIS feed, you can also share back the indicators you have observed to make the entire community more secure. Active participation in cyber threat sharing can be a compliance requirement in some industries, including defense supply chains as seen in CMMC. But even without a compliance requirement, it’s always considered a best practice!

Ready to learn more about cyber threat intelligence and how Celerium’s solutions empower your team to use it effectively and efficiently? Our Proactive Cyber Defense whitepaper can help you learn about highly relevant intelligence and how to make the most of your internal systems, as well as developing theories of attack. Check it out today!

Download Whitepaper