<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Why do we need a Cyber Threat Intelligence? - osintafrica</title>
	<atom:link href="https://www.osintafrica.net/tag/why-do-we-need-a-cyber-threat-intelligence/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.osintafrica.net</link>
	<description>intelligency blog</description>
	<lastBuildDate>Tue, 19 Sep 2023 20:52:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2023/05/cropped-osintafrica-1.jpg?fit=32%2C32&#038;ssl=1</url>
	<title>Why do we need a Cyber Threat Intelligence? - osintafrica</title>
	<link>https://www.osintafrica.net</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">221010672</site>	<item>
		<title>Why do we need a Cyber Threat Intelligence?</title>
		<link>https://www.osintafrica.net/why-do-we-need-a-cyber-threat-intelligence/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=why-do-we-need-a-cyber-threat-intelligence</link>
		
		<dc:creator><![CDATA[Bangaly Koita]]></dc:creator>
		<pubDate>Tue, 27 Dec 2022 18:00:45 +0000</pubDate>
				<category><![CDATA[Main News]]></category>
		<category><![CDATA[Analysis or Processing]]></category>
		<category><![CDATA[Cyber Threat Intelligence]]></category>
		<category><![CDATA[Cyber Threat Intelligence Report]]></category>
		<category><![CDATA[Cyber Threat Intelligence tools]]></category>
		<category><![CDATA[Direction or Planning]]></category>
		<category><![CDATA[Intelligence Cycle]]></category>
		<category><![CDATA[Why do we need a Cyber Threat Intelligence?]]></category>
		<guid isPermaLink="false">https://www.osintafrica.net/?p=482</guid>

					<description><![CDATA[<p>Imagine a new zero-day vulnerability under exploitation that can impact your organization without a CVE...</p>
<p>The post <a href="https://www.osintafrica.net/why-do-we-need-a-cyber-threat-intelligence/">Why do we need a Cyber Threat Intelligence?</a> first appeared on <a href="https://www.osintafrica.net">osintafrica</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><span style="color: #000000;"><img data-recalc-dims="1" fetchpriority="high" decoding="async" class="alignnone size-full wp-image-480" src="https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2022/12/template.png?resize=640%2C360&#038;ssl=1" alt="" width="640" height="360" srcset="https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2022/12/template.png?w=1280&amp;ssl=1 1280w, https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2022/12/template.png?resize=300%2C169&amp;ssl=1 300w, https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2022/12/template.png?resize=1024%2C576&amp;ssl=1 1024w, https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2022/12/template.png?resize=768%2C432&amp;ssl=1 768w" sizes="(max-width: 640px) 100vw, 640px" />Imagine a new zero-day vulnerability under exploitation that can impact your organization without a CVE score, and your scanner cannot detect it.</span></p>
<p><span style="color: #000000;">Imagine having many devices exposed over the internet with different vulnerabilities not detected by your vulnerability scanner.</span></p>
<p><span style="color: #000000;">Imagine that your employees use the same password on social media and in your organization. What if the social media platform was breached? The password might be on the Dark Web or another forum where leaked data is shared. Your organization might be compromised if you are not aware of the breach.</span></p>
<p><span style="color: #000000;">Imagine that your competitor company was compromised, and you might be the next.</span></p>
<p><span style="color: #000000;">Imagine that your company's confidential information was leaked on the Dark Web, and you need to find the confidential data.</span></p>
<p><span style="color: #000000;">Imagine that your employees are posting pictures containing confidential information about your company on social media such as Twitter, Facebook and LinkedIn, and you are not aware of it.</span></p>
<p><span style="color: #000000;">Imagine that threat actors made a copy of your website, and your employees are connecting to it without knowing.</span></p>
<p><span style="color: #000000;">Imagine that your employees are receiving a lot of phishing emails daily and are responding to them.</span></p>
<p><span style="color: #000000;">There are thousands more reasons we could mention, but let’s stop here.</span></p>
<p><span style="color: #000000;">As a security expert, when you think about all the imagined scenarios above, you will want a way to detect them and protect your organization against them.</span></p>
<p><span style="color: #000000;">Cyber Threat Intelligence, or CTI, was created to provide a solution to such imagined scenarios.</span></p>
<p><span style="color: #000000;">Before talking about Cyber Threat Intelligence, we should talk about the “Intelligence Cycle”.</span></p>
<p><span style="color: #000000;"><strong>Intelligence Cycle </strong></span></p>
<p><span style="color: #000000;">The intelligence cycle is a set of steps that we use to conduct intelligence work.</span></p>
<p><span style="color: #000000;">The Intelligence Cycle is divided into different phases:</span></p>
<p><span style="color: #000000;"><strong>Direction or Planning</strong> – This phase is the first phase and is very important.</span></p>
<p><span style="color: #000000;">In this phase, you set your goals and procedures, and prioritize based on the asset evaluation result.</span></p>
<p><span style="color: #000000;"><strong>Collection</strong> – This is where you gather data to meet the goals set in the previous phase. You will need to use different tools to achieve this. For example: using open sources or private sources to find all the devices on the internet that belong to your organization.</span></p>
<p><span style="color: #000000;"><strong>Analysis or Processing</strong> – After collecting the data, you must process and analyze all of it. You need a specific tool to do that, and you will also need to interpret the data at this point. Note that if the collection, processing or analysis fails, the results will not be accurate. For example: collecting and analyzing a large amount of data from the Dark Web by entering your company keyword in order to find the data related to your company. If the tool did not collect the data correctly, or the analysis did not meet the requirements from the planning phase, the result would not be relevant.</span></p>
<p><span style="color: #000000;"><strong>Production</strong> – Once the analysis and processing are done, the next step is to prepare the report with the details, followed by some recommendations. For example: the cyber threat intelligence report about the data collected, processed and analyzed from the Dark Web, the vulnerability assessment report, or the report about the threat actors that can target your organization.</span></p>
<p><span style="color: #000000;"><strong>Dissemination</strong> – When your report is ready, the next step is to deliver it to the management level or the C level, based on the decision taken in the planning phase.</span></p>
<p><span style="color: #000000;">Some companies might report to different teams. For example: the vulnerability assessment report could be sent to the vulnerability management team in order to verify whether the vulnerability scanner engine failed to detect the findings. This might also help to determine the efficiency of the tool.</span></p>
<p><span style="color: #000000;">The report about leaked data could be sent to the CISO, who takes a decision based on the recommendations in the report.</span></p>
<p><span style="color: #000000;"><strong>Feedback</strong> – This is the last phase, where the report is reviewed by the management level or C level, such as the CISO. If the report did not meet the company requirements, it might be criticized so that it can be improved. For example: when you send a technical report to the CISO about data breached on the Dark Web, the CISO might not understand all the terms, as the CISO is not a technical person. It is always better to know where the report will be sent and how to meet the company requirements before delivering it.</span></p>
<p><span style="color: #000000;"><strong>Cyber threat intelligence </strong></span></p>
<p><span style="color: #000000;">Cyber threat detection is the process of detecting and analyzing different threats that can impact the organization.</span></p>
<p><span style="color: #000000;">Cyber threat detection without the intelligence cycle will be very difficult: as the volume of data on the internal network and the internet keeps growing, we need a proper approach to find the relevant data. That’s one of the reasons the two were merged to form the idea of cyber threat intelligence.</span></p>
<p><span style="color: #000000;">Cyber Threat Intelligence is the combination of threat detection tools and the intelligence cycle, used to detect and analyze threats, vulnerabilities and risks that can impact an organization.</span></p>
<p><span style="color: #000000;">As you read at the beginning of this article, Cyber Threat Intelligence is built on imagined scenarios. These scenarios will help you to find different threats, vulnerabilities and risks that can impact your organization.</span></p>
<p><span style="color: #000000;">With the explanations provided above, we can give a general definition of Cyber Threat Intelligence: it is the process of planning, collecting, processing, analyzing, producing, disseminating and providing feedback about different threats, vulnerabilities and risks that can impact your organization, by using different tools (open sources or private sources).</span></p>
<p><span style="color: #000000;">The threats, vulnerabilities and risks could be anywhere your infrastructure and data reside. It is very important to find and prioritize your assets and data. You need to have a proper data evaluation and asset evaluation in place to achieve this goal.</span></p>
<p><span style="color: #000000;"><strong>Cyber Threat Intelligence Report</strong></span></p>
<p><span style="color: #000000;">As we already mentioned, we need to report the Cyber Threat Intelligence results obtained during the “Production” phase. The report should be based on frameworks such as the Diamond Model and the Cyber Kill Chain (Google them to find out more about these topics). The frameworks will help you standardize the report and make it much easier to understand.</span></p>
<p><span style="color: #000000;"><strong>Cyber Threat Intelligence tools</strong></span></p>
<p><span style="color: #000000;">As discussed earlier, Cyber Threat Intelligence consists of collecting and analyzing data to find the relevant data. Here are the names of some tools used by Cyber Threat Intelligence teams.</span></p>
<p><span style="color: #000000;">One of the biggest repositories of Cyber Threat Intelligence tools is <a style="color: #000000;" href="https://osintframework.com/">OSINT Framework</a>; the website lists different tools used by Cyber Threat Intelligence teams. We can also cite other tools such as:</span></p>
<ul>
<li><span style="color: #000000;">Maltego: <a style="color: #0000ff;" href="https://www.maltego.com/">Homepage &#8211; Maltego</a></span></li>
<li><span style="color: #000000;">Recorded Future: <a style="color: #0000ff;" href="https://www.recordedfuture.com/">Recorded Future: Securing Our World With Intelligence</a></span></li>
<li><span style="color: #000000;">ThreatQuotient: <a style="color: #0000ff;" href="https://www.threatq.com/">ThreatQuotient | ThreatQ | Threat Intelligence Platform</a></span></li>
<li><span style="color: #000000;">Nixintel: <a style="color: #0000ff;" href="https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list">Nixintel&#8217;s OSINT Resource List &#8211; start.me</a></span></li>
</ul>
<p><span style="color: #000000;">In conclusion, based on all the details explained, Cyber Threat Intelligence is very important for any organization to protect its own environment. It will help you to be more proactive in protecting your organization against different cyber-attacks. If you have not set up a CTI team, it is time for you to start.</span></p>
<div class="saboxplugin-wrap" itemtype="http://schema.org/Person" itemscope itemprop="author"><div class="saboxplugin-tab"><div class="saboxplugin-gravatar"><img decoding="async" src="https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2023/05/cropped-osintafrica-1.jpg?fit=100%2C100&#038;ssl=1" srcset="https://i0.wp.com/www.osintafrica.net/wp-content/uploads/2023/05/cropped-osintafrica-1.jpg?fit=200%2C200&#038;ssl=1 2x" width="100" height="100" alt="Bangaly Koita" class="avatar avatar-100 wp-user-avatar wp-user-avatar-100 photo avatar-default" /></div><div class="saboxplugin-authorname"><a href="https://www.osintafrica.net/author/admin/" class="vcard author" rel="author"><span class="fn">Bangaly Koita</span></a></div><div class="saboxplugin-desc"><div itemprop="description"><p>Bangaly Koita is a SOC Analyst and Cyber Security researcher. Passionate about cyber security, he spends most of his time writing articles and making videos online to share his knowledge and experience with the vast community of IT but in general Cyber Security. Feel free to contact me in case.</p>
</div></div><div class="saboxplugin-web "><a href="https://osintafrica.net" target="_self" >osintafrica.net</a></div><div class="clearfix"></div><div class="saboxplugin-socials "><a title="Linkedin" target="_blank" href="https://www.linkedin.com/in/bangaly-koita-68b8b912a/" rel="nofollow noopener" class="saboxplugin-icon-grey">LinkedIn</a></div></div></div>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">482</post-id>	</item>
	</channel>
</rss>
