In today’s digital age, the question isn’t whether you’ll experience a cybersecurity attack, but when. Cybercriminals strike when you least expect it, with devastating consequences for day-to-day operations. If your organization is lucky, it can block the attacker and limit further damage.
For many, that’s not the case. Getting back to business as usual can take days or even months. So it’s important to detect signs of malicious activity ahead of a damaging attack, predict what will happen, and take preventive action. That’s the value of cyberthreat intelligence (CTI).
CTI is about collecting information that helps information security teams create a strong defensive strategy. Modern organizations are increasingly recognizing the value of cyberthreat intelligence, with many planning to invest more in their threat intelligence in coming years. However, there’s a difference between recognizing value and reaping the benefits.
Most organizations today stick to the most basic form of threat intelligence (e.g., threat data feeds, IPS, firewalls) without taking full advantage of what intelligence has to offer. When properly addressed, actionable CTI opens a world of opportunities. Here’s how.
What is CTI?
Cyberthreat intelligence is what cyberthreat information becomes once it has been collected and analyzed using advanced algorithms. By gathering large amounts of data about current cybersecurity threats and trends, and performing analytics on these data, cyberthreat analysts can derive usable intelligence that helps their customers to better detect and prepare for cyberthreats.
Security teams then consolidate the data into an intelligence report that’s circulated and shared with other departments. The end goal is to mitigate attacks by understanding how threat actors operate.
Why is threat intelligence important? Like all forms of intelligence, CTI adds value to cybersecurity. It strengthens an organization’s capability to minimize cyberrisk, manage threats, and feed intelligence back into all products that protect the attack surfaces.
How does CTI work?
Aside from identifying vulnerabilities in software and hardware, the report includes indicators of tactics, techniques, and procedures (TTPs). Traditionally part of military jargon, TTPs are a key concept in cybersecurity and describe how cyberattackers orchestrate, execute, and manage operational attacks.
Tactics define what a cyberattacker’s goal is and the general strategies used to gain access to an organization’s systems and information (e.g., social engineering or physical infiltration). Techniques explain how the cyberattack is conducted (e.g., phishing users via email attachments). Procedures describe the step-by-step orchestration of the attack, and are often the best way to build an attacker’s profile. This might include scanning a website for vulnerabilities, writing an SQL query that includes malicious code, then submitting it to an unsecured web form to gain control of the server.
Who needs CTI?
The short answer is everyone. Cyberthreat intelligence is for anyone with a vested interest in the cybersecurity infrastructure of an organization. Although CTI can be tailored to suit any audience, in most cases, threat intelligence teams work closely with the security operation center (SOC) that monitors and protects a business on a daily basis.
Research shows that CTI benefits people at all levels of government (national, regional, or local), from security officers, police chiefs, and policymakers to information technology specialists and law enforcement officers. It also provides value to many other professionals, such as IT managers, accountants, and criminal analysts.
The CTI life cycle
The creation of CTI is a circular process known as an “intelligence cycle.” In this five-stage cycle, data collection is planned, implemented, and evaluated; the results are then analyzed to produce intelligence, which is later disseminated and reevaluated against new information and consumer feedback. The circularity of the process means that gaps are identified in the intelligence delivered, initiating new collection requirements and launching the intelligence cycle all over again.
Three types of CTI
Broadly speaking, intelligence is split into three areas to suit the wide range of intelligence that organizations need. This can range from low-level information on malware variants being used in attack campaigns to high-level information intended to inform strategic investments and policy creation. By studying these needs, it’s often possible to make informed strategic, operational, and tactical assessments.
Strategic intelligence: This type of threat intelligence is intended to provide a broad picture of how threats and tactics (including actors, tools, and TTPs) change over time. Generated on demand as a report, this bird’s-eye view of the threat landscape facilitates high-level decisions in real time.
Operational intelligence: This is focused on understanding adversarial capabilities, infrastructure, and TTPs, and then leveraging that understanding to conduct more-targeted and prioritized cybersecurity operations. This can’t be done by machines alone; human analysis is needed to convert the data into a digestible format.
Tactical intelligence: This is about understanding high-level trends and adversarial motives, and then leveraging that information to engage in strategic security and business-making decisions. It offers support to operations on a tactical level, and its collection can almost always be automated.
Strategic, operational, and tactical CTI are at the fore of the revised ISO/IEC 27002, with a view to helping organizations collect and analyze “information relating to information security threats.” This control addition is incredibly important. Not only does it standardize the need for threat intelligence, but the intelligence being consumed will also help organizations inform security strategies and deliver appropriate mitigation actions. The result is intelligence that is “relevant,” “insightful,” “contextual,” and “actionable” all around an organization’s security perimeter.
Integrated intelligence for your organization
A good intel solution helps organizations easily consume intelligence, take action, and maximize the effectiveness of their intelligence investment. The job of an advanced threat intelligence platform—TIP for short—is to automate the threat investigation process, deliver actionable intelligence, and provide deeper visibility into the global threat landscape. Armed with this level of automation, your cybersecurity team can begin analyzing the threats that are most relevant to your organization.
For optimum results, select a CTI platform with the following characteristics:
• Multisource data correlation, i.e., the ability to aggregate internal and external data sources to provide an organization with comprehensive visibility into cyberthreats
• Automated analysis and triage, which avoids the risk of having to contend with a deluge of redundant and low-quality data
• Data-sharing function, which automatically disseminates data throughout an organization’s security deployment
• Automation, to speed up the analysis and use of threat intelligence
• Actionable insights, to give hands-on advice on how organizations can protect themselves against the threats that CTI has brought to their attention
Related standards
• ISO/IEC 27001:2022—“Information security management systems”
• ISO/IEC 27002:2022—“Information security, cybersecurity, and privacy protection; information security controls”
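As an added illustration of the multisource correlation and automated triage characteristics listed above (constructed example code, not an ISO or vendor tool; the feed entries, log lines, confidence values and scoring weights are all assumptions), the script below merges two external indicator feeds, joins them against internal proxy telemetry, drops low-confidence noise, and ranks what remains so an analyst sees the corroborated, internally observed indicators first:

```python
"""Toy multisource indicator correlation and triage (constructed example)."""
from collections import defaultdict

# Constructed sample feeds: (indicator, source, confidence 0-100, tactic).
EXTERNAL_FEEDS = [
    ("198.51.100.7", "feed-a", 80, "command-and-control"),
    ("198.51.100.7", "feed-b", 60, "command-and-control"),  # duplicate across feeds
    ("203.0.113.9", "feed-a", 20, "scanning"),               # low quality, single source
    ("evil.example", "feed-b", 90, "phishing"),
]
# Constructed internal telemetry: proxy log lines "timestamp host destination".
INTERNAL_LOG = """\
2024-01-01T10:00:00Z ws-17 198.51.100.7
2024-01-01T10:02:10Z ws-17 198.51.100.7
2024-01-01T10:05:30Z srv-3 evil.example
2024-01-01T10:07:00Z ws-22 192.0.2.44
"""

def correlate(feeds, log_text):
    """Aggregate feed entries per indicator (dedupe) and join with internal sightings."""
    merged = defaultdict(
        lambda: {"sources": set(), "confidence": 0, "tactic": None, "hosts": set()})
    for indicator, source, confidence, tactic in feeds:
        entry = merged[indicator]
        entry["sources"].add(source)            # one record per indicator, all sources kept
        entry["confidence"] = max(entry["confidence"], confidence)
        entry["tactic"] = entry["tactic"] or tactic
    for line in log_text.splitlines():
        _ts, host, dst = line.split()
        if dst in merged:                       # internal sighting of a feed indicator
            merged[dst]["hosts"].add(host)
    return merged

def triage(merged, min_confidence=50):
    """Automated triage: drop low-confidence noise, rank by corroboration and internal impact."""
    ranked = []
    for indicator, e in merged.items():
        if e["confidence"] < min_confidence:
            continue
        # Assumed weights: +15 per corroborating source, +25 per internal host that touched it.
        score = e["confidence"] + 15 * len(e["sources"]) + 25 * len(e["hosts"])
        ranked.append((score, indicator, e["tactic"], sorted(e["hosts"])))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, indicator, tactic, hosts in triage(correlate(EXTERNAL_FEEDS, INTERNAL_LOG)):
        print(f"{score:4d} {indicator:16} {tactic:20} seen on: {hosts or 'no internal hits'}")
```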
What’s next for CTI?
Every day, cybersecurity teams are faced with vast quantities of information regarding potential threats. With data streaming in from websites, apps, back-office systems, user accounts, and many more entry or access points, handling threat intelligence becomes a formidable challenge. To navigate this landscape effectively, a sophisticated and integrated solution is necessary to sift through the noise, discern patterns, and anticipate emerging trends.
A robust CTI platform doesn’t only streamline the process. It also enables teams to continually reassess their priorities within their specific context so they can swiftly adapt their defense strategies. Investing in comprehensive security measures for your digital assets has numerous benefits, from cost savings associated with outsourcing IT staff to enhanced incident response capabilities.
And the peace of mind it brings is priceless.
Published by ISO.