Cyber adversaries today are smart, sophisticated, fast, and continuously growing in number. They pose a serious threat to the business and are a difficult challenge for security operations center (SOC) personnel. Standard security tools protect against a wide range of known attacks, but they simply cannot keep up with skillful threat actors. SOCs need better tools to protect the business. Cyber threat intelligence (CTI) services can help.
CTI is not one specific “thing.” CTI is a model by which cyber information is obtained and transformed into valuable evidence for security operations and decision making. CTI involves the analysis of cyber data resulting in actionable data points. CTI can help to reduce security incidents that present risk and potential disruption to business.
There are three types of CTI, Tactical, Operational, and Strategic, each useful for a different purpose within our organization.
- Tactical – The assessment of real-time events/activities. Tactical CTI provides specific detail in response to a specific threat. For example, tactical CTI could lead to the implementation of a firewall rule to block a particular known C&C IP address.
- Operational – The assessment of specific events, such as a targeted threat campaign. It assesses threat vectors to help understand the tactics, techniques, and procedures (TTPs) used by threat actors. Operational CTI helps us develop detection mechanisms and mitigation techniques.
- Strategic – Helps to form the overall viewpoint to guide policies. Strategic CTI is intended for the decision makers within our organization to help determine strategic focus areas and the most effective allocation of company resources.
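The tactical case above, a known C&C address turning into a firewall rule, is a small pipeline in practice: indicators arrive with a confidence score and an expiry, only the confident and current ones become block rules, lower-confidence ones are alerted on rather than blocked, and the SOC checks past logs for connections to them. The following is an added example illustrating that flow; the feed entries, addresses, log lines, thresholds and `deny out` rule syntax are all constructed for illustration and do not come from any real intelligence provider or firewall product.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed tactical indicators (hypothetical values, not a real feed).
# Each carries a confidence score and a validity window: tactical intelligence
# ages quickly, and blocking a stale or re-assigned address causes outages.
TACTICAL_FEED = [
    {"indicator": "198.51.100.23", "confidence": 90,
     "valid_until": "2099-01-01T00:00:00+00:00"},
    {"indicator": "203.0.113.0/28", "confidence": 70,
     "valid_until": "2099-01-01T00:00:00+00:00"},
    {"indicator": "192.0.2.200", "confidence": 95,
     "valid_until": "2020-01-01T00:00:00+00:00"},  # expired, must be ignored
]

# Constructed firewall log lines (hypothetical): "timestamp src dst action".
FIREWALL_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 198.51.100.23 allow",
    "2024-05-01T10:00:05Z 10.0.0.9 203.0.113.7 allow",
    "2024-05-01T10:00:09Z 10.0.0.7 192.0.2.200 allow",
    "2024-05-01T10:00:12Z 10.0.0.5 93.184.216.34 allow",
]

# Constructed "current time" so the expiry check is deterministic.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def triage(feed, now, block_threshold=80, alert_threshold=50):
    """Split unexpired indicators into block (high confidence) and alert-only sets."""
    block, alert = [], []
    for ind in feed:
        if datetime.fromisoformat(ind["valid_until"]) <= now:
            continue  # stale indicator: neither block nor alert
        net = ip_network(ind["indicator"], strict=False)  # host IPs become /32
        if ind["confidence"] >= block_threshold:
            block.append(net)
        elif ind["confidence"] >= alert_threshold:
            alert.append(net)
    return block, alert


def firewall_rules(networks):
    """Render block rules in a generic 'deny out <cidr>' form for review before deployment."""
    return [f"deny out {n.with_prefixlen}" for n in networks]


def match_log(log_lines, networks):
    """Retroactive check: which past connections reached a current indicator?"""
    hits = []
    for line in log_lines:
        ts, src, dst, _action = line.split()
        if any(ip_address(dst) in n for n in networks):
            hits.append((ts, src, dst))
    return hits
```

Run against the constructed data, only the 90-confidence address becomes a block rule, the /28 is alert-only, the expired address is dropped entirely, and the retroactive log check surfaces the two hosts that already talked to live indicators.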
Here is an example of a sample Threat Intelligence plan developed as part of the coursework for USD CSOL 580.