
Cyber Threat Intelligence (CTI)

Bespoke intelligence: The key to proactive cyber defence

Introduction

Every organisation’s IT estate is unique. What’s more, every organisation operates in its own unique environment, with specific industry segments, partners, and third-party suppliers.

SecOps teams tasked with implementing effective controls against the constantly changing cybersecurity risks facing modern businesses need bespoke, contextual intelligence to do so.

Intelligence gathering, by definition, should be a bespoke framework built to align with the specific needs of the organisation, its workforce, and the external factors facing the organisation. A comprehensive intelligence framework provides a continual feedback loop of insight across the organisation’s entire digital footprint that enables security practitioners to make informed decisions about protection, risk mitigation, and vulnerability management.

Cyber threat intelligence (CTI) provides just that—the crucial intersection between establishing visibility over the most significant threats facing your organisation, and putting effective controls in place that meet your security objectives.

What is Cyber Threat Intelligence (CTI)?

Cyber Threat Intelligence (CTI) is both an approach and a technology. CTI technology provides an overlay of intelligence to enable SecOps teams to take a threat-led approach to cybersecurity by collecting, analysing, and distributing contextual information on potential risks and vulnerabilities the organisation might face. 

Rather than trying to identify and mitigate all risks at all times, CTI allows SecOps teams to focus resources on the most critical risk areas based on timely intelligence relevant to their organisation, vertical sector, business size, and location.

The objective of CTI is to enable organisations to take a proactive approach to the identification, analysis, mitigation, and remediation of threats before they become active attacks. Risks and vulnerabilities can then be prioritised based on the likelihood of an attack and its potential severity. 

The timely information provided by CTI is also a critical tool to support SecOps teams as they respond to active cyber attacks, making responses more effective by delivering key tactical intelligence on areas including attack vectors, playbook refinement and detection rules. 

CTI is often broken down into three key categories:

Strategic: Threat intelligence that provides a high-level overview of the cyber threat landscape, aimed at giving the organisation a better general understanding of threat actors’ capabilities and motivations as they relate to its business.

Operational: Threat intelligence that focuses on the tactics, techniques and procedures (TTPs) deployed by threat actors, to help SecOps teams identify, mitigate and respond to active threats to their organisation.

Tactical: The most granular level of threat intelligence, offering information and details on specific threats, indicators of compromise (IOCs), vulnerability exploitation information, attack vectors and malware analysis.

For example, CTI might alert that a new variant of the Mimikatz credential-theft tool has been identified being actively used to target the UK manufacturing sector. The intelligence report might outline:

  • The specific TTPs associated with the Mimikatz variant, including how attackers gain initial access, move laterally and exfiltrate information.
  • A list of IOCs associated with the attack, such as file hashes, IP addresses and known domains.
  • References to other incidents or campaigns targeting similar organisations.
  • Recommendations for mitigating the risk of the attack, such as system patching, configuration updates or additional monitoring.
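Turning the tactical IOCs in a report like the one above into detection, as an added illustration that is not BlueFort's code or any vendor's feed format: the indicator set, campaign names and log records below are constructed sample data, and the field names are assumptions about how a SIEM might normalise events.

```python
"""Match tactical CTI indicators (hashes, IPs, domains) against log records.
Added illustration, not BlueFort's code or any vendor's feed format; the
indicator set, campaign names and log records are constructed sample data."""
import ipaddress

# Constructed indicator set of the kind a tactical report lists; severity 3 = highest.
INDICATORS = [
    {"type": "sha256", "value": "AB" * 32, "severity": 3, "campaign": "constructed-campaign-A"},
    {"type": "ipv4", "value": "203.0.113.45", "severity": 2, "campaign": "constructed-campaign-A"},
    {"type": "domain", "value": "Update-Check.Example.COM", "severity": 2, "campaign": "constructed-campaign-B"},
]
# Constructed log records, already normalised into fields as a SIEM might present them.
LOGS = [
    {"ts": "2024-01-10T08:00:00Z", "host": "ws-17", "dst_ip": "203.0.113.45", "domain": "", "sha256": ""},
    {"ts": "2024-01-10T08:00:05Z", "host": "ws-17", "dst_ip": "", "domain": "update-check.example.com.", "sha256": ""},
    {"ts": "2024-01-10T08:01:00Z", "host": "srv-02", "dst_ip": "198.51.100.7", "domain": "intranet.example", "sha256": ""},
    {"ts": "2024-01-10T08:02:00Z", "host": "ws-03", "dst_ip": "", "domain": "", "sha256": "ab" * 32},
]
# Which log field each indicator type is compared against (assumed field names).
FIELD_FOR_TYPE = {"sha256": "sha256", "ipv4": "dst_ip", "domain": "domain"}


def normalise(ioc_type: str, value: str) -> str:
    """Canonicalise so case or trailing-dot differences cannot hide a match."""
    value = value.strip()
    if ioc_type == "sha256":
        return value.lower()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "ipv4":
        return str(ipaddress.ip_address(value))  # also rejects malformed addresses
    raise ValueError(f"unsupported indicator type: {ioc_type}")


def match_logs(logs, indicators):
    """Return matches, highest severity first, so analysts work the most critical hits first."""
    index = {(i["type"], normalise(i["type"], i["value"])): i for i in indicators}
    hits = []
    for rec in logs:
        for ioc_type, field in FIELD_FOR_TYPE.items():
            raw = rec.get(field) or ""
            if not raw:
                continue  # field absent in this record
            ioc = index.get((ioc_type, normalise(ioc_type, raw)))
            if ioc is not None:
                hits.append({"ts": rec["ts"], "host": rec["host"], "type": ioc_type,
                             "indicator": normalise(ioc_type, raw),
                             "severity": ioc["severity"], "campaign": ioc["campaign"]})
    hits.sort(key=lambda h: (-h["severity"], h["ts"]))
    return hits
```

Each hit carries the campaign the indicator came from, which is the context the report's "references to other incidents" bullet provides and which a bare IOC list loses.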

Organisations in specific sectors utilising CTI are also likely to share relevant threat intelligence information with industry-specific Information Sharing and Analysis Centers (ISACs) and other trusted networks in a collaborative effort to build overall cyber resilience. 


Why is Cyber Threat Intelligence (CTI) important?

One of the key resources from the National Cyber Security Centre (NCSC) designed to help board members govern cyber risk more effectively, the Cyber Security Toolkit for Boards, highlights a threat-led approach to cyber risk management as best practice for organisations.

“Understanding the threats faced by your organisation will enable you to tailor your organisation’s approach to cybersecurity investment accordingly. You need to prioritise what threats you are trying to defend against; otherwise, you risk trying to defend against everything and doing so ineffectively.” 

Taking a cyber threat intelligence approach to cyber risk management provides a vast range of benefits to organisations of all sizes and in all sectors. In many sectors, such as critical national infrastructure (CNI), it’s vital. It enables SecOps teams to: 

  1. Respond to new and emerging threats quickly and appropriately.   
  2. Focus their attention on key areas for improvement or remediation, maximising the productivity of limited resources.
  3. Communicate risk clearly and accurately across the organisation and build a culture of risk awareness and management among staff.
  4. Minimise risk within the organisation’s IT security environment and optimise overall cyber posture.

The NCSC recommends that all organisations consider acquiring a deeper level of threat intelligence, but this is particularly important for larger organisations with more complex IT infrastructure.  

Traditionally, cyber threat intelligence was aimed primarily at the Security Operations Centre (SOC) within an organisation and used by the teams responsible for monitoring, analysing, and responding to cybersecurity threats. SOC analysts are well practised at analysing the information from threat intelligence feeds and turning it into proactive defence measures or actionable context for threat hunting.

Modern cyber threat intelligence, now far more consumable than it once was, is being used across the organisation to apply contextual intelligence to areas including:

  • Third-party supply chain management: CTI is being used by organisations to improve the overall security and resilience of their supply chains. In the wake of high-profile supply chain cyber attacks, such as the late 2020 SolarWinds attack, organisations have realised that supply chain vulnerabilities present a significant security and compliance risk. Through due diligence, risk assessment, vendor selection, and even security training, CTI is now a core tool used to secure and monitor the supply chain ecosystem.
  • Brand reputation: Teams responsible for managing brand reputation are also utilising CTI data to take a more proactive approach to monitoring and protecting brand assets. The real-time nature of CTI means it can be used as an early warning system to identify threats to brand reputation, from negative discourse on social media to brand impersonation on phishing websites. CTI can also be a valuable asset for competitor analysis and compliance monitoring.
  • Dark web mentions: Organisations need to know immediately if their data is being sold on the dark web. CTI-based dark web monitoring can identify discussions, activities, and data dumps that relate to your brand but that would not be visible or accessible in public forums. CTI helps you better understand hidden or underground threats and will immediately alert you if a group or individual is selling your organisation’s information, your customers’ personally identifiable information (PII), supplier information, or any other related information with the potential to damage your brand reputation.

How does Cyber Threat Intelligence (CTI) work?

CTI feeds are easily accessible by teams across the organisation. The combination and curation of multiple sources of intelligence delivered via CTI has made it a critical tool for IT security teams. The holistic intelligence it provides also means it is fast becoming a source of substantial value to those looking at third-party supply chain management, brand reputation and dark web mentions.

This intelligence can be delivered in a number of ways, based on the preferences of the organisation and of individual teams. Using an application portal is the most common way for most teams to consume CTI: a portal allows teams and individuals to customise their preferences and actively search for the intelligence they need.

The aim of CTI is to give the organisation a more complete understanding of the risks it is facing at a strategic, operational and tactical level. The objective is to provide contextualised, enriched data to help the organisation make more informed decisions about threats, prioritise risk more effectively, and take a threat-led approach to mitigation.

Access to CTI provides detailed insights into:

  • New vulnerabilities.
  • Update or patching releases.
  • Indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) being used by adversaries.
  • Government directives and advice.
  • Updates and overviews of the latest breaches around the world, including sector-specific context, analysis of leaked information, and insight into local and global law enforcement perspectives.
  • Analysis of the authenticity of an emerging threat (e.g. the potential for false flag operations).
  • Updates on lists of leaked company data on the dark web and other sites.
  • Global law enforcement activity (e.g. arrests, indictments, sentences, announcements).
  • Updates on the known exploitation of ongoing zero-day vulnerabilities (e.g. MOVEit), including how specific groups are targeting affected organisations and the TTPs they use once the vulnerability has given them entry.
  • ‘Hacktivist’ activity updates.

What you need to know

  • What is the role of threat intelligence in cybersecurity?

    Threat intelligence in cybersecurity identifies and analyses potential threats, providing insights to proactively defend against cyber attacks and strengthen overall security measures.
  • What are the four types of cyber threat intelligence?

    Cyber threat intelligence includes strategic, tactical, operational and technical intelligence. Each type focuses on specific aspects, aiding in comprehensive threat analysis and mitigation.
  • How does threat intelligence contribute to incident response?

    Threat intelligence enhances incident response by offering real-time data on cyber threats. This proactive approach allows quicker detection, analysis, and mitigation of security incidents, minimising potential damage.

Have more questions?

Speak to our CTI experts.

Delivering cybersecurity with the power of Evolve

BlueFort’s Evolve allows you access to flexible and on-demand cyber skills and expertise to help you deploy any new solution and fill in any cyber skills shortage you may have.

Why work with BlueFort?

BlueFort is the UK’s leading independent Security Solutions Partner (SSP). Our unique combination of people and technology is focused on simplifying your cybersecurity journey. With a curated suite of tools, products, and skills, BlueFort partners with CIOs, CISOs, and SecOps teams to simplify, consolidate, and optimise their cybersecurity environment.

BlueFort’s carefully tested suite of tools and technology simplifies the chaos of the cyber landscape, while its in-house experts provide a rapid and immediate solution to the cybersecurity skills shortage, reducing pressure on internal security teams and delivering ongoing, on-demand cyber resource flexibility.  

With CTI, BlueFort will initially provide an accurate picture of your current external attack surface and then continue to provide contextual updates on critical vulnerabilities as your IT environment changes, with guidance and support on remediation and mitigation.    

Our goal is to create an organic discovery solution for your security organisation—removing manual processes and reducing noise to establish continuous visibility of all data, threats, remediation opportunities, and the effectiveness of existing protection. 


“Without Evolve, we would have to get in additional resource for bespoke deployments and we would certainly have to spend a lot of time in the research phase to make sure we are buying the right technology. We use BlueFort’s expertise to guide us down the right path – I wouldn’t hesitate to recommend them.”

Gary Lewis, Head of IT, Atrium Underwriters

See how BlueFort can help you simplify your cybersecurity