What is CTI, and why is it important?
The concept of CTI is as old as war. Understanding a threat actor's intentions, capabilities, objectives, resources, and thought process produces a better-informed defender. The end result of intelligence can be as simple as updating a firewall block policy with a feed of known malware Command & Control (C2) infrastructure, or as involved as a dossier on the threat actors targeting your organization's industry vertical. Ultimately, a better-informed defender can make actionable changes to an organization's risk profile by better directing every line of business within it.
Ask any IT security professional what CTI is, and you'll likely get a different definition each time. The definition of threat intelligence almost always varies from organization to organization, often because each organization has its own motivations for running a threat intelligence program. We're not going to wax poetic about the differing threat intelligence definitions; instead, we'll focus on the definition as it relates to this book.
If we were to distill it down, CTI is data and information that is collected, processed, and analyzed in order to determine a threat actor's motives, intents, and capabilities, with the objective of focusing on an event or trend to better inform defenders and create an advantage for them. Many organizations face challenges with their CTI functions, such as a flood of alerts generated from an automated API feed. A properly executed CTI collection and enrichment program can help with those challenges.
Data, information, and intelligence
When talking about CTI, it's important to differentiate between data, information, and intelligence: understanding the distinction lets you store, analyze, and identify patterns in each more efficiently. As an example, a URL is a piece of data that contains a domain; the registrant data for that domain is information; and the finding that the registrant is commonly associated with infrastructure used by the Threat Actor Group (TAG) APT29 would be considered intelligence.
Important Note
This is the first time we've used the acronym TAG. To clarify our vernacular, a threat actor is a person or entity responsible for malicious cyber activity. A group of threat actors working in unison is called a TAG and is often identified directly through naming conventions such as APT29, which was referenced earlier. We'll be covering more on TAG naming conventions in Chapter 2, Threat Actors, Campaigns, and Tooling.
Data is a single raw fact or observable, such as an IP address, malware hash, or domain name. Information is vetted data, but it often lacks the context needed for strategic action; an IP address with no malicious/benign categorization or other contextualization is an example. Finally, intelligence adds a layer of analysis and context to that information and data, making it actionable, such as a feed of malware hashes associated with cybercrime actors operating out of Europe.
To help in adding context, examples of each can be found in Table 1.1:
The process of converting data into threat intelligence combines collection, processing, analysis, and production, which will be explored later in the chapter.
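To make the data, information, and intelligence distinction concrete, and to show how the collection, processing, analysis, and production steps thin out a noisy automated feed of the kind mentioned earlier, here is an added example written for this book section; it is not code from the original text. Every input is constructed: the feed URLs, the registrant records, and the mapping of a registrant to APT29 are fictitious and exist only to show the mechanics of enrichment, not to assert any real attribution. The public-suffix handling is deliberately minimal and would be replaced by the Public Suffix List in practice.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Data: a constructed dump of raw URLs as an automated feed might deliver them,
# including a duplicate, a scheme-less entry, and benign noise.
RAW_FEED = """\
http://update-check.example-cdn.net/installer.exe
https://update-check.example-cdn.net/login
mirror.example-files.org/pkg.tar.gz
http://update-check.example-cdn.net/installer.exe
https://cdn.example-static.com/style.css
"""

# Information: constructed registrant records keyed by registrable domain,
# shaped like a WHOIS/RDAP response. All values are fictitious.
REGISTRANTS = {
    "example-cdn.net": {"registrant": "Orion Hosting Ltd", "registered": "2023-11-02"},
    "example-files.org": {"registrant": "J. Doe", "registered": "2015-04-19"},
    "example-static.com": {"registrant": "Example Static Inc", "registered": "2012-01-07"},
}

# Context held by the analyst: registrant identities previously seen on a TAG's
# infrastructure. The APT29 association here is hypothetical.
KNOWN_TAG_REGISTRANTS = {
    "Orion Hosting Ltd": {"tag": "APT29", "confidence": "medium", "source": "internal case 2023-117"},
}

# Minimal stand-in for the Public Suffix List; enough for this example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


@dataclass
class Indicator:
    url: str
    domain: str
    sightings: int = 1
    registrant: Optional[dict] = None
    assessment: Optional[dict] = None


def extract_domain(url: str) -> Optional[str]:
    """Return the registrable domain of a URL, or None if it carries no host."""
    if "://" not in url:
        url = "http://" + url  # feed entries are often scheme-less
    host = urlsplit(url).hostname  # already lower-cased, port stripped
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def collect(feed_text: str) -> Dict[str, Indicator]:
    """Collection: normalise and de-duplicate raw URLs, counting repeat sightings."""
    indicators: Dict[str, Indicator] = {}
    for line in feed_text.splitlines():
        url = line.strip()
        if not url:
            continue
        domain = extract_domain(url)
        if domain is None:
            continue  # unparseable entry: drop rather than alert on it
        if url in indicators:
            indicators[url].sightings += 1
        else:
            indicators[url] = Indicator(url=url, domain=domain)
    return indicators


def process(indicators: Dict[str, Indicator], registrants: dict) -> None:
    """Processing: attach registrant data, turning each bare URL into information."""
    for ind in indicators.values():
        ind.registrant = registrants.get(ind.domain)


def analyze(indicators: Dict[str, Indicator], known: dict) -> None:
    """Analysis: add TAG context where the registrant matches prior reporting."""
    for ind in indicators.values():
        if ind.registrant:
            ind.assessment = known.get(ind.registrant["registrant"])


def produce(indicators: Dict[str, Indicator]) -> List[dict]:
    """Production: emit only contextualised indicators, most-seen first, with provenance."""
    report = []
    for ind in sorted(indicators.values(), key=lambda i: -i.sightings):
        if ind.assessment is None:
            continue  # information without analysis is not yet intelligence
        report.append({
            "url": ind.url, "domain": ind.domain, "sightings": ind.sightings,
            "registrant": ind.registrant["registrant"],
            "registered": ind.registrant["registered"],
            "tag": ind.assessment["tag"], "confidence": ind.assessment["confidence"],
            "source": ind.assessment["source"],
        })
    return report


def run_pipeline(feed_text: str, registrants: dict, known: dict) -> List[dict]:
    indicators = collect(feed_text)
    process(indicators, registrants)
    analyze(indicators, known)
    return produce(indicators)


if __name__ == "__main__":
    for record in run_pipeline(RAW_FEED, REGISTRANTS, KNOWN_TAG_REGISTRANTS):
        print(record)
```

Five raw feed lines become four unique indicators after collection, and only the two on the domain whose registrant matches analyst context survive production; the other two are information that never acquired the context needed to act on it. The `source` and `confidence` fields are what make the final record intelligence rather than another bare indicator: a consumer can trace the claim back and weigh it.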
Understanding the importance of threat intelligence and the differentiation between data, information, and intelligence is paramount to a structurally sound CTI program. With those aspects covered, we're going to dive into the differences between the types of intelligence: tactical, strategic, operational, and technical.