Operationalizing Threat Intelligence
A guide to developing and operationalizing cyber threat intelligence programs

Product type: Paperback
Published in: Jun 2022
Publisher: Packt
ISBN-13: 9781801814683
Length: 460 pages
Edition: 1st Edition
Authors: Joseph Opacki, Kyle Wilhoit
Table of Contents

Preface
Section 1: What Is Threat Intelligence?
Chapter 1: Why You Need a Threat Intelligence Program
Chapter 2: Threat Actors, Campaigns, and Tooling
Chapter 3: Guidelines and Policies
Chapter 4: Threat Intelligence Frameworks, Standards, Models, and Platforms
Section 2: How to Collect Threat Intelligence
Chapter 5: Operational Security (OPSEC)
Chapter 6: Technical Threat Intelligence – Collection
Chapter 7: Technical Threat Analysis – Enrichment
Chapter 8: Technical Threat Analysis – Threat Hunting and Pivoting
Chapter 9: Technical Threat Analysis – Similarity Analysis
Section 3: What to Do with Threat Intelligence
Chapter 10: Preparation and Dissemination
Chapter 11: Fusion into Other Enterprise Operations
Chapter 12: Overview of Datasets and Their Practical Application
Chapter 13: Conclusion
Other Books You May Enjoy

Tactical, strategic, operational, and technical threat intelligence

When thinking about CTI, it's easy to assume that it is one discipline. On the surface, an analyst collects data from several sources, analyzes that data, and synthesizes intelligence, which, ultimately, helps the organization take action. However, closer inspection reveals there are really four distinct types of CTI.

Tactical CTI

Tactical CTI is the data and information related to the Tactics, Techniques, and Procedures (TTPs) that threat actors use to achieve their objectives. It is intended to inform defenders, threat detection and response engineers, incident responders, and other technical teams throughout the organization, and to drive some defensive action. Unlike strategic CTI, tactical CTI is almost exclusively consumed by technical staff, usually those directly responsible for defending the organization.

The most common deliverables include targeted reports, threat feeds, and API feeds of malicious observables. Many of the reports that are generated focus on the technical details pertaining to a malware family, threat group, or campaign of activity. Some examples of what might be included in tactical CTI reports include the following:

  • Targeted industries
  • The infection vector of the threat actor
  • The infrastructure used by the attacker
  • Tools and techniques employed by the threat actor

Tactical CTI is most often produced from a combination of open source and vendor-provided intelligence and data, and the producer should run an active collection and enrichment process rather than passively consuming feeds. Some examples of sources of tactical CTI include the following:

  • Malware analysis details
  • Honeypot log analysis
  • Internal telemetry data
  • Scan data (such as Shodan.io)

Next comes strategic CTI.

Strategic CTI

Strategic CTI is usually non-technical information about the threat landscape, framed in terms of risk to the organization and typically including intelligence specific to its industry vertical. It is most often used by senior decision-makers throughout the organization.

The most common deliverables include reports or briefings. It's common for the data sources for strategic CTI to be open source and include a wide variety of sources. Take a look at the following:

  • Local and national media
  • Government policy documents
  • Industry reporting
  • Content produced by industry organizations
  • Social media activity

Let's move on to operational CTI.

Operational CTI

In an ideal world, CTI would enable preventative action to be taken before a threat actor compromises an organization. Operational CTI is intelligence about possible incoming attacks on an organization. It typically combines technical and strategic elements and covers the intent, capabilities, and timing of impending attacks. This provides insight into the sophistication of the threat actor or group and helps dictate an organization's next steps. Because operational CTI aims to let defenders block activity before it takes place, it is most often the hardest type to generate.

The most common deliverable for operational CTI is the spot report: technical indicators with context drawn from related strategic intelligence. Many sources can generate this type of CTI, including the following:

  • Intercepting the chat logs of threat actor coordination
  • Social media
  • Chat rooms and instant messaging rooms (such as Discord or Telegram)
  • Underground forums and marketplaces
  • Public and private forums and message boards

Next, let's take a look at technical CTI.

Technical CTI

Technical CTI is exactly what it sounds like: technical indicators of the tools, malware, infrastructure, and other resources an actor uses to conduct their activities. Technical CTI differs from tactical CTI in that technical CTI most commonly focuses on Indicators of Compromise (IOCs), whereas tactical CTI focuses on analyzing TTPs. Because IOCs such as file hashes and IP addresses are cheap for an actor to change, technical CTI tends to lose its value far faster than the TTPs described by tactical CTI.

For example, say tactical threat intelligence indicates that the financially motivated criminal group FIN7 has attacked the banking industry in the United States and Europe. Technical threat intelligence would provide the specific hashes, infrastructure, and other details pertaining to the specific attack.

Ultimately, technical CTI is intended to inform defenders, threat detection and response engineers, incident responders, and other technical teams throughout the organization. The most common deliverables include the following:

  • Feeds or reports including malicious hashes, infrastructure, and other file attributes
  • Changes to a system infected with specific malware; for example, registry modifications
  • Confirmed C2 infrastructure
  • Email subject lines
  • Filenames or file hashes

Technical threat intelligence is sourced from many locations, for example:

  • Information security industry blogs and white papers
  • Malware analysis
  • Industry trust groups
  • Threat feeds
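As an added example (not code from the book, and not real FIN7 data), the following Python script shows how the technical and tactical layers described above fit together in practice: a constructed feed of atomic IOCs (a file hash, a C2 domain, a C2 IP address, and a phishing email subject line) is matched against constructed telemetry lines from a mail gateway, an EDR agent, a proxy, and a firewall. Each indicator carries a valid_until date, because technical CTI ages quickly, and an assumed ATT&CK technique ID that links the hit back to the TTP-level view that tactical CTI provides. The indicator values, log lines, dates, and technique mapping are all constructed for illustration; the .example domain and the 203.0.113.0/24 address are reserved documentation ranges.

```python
"""Match a technical CTI indicator feed against telemetry and roll hits up to TTPs.

Added example: all indicators, log lines, dates, and technique mappings are
constructed for illustration and are not real threat data.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Indicator:
    """One atomic IOC as delivered by a technical CTI feed."""
    ioc_type: str          # "sha256", "domain", "ipv4", or "email_subject"
    value: str
    valid_until: datetime  # feeds such as STIX 2.1 carry valid_until; hits after it are stale
    technique: str = ""    # assumed ATT&CK technique ID linking the IOC to a TTP


# Fixed "now" so the run is reproducible.
NOW = datetime(2022, 6, 15, tzinfo=timezone.utc)

# Constructed hash of a constructed "malicious document"; any 64-hex string would do.
SAMPLE_HASH = hashlib.sha256(b"constructed malicious document").hexdigest()

# Constructed technical CTI feed. The domain uses the reserved .example TLD and the
# IP is from TEST-NET-3 (203.0.113.0/24), so nothing here points at real infrastructure.
FEED = [
    Indicator("email_subject", "Invoice overdue - action required",
              datetime(2022, 8, 1, tzinfo=timezone.utc), "T1566.001"),
    Indicator("sha256", SAMPLE_HASH,
              datetime(2022, 9, 1, tzinfo=timezone.utc), "T1204.002"),
    Indicator("domain", "update-check.example",
              datetime(2022, 7, 1, tzinfo=timezone.utc), "T1071.001"),
    Indicator("ipv4", "203.0.113.45",
              datetime(2022, 5, 1, tzinfo=timezone.utc), "T1071.001"),  # already expired at NOW
]

# Constructed telemetry: mail gateway, EDR, proxy, firewall, plus one benign proxy line.
TELEMETRY = [
    '2022-06-15T09:01:02Z mailgw from=billing@example.net subject="Invoice overdue - action required" attachments=1',
    f"2022-06-15T09:03:10Z edr host=WS-114 proc=winword.exe child=mshta.exe file_sha256={SAMPLE_HASH}",
    "2022-06-15T09:03:44Z proxy host=WS-114 dst=update-check.example:443 bytes=2048",
    "2022-06-15T09:04:01Z fw host=WS-114 dst=203.0.113.45:8443 action=allow",
    "2022-06-15T09:10:00Z proxy host=WS-207 dst=www.example.org:443 bytes=510",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_observables(line):
    """Pull (ioc_type, value) candidates out of one log line."""
    found = []
    for h in re.findall(r"\b[0-9a-f]{64}\b", line):
        found.append(("sha256", h))
    for ip in IPV4_RE.findall(line):
        found.append(("ipv4", ip))
    for host in re.findall(r"dst=([A-Za-z0-9.-]+):\d+", line):
        if not IPV4_RE.fullmatch(host):  # keep IP literals in the ipv4 bucket only
            found.append(("domain", host.lower()))
    for subj in re.findall(r'subject="([^"]*)"', line):
        found.append(("email_subject", subj))
    return found


def match_feed(lines, feed, now):
    """Return one hit per (line, indicator) match, flagged active or expired."""
    index = {(i.ioc_type, i.value.lower()): i for i in feed}
    hits = []
    for n, line in enumerate(lines):
        for ioc_type, value in extract_observables(line):
            ind = index.get((ioc_type, value.lower()))
            if ind is None:
                continue
            hits.append({
                "line": n,
                "ioc_type": ioc_type,
                "value": ind.value,
                "technique": ind.technique,
                "status": "active" if now <= ind.valid_until else "expired",
            })
    return hits


def techniques_observed(hits):
    """Roll active IOC hits up to the TTP level: the ATT&CK technique IDs seen."""
    return sorted({h["technique"] for h in hits if h["status"] == "active" and h["technique"]})


if __name__ == "__main__":
    hits = match_feed(TELEMETRY, FEED, NOW)
    for h in hits:
        print(f"line {h['line']}: {h['ioc_type']}={h['value']} [{h['status']}] -> {h['technique']}")
    print("techniques observed (tactical view):", techniques_observed(hits))
```

Running it prints one line per hit and a sorted list of the techniques seen in active hits. The expired IP hit is still reported but flagged, rather than silently dropped, so the analyst can decide whether the infrastructure has been reused; the technique roll-up is the point where a pile of short-lived technical indicators turns into the longer-lived TTP statement that tactical CTI is built from.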

To wrap up, the following table compares and contrasts each intelligence type, its audience, and how long the intelligence typically retains its value:

Table 1.2 – A table comparing intelligence types

Within each of the CTI types, there is often a conversation about Subject Matter Expertise (SME) and relative team function. In the following section, we're going to explore the concept of SME within each CTI type.

Subject matter expertise

The concept of SME comes up often in threat intelligence circles. When setting up a threat intelligence program, it's important to weigh the advantages and disadvantages of dividing team functions among three broad SME focus areas: vulnerability and exploitation, cyber (criminal and nation-state), and brand:

Table 1.3 – Intelligence SME types

While CTI functions employing subject matter experts don't fit every team structure, it's an important consideration to take into account when constructing a team focused on CTI. In the following section, we're going to dive into the importance of CTI and its relative uses and benefits to an enterprise.
