What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is information, built from experience and accumulated knowledge, that describes cyber threats in enough detail to be acted upon. Depending on what a piece of CTI describes, it is commonly classified into four types:
- Technical. Provides technical details about a threat: IP addresses, malware hashes, names of created files or mutexes, domain names, strings, process names and much more. It is mostly used to detect and identify threats.
- Tactical. Describes the tactics and techniques a threat actor uses, including its tooling. Mainly focuses on Tactics, Techniques and Procedures (TTPs).
- Operational. Details information such as the motivation and capabilities of a threat actor.
- Strategic. Feeds the organization's strategy, for example a high-level risk analysis.
There is a large number of CTI platforms (e.g., MISP, OpenCTI, Anomali ThreatStream, Harpoon, GOSINT, Yeti…). Although the number can be overwhelming, the vast majority pursue common objectives, each with its own strengths. The main objectives of CTI platforms can be reduced to two points:
- Analyze, correlate and process CTI information so that it becomes useful.
- Share that information so that other entities can benefit from it to prevent and mitigate cyber threats.
Main drawbacks of CTI
CTI is quite often confused with Cyber Threat Information. Information can be defined as “a stimulus that has meaning in some context for its receiver” or “organized or classified data which has some meaningful values for the receiver”.
Intelligence depends directly on information, but it is not the same thing. Intelligence does not depend on the amount of information a system possesses, but on the amount of useful information it can apply to a specific problem. The keywords here are usefulness (it has a meaning in some context) and quality (some meaningful values, not all values).
Quality over Quantity
This brings us to the first challenge we find in CTI. We have access to a vast quantity of information: thousands of feeds generate enormous numbers of CTI events every day. This abundance, which looks beneficial, is precisely what requires a solution, because security experts are overwhelmed by a volume of information that keeps growing rapidly.
There is no need to worry about an Apache vulnerability if our infrastructure has no Apache server, and no need to spend time on an alert that does not carry enough information to evaluate or act upon it. An expert can draw these conclusions, but doing so is time consuming. There must be an automatic way to identify which information is relevant for a given business and which is not. This is one of the challenges addressed by PHOENI2X: assessing what is important and what can be discarded, and ultimately turning information into intelligence by using all the available context (e.g., information about the infrastructure, the security mechanisms in place, vulnerabilities found, and information from social networks).
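The following Python script is an added example of the kind of context-aware relevance scoring described above. It is not PHOENI2X or MISP code. The local inventory, the weights, the threshold and the three events are all constructed for illustration (the events only loosely follow the shape of a MISP event, and the "products" field is this example's own), and the IP addresses come from documentation ranges.

```python
import ipaddress

# Constructed local context (an assumption for this example, not a real
# inventory): the products we run, our public address space, and indicators
# that existing controls already block.
LOCAL_CONTEXT = {
    "products": {"nginx", "openssh", "postgresql"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3, documentation range
    "already_blocked": {"198.51.100.9", "bad.example"},     # firewall / DNS filter deny lists
}

# Constructed CTI events, loosely shaped like MISP events. "products" is this
# example's own field naming the software an event concerns.
EVENTS = [
    {
        "id": "1001",
        "info": "Remote code execution in an Apache httpd module, exploited in the wild",
        "products": ["apache httpd"],
        "attributes": [
            {"type": "sha256", "value": "0" * 64, "to_ids": True},
        ],
    },
    {
        "id": "1002",
        "info": "Exploitation campaign against nginx front ends",
        "products": ["nginx"],
        "attributes": [
            {"type": "ip-src", "value": "198.51.100.23", "to_ids": True},
            {"type": "domain", "value": "c2.example", "to_ids": True},
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        ],
    },
    {
        "id": "1003",
        "info": "Phishing domain seen in a partner's mail logs",
        "products": [],
        "attributes": [
            {"type": "domain", "value": "bad.example", "to_ids": True},
        ],
    },
]


def score_event(event, ctx):
    """Return (score, reasons) for one event given the local context."""
    score, reasons = 0, []
    # 1. Does the event concern software we actually run?
    if any(p in ctx["products"] for p in event.get("products", [])):
        score += 50
        reasons.append("concerns a deployed product")
    actionable = 0
    for attr in event["attributes"]:
        value = attr["value"]
        # 2. Is our own address space named as a source or a target?
        if attr["type"] in ("ip-src", "ip-dst"):
            ip = ipaddress.ip_address(value)
            if any(ip in net for net in ctx["networks"]):
                score += 40
                reasons.append(f"{value} is in our address space")
        # 3. Indicators already blocked by existing controls add no new work.
        if value in ctx["already_blocked"]:
            score -= 20
            reasons.append(f"{value} is already blocked")
            continue
        # 4. Count indicators that are actually usable for detection.
        if attr.get("to_ids"):
            actionable += 1
    score += min(actionable, 4) * 5  # cap so attribute-heavy dumps do not dominate
    return max(score, 0), reasons


def triage(events, ctx, threshold=40):
    """Score every event and mark it for review or discard, highest score first."""
    results = []
    for ev in events:
        score, reasons = score_event(ev, ctx)
        results.append({
            "id": ev["id"],
            "score": score,
            "verdict": "review" if score >= threshold else "discard",
            "reasons": reasons,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(EVENTS, LOCAL_CONTEXT):
        print(r["id"], r["score"], r["verdict"], "; ".join(r["reasons"]))
```

With this context the Apache event scores only 5 (we run no Apache), the event whose single indicator is already blocked scores 0, and the nginx campaign that names one of our addresses scores 105 and is the only one routed to an analyst. The point is the shape of the check, not the particular weights: every component of the score is a question about our own environment, which is also why the score itself is sensitive (see the next section).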
Preventing threats but disclosing information
Even though CTI is meant to prevent threats, sharing it can itself be a threat to the entity that shares. We may publish information about threats observed in our infrastructure so that others can prevent them, but that information can reveal details of our infrastructure that an attacker could use to exploit a vulnerability. Platforms usually provide mechanisms to choose which organizations receive which information; MISP, for example, supports organizations, sharing groups and communities so that data is sent only to trusted partners. PHOENI2X will add a further layer of protection and a finer degree of granularity to the sharing process: sensitive attributes of an event can be encrypted or anonymized, and the sharer chooses which users (belonging to a given sharing group, organization or community) can decrypt those fields.
This matters because of the relevance assessment described in the previous section. Each received event is given a score, and that score depends, to a greater or lesser extent, on what is known about our own infrastructure, so the score itself could leak sensitive information about that infrastructure. For this reason, additional layers of protection are not only beneficial but necessary.
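As an added illustration of per-recipient, per-attribute protection (example code, not the PHOENI2X mechanism, which the post says will encrypt or anonymize fields for chosen users), the script below builds the view of an event that a given recipient may see. It implements the anonymization variant only, using a keyed pseudonym from the Python standard library instead of encryption; the event, the sharing-group name, the "restricted_to" marker and the secret key are all constructed for this example.

```python
import copy
import hashlib
import hmac

# Constructed secret known only to the sharing organization (assumption).
# A keyed pseudonym, unlike a bare hash, cannot be reversed by enumerating the
# small space of private IP addresses or internal hostnames.
PSEUDONYM_KEY = b"per-organization-secret-replace-me"

# Fields that only make sense locally. A relevance score derived from our own
# asset inventory, or the list of assets it matched, would tell a recipient
# what we run, so these never leave the organization.
LOCAL_ONLY_FIELDS = {"local_score", "matched_assets"}

# Constructed event. Attributes carrying "restricted_to" may be seen in clear
# only by members of that sharing group; everyone else gets a pseudonym.
EVENT = {
    "id": "2001",
    "info": "Credential stuffing against the customer portal",
    "local_score": 85,
    "matched_assets": ["portal-web-01"],
    "attributes": [
        {"type": "ip-src", "value": "198.51.100.23", "to_ids": True},
        {"type": "domain", "value": "login-verify.example", "to_ids": True},
        {"type": "ip-dst", "value": "10.20.30.40", "to_ids": False,
         "restricted_to": "sg-trusted-partners"},
        {"type": "hostname", "value": "portal-web-01.corp.example", "to_ids": False,
         "restricted_to": "sg-trusted-partners"},
    ],
}


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Stable keyed pseudonym: the same value maps to the same token across
    events, so recipients can still correlate without learning the value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "anon:" + digest[:24]


def prepare_for_recipient(event, recipient_groups, key=PSEUDONYM_KEY):
    """Build the view of `event` that a recipient belonging to
    `recipient_groups` is allowed to see. The original event is not modified."""
    shared = copy.deepcopy(event)
    for field in LOCAL_ONLY_FIELDS:
        shared.pop(field, None)
    visible = []
    for attr in shared["attributes"]:
        # The group name itself is not shared either: it would reveal that a
        # more trusted circle exists and what the attribute is about.
        group = attr.pop("restricted_to", None)
        if group is not None and group not in recipient_groups:
            attr["value"] = pseudonymize(attr["value"], key)
            attr["anonymized"] = True
        visible.append(attr)
    shared["attributes"] = visible
    return shared


if __name__ == "__main__":
    import json
    print(json.dumps(prepare_for_recipient(EVENT, {"sg-trusted-partners"}), indent=2))
    print(json.dumps(prepare_for_recipient(EVENT, set()), indent=2))
```

A trusted partner receives the internal destination address and hostname in clear; the wider community receives the same event with those two values replaced by tokens it can still correlate across our future events, and neither recipient receives the locally computed score or the matched-asset list. Rotating the key breaks correlation with earlier shares, which is sometimes what you want.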
Why would I share CTI when I can just use it?
This question has been widely discussed as one of the main gaps in current CTI platforms. The system relies on building a community: there are great benefits in consuming information from platforms like MISP, but no benefits in contributing to them. The more information we have access to, the better; yet if nobody shares, the system does not work as it should. Recent studies have therefore discussed the creation of CTI marketplaces, where incentives encourage companies to share threat information that may be valuable to others. Another option is to limit the amount of information an entity can obtain in proportion to the amount it shares.
What does the future hold for us thanks to CTI?
The average time to identify and mitigate a threat is commonly measured in days, while the time to compromise is measured in minutes. We need faster ways to identify and mitigate threats, but the overwhelming quantity of information that security experts must handle makes it hard to lower those times. Part of the solution could be reducing the quantity of data by filtering only the valuable information; the next step would be to automate responses. Repetitive, low-risk security incidents could be handled automatically, leaving specialists only those events that require genuine analytical skill in analysis and response. Progress toward automated response has already been made, for example through CACAO Playbooks, a standardized way of writing security playbooks that describes the steps and actions to follow in order to mitigate a threat. Standards such as STIX have moved in this direction: an extension to the Course of Action SDO has been defined to include CACAO Playbooks, and something similar has been done with MISP Security Playbook Objects.
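The script below is an added example of the "automate the low-risk steps, hand the rest to an analyst" idea, not a PHOENI2X component or a CACAO reference implementation. The playbook document follows the shape of a CACAO 2.0 mitigation playbook as the author of this example understands the OASIS specification (top-level metadata, a workflow_start pointer and a workflow of start, action and end steps linked by on_completion); that field layout is an assumption and the document has not been validated against the schema. The UUIDs are placeholders and "rpz-add" is a hypothetical command line tool. The executor is injected so the example runs offline and only records what it would have run.

```python
# Constructed playbook following the shape of a CACAO 2.0 mitigation playbook
# (assumption: field names as in the OASIS specification; the UUIDs are
# placeholders and the document has not been validated against the schema).
PLAYBOOK = {
    "type": "playbook",
    "spec_version": "cacao-2.0",
    "id": "playbook--00000000-0000-4000-8000-000000000001",
    "name": "Contain a C2 domain reported by a partner feed",
    "playbook_types": ["mitigation"],
    "workflow_start": "start--00000000-0000-4000-8000-000000000010",
    "workflow": {
        "start--00000000-0000-4000-8000-000000000010": {
            "type": "start",
            "on_completion": "action--00000000-0000-4000-8000-000000000020",
        },
        "action--00000000-0000-4000-8000-000000000020": {
            "type": "action",
            "name": "Sinkhole the domain on the resolver",
            "on_completion": "action--00000000-0000-4000-8000-000000000030",
            # 'rpz-add' is a hypothetical CLI, used only to illustrate a bash command
            "commands": [{"type": "bash", "command": "rpz-add c2.example 0.0.0.0"}],
        },
        "action--00000000-0000-4000-8000-000000000030": {
            "type": "action",
            "name": "Isolate the host that resolved the domain",
            "on_completion": "end--00000000-0000-4000-8000-000000000040",
            "commands": [{"type": "manual",
                          "command": "Confirm the host is not production, then isolate it"}],
        },
        "end--00000000-0000-4000-8000-000000000040": {"type": "end"},
    },
}

# Command types this example is willing to run without a human in the loop.
AUTOMATABLE = {"bash", "http-api", "openc2-http"}


def run_playbook(playbook, executor, approved_steps=frozenset(),
                 automatable=AUTOMATABLE, max_steps=100):
    """Follow on_completion links from workflow_start and return a trace of
    (step_id, outcome). `executor(cmd_type, command)` performs one command.
    A step containing any non-automatable command stops the run as
    'awaiting_approval' unless an analyst has put its id in approved_steps;
    once approved, its commands go to the executor like any other (for a
    manual command that means recording that the analyst carried it out)."""
    workflow = playbook["workflow"]
    step_id = playbook["workflow_start"]
    trace = []
    for _ in range(max_steps):  # bounded loop guards against cyclic workflows
        step = workflow.get(step_id)
        if step is None:
            trace.append((step_id, "error: dangling step reference"))
            return trace
        kind = step["type"]
        if kind == "end":
            trace.append((step_id, "completed"))
            return trace
        if kind == "start":
            trace.append((step_id, "started"))
        elif kind == "action":
            commands = step.get("commands", [])
            needs_human = any(c["type"] not in automatable for c in commands)
            if needs_human and step_id not in approved_steps:
                trace.append((step_id, "awaiting_approval"))  # nothing in this step runs
                return trace
            for c in commands:
                executor(c["type"], c["command"])
            trace.append((step_id, "executed"))
        else:
            trace.append((step_id, f"error: unsupported step type {kind}"))
            return trace
        next_id = step.get("on_completion")
        if next_id is None:
            trace.append((step_id, "error: missing on_completion"))
            return trace
        step_id = next_id
    trace.append((step_id, "error: step limit reached"))
    return trace


def dry_run(approved_steps=frozenset()):
    """Run the constructed playbook with an executor that only records commands."""
    executed = []
    trace = run_playbook(PLAYBOOK, lambda t, c: executed.append((t, c)), approved_steps)
    return trace, executed


if __name__ == "__main__":
    for step_id, outcome in dry_run()[0]:
        print(outcome, step_id)
```

On the first pass the sinkhole step runs unattended and the run stops at the isolation step, which is the high-impact action the text wants left to a specialist; a second run with that step id in `approved_steps` carries the playbook through to its end step. In a real deployment the gate would be driven by the incident's score and confidence as well as the command type, and the executor would be the SOAR or orchestration layer rather than a recording stub.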
PHOENI2X aims to address all the challenges mentioned above by enabling the automated processing of CTI events, with the final objective of generating and executing Security Playbooks to enhance cyber resilience for business continuity.
Authors:
Alejandro Antonio Moreno Sancho
Rodrigo Díaz Rodríguez
Cybersecurity Unit – Atos Research & Innovation