An overview of Threat Intelligence in Cybersecurity

What is threat intelligence?

If we google it, it will say that “Threat intelligence is information that an organization uses to understand the threats that have, will, or are currently targeting the organization. This info is used to prepare, prevent, and identify cyber threats looking to take advantage of valuable resources.

Why it is important?

By using the same example as before: the thief and the house. We may want to know if he is a mad person, if he works alone or how he chooses which house to compromise, and which tools it uses to achieve the rob. By knowing this we can set up defenses to prepare, prevent and identify anything that could make our house vulnerable. For example: Paying a security guard to do not leave the house alone for a long time, or maybe set up security cameras and alarms to monitor your perimeter, are some examples that we can do in such a scenario.

Figure #1. Zero-day timeline

Pyramid of pain (For the attacker)

When working with threat intelligence there is a cool pyramid of pain, which is “a model for the effective use of Cyber Threat Intelligence in threat detection operations, with a particular emphasis on increasing the adversaries’ cost of operations.” SANS

Figure #2. Pyramid of pain
  • Setup your own honeypot networks to understand the techniques
  • Reverse engineer malware to understand system artifacts
  • Use dark web monitoring service

Types of Threat Intelligence

There are 4 types of threat intelligence, each of them focusing on different phases, from the strategic to the operational part. Let’s check those in detail:

  • Technical: Refers to all the IP Addresses, URLs, Hash Values and this can be received from thread feeds, honey pots, and malware analysis. Basically provides information above an attacker’s resources that are used to perform the attack. You can use Threat hunting in your SOC for this type.
  • Tactical: Directly related to the TTP, procedures, toolkits, exploits, and frameworks usually consumed by cyber security professionals to understand the technical capabilities and goals of the attackers alongside the attack vectors. You can use correlation and detection in your SOC for this type.
  • Operational: This is all about human intelligence, provides info above specific threats against the organization. For example, the Threat actors, malware campaigns, are useful for predictions.
  • Strategic: Long-term impact, is related to high-level information about cyber security posture, threats, details regarding the money impact of various cyber activities. Is mostly within the kind of a report that primarily focuses on high-level business ways. Here you can have a countermeasure planning.
Figure #3. Types of Threat Intelligence

Attack frameworks & Intrusion analysis models

There are different models such as MITRE, Cyber kill of Chain, and Diamond model to be able to understand the TTP and perform intrusion analysis. The good thing is that you do not have to choose any of those, they are complementary!

Figure #4. Diamond Model
Figure #5. Cyber kill Of Chain

How Threat Intelligence information is consumed and shared?

As mentioned at the beginning of this post, Threat Intelligence is like a big database of Indicator Of Compromise (IoC) Which can be public (open source) or sold by different companies using a subscription bulletin.

  • Abuse.ch
  • OSINT Framework
  • shodan.io
  • IBM X-Force Exchange
  • Anomali ThreatStream
  • Palo Alto Netoworks AutoFocus

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Josué Carvajal

Josué Carvajal

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH