Cyber Threat Intelligence: knowing your opponent better, in order to anticipate.
For Jacques de La Rivière, CEO of Gatewatcher, Threat Intelligence is real added value for detection systems. Gatewatcher's detection solutions, qualified by the ANSSI (the French national cybersecurity agency), interface easily with threat intelligence feeds. Combined with next-generation detection engines, Gatewatcher products are able to detect the most sophisticated attacks.
It's no secret that knowing your opponent is a key factor in a company's security. For some years now, Cyber Threat Intelligence has been an essential tool for companies wishing to set up a genuine cyber-risk strategy. In this blog article, we look at what Threat Intelligence is and at the key steps for setting up a cyber threat intelligence program in a company.
What is Cyber Threat Intelligence (CTI)?
Cyber Threat Intelligence aims to collect and organise all information related to cyber threats in order to draw a portrait of the attackers and identify trends (sectors targeted, exploitation methods and techniques, and so on). CTI lets an organisation know itself and its adversaries better, defend itself accordingly, anticipate, and detect the first signs of an attack.
The term Threat Intelligence appeared in early 2011, when the first APTs (Advanced Persistent Threats) were widely publicised. Some organisations and state entities have been using this concept for a longer time.
The information collected may be of different types: markers and IOCs (indicators of compromise such as file hashes, domain names or IP addresses), past attacks, re-use of infrastructure, use of the same services, and specific techniques and methods (shared signatures, an identical domain registrant).
Many means of collection exist, including open source intelligence (OSINT), commercial and community feeds, social media intelligence (SMI or SOCMINT), human intelligence (HUMINT) and information gathered from the deep and dark web, together with the capacity to analyse and correlate it.
In a global drive to develop standards reusable by as many as possible, the means of sharing information are converging. CTI is communicated through open initiatives such as Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), developed in 2012. The Malware Information Sharing Platform (MISP) and OpenCTI, a project launched by the ANSSI in partnership with CERT-EU, are other tools for managing and sharing knowledge in cybersecurity analysis. This exchange of information also makes it possible to generate detection rules for monitoring tools such as an IDS or IPS.
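As an added example (not Gatewatcher code, nor part of STIX, MISP or OpenCTI), the following Python turns a STIX 2.1 indicator bundle into Suricata rules, the last step the paragraph mentions. The bundle, its indicator identifiers, domains, addresses and hashes are all constructed for the example from reserved documentation values; the `cti-sha256.txt` list name and the local SID range are assumptions. Beyond the conversion itself it shows the housekeeping a feed consumer needs: revoked and expired indicators are dropped, compound patterns are reported rather than silently lost, and every value is validated before it is written into rule syntax.

```python
"""Turn STIX 2.1 indicators into Suricata rules plus a SHA-256 block list.

Added example, not Gatewatcher code. Only single-comparison STIX patterns are
converted; the rest is reported under "skipped". Revoked and expired indicators
are filtered out, and every value is validated before it is spliced into rule
syntax, so a malformed or hostile feed entry cannot break the rule file.
"""
import ipaddress
import json
import re
from datetime import datetime

_SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                     r"[a-z][a-z0-9-]{0,61}[a-z0-9]$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_KINDS = {("domain-name", "value"): "domain", ("ipv4-addr", "value"): "ipv4",
          ("file", "hashes.'SHA-256'"): "sha256"}
SID_BASE = 1000000            # assumed: conventional SID range for local rules
HASH_LIST = "cti-sha256.txt"  # assumed name; one hash per line, used by filesha256


def _indicator(n, pattern, **extra):
    # Minimal STIX 2.1 indicator; constructed test data with hypothetical ids
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": "2024-01-10T00:00:00Z", "modified": "2024-01-10T00:00:00Z",
           "pattern_type": "stix", "pattern": pattern, "valid_from": "2024-01-10T00:00:00Z"}
    obj.update(extra)
    return obj


# Constructed bundle: three usable indicators, one expired, one revoked,
# one compound pattern and one hostile value (reserved example names/addresses).
SAMPLE_OBJECTS = [
    _indicator(1, "[domain-name:value = 'c2.example.net']"),
    _indicator(2, "[ipv4-addr:value = '198.51.100.7']"),
    _indicator(3, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
    _indicator(4, "[ipv4-addr:value = '203.0.113.9']",
               valid_from="2020-01-01T00:00:00Z", valid_until="2020-06-01T00:00:00Z"),
    _indicator(5, "[domain-name:value = 'old.example.org']", revoked=True),
    _indicator(6, "[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.0.2.2']"),
    _indicator(7, "[domain-name:value = 'bad\"; drop']"),
]
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
                            "objects": SAMPLE_OBJECTS})


def _ts(value):
    # STIX timestamps are RFC 3339 with a 'Z' suffix; return an aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _classify(pattern):
    # Map a single-comparison STIX pattern to (kind, value); None if unsupported
    m = _SIMPLE.match(pattern)
    if not m:
        return None
    obj_type, prop, value = m.groups()
    kind = _KINDS.get((obj_type, prop))
    return (kind, value.lower()) if kind else None


def _convert_one(obj, now_dt, sid):
    # Returns ("rule", text), ("sha256", digest) or ("skip", reason)
    if obj.get("revoked"):
        return "skip", "revoked"
    until = obj.get("valid_until")
    if until and _ts(until) <= now_dt:
        return "skip", "expired"
    parsed = _classify(obj["pattern"])
    if parsed is None:
        return "skip", "unsupported pattern"
    kind, value = parsed
    if kind == "domain":
        if not _DOMAIN.match(value):
            return "skip", "invalid domain"
        # bsize pins the query to the exact name; subdomains need their own indicator
        return "rule", (f'alert dns any any -> any any (msg:"CTI domain {value}"; dns.query; '
                        f'content:"{value}"; nocase; bsize:{len(value)}; sid:{sid}; rev:1;)')
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return "skip", "invalid ipv4"
        return "rule", f'alert ip any any <> {ip} any (msg:"CTI ipv4 {ip}"; sid:{sid}; rev:1;)'
    if not _SHA256.match(value):
        return "skip", "invalid sha256"
    return "sha256", value


def convert(bundle_json, now="2024-06-01T00:00:00Z"):
    """Return {"rules": [...], "sha256": [...], "skipped": [(indicator id, reason)]}."""
    now_dt = _ts(now)
    out = {"rules": [], "sha256": [], "skipped": []}
    sid = SID_BASE
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        kind, payload = _convert_one(obj, now_dt, sid)
        if kind == "rule":
            out["rules"].append(payload)
            sid += 1
        elif kind == "sha256":
            out["sha256"].append(payload)
        else:
            out["skipped"].append((obj["id"], payload))
    if out["sha256"]:
        # Hashes go to HASH_LIST; one list-backed rule matches any file digest in it
        out["rules"].append(f'alert http any any -> any any (msg:"CTI file hash match"; '
                            f'filesha256:{HASH_LIST}; sid:{sid}; rev:1;)')
    return out
```

`convert(SAMPLE_BUNDLE)["rules"]` yields one DNS rule, one IP rule and one hash rule, while the four other indicators are listed under `skipped` with their reason. Write `out["sha256"]` to `cti-sha256.txt` next to the rules file; Suricata's `filesha256` keyword compares the digest of each extracted file against that list. The `now` parameter exists so that expiry is evaluated against a fixed clock in tests; in production leave it at the current time.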
How to set up a Cyber Threat Intelligence program within your organisation?
Implementing a new tool and new ways of working first requires asking the right questions. Not all collected data is relevant, so the Cyber Threat Intelligence program must be framed before the project starts.
First, what is at stake for the company's security in the event of an attack must be defined: what must be protected? What information would an attacker want to steal or destroy?
Once the answers to these questions have been formalised, the objectives of setting up a CTI program within your organisation must be determined. They must be clear and achievable, and also easily measurable against pre-established indicators and criteria.
Once the needs have been expressed and the objectives set, the data collection phase begins, with the deployment of different "sensors", for example exploiting open sources accessible on the Internet (OSINT).
Then comes the data processing phase, which makes the data easier for analysts to exploit. All information collected (IOCs, malware, geopolitical context, attacker methods) must be contextualised and enriched to become actual intelligence. This is where the analysis phase begins, which still relies largely on the analyst's expertise. At the end of their work, they produce a report, which should be distributed to the right people, at the right time and in the right format.
How to detect the most sophisticated attacks?
Download our whitepaper on the latest rising threat: Hybrid Malware.