Written by Devin Partida
A successful breach can do serious damage to a business, costing a company millions of dollars in lost revenue, exposed intellectual property, downtime, reputation loss and fines. The right practices can help keep a company safe — but only if they know what threats to look for, and where their network is weakest. Cyber threat intelligence is the process through which companies identify weaknesses in their own networks. It’s essential in keeping modern networks safe from the growing threats posed by cybercriminals.
Cyber threat intelligence (CTI) is an emerging field dedicated to the study of cyber threats and risks. The application of CTI allows businesses to identify and prepare more effectively for cyber threats that they may face, even when the motives and desires of malicious cyber actors remain unknown. According to Gartner’s definition, threat intelligence is “evidence-based knowledge about an existing or emerging menace or hazard to assets.” This knowledge can be used to guide security policy and network designing, helping a business and its employees to account for vulnerabilities and strengthen the network against known threats. In practice, CTI may look like cybersecurity research, internal security audits and real-time network monitoring. It may also look like the application of data gathered by those workflows in the development of new security practices or the adoption of security technology. A critical component of CTI is security information and event management (SIEM) software, which provides a business with insights and log data of activities within its IT environment. Often, businesses also use CTI platforms that include features like global security feeds and AI-powered security analysis algorithms. These tools can help the business’s IT team more effectively, characterize the threat landscape, and monitor the business network. They may also integrate with an intelligent SIEM or similar technology, helping to unify a business’s cybersecurity stack.
Whether they’re acting alone, together or on behalf of a nation-state, hackers and cyber attackers typically rely on a few popular tactics and strategies. For example, a growing number of attacks rely on social engineering to take advantage of human weak points rather than technological vulnerabilities. Phishing attacks, one of the most common types of social engineering attacks, were used by hackers to gain access to the network of Colonial Pipelines. This access allowed the hackers to deploy ransomware and take the business’s network hostage. Identifying vulnerable assets and potential avenues of attack can allow businesses to implement new policies — like company-wide security training — that help reduce the risk of a successful attack.
While each business faces its own set of unique threats and vulnerabilities, the application of CTI for every business typically follows the same rough cycle of steps — sometimes called the “intelligence cycle.” These steps allow businesses to gain more understanding of the threats they face, as well as better understand what they don’t know. In turn, this allows them to ask better questions, beginning the cycle again with more information and new goals. The cycle typically looks similar to this outline:
Businesses typically begin by determining what kind of CTI they need. To do this, the business determines the scope of its CTI process and establishes objectives. These objectives should be clear, specific and lay out what kind of value the business wants to extract from its CTI cycle. Typically, this planning phase will be guided by a manager, like a CISO, and involve the business’s IT and cybersecurity teams.
Next, the business will gather data on its network and potential threats, using established objectives and scope as a guide. Key data sources may include network logs and metadata, threat hunting and threat detection data from cybersecurity researchers or information from interviews with subject matter experts. These data sources may identify specific security threats and threat actors. They may also provide insights into the effective use of tools like security information management (SIM) software, security event management (SEM) technology and SIEMs. The information will be a mix of data specific to the organization and threat research that comes from the industry at large. This mixture of internal and external research will help make it useful for insider threat detection. The scope set in the pre-planning phase will be extremely important during the data collection phase. Too much data can provide the business with false positives or negatives on potential threats while also making it harder to meet goals for both data quantity and quality.
Once gathered, that security data needs to be analyzed. Now, the business’s IT team will organize and break down the data collected in the previous phase. Data type and source will determine how the data should be processed. Network traffic analysis (NTA), for example, helps businesses to extract the most valuable insights from network traffic information. In other cases, it may be possible to simply review and condense data, highlighting the most important conclusions or insights. Interviews with cybersecurity experts, for example, can typically be processed in this way. This approach can break down a lengthy interview into easily understandable action points, recommendations or observations. Once the business has analyzed its data, it will organize uncovered insights into a form that people outside the research team can easily understand — like brief memos, slideshows or white papers, depending on the research team’s audience. These communications typically include some recommended actions the business can take to make its network safer.
The business will now put the insights it has uncovered into practice. The research team will disseminate reports and other writing generated during the previous phase to relevant team members and managers. They may offer presentations or host seminars to discuss their findings. The company will have a period of open discussion, where staff from outside the research team will be able to review the research and offer feedback. At this point, the management team will know what steps they can take to make their network more secure, optimize cyber threat hunting and improve their incident response strategy. After implementation of these new policies begins, the cycle can start over, with a new focus and scope.
CTI is essential for businesses wanting to keep their networks as secure as possible. Regular cycling through the CTI process will help businesses continually strengthen their knowledge of potential threats and threat actors — making it easier for them to develop a more sophisticated cyber defense.
Therefore, SIEM solutions are considered one of the most prominent components of cyber security.
Security data lakes are helpful resources for improving enterprise security. Once you’ve established your data lake, an advanced SIEM tool...