Over the last year, we have seen the cyber threat intelligence, CTI, community growing and diversifying; as a result, the way threat intelligence is being used has also evolved. However, a survey conducted by SANS, sponsored by ThreatQuotient, recently revealed that 1 out of 5 companies are still unsure of CTI’s value to their organisation.
CTI analyses information about the intent, capabilities and opportunities of adversaries in cyberspace. It is a valuable resource for organisations and individuals serving in roles requiring to be prepared for the wide range of threats that their organisation is facing. To help organisations realise the value of CTI, we compiled a list of benefits this resource can bring:
Tracking threat behaviours
Security organisations tend to consider intelligence as an indicator feed. They’re not wrong, but CTI can offer so much more value than that. Not only does it help to enrich alerts with technical details about specific attacks and campaigns, it is also a source of information around threat behaviours and adversary TTPs. Encouragingly, 27% of the SANS survey’s respondents perceived this as the greatest value to their threat detection and response. As organisations become more familiar with threat behaviours, adversary TTPs and how to leverage them, these figures will certainly continue to rise.
Another way to leverage CTI is to classify and share adversary behaviours across organisations, for example through utilising a framework like MITRE ATTA&CK. These frameworks help organisations to track the types of threat behaviours that are active within their industry, allows them to have a better collaboration process and subsequently prioritise actions that must be undertaken across architecture, security operation and response functions.
Identify digital footprint or attack surface identification
Organisations can also take advantage of this intelligence by identifying digital footprint or attack surface identification. This means that they are able to have a clear overview of all their external assets accessible from the internet, as well as assets that can be attacked and compromised by attackers. Eventually, being aware of these, combined with adversary TTPs, helps prioritise which threats and/or vulnerabilities should be taken care of.
It comes as no surprise therefore that 81% organisations have seen their security and response improve since they started producing or leveraging CTI. For those organisations who are unsure about the impact of CTI on their security and response, they should consider, and measure, the average resolution time of security incidents when CTI analysts participate and compare to those times to when they didn’t. This would help them to appreciate how much it has enriched the understanding of security incidents and response but also the process, allowing to resolve issues quicker.
Find a sharing partnership that will benefit your organisation
In recent years, we have seen a growing interest in collaborating and sharing information amongst security teams. As a result of this trend, multiple solutions have emerged providing organisations with the right tools to tackle cyber threats such as threat library, endpoint detection and penetration testing.
Beyond the data being shared, information sharing programmes have a wide range of benefits. From point-of-contacts to advocacy for security and best practices, participating in an information-sharing group provides a secure and confidential environment for organisations to increase situational awareness and reduce the impact on organisations.
Collaborate with governments and ISACs
We mention collaboration above, and CTI shows even more value as it isn’t limited to the private sector. Indeed, security teams also have the opportunity to share their intelligence and collaborate with their peers in the government and other public entities. Collaboration with the latter can be done through an Information Sharing and Analysis Centre, a non-profit organisation providing a central resource to gather information related to cyber threats to critical infrastructure. Such centre is based on a two-way sharing of information between the private and public sector.
Surprisingly, the SANS survey revealed that this smart way to make the most of the intelligence and better defend against threat has only seduced 40% of organisations. The biggest value propositions of CTI coming from governments and ISACs perceived by these were the timely and relevant threat information, points of contact at member organisations and advocacy in the community for security.
If ISACs enable a development of the expertise around threat intelligence, governments are in a good position too to bring the community together and support collaboration across industries; and organisations seem to be more reliant on it with 51% of the SANS survey’s participants taking advantage of this data source.
A growing interest from the public sector
Whilst sources of government CTI are multiplying, only half of the community is actually taking advantage of it. Yet, governments have matured their own understanding of private sector cyber threats over the last years. They can now give additional context and track adversary behaviours including their tactics, techniques and procedures, and don’t have to only rely on indicators of compromise anymore. The problem with IoCs is that they gained lot of attention on the market even though they simply indicate computer intrusions.
In a nutshell, they tend to be too generic to provide long-term and strategic intelligence value.
These are only few benefits organisations can get by leveraging CTI, but as the intelligence is growing to include TTPs, threat behaviours, attack surface awareness and strategic assessments, so is the maturity of the CTI process itself. Organisations are increasingly developing intelligence requirements, producing, consuming and sharing intelligence. Moving forward as a community, information sharing is the key to benefit organisations’ security posture.
By Anthony Perridge, VP of International at ThreatQuotient.