How to Use Cyberthreat Intelligence to Proactively Reduce Cyberrisk

In 2022, a good cybersecurity defense has many layers. One of these layers is more important today than it was several years ago. To defend a fort, one needs to know as much about the attacker as possible. In cybersecurity, that requires sufficient cyberthreat intelligence. A good general would never go into a battle without knowing the capabilities and strengths of their attacker. In the Art of War, Sun Tzu said:

Thus, what enables the good general to strike and conquer, and achieve things beyond the reach of ordinary people, is foreknowledge. Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience, nor by any deductive calculation. Knowledge of the enemy's dispositions can only be obtained from others.¹

Cyberthreat intelligence is the analysis of relevant threat data using various tools and techniques to collect meaningful information about existing or emerging threats targeting an organization in a way that reduces risk. Cyberthreat intelligence programs may yield information about industrial vertical attacks. One aspect of threat intelligence may be dark web reconnaissance, which can reveal stolen credentials and valuable network information that could be used to assist a threat group in breaching a network. The collection of cyberthreat intelligence allows organizations to make rapid, more informed security decisions and change their behavior from reactive to proactive to combat cyberattacks.

Cyberthreat intelligence can also be woven into an organization’s overall risk management program in conjunction with its cybersecurity program. When looking at an enterprise’s risk profile and business impact analysis, adding rapidly actionable items such as threat intelligence offers a definitive approach to reducing risk and adding a new layer to the many ever-changing layers needed to secure the network.

Why Gather Cyberthreat Intelligence?

Cyberthreat intelligence prepares organizations to be proactive with their intelligence capabilities by building logical defenses rather than being forced to react to unknown scenarios and adversaries. Without understanding security vulnerabilities, threat indicators, attack tools, and how threats are conducted, it is impossible to effectively combat cyberattacks. Using threat intelligence, enterprise security teams can prevent and contain attacks faster, reducing any expenses, downtime, and data loss in the event of a cyberattack. Threat intelligence can improve enterprise security across the board, including network, endpoint, end-user, and cloud security. This layer of security further reduces risk and should be utilized to the fullest extent whenever possible.

Without understanding security vulnerabilities, threat indicators, attack tools, and how threats are conducted, it is impossible to effectively combat cyberattacks.

What Are the Types of Cyberthreat Intelligence?

Cyberthreat intelligence can be categorized as strategic, tactical, technical or operational. To ensure robust data collection, it is worth examining the 4 categories of threat intelligence:

1. Strategic cyberthreat intelligence—Provides an overview of an organization’s threat landscape. It does not include technical details and can be used for executive-level security professionals to drive high-level organizational strategy based on the findings. Ideally, strategic cyberthreat intelligence provides information associated with vulnerabilities and risk around the organization’s threat landscape. It details preventive actions, threat actors and their goals, and the severity and impact of the potential attacks.
2. Tactical cyberthreat intelligence—Consists of specific details about threat actors’ tactics, techniques and procedures (TTP) and is mostly used to help an enterprise security team understand attack vectors. This type of intelligence provides insights into how to build a defense strategy to mitigate attacks. A tactical cyberthreat intelligence report includes details about vulnerabilities in the network perimeter infrastructure that attackers could penetrate and how to identify such attacks. The report findings are used to improve existing security controls/defense mechanisms and help cyberprofessionals identify and remove the vulnerabilities in the network.
3. Technical cyberthreat intelligence—Focuses on specific log details, artifacts or evidence of an attack and creates a baseline to analyze future attacks by scanning for indicators of compromise (IOCs) (e.g., Internet Protocol [IP] addresses, phishing emails, malware, malicious links). Technical intelligence must be shared soon after it is collected because IOCs such as malicious IP addresses or uniform resource locators (URLs) can change very quickly.
4. Operational cyberthreat intelligence—Is related to cyberattacks, events or campaigns initiated by threat groups. It offers specialized intelligence that assists enterprise security teams in understanding the nature, intent and timing of specific attacks. Because this usually includes very technical information such as which attack vector is being used, which command and control domains are being used, and which vulnerabilities are being exploited, operational cyberthreat intelligence can also be considered a type of technical cyberthreat intelligence. A common source of technical information is a cyberthreat data feed, which usually focuses on a single type of indicator, such as malware hashes or suspicious domains. Other information about specific attacks can come from closed sources such as the interception of threat group communications, either through covert infiltration or by hacking into the channels of communication. Often, dark web reconnaissance may be used for this process. In fact, a security analyst may be operating covertly on the dark web to gather such information. In some cases, the analyst may be an undercover virtual member of a threat group and can use information to protect their enterprise or clientele.
   Consequently, there are several obstacles to gathering operational cyberthreat intelligence:
   
   • Threat groups usually communicate over encrypted or private chat rooms, and gaining access to these channels is challenging and takes a considerable amount of time.
   • It is difficult to gather relevant intelligence from the extensive amount of chatter in chat rooms or other communication channels.
   • Threat groups may use confusing, coded or ambiguous language so that no one can understand conversations.
   
   Operational cyberthreat intelligence focuses on information about actual attacks. It gives detailed insights into factors such as technique, motive (often financial), timing and how an attack can be successful.

Cyberthreat intelligence solutions can also rely on machine learning (ML) processes and artificial intelligence (AI) for automated data collection and analysis on a large scale.² A solution that uses natural language processing (NLP), for example, is able to gather information from multiple language sources without needing human expertise to translate it.

Building a Cyberthreat Intelligence Program

Most cyberthreat intelligence programs combine thousands of cyberthreat intelligence feeds into a single feed. This enables the collection of consistent, concise and actionable details about cyberthreat events and allows cyberprofessionals to identify trends or changes in threat group activity. A good program consistently describes cyberthreat activity in a way that allows for efficient information sharing and threat analysis. It assists the enterprise security team by comparing the feed with internal telemetry and creates use cases with specific alerts.

A good [cyberthreat intelligence] program consistently describes cyberthreat activity in a way that allows for efficient information sharing and threat analysis.

After relevant cyberthreat information is extracted from collected threat data, it must be processed and analyzed in a structured manner to harden security controls and prevent future cyberattacks.

Enterprise Objectives for Threat Intelligence
Aligning enterprise security objectives with business objectives is paramount in creating a cyberthreat intelligence program. The data, assets and business processes (i.e., crown jewels)³ that need to be protected should be well defined and a detailed business impact analysis report for the loss of these assets should be created. This helps determine what type of cyberthreat intelligence is required and who should disseminate the information and be responsible for building defenses or alerting based on the collected intelligence.

Cyberthreat Intelligence Strategy and Application
Cyberthreat intelligence strategy requires highly detailed planning with the application of tools, techniques, and methodologies, followed by periodic and documented reviews to check the effectiveness of the plan. While developing the strategy, one must consider their cyberthreat intelligence capabilities and structure the program accordingly, which may include garnering support from different departments across the organization.

Cyberthreat Intelligence Frameworks

A cyberthreat intelligence framework creates the necessary intelligence to respond to cyberattacks by managing, detecting and alerting enterprise security of potential threats. It provides an actionable plan to deter, stop or mitigate the attacks by collecting the latest threat information.

Cyberthreat intelligence can be collected in a number of ways, including:

• Data collection using open-source intelligence (OSINT)—This includes data collection through open sources such as search engines, web services, website analysis and logs, emails, Whois lookups,⁴ domain name system (DNS) interrogation, or automated efforts using tools, frameworks or scripts.
• Data collection through cyber counterintelligence (CCI)—With this approach, relevant threat data is collected through honeypots, passive DNS monitoring, pivoting off an adversary’s infrastructure, dark web reconnaissance, malware sinkholes, and yet another recursive/ridiculous acronym (YARA) rules.
• Data collection using human intelligence (HUMINT)—This process involves collecting data through human-based social engineering techniques, interviewing and interrogation. The analyst may search social media platforms such as Facebook, Twitter, or LinkedIn to find information that could be used to attack the enterprise network. Such information may have been published by a well-intentioned employee, but it can inadvertently disclose valuable details that could be used to breach the enterprise network.
• Data collection through IOCs—Digital evidence data are collected from internal and external sources, and by creating custom threat IOCs.
• Data collection through malware analysis—Malware analysis is the process of understanding the origin, impact, intentions and capabilities of malware and how it functions by deploying analysis tools. Malware functions in many covert ways and gathers valuable information about users, accounts and networks.

Conclusion

It is important to observe how cyberthreat intelligence can prevent significant impact by exploring this hypothetical scenario. Consider the chief information security officer (CISO) at a fictional enterprise, Widgets Inc. As part of its defenses, it has implemented a robust cyberthreat intelligence program. Today, the CISO collected cyberthreat intelligence that shows that a specific threat group has infiltrated the network of another enterprise that sells widgets. The threat group exfiltrated valuable data about designing and building widgets and is offering to sell this information to anyone with enough cryptocurrency in a store on the dark web. Imagine the impact this would have on the organization. It is not a pretty picture.

As part of this intelligence, the CISO learned the breach occurred through a phishing email that originated from a specific IP address, with a specific subject line and email body verbiage. Since the CISO at Widgets Inc. has a robust cyberthreat intelligence practice, the organization could block this IP address and email subject at both the firewall and simple mail transport protocol (SMTP) gateways. Widgets Inc. could also send a warning to all users about the situation and the risk it poses.

With this type of approach, the threat group’s opportunity to victimize Widgets Inc. has been thwarted and they will be forced to target another enterprise. This is a simple scenario that illustrates the benefits of robust cyberthreat intelligence, but there are many other examples available.

The ability to proactively learn about the tactics and capabilities of an attacker provides an excellent opportunity to prevent the attacker from entering the fort or doing any damage to the fort’s walls.

Endnotes

¹ Tzu, S.; The Art of War, The Internet Classics Guide
² The Recorded Future Team, “Machine Learning: Practical Applications for Cybersecurity,” Recorded Future, USA, 14 March 2018
³ Barnett, P.; “Protecting the Crown Jewels: Securing Critical Assets,” Secureworks, 11 November 2021
⁴ Whois.com, Whois Domain Lookup

Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP

Is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures and mechanisms to respond to security events of any size.