Cybersecurity threats are evolving. CISOs and CIOs are faced with new threats that require an appropriate strategy to provide resilience to defenders.
This is how the CTI (or threat intelligence) services came into being and started to play their role in organisations with the objective of “collecting and organising all information related to threats in Cyberspace”.[1]
However, the vision of CTI is still unclear to some organisations. CTI responds to issues and a vision that are not always accurate. We have already devoted an article to why teaming up brings better security, let’s now look at the 4 major challenges of CTI.
CTI: an asset
A study by Forrester Consulting[2] mentioned “a considerable gap between the speed with which organisations detect ransomware and the speed of an attack”. The impact of such attacks on business (loss of revenue, loss of data, damage to reputation, etc.) is well documented. This study clearly demonstrates the importance of intelligence within a cybersecurity team.
By providing organisations with actionable threat intelligence alerts in real time, CTI teams help protect their assets. Our AI: CYBERIA algorithms monitor and identify both threats and threat actors, enabling teams to quickly identify targeted cyber attacks against organisations.
TEHTRIS CYBERIA is a global and collective Artificial Intelligence. It is the result of a combination of cutting-edge techniques in Machine Learning, Deep Learning, Active Learning and Reinforcement Learning.
With its extended monitoring of all components of the TEHTRIS XDR Platform, it becomes an ally for continuous monitoring of your systems, connected to TEHTRIS Cyber Threat Intelligence.
CTI is a tool for strategic decision making.
It adds a brick to the existing security arsenal. Thus it provides :
- time saving (it allows to optimise the relevant information for the analyst)
- decision support (faster and better decision making)
- help with customer communication
- assistance in risk assessment
- an input into crisis management
- help in reducing the average cost of a violation.
Threat intelligence is valuable information that will help to avoid or reduce risks. Contextualised information becomes intelligence.
Without context, information loses its usefulness and wastes the time of analysts drowning under the volume of data. With the help of artificial intelligence, CTI teams will be able to aggregate the different information flows and give them meaning. TEHTRIS’ self-intelligent learning automates both data collection and processing, and links information to provide structured data.
This will enable SOC teams to understand who their enemies are: what motivates a cybercriminal and what their attack techniques are. The integration of proactive threat intelligence increases incident response capabilities. With this information in hand, technical teams will know which penetration indicators to look for and can make the right decisions, avoiding wasted time.
The intelligence obtained must therefore be accessible and adapted to the operational environment (it will be necessary to constantly adapt to changing environments) and of course actionable. Thus, the SIEM must be integrated with the CTI.
The SOC can thus retrieve information on :
- catalogues of phishing URLs
- attack scenarios that will allow vulnerabilities to be corrected
- Reputation domains and IP addresses.
- information on malware
- information on command and control (C&C) areas
Threat intelligence will allow :
- to develop new detection rules and correlations.
- to discover data leaks.
The SOC (Security Operations Center) is therefore a beneficiary…and not the only one!
The CTI: a team effort
The initial vision of Cyber Threat Intelligence (CTI) is often to work only with the Security Operations Center (SOC) teams and to play a supporting role to the teams responsible for security operations and incident response. However, a good CTI today needs to interact with multiple departments within the company and interact with its entire cyber microcosm and the entire organisation, from the SOC threat analysts to the COMEX (executive committee).
The entire enterprise ecosystem needs to be connected to the intelligence teams. Collaboration between different teams allows for a unified approach to dealing with and responding to incidents and threat information needs to be combined with the surveillance infrastructure.
The CTI team should therefore be connected and share with other stakeholders such as :
- Vulnerability Operations Center (VOC) teams for partners
CTI allows the monitoring, qualification and prioritisation of vulnerabilities, put in context. Without risk assessment, defenders cannot make the right decisions.
- technical teams, from architects to incident response managers.
These teams are thus better equipped to neutralise the attack. Contextualisation will enable better analysis and anticipation of threats according to the sector of activity, current events or new technologies…
All contextualised information increases the effectiveness of new technologies such as anti-spam, anti-malware, EPP, EDR, etc. Analysts need real-time intelligence provided in a hyper-automated way. This is what the TEHTRIS XDR Platform offers. CTI is an asset for your anticipation.
- Management: CISO, CIO, CFO, Board of Directors
The information provided will help answer strategic and operational questions.
Strategic intelligence has a long-term objective. This data will allow management to model the threats that may target their organisation. The organisation will be able to map and assess trends through analysis of campaigns, threat groups and vulnerabilities. These results allow for the development of a robust protection plan, scenario planning and preparation.
This will enable management teams to reduce long-term risks.
Intelligence is collective
Acting as a “community” for collaborative cybersecurity is one of the major challenges of Cyber Threat Intelligence: sharing knowledge allows everyone to learn about attacks and thus to better protect themselves.
Such communities already exist, such as the Cyber Threat Alliance (CTA) of which TEHTRIS is a member or INTERCERT.
The objective of this Cyber Threat Alliance is to give each member access to quality cyber intelligence via a shared platform maintained by the consortium. This initiative allows for the qualitative harmonisation of usable cyber intelligence, to extend the practices of use to the greatest number, and thus to reinforce the capacities to fight cybercrime.
This sharing should not remain intra-company. It is important to share the same information (anonymised and respecting the interests of customers) with the cyber intelligence community.
This information needs to be shared to make the entire security ecosystem (governments and administrations, private sector organisations and their suppliers) more informed. In this way, companies can become aware of impending dangers and prepare themselves accordingly.
The next step is Extended Threat Intelligence (XTI), which provides an inventory of the external attack surface and shares contextual data. This new approach provides visibility without blind spots.
It is through this coordination that we are stronger.
A good CTI is a diverse team
In order to protect oneself effectively from computer attacks, one needs to know the techniques and methods of attack of cybercriminals. Technical teams are needed to do this analysis, but not only.
The political, economic and cultural context will require a wide variety of profiles that were not previously thought to be part of cybersecurity teams. For example, linguists, economists, political scientists, psychologists, etc. now have their place!
This perspective with other disciplines is essential to understand the issues and motivations behind certain threats. This complementarity of profiles becomes essential. The concept of multidisciplinarity must be integrated into your cyber strategy. Sharing the complementary knowledge of analysts coupled with the know-how of each member of the organisation will allow the best security solutions to be developed, seen from different angles.
The TEHTRIS XDR toolkit, which includes EDR, SIEM, NTD and SOAR, is natively equipped with integrated threat intelligence. This combination of technologies allows you to strengthen your security and improve your defence.
[1] Wikipedia
[2] Forrester. Automation and Unification Enable a Cohesive Attack Surface Defense.2022