Inside the SOC: Making The Most of Cyber Threat Intelligence
Posted by Mike Clark
Over the past 20 years, the security landscape has changed greatly. At the turn of the century there were hackers and crackers; they have since evolved into what we now call "threat actors." Organized groups were already operating, but there was very little visibility into their activities outside of three-letter government agencies. Groups like the Honeynet Project documented their actions in the wild, and that work was the infancy of modern cyber threat intelligence. The rising focus on indicators and adversary movements provided a window into the threat's motives, tools, and tactics.
Today, cyber threat intelligence has matured well beyond those humble beginnings. There are a number of standards, numerous companies offering intelligence feeds, and threat intelligence platforms to manage it all. Despite that growing maturity, cyber threat intelligence is still commonly not well defined or understood, because it crosses many boundaries in the security world. What gets the most attention is attribution: putting a face or a name on the individual or entity responsible for an attack. While interesting, attribution is just the frosting on the proverbial threat intelligence cake. The value of threat intelligence is learning who is targeting you and studying how they are going to do it before the attack happens. If the attack succeeds, putting a name on the attacker is of little consolation unless you are in the business of prosecuting, which is extremely rare. Preventing a successful operation against your organization has always been my primary goal for cyber threat intelligence. It is impossible to thwart every adversary every single time, but the true test is taking the infections you did defeat and studying them to better prepare for future attacks.
This can be accomplished in a number of ways, but the most traditional is by leveraging indicators of compromise. Why indicators? Primarily because they are the low-hanging fruit: easy for both humans and tools to consume. If your security tools can detect these known quantities, they can block them. The uphill climb for defenders is that indicators are easily changed. Registering a new burner email account for the next spearphishing campaign, or changing a single byte in a piece of malware to alter its MD5 hash, can sidestep detection signatures. It continues to be a cat-and-mouse game, but the due diligence of tracking indicators is still, and will always be, a necessary fight. Identifying an adversary's tactics, techniques, and procedures (TTPs) is the defender's ideal, because most threat actors favor particular attack styles: an adversary's indicators come and go, but its TTPs typically remain constant, and analysts who study them become experts on how that adversary operates. TTPs provide a higher-level view of how an attack may look. For example, an attacker targeting your industry may use spearphishing with malicious Word documents that download a particular family of malware. That information can be used to ensure your defenses are prepared for the behavior, not just the current file hash. Combined with indicators, TTPs begin to show the true potential of cyber threat intelligence for augmenting your security infrastructure.
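To make the indicator-versus-TTP distinction concrete, here is an added example (my own illustration, not code from the original post or from any product) that runs both kinds of matching over three constructed endpoint events. The feed values, hostnames, sender addresses and the `office_spawns_script_host` rule name are all made up for the demonstration. The second event is the same campaign after the adversary re-registers a burner address and flips one byte in the document: every indicator misses, but the behavioral rule still fires.

```python
"""Indicator matching versus TTP matching over constructed endpoint events.

Added example; all feed values and events below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed "threat intel feed": a file hash and a sender seen in a prior campaign.
KNOWN_BAD_MD5 = {hashlib.md5(b"dropper-v1").hexdigest()}
KNOWN_BAD_SENDERS = {"invoice@example-burner.test"}

# Constructed TTP rule: an Office application spawning a shell or script host,
# the behavior behind "malicious Word document downloads a malware family".
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass
class Event:
    host: str
    sender: str          # sender of the email that delivered the attachment
    attachment_md5: str  # hash of the attachment that was opened
    parent: str          # process that opened the document
    child: str           # process it spawned ("" if none)


def match_indicators(ev: Event) -> List[str]:
    """Exact-match lookups against the feed: cheap, precise, and brittle."""
    hits = []
    if ev.attachment_md5 in KNOWN_BAD_MD5:
        hits.append("md5:" + ev.attachment_md5)
    if ev.sender.lower() in KNOWN_BAD_SENDERS:
        hits.append("sender:" + ev.sender)
    return hits


def match_ttps(ev: Event) -> List[str]:
    """Behavioral rule: survives hash and sender changes because it keys on the technique."""
    hits = []
    if ev.parent.lower() in OFFICE_PARENTS and ev.child.lower() in SCRIPT_CHILDREN:
        hits.append(f"office_spawns_script_host:{ev.parent}->{ev.child}")
    return hits


def triage(events: List[Event]) -> Dict[str, Dict[str, List[str]]]:
    """Return, per host, which indicators and which TTP rules matched."""
    return {ev.host: {"iocs": match_indicators(ev), "ttps": match_ttps(ev)}
            for ev in events}


# Constructed sample events.
SAMPLE_EVENTS = [
    # Known campaign: hash and sender both in the feed, and the behavior is present.
    Event("ws-01", "invoice@example-burner.test",
          hashlib.md5(b"dropper-v1").hexdigest(), "WINWORD.EXE", "powershell.exe"),
    # Same campaign after a new burner address and a one-byte change to the document.
    Event("ws-02", "billing@example-burner2.test",
          hashlib.md5(b"dropper-v2").hexdigest(), "WINWORD.EXE", "powershell.exe"),
    # Benign: a document is opened and nothing is spawned.
    Event("ws-03", "colleague@example.test",
          hashlib.md5(b"quarterly-report").hexdigest(), "WINWORD.EXE", ""),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Running it shows ws-01 caught by both layers, ws-02 caught only by the TTP rule, and ws-03 clean. In a real SOC the TTP rule would be expressed in the EDR or SIEM's own rule language and tuned against legitimate macro-driven workflows, but the division of labor is the same: indicators catch the known, behavior catches the variant.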
Striking a Balance
Traditional intelligence gathering also plays a role in its cyber counterpart. Security operatives infiltrate threat actor groups and their communication channels to get information from the source rather than from an incident response engagement after the fact. A treasure trove of information can be gained from these operations, including upcoming targets, new tools in use, and existing intrusions. The challenge with this type of information is that it is often unstructured and not digestible in a machine-readable way.
This is the forefront of cyber threat intelligence: taking unstructured information and making it actionable within an acceptable time frame. It is a challenging prospect because of all the noise generated through different channels, which forces analysts to filter out data that is not relevant to their organization. This is one of the areas where a threat intelligence platform can help, by ensuring that intelligence is collected, aggregated, structured, learned from, and converted into action. If successful, an intelligence-driven security operation can provide extremely valuable proactive information that prevents successful intrusions. As cyber security professionals, that is our primary goal.
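The "collected, aggregated, structured" step above is the part a platform automates, and the following added example (my own illustration, not code from the original post or from any vendor's platform) shows the minimum it has to do: refang defanged indicators in two constructed forum excerpts, extract them, and fold them into one deduplicated table that records where and when each was seen. The excerpt text, source names, timestamps and every indicator value are constructed (the hash is arbitrary hex, the addresses are from documentation ranges, the domain uses the reserved .test TLD); the `refang`, `extract` and `aggregate` function names are mine.

```python
"""Turn unstructured intel notes into structured, deduplicated indicators.

Added example; the notes and every indicator value below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed notes from two sources. Actors and analysts often "defang" indicators
# ("hxxp", "[.]") so that a naive grep or an email client does not treat them as links.
RAW_NOTES = [
    ("forum-thread-A", "2024-03-01T10:00:00Z",
     "new dropper staged at hxxp://update[.]example-c2[.]test/payload "
     "md5 0f1e2d3c4b5a69788796a5b4c3d2e1f0 targets finance team next week, "
     "c2 at 203[.]0[.]113[.]7"),
    ("forum-thread-B", "2024-03-02T08:30:00Z",
     "same crew, same host update.example-c2.test also pushing 198.51.100.23"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[a-fA-F0-9]{32}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so the regexes see real indicators."""
    t = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return t.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def extract(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs found in one note, normalized to lowercase."""
    t = refang(text)
    found = [("ipv4", ip) for ip in IPV4.findall(t)]
    found += [("md5", h.lower()) for h in MD5.findall(t)]
    # DOMAIN requires an alphabetic last label, so dotted IPs are not double-counted.
    found += [("domain", d.lower()) for d in DOMAIN.findall(t)]
    return found


def aggregate(notes) -> Dict[Tuple[str, str], dict]:
    """Merge all notes into one table keyed by indicator, tracking sightings."""
    table: Dict[Tuple[str, str], dict] = {}
    for source, seen_at, text in notes:
        ts = datetime.fromisoformat(seen_at.replace("Z", "+00:00"))
        for key in extract(text):
            rec = table.setdefault(key, {"first_seen": ts, "last_seen": ts, "sources": set()})
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
            rec["sources"].add(source)
    return table


if __name__ == "__main__":
    for (kind, value), rec in sorted(aggregate(RAW_NOTES).items()):
        print(f"{kind:6} {value:28} sources={sorted(rec['sources'])} "
              f"first={rec['first_seen'].isoformat()}")
```

The output is four structured records rather than two blobs of chat text, and the domain seen in both threads carries both sources, which is exactly the corroboration an analyst wants before pushing an indicator to a blocklist. A production pipeline would add the context the text implies (targeted sector, expected timing, the tool family) as fields on the same record, so the "who" and "how" travel with the "what".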