Cyber Threat Intelligence (CTI)
Threat intelligence generally refers to the analysis of attackers' tactics, techniques and procedures, summarized as TTPs. The MITRE ATT&CK knowledge base, for example, provides a comprehensive catalogue of commonly observed tactics and techniques and maps known threat groups to the techniques they have been seen using.
The central aim of threat intelligence is to obtain information about attacks and their methods as early as possible, so that effective protective measures can be derived from it. This may be information that helps prevent an attack (preventive measures, e.g. signatures for an IDS/IPS) or information that helps detect a successful attack quickly (reactive measures, e.g. Indicators of Compromise (IoC) loaded into a SIEM). Security Operations Centers (SOC) in particular rely on threat intelligence to single out the relevant events in the flood of log data.
Types of Threat Intelligence
Threat intelligence is usually divided into general, non-technical information, which management can use, for example, to assess risk and changes in the overall information security situation, and specific technical information, which IT operations can use, for example, to detect attacks. Four levels are commonly distinguished:
| Level | Time horizon | Content | Audience |
|---|---|---|---|
| Strategic | Long-term | Summarized information on changing risks and threats | High-level management, decision-makers |
| Tactical | Long-term | Information on the general approach and methodology of attackers (TTPs) | CISO, SOC, IT management |
| Operational | Short-term, immediate use | Information on specific attacks currently being carried out and how they proceed | IT management, IT operations, administrators |
| Technical | Short-term, immediate use | Specific signatures, IP addresses, domains and the associated Indicators of Compromise (IoC) | SOC and incident response teams |
Building Blocks of Threat Intelligence
Effective cyber threat intelligence today generally consists of two components.
Firstly, threat intelligence must be obtained from your own telemetry. This means evaluating log files in a SIEM, in particular for unusual behaviour and suspicious events, and analysing network traffic or firewall logs for suspicious communication, e.g. a compromised client contacting a command-and-control (C&C) server. Threat intelligence can even be obtained from honeypots, which record unusual activity and can reveal new attacks or exploits.
Secondly, there are threat intelligence communities in which data on threats gathered by the members is collected and exchanged. By sharing knowledge, the community as a whole can react more quickly to attacks, implement effective and efficient security measures and thus better protect itself.
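The first building block in miniature, as an added example that is not code from the original page: firewall log lines are matched against a small indicator list of the kind a SIEM would hold (the IoCs referred to in the introduction and in the "Technical" row of the table). The log format, the indicator values (RFC 5737 documentation addresses, example.net domains) and the log lines are all constructed for this demonstration. A denied connection to a known C&C address is deliberately still counted as a hit, because it points at an already compromised client, not at an external attacker.

```python
"""Match constructed firewall log lines against an IoC set (IPs, CIDRs, domains).

Added example; the log format, indicators and sample lines are constructed,
not taken from any product or feed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator set; in practice this is fed from a TI platform or community feed.
IOC_IPS = {"203.0.113.45"}
IOC_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
IOC_DOMAINS = {"c2.example.net"}  # matches the domain itself and any subdomain

# Constructed key=value firewall log format (not a specific vendor's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+)(?: host=(?P<host>\S+))? dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ip_matches(ip_str):
    """Return the indicator (address or network) that ip_str hits, or None."""
    if ip_str in IOC_IPS:
        return ip_str
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # regex admits strings like "1.2.3"; treat them as no match
        return None
    for net in IOC_CIDRS:
        if ip in net:
            return str(net)
    return None


def domain_matches(host):
    """Return the indicator domain that host equals or is a subdomain of, or None."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan(lines):
    """Return a list of (source host, indicator, match type) for every IoC hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # a SIEM would raise a parser error here rather than drop it silently
        ind = ip_matches(ev["dst"])
        if ind:
            hits.append((ev["src"], ind, "dst_ip"))
            continue
        ind = domain_matches(ev["host"])
        if ind:
            hits.append((ev["src"], ind, "dst_domain"))
    return hits


def suspected_compromised(hits, threshold=2):
    """Internal sources with at least `threshold` IoC hits: candidates for incident response."""
    counts = defaultdict(int)
    for src, _, _ in hits:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)


# Constructed sample log: one benign line, one IoC IP, one benign host,
# one denied hit inside an IoC network, one subdomain of an IoC domain, one garbage line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z fw: action=allow src=10.0.0.12 dst=192.0.2.10 dport=443",
    "2024-05-01T10:00:07Z fw: action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:09Z fw: action=allow src=10.0.0.33 dst=192.0.2.20 host=www.example.com dport=443",
    "2024-05-01T10:01:07Z fw: action=deny src=10.0.0.12 dst=198.51.100.77 dport=8443",
    "2024-05-01T10:02:07Z fw: action=allow src=10.0.0.33 dst=192.0.2.30 host=cdn.c2.example.net dport=443",
    "garbage line",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for src, ind, why in found:
        print(f"{src} -> {ind} ({why})")
    print("suspected compromised:", suspected_compromised(found))
```

The threshold in `suspected_compromised` is where tactical knowledge feeds back into the technical level: a single hit on a widely shared IP list may be a false positive, repeated contact from the same client is worth an incident.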
Common Security Advisory Framework (CSAF)
The Common Security Advisory Framework (CSAF) is an open standard maintained by OASIS that defines a machine-readable JSON format for security advisories, i.e. for the communication and automated distribution of vulnerability and mitigation information. CSAF allows vendors to publish, and users to retrieve and process, information on individual vulnerabilities automatically in order to determine whether their own systems are affected.
It is foreseeable that the automated processing of security information will become a critical component of cyber threat intelligence and vulnerability management. In conjunction with Vulnerability Exploitability eXchange (VEX) documents, which state per product whether a vulnerability is exploitable and why, companies can check directly and with little manual effort whether and to what extent they are affected by newly discovered vulnerabilities. The precondition is an inventory of your own products that uses the same identifiers (e.g. CPE or package URL) as the vendor's advisories; without that mapping, the automation stops at the product tree.
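What such automated processing looks like on the consumer side, as an added example that is neither code from the original page nor from the CSAF project: a small CSAF 2.0 VEX document is walked, its product tree is flattened into product IDs with their CPE identifiers, and an inventory of installed products is checked against the per-vulnerability `product_status` lists. The advisory, the vendor, the products, the CPEs and the vulnerability identifier are all placeholders constructed for this demonstration (no real CVE is referenced); the document is minimal and is not validated against the CSAF JSON schema.

```python
"""Consume a CSAF 2.0 VEX document and report the status of inventoried products.

Added example; the advisory below is constructed (placeholder vendor, products,
CPEs and vulnerability ID) and only covers the parts of CSAF this code reads.
"""
import json

ADVISORY_JSON = r'''{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "publisher": {"category": "vendor", "name": "Example Corp", "namespace": "https://example.com"},
    "title": "Example Corp VEX for Widget authentication bypass",
    "tracking": {
      "id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
      "initial_release_date": "2024-05-01T00:00:00Z", "current_release_date": "2024-05-01T00:00:00Z",
      "revision_history": [{"date": "2024-05-01T00:00:00Z", "number": "1", "summary": "Initial"}]
    }
  },
  "product_tree": {
    "branches": [{"category": "vendor", "name": "Example Corp", "branches": [
      {"category": "product_name", "name": "Widget", "branches": [
        {"category": "product_version", "name": "1.0",
         "product": {"name": "Widget 1.0", "product_id": "CSAFPID-0001",
                     "product_identification_helper": {"cpe": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}}},
        {"category": "product_version", "name": "1.1",
         "product": {"name": "Widget 1.1", "product_id": "CSAFPID-0002",
                     "product_identification_helper": {"cpe": "cpe:2.3:a:example:widget:1.1:*:*:*:*:*:*:*"}}}]},
      {"category": "product_name", "name": "Gadget", "branches": [
        {"category": "product_version", "name": "2.0",
         "product": {"name": "Gadget 2.0", "product_id": "CSAFPID-0003",
                     "product_identification_helper": {"cpe": "cpe:2.3:a:example:gadget:2.0:*:*:*:*:*:*:*"}}}]}
    ]}]
  },
  "vulnerabilities": [{
    "title": "Authentication bypass in Widget",
    "ids": [{"system_name": "Example Corp advisory ID", "text": "EXAMPLE-ADV-0001"}],
    "product_status": {
      "known_affected": ["CSAFPID-0001"],
      "fixed": ["CSAFPID-0002"],
      "known_not_affected": ["CSAFPID-0003"]
    },
    "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["CSAFPID-0003"]}],
    "remediations": [{"category": "vendor_fix", "details": "Update to Widget 1.1", "product_ids": ["CSAFPID-0001"]}]
  }]
}'''

DOC = json.loads(ADVISORY_JSON)

# product_status groups defined by CSAF; a product ID appears in at most one group per vulnerability.
STATUS_KEYS = ("known_affected", "fixed", "known_not_affected", "under_investigation")


def products(product_tree):
    """Flatten product_tree.branches and full_product_names into {product_id: (name, cpe)}."""
    out = {}

    def record(p):
        helper = p.get("product_identification_helper", {})
        out[p["product_id"]] = (p["name"], helper.get("cpe"))

    def walk(branch):
        if "product" in branch:
            record(branch["product"])
        for child in branch.get("branches", []):
            walk(child)

    for b in product_tree.get("branches", []):
        walk(b)
    for p in product_tree.get("full_product_names", []):
        record(p)
    return out


def vulnerability_status(vuln):
    """Return {product_id: status} for one vulnerability entry."""
    status = {}
    for key in STATUS_KEYS:
        for pid in vuln.get("product_status", {}).get(key, []):
            status[pid] = key
    return status


def assess(doc, inventory_cpes):
    """Map each inventoried CPE to a list of (vulnerability, status, justification or fix)."""
    catalog = products(doc["product_tree"])
    cpe_to_pid = {cpe: pid for pid, (_, cpe) in catalog.items() if cpe}
    report = {}
    for cpe in inventory_cpes:
        pid = cpe_to_pid.get(cpe)
        if pid is None:
            report[cpe] = []  # vendor does not list this product: the document says nothing about it
            continue
        findings = []
        for vuln in doc.get("vulnerabilities", []):
            st = vulnerability_status(vuln).get(pid)
            if st is None:
                continue
            note = None
            for flag in vuln.get("flags", []):  # VEX justification for "not affected"
                if pid in flag.get("product_ids", []):
                    note = flag["label"]
            for rem in vuln.get("remediations", []):  # what to do if affected
                if pid in rem.get("product_ids", []):
                    note = f'{rem["category"]}: {rem["details"]}'
            findings.append((vuln.get("cve") or vuln.get("title"), st, note))
        report[cpe] = findings
    return report


# Constructed inventory: one affected product, one not affected, one the vendor never lists.
INVENTORY = [
    "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:gadget:2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:other:9.9:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for cpe, findings in assess(DOC, INVENTORY).items():
        print(cpe, findings or "not covered by this advisory")
```

Note the third inventory entry: an empty result means the advisory does not mention the product, which is not the same as "not affected". A VEX consumer has to keep that distinction, otherwise silence from a vendor is silently turned into a clean bill of health.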
Threat Intelligence in ISO 27001:2022
Threat intelligence has now also found its way into the relevant information security standards.
The new version, ISO/IEC 27001:2022, contains a dedicated control, Annex A 5.7 "Threat intelligence", which requires that information relating to information security threats be collected and analysed to produce threat intelligence.
Cyber threat intelligence must therefore be in place at the latest when recertifying under the new version of the standard. This should cover not only internal threat intelligence from your own systems, but also external threat intelligence from vendors, feeds and communities.
Our Service
Threat intelligence allows you to protect yourself and your company better and more efficiently against current threats.
We advise you on the selection of suitable solutions for obtaining threat intelligence as well as on the selection of a suitable threat community and the exchange of information. We support you in the implementation and integration of your threat intelligence systems and the integration of automated processes such as CSAF and VEX. If necessary, we support you in setting up your own security operations center (SOC).