Why do we need Cyber Threat Intelligence?
The idea of Cyber Threat Intelligence stems from the need to perform cybersecurity operations in a proactive manner rather than the conventional reactive approach. What does that mean?
To understand this, let us walk through a typical cyber attack news story. It often goes something like this:
“A new malware called [fancy name] is quickly spreading across the internet by exploiting a vulnerability in [software product]….[security researcher or company] estimated that the cybercriminals could have stolen [personal data, corporate data or money] of [large number] [users or organizations] within the last [a short time period] …..The team behind [the affected product or online service] is scrambling to develop a fix for the vulnerability to prevent the malware from spreading further. However, all the users are still waiting for [an official update or a patch release] while [large number] unaware users have already become victims of the cyber attack...”
It is all too common to see stories like this, and some of them end in major losses for the organizations and individuals who become victims of such attacks. Even though the security community comes up with solutions to prevent further attacks of this kind, it is still too late for those who were already affected.
A better story
Is there a way to improve the above scenario? Thankfully, there is, thanks to the introduction of Cyber Threat Intelligence (CTI) as a key component of security operations. With robust CTI operations, the same incident could end up much differently.
“[A short time period] ago, company A found a threat signature on their network. They did a VirusTotal lookup, mitigated the risk on their network and shared this information with company B, which was part of A’s information sharing network. Company B used this intelligence to identify and patch a vulnerability in their applications ….Company B soon released the official update with the security vulnerability fixed in their applications and an advisory for their clients to mitigate the impact of any possible attacks due to it. They thanked company A for sharing the threat intel, which gave them precious time to prevent a major attack campaign…..The quick action of the security community has potentially saved [large amount] dollars worth of damage and helped avoid disruption of [online service/ internet infrastructure]....”
In the second scenario, the cybersecurity community acts on early intelligence to highlight and help fix a flaw before it gets widely exploited, whereas in the first scenario the cybersecurity teams act only after an attack has already affected a large number of people. The second scenario may sound optimistic, but it is realistic; it is simply not yet the more common outcome.
Fortunately, we can move towards the ideal scenario by incorporating the discovery, analysis, and sharing of cyber threat information as key components in the existing security operations of organizations. Now let us take a brief look at a couple of key technologies that are enabling this transformation.
Threat Exchange and Threat Management using STIX and TAXII
For an effective CTI operation, we need a well-defined, efficient and universal standard for communicating cyber threat information between various individuals, organizations and machines. This is where technologies like STIX and TAXII come into the picture. STIX, which stands for Structured Threat Information eXpression, is a standardized language (JSON in version 2.x) for describing threat information such as indicators, malware, threat actors, campaigns and the relationships between them. Trusted Automated eXchange of Intelligence Information, or TAXII for short, is an application-layer protocol running over HTTPS for exchanging threat information encoded in a format like STIX; a TAXII server exposes collections of STIX objects that clients can poll or push to. Both are maintained as open standards by OASIS, with STIX 2.1 and TAXII 2.1 being the current versions.
With these two technologies and the tools built with them, organizations can develop a wide scope of CTI capabilities including Threat Collection, Processing, Analysis, Enrichment, and Exchange.
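The following is an added example, not code from the original article or from the OASIS projects, showing what a STIX 2.1 bundle actually looks like and how a consumer checks it and mines it for Indicators of Compromise. It uses only the Python standard library; the object names, hash value, IP address and domain in the sample bundle are constructed for illustration, and the `encode_envelope` helper stands in for the JSON a TAXII 2.1 server would return from its "Get Objects" endpoint (the real exchange would be an HTTPS request with the `application/taxii+json;version=2.1` media type).

```python
"""Build, validate and mine a STIX 2.1 bundle (added example, not the page's own code)."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 properties that must be present on the object types used here
# (common properties plus the type-specific required ones).
COMMON = {"type", "spec_version", "id", "created", "modified"}
REQUIRED = {
    "indicator": COMMON | {"pattern", "pattern_type", "valid_from"},
    "malware": COMMON | {"is_family"},
    "relationship": COMMON | {"relationship_type", "source_ref", "target_ref"},
}
# STIX identifiers have the form <object-type>--<UUID>.
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# One comparison expression inside a STIX pattern: <object-type>:<path> = '<value>'
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")
# Media type every TAXII 2.1 request and response carries.
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def stix_timestamp(dt=None):
    """RFC 3339 timestamp in UTC with millisecond precision, as STIX uses."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def new_object(stix_type, **props):
    """Create a STIX object with the common properties filled in."""
    ts = stix_timestamp()
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def make_indicator(name, pattern):
    """Indicator whose pattern is written in the STIX patterning language."""
    return new_object("indicator", name=name, pattern=pattern,
                      pattern_type="stix", valid_from=stix_timestamp())


def make_bundle(objects):
    """A bundle is the transport wrapper for a set of STIX objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def build_sample_bundle():
    """Constructed sample: one malware family, two indicators, and the relationships linking them."""
    malware = new_object("malware", name="ExampleLoader", is_family=True)
    ind_hash = make_indicator("ExampleLoader dropper",
                              "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']")  # placeholder hash
    ind_net = make_indicator("ExampleLoader C2",
                             "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'c2.example.net']")
    rels = [new_object("relationship", relationship_type="indicates",
                       source_ref=ind["id"], target_ref=malware["id"]) for ind in (ind_hash, ind_net)]
    return make_bundle([malware, ind_hash, ind_net, *rels])


def validate(obj):
    """Return a list of problems; an empty list means the object passes these checks."""
    required = REQUIRED.get(obj.get("type"))
    if required is None:
        return [f"unsupported type {obj.get('type')!r}"]
    problems = [f"missing {p}" for p in sorted(required - obj.keys())]
    if "id" in obj and not ID_RE.match(obj["id"]):
        problems.append("malformed id")
    if obj.get("spec_version") not in (None, "2.1"):
        problems.append("spec_version is not 2.1")
    return problems


def extract_iocs(objects):
    """Pull atomic observables out of every indicator's STIX pattern, keyed by object path."""
    iocs = {}
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # e.g. a Snort or YARA pattern would need its own parser
        for otype, path, value in COMPARISON_RE.findall(obj["pattern"]):
            iocs.setdefault(f"{otype}:{path}", []).append(value)
    return iocs


def encode_envelope(objects, more=False, next_token=None):
    """Serialize objects the way a TAXII 2.1 'Get Objects' response does (stand-in for a server)."""
    envelope = {"more": more, "objects": list(objects)}
    if next_token:
        envelope["next"] = next_token
    return json.dumps(envelope)


def iocs_from_taxii_envelope(envelope_json):
    """Consume a TAXII 2.1 envelope; 'more' tells the caller to page again with ?next=<token>."""
    envelope = json.loads(envelope_json)
    return extract_iocs(envelope.get("objects", [])), bool(envelope.get("more"))


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))
    print({o["id"]: validate(o) for o in bundle["objects"]})
    print(extract_iocs(bundle["objects"]))
```

The `validate` step is deliberately strict about required properties and identifier shape: objects received from a sharing partner go straight into enrichment and detection pipelines, so malformed or non-2.1 objects should be rejected at the edge rather than silently tolerated. Note that `extract_iocs` only handles the `stix` pattern type; indicators can also carry Snort, YARA or SIGMA patterns, which a real consumer would route to the matching engine instead.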
Organizations can use CTI platforms to communicate in real time with their peers to effectively identify relevant Indicators of Compromise (IOCs), connect the dots between IOCs, threat actors, and attack campaigns, and more.
No single organization can track and tackle every threat, but the shared, community nature of CTI platforms enhances the capabilities of every participating organization through collaborative effort.
The current era of rapid innovation in CTI related technologies gives organizations an opportunity to set up an effective cyber defense much more quickly than in the past. STIX and TAXII are two key drivers behind this positive momentum.
As the number of organizations conducting CTI operations grows, everyone receives greater benefits from the shared efforts.