What in the world is a Cyber Threat Intelligence Analyst?

For a project, I watched the presentation by Katie Nickels on The Cycle of Cyber Threat Intelligence, from SANS Digital Forensics and Incident Response, and decided to write a review. The presentation was really good; I was already familiar with a lot of the terms and topics, but the deeper, in-depth walkthrough of the intelligence life cycle helped me connect the ones that intertwine.

A cyber threat intelligence (CTI) analyst is responsible for proactively discovering, assessing, and helping mitigate cyber risks to an organization's assets, networks, and systems. The position entails acquiring intelligence from a variety of sources, assessing trends, and offering actionable insights that improve the organization's security posture. In the presentation's words, this is done by constantly "analyzing information about the hostile intent, capability and opportunities of an adversary that satisfies a requirement." To be a successful CTI analyst you need to understand the intelligence life cycle, which has five key phases: Planning and Direction, Collection, Processing and Exploitation, Analysis and Production, and finally Dissemination, after which feedback from the consumers of the intelligence feeds the next round of planning and the cycle begins again. More generally, intelligence can be defined as the collection and processing of information about a competitive entity and its agents, needed by an organization or group for its security and wellbeing.

The role of a Cyber Threat Intelligence Analyst is critical in strengthening an organization's resilience to cyber threats. By staying on top of emerging threats and vulnerabilities, these specialists enable firms to put defensive measures in place ahead of time, reducing the risk of data breaches, financial losses, and reputational harm. A Cyber Threat Intelligence team can be an invaluable asset to an organization; it is more effective and efficient, however, when placed in a centralized location rather than embedded in a single team. From there it can support more than one consumer, whether that is the Security Operations Center (SOC), Incident Response, systems engineering and IT, business operations, or vulnerability management, providing intelligence to whichever division or unit requires it.

This role relies heavily on intelligence sharing resources. That ranges from consuming a threat intelligence database of TTPs, IOCs and signatures to contributing back to it with analysis and findings from a new discovery (malware, IOCs, TTPs, etc.). There are several different channels for sharing or gathering intelligence. These include, but are not limited to:

Information Sharing and Analysis Centers (ISACs): the Financial Services ISAC (FS-ISAC) and the Health ISAC (H-ISAC) facilitate cyber threat intelligence sharing within their respective sectors, fostering collaboration among industry peers to improve resilience.

Open-Source Intelligence (OSINT) platforms: Twitter and Reddit serve as valuable sources for monitoring cyber threats and the activity of threat actors. Security professionals use these platforms to gather insights, share findings, and stay informed about emerging threats, with the caveat that open-source reporting must be corroborated before it is treated as intelligence.

Government agencies: the Department of Homeland Security (DHS), through its component the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) provide cyber threat intelligence and guidance to both public and private sector entities, and collaborate with organizations to improve their security posture and mitigate threats. Closely related public resources are the MITRE ATT&CK framework and knowledge base, NIST's National Vulnerability Database (NVD), and the CVE list.

Commercial threat intelligence providers: FireEye Mandiant and Recorded Future offer subscription-based, curated threat intelligence feeds tailored to an organization's industry and risk profile. These providers deliver actionable insights and recommendations that help organizations proactively identify and mitigate threats. VirusTotal, which offers paid tiers beyond its free lookup service, belongs in this category as well.

A wide variety of tools can be employed by a CTI analyst, yet most, if not all, map back to one or more phases of the threat intelligence life cycle:

Planning and Direction: this phase involves evaluating the intelligence requirements (what is needed, and whether it falls under strategic, operational, or tactical intelligence), threat modelling (knowing what you have in your organization that someone else may want, and your attack surface), and collection management (knowing what information and intelligence you already collect and what you can use it for). Security Information and Event Management (SIEM) systems such as Splunk Enterprise Security, IBM QRadar, and LogRhythm are centralized platforms that aggregate, correlate, and analyze security event data from the organization's infrastructure; knowing what they already hold is a large part of collection management.

Collection: in this phase CTI analysts gather intelligence from various sources, including intrusion analysis (walking an incident through the Lockheed Martin kill chain to observe TTPs and attribute the activity), malware analysis (VirusTotal), domains (pivoting on registration and resolution data), external and internal datasets, and even TLS certificates (Censys.io, Scans.io, CIRCL.lu). SIEM systems cover the organization's own telemetry, while threat intelligence feeds such as Intel 471, Recorded Future, and Cisco Talos provide timely updates on emerging threats, indicators of compromise (IOCs), malicious IP addresses and malicious infrastructure.

Processing and Exploitation: this phase needs structured models that turn raw data into buckets, allowing data to be extracted and patterns to be identified. The Lockheed Martin cyber kill chain, the Diamond Model, MITRE ATT&CK, and VERIS (the Vocabulary for Event Recording and Incident Sharing) are models that organize the data in preparation for analysis. Collected intelligence can be stored in Threat Intelligence Platforms (TIPs) such as CRITs, MISP, threat_note or YETI; ThreatConnect, Anomali ThreatStream, and Recorded Future are commercial TIPs that facilitate the aggregation, enrichment, and dissemination of threat intelligence.
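
The following is an added example, not code from the presentation or from any of the platforms named above, of what "turning data into buckets" looks like in practice: each observation from an intrusion is tagged with its Lockheed Martin kill chain phase and its Diamond Model vertex, and the analyst then pivots across intrusions on shared indicators, the same pivoting on domains and TLS certificate fingerprints that the Collection phase mentions. All intrusion identifiers, domains, hashes and certificate fingerprints are constructed for the example.

```python
"""Added example: structuring intrusion observations into kill chain phase x
Diamond Model vertex buckets, then pivoting on shared indicators to propose
activity groups. Sample data is constructed; nothing here is real."""
from collections import defaultdict
from dataclasses import dataclass

KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives")
DIAMOND = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class Observation:
    """One fact from an intrusion, tagged with where it sits in both models."""
    intrusion: str   # analyst-assigned intrusion identifier
    phase: str       # kill chain phase
    vertex: str      # Diamond Model vertex
    indicator: str   # observed value: domain, hash, cert fingerprint, host

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase}")
        if self.vertex not in DIAMOND:
            raise ValueError(f"unknown Diamond Model vertex: {self.vertex}")


# Constructed sample data: four hypothetical intrusions. Every domain, hash
# and certificate fingerprint below is made up for the example.
OBSERVATIONS = [
    Observation("INT-001", "delivery", "infrastructure", "updates.example.test"),
    Observation("INT-001", "installation", "capability", "sha256:1a2b...c3d4"),
    Observation("INT-001", "command-and-control", "infrastructure", "cdn-sync.example.test"),
    Observation("INT-001", "command-and-control", "infrastructure", "tlscert:sha256:7f3a...9e01"),
    Observation("INT-001", "actions-on-objectives", "victim", "finance-fileserver"),
    Observation("INT-002", "delivery", "infrastructure", "updates.example.test"),
    Observation("INT-002", "installation", "capability", "sha256:9c8d...e5f6"),
    Observation("INT-002", "command-and-control", "infrastructure", "portal-sync.example.test"),
    Observation("INT-003", "delivery", "infrastructure", "invoice.example.test"),
    Observation("INT-003", "installation", "capability", "sha256:9c8d...e5f6"),
    Observation("INT-003", "command-and-control", "infrastructure", "api-sync.example.test"),
    Observation("INT-003", "command-and-control", "infrastructure", "tlscert:sha256:7f3a...9e01"),
    Observation("INT-004", "delivery", "infrastructure", "promo.example.test"),
    Observation("INT-004", "installation", "capability", "sha256:5e6f...0a1b"),
    Observation("INT-004", "command-and-control", "infrastructure", "stats.example.test"),
]


def bucket(observations):
    """Group indicators as phase -> vertex -> set of indicators.

    Once every observation sits in a cell of the two models, gaps (an
    intrusion with no delivery indicator, say) and concentrations show up."""
    buckets = defaultdict(lambda: defaultdict(set))
    for o in observations:
        buckets[o.phase][o.vertex].add(o.indicator)
    return {phase: dict(by_vertex) for phase, by_vertex in buckets.items()}


def pivot(observations, noise=frozenset(), min_intrusions=2):
    """Return {indicator: set of intrusions} for indicators seen in at least
    min_intrusions distinct intrusions. `noise` holds indicators known to be
    shared commodity resources (public CDN certificates, shared mail
    providers): pivoting on those links unrelated intrusions, so skip them."""
    seen = defaultdict(set)
    for o in observations:
        if o.indicator not in noise:
            seen[o.indicator].add(o.intrusion)
    return {ind: intr for ind, intr in seen.items() if len(intr) >= min_intrusions}


def activity_groups(observations, noise=frozenset()):
    """Cluster intrusions connected through shared indicators, directly or
    transitively, into candidate activity groups (connected components)."""
    adjacent = defaultdict(set)
    for linked in pivot(observations, noise).values():
        for intrusion in linked:
            adjacent[intrusion] |= linked - {intrusion}
    unvisited = {o.intrusion for o in observations}
    groups = []
    while unvisited:
        stack, group = [min(unvisited)], set()
        while stack:
            current = stack.pop()
            if current in group:
                continue
            group.add(current)
            stack.extend(adjacent[current] - group)
        unvisited -= group
        groups.append(frozenset(group))
    return sorted(groups, key=min)


if __name__ == "__main__":
    buckets = bucket(OBSERVATIONS)
    for phase in KILL_CHAIN:
        for vertex, indicators in buckets.get(phase, {}).items():
            print(f"{phase:22} {vertex:15} {sorted(indicators)}")
    for indicator, linked in pivot(OBSERVATIONS).items():
        print(f"pivot {indicator} -> {sorted(linked)}")
    print("activity groups:", [sorted(g) for g in activity_groups(OBSERVATIONS)])
```

On the sample data, INT-001 and INT-002 share a delivery domain, INT-002 and INT-003 share an implant hash, and INT-001 and INT-003 share a certificate fingerprint, so the three collapse into one candidate group while INT-004 stays apart. The `noise` parameter is the caveat a practitioner wants: if the shared certificate turns out to be a public CDN's, passing it as noise removes that link, and the grouping must be re-derived from the remaining overlaps rather than carried forward on habit.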

Analysis and Production: during this phase analysts must be aware of the biases that can distort their judgement, such as confirmation bias or anchoring on the first hypothesis, and should weigh competing hypotheses against the evidence. Vulnerability scanners (Qualys Vulnerability Management, Tenable Nessus, Nmap and Rapid7 InsightVM, for the organization's own exposure), Wireshark (for packet analysis), Cuckoo Sandbox, VirusTotal, and FireEye Malware Analysis are tools used to analyze and understand the behaviour of malicious software samples and the traffic they generate.

Tools and vendors referenced across these phases: Intel 471, Mandiant, IBM QRadar, FireEye, Anomali, Cisco Talos, MISP, Recorded Future, YETI, ThreatConnect, Splunk Enterprise, threat_note.

Dissemination: this is where report writing matters. The product is written for the consumer identified during planning, states each assessment with an explicit confidence level (low, moderate, or high) so the reader knows how much weight to put on it, keeps evidence separate from judgement, and invites feedback, which becomes the input to the next Planning and Direction phase.

In conclusion, Cyber Threat Intelligence Analysts need technical expertise, analytical rigour, and strong communication skills. By using intelligence sharing resources and a range of tools across every phase of the life cycle, they play a crucial role in safeguarding organizations from evolving threats, ensuring business continuity, and protecting valuable assets.

The Cycle of Cyber Threat Intelligence : https://www.youtube.com/watch?v=J7e74QLVxCk