8.5. Threat Intelligence

8.5.1. Introduction

8.5.1.1. Causes

The new generation of attackers often launches targeted network attacks against enterprises and organizations. Such highly targeted attacks are generally carefully planned, use complex attack methods and approaches, and have serious consequences. Against this kind of attack there is a serious asymmetry between offense and defense. To reduce this asymmetry as far as possible, Threat Intelligence came into being.

8.5.1.2. Definitions

Threat Intelligence is also known as Security Intelligence or Security Threat Intelligence.

There are many definitions of threat intelligence. Generally, it refers to information related to cyberspace threats extracted from security data, including threat sources, attack intentions, attack methods, attack target information, and knowledge that can be used to address threats or respond to hazards. Threat intelligence in a broad sense also includes intelligence processing, analysis and application, and collaborative sharing mechanisms. Related concepts are assets, threats, vulnerabilities, etc., which are defined as follows.

In general, threat intelligence needs to include threat sources, attack purposes, attack objects, attack methods, vulnerabilities, attack characteristics, and defense measures. Threat intelligence can play an early-warning role before an attack, assist in detection and response when a threat occurs, and be used for analysis and source tracing after the event.
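As an added illustration of the detection-and-response use described above (this is example code, not part of the original notes or of any vendor's product), the following script matches indicators from a constructed intelligence feed against constructed proxy log lines. Each indicator carries the fields listed above (threat source, attack method, attack object, confidence, validity period, defense measure), so a hit hands the responder context rather than a bare IP. The feed format, the log format, all IP addresses, domains and group names are assumptions invented for the example; expired and low-confidence indicators are reported separately rather than raising alerts, which is the edge case a feed consumer has to handle.

```python
"""Match threat-intelligence indicators against log lines.

Feed layout, log layout and every value below are constructed for this
example; none of it describes real infrastructure or a real feed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class Indicator:
    value: str              # observable, e.g. an IP address or domain
    kind: str               # "ip" or "domain"
    threat_source: str      # actor the feed attributes the indicator to
    attack_method: str      # how the indicator is used
    attack_object: str      # what the activity targets
    confidence: int         # 0-100, assigned by the feed
    valid_until: datetime   # indicators age out and must stop alerting
    defense: str            # recommended countermeasure


FAR_FUTURE = datetime(2030, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2020, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed feed (documentation-range addresses, invalid TLD, made-up group).
FEED = [
    Indicator("198.51.100.23", "ip", "group-A (constructed)", "credential phishing landing page",
              "webmail users", 85, FAR_FUTURE, "block at perimeter, reset exposed credentials"),
    Indicator("login-example.invalid", "domain", "group-A (constructed)", "look-alike domain",
              "employees", 70, FAR_FUTURE, "sinkhole in DNS, notify affected users"),
    Indicator("203.0.113.9", "ip", "unknown", "mass scanning", "internet-facing hosts",
              60, PAST, "monitor only"),                      # expired indicator
    Indicator("192.0.2.77", "ip", "unknown", "commodity scanning", "internet-facing hosts",
              30, FAR_FUTURE, "monitor only"),                # low-confidence indicator
]

# Constructed proxy log lines in a simple key=value layout.
LOGS = [
    "2024-05-02T10:00:00Z proxy src=10.0.0.5 dst=198.51.100.23 host=login-example.invalid path=/auth",
    "2024-05-02T10:05:00Z proxy src=10.0.0.7 dst=203.0.113.9 host=203.0.113.9 path=/",
    "2024-05-02T10:06:00Z proxy src=10.0.0.8 dst=192.0.2.77 host=cdn.example.com path=/lib.js",
    "2024-05-02T10:07:00Z proxy src=10.0.0.9 dst=192.0.2.15 host=updates.example.com path=/",
]

IP_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def extract_observables(line):
    """Return (kind, value) pairs found in one constructed log line."""
    found = []
    m = IP_RE.search(line)
    if m:
        found.append(("ip", m.group(1)))
    m = HOST_RE.search(line)
    if m:
        found.append(("domain", m.group(1).lower()))
    return found


def match_logs(lines, feed, now, min_confidence=50):
    """Return (detections, suppressed): hits that should alert, and hits that
    matched an indicator but were expired or below the confidence threshold."""
    index = {(ind.kind, ind.value.lower()): ind for ind in feed}
    detections, suppressed = [], []
    for line in lines:
        for kind, value in extract_observables(line):
            ind = index.get((kind, value))
            if ind is None:
                continue
            record = {
                "log": line,
                "indicator": value,
                "threat_source": ind.threat_source,
                "attack_method": ind.attack_method,
                "attack_object": ind.attack_object,
                "defense": ind.defense,
            }
            if ind.valid_until < now:
                record["reason"] = "expired"
                suppressed.append(record)
            elif ind.confidence < min_confidence:
                record["reason"] = "low confidence"
                suppressed.append(record)
            else:
                detections.append(record)
    return detections, suppressed


def group_by_source(detections):
    """Group matched indicators by threat source, for after-the-fact tracing."""
    out = {}
    for det in detections:
        out.setdefault(det["threat_source"], []).append(det["indicator"])
    return out


if __name__ == "__main__":
    hits, quiet = match_logs(LOGS, FEED, NOW)
    for h in hits:
        print(f"ALERT {h['indicator']} ({h['threat_source']}): {h['attack_method']} -> {h['defense']}")
    for q in quiet:
        print(f"info  {q['indicator']} matched but {q['reason']}")
    print(group_by_source(hits))
```

Running it yields two alerts for the first log line (both the destination IP and the look-alike host are in the feed), while the expired and the low-confidence indicators are listed as informational matches only; `group_by_source` then collapses the alerts to one attributed actor, which is the starting point for source tracing.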

Common cyber threat intelligence services include hacker or fraudulent group analysis, social media and open source information monitoring, targeted vulnerability research, customized human analysis, real-time event notification, credential recovery, incident investigation, fake domain name detection, and more.

In terms of threat intelligence, representative vendors include BAE Systems Applied Intelligence, Booz Allen, RSA, IBM, McAfee, Symantec, FireEye, etc.

8.5.3. Intelligence sources

In order to achieve the synchronization and exchange of intelligence, each organization has developed corresponding standards and norms. There are mainly national standards, US federal government standards and so on.

In addition to countries, enterprises also have their own sources of intelligence, such as manufacturers, CERTs, developer communities, security media, vulnerability authors or teams, public accounts, personal blogs, code repositories, etc.

8.5.4. Threat Framework

The more influential threat frameworks mainly include Lockheed Martin's Cyber Kill Chain framework, MITRE's ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge), ODNI's CCTF framework (Common Cyber Threat Framework), and the NSA's TCTF framework (Technical Cyber Threat Framework).