8.5. Threat Intelligence¶
8.5.1. Introduction¶
8.5.1.1. Causes¶
The new generation of attackers often launch targeted network attacks on enterprises and organizations. Such highly targeted attacks are generally carefully planned, with complex attack methods and approaches, and serious consequences. In the face of this kind of attack, there is a serious asymmetry between offense and defense. In order to eliminate this asymmetry as much as possible, Threat Intelligence came into being.
8.5.1.2. Definitions¶
Threat Intelligence, also known as Security Intelligence, Security Threat Intelligence.
There are many definitions of threat intelligence. Generally, it refers to information related to cyberspace threats extracted from security data, including threat sources, attack intentions, attack methods, attack target information, and knowledge that can be used to address threats or respond to hazards. . Threat intelligence in a broad sense also includes intelligence processing, analysis and application, and collaborative sharing mechanisms. Related concepts are assets, threats, vulnerabilities, etc., which are defined as follows.
General threat intelligence needs to include threat sources, attack purposes, attack objects, attack methods, vulnerabilities, attack characteristics, and defense measures. Threat intelligence can play an early warning role in advance, assist in detection and response when a threat occurs, and can be used for analysis and source tracing after the event.
Common cyber threat intelligence services include hacker or fraudulent group analysis, social media and open source information monitoring, targeted vulnerability research, customized human analysis, real-time event notification, credential recovery, incident investigation, fake domain name detection, and more.
In terms of threat intelligence, representative vendors include BAE Systems Applied Intelligence, Booz Allen, RSA, IBM, McAfee, Symantec, FireEye, etc.
8.5.3. Intelligence sources¶
In order to achieve the synchronization and exchange of intelligence, each organization has developed corresponding standards and norms. There are mainly national standards, US federal government standards and so on.
In addition to countries, enterprises also have their own sources of intelligence, such as manufacturers, CERTs, developer communities, security media, vulnerability authors or teams, public accounts, personal blogs, code repositories, etc.
8.5.4. Threat Framework¶
The more influential threat frameworks mainly include Lockheed-Martin’s Cyber Kill Chain Framework, MITRE’s ATT&CK Framework (Common Knowledge base of Adversary Tactics and Techniques), and ODNI’s CCTF Framework (Common Cyber Threat Framework, Public Cyber Threat Framework), and the NSA’s TCTF Framework (Technical Cyber Threat Framework).