Threat intelligence is evidence-based knowledge about existing or potential threats that includes context, mechanisms, indicators, consequences and actionable recommendations, and can be used to make response decisions.
Gartner, McMillan (2013) from Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study
Threat intelligence raises awareness of threats and helps select protective measures that fit the threat landscape relevant to the organization (taking into account the specifics of its activities, economic sector and industry).
Threat intelligence also improves the quality of detection and response to threats both proactively and reactively.
Today, most organizations focus their efforts only on the installation of technical security tools, such as IPS / IDS, ME, SIEM, but do not fully use the collected data for analytics.
The Planning Stage of the Threat Intelligence Life Cycle
Definition of the list of assets;
Definition of the list of threats;
Definition of the list of information sources:
Internal: firewall, IDS, SIEM, AV;
External: community information.
The Collection Stage of the Threat Intelligence Life Cycle
The Processing and Analysis Stage of the Threat Intelligence Life Cycle
Once the raw data has been collected, it must be converted into a format suitable for analysis, and the identified threats must be assessed for how applicable they are to the particular organization (its region and sector).
The Dissemination Stage of the Threat Intelligence Life Cycle
The final step in the threat intelligence life cycle involves determining whether changes to the threat inventory need to be made.
Goal: To gain a broader understanding of threats.
Tactical intelligence is short-term, technical in nature, and identifies simple Indicators of Compromise (IOCs).
IOC: IP addresses, URLs, hashes, domains, filename/path, registry value, usernames, e-mail addresses.
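As an added example (not code from the original page), the following Python matches a small IOC feed covering the indicator types listed above against log lines, normalising defanged and mixed-case indicators first so they compare reliably; the feed values and log lines are constructed for the example.

```python
import re
# Constructed IOC feed in the types listed above; values are invented, not real threat data.
RAW_IOCS = [
    ("ip", "203.0.113.45"),
    ("domain", "Update-Check[.]example"),            # defanged, mixed case
    ("url", "hxxp://update-check[.]example/p.php"),  # defanged scheme
    ("md5", "0123456789ABCDEF0123456789ABCDEF"),
    ("email", "billing@update-check[.]example"),
    ("filename", "svchost_update.exe"),
]
# Constructed log lines, not taken from any real system.
SAMPLE_LOGS = [
    "2024-01-05T10:12:03 proxy allow user=jdoe dst=203.0.113.45 url=http://update-check.example/p.php",
    "2024-01-05T10:12:09 edr file_created name=svchost_update.exe md5=0123456789abcdef0123456789abcdef",
    "2024-01-05T10:13:11 mail from=billing@UPDATE-CHECK.example subject=Invoice",
    "2024-01-05T10:14:00 proxy allow user=asmith dst=198.51.100.7 url=https://www.example.org/",
]
# Regexes that pull candidate observables of each type out of a log line.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"']+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "filename": re.compile(r"\b[\w-]+\.(?:exe|dll|ps1|js)\b", re.I),
}

def refang(value):
    """Normalise an indicator: lower-case it and undo common defanging."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def load_iocs(raw):
    """Group normalised IOC values by type: {type: set(values)}."""
    table = {}
    for ioc_type, value in raw:
        table.setdefault(ioc_type, set()).add(refang(value))
    return table

def match_logs(iocs, log_lines):
    """Return (line number, type, value) for every IOC seen in the logs."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ioc_type, pattern in EXTRACTORS.items():
            for found in pattern.findall(line):
                if refang(found) in iocs.get(ioc_type, ()):
                    hits.append((n, ioc_type, refang(found)))
    return hits

if __name__ == "__main__":
    for hit in match_logs(load_iocs(RAW_IOCS), SAMPLE_LOGS):
        print(hit)
```

The fourth log line contains no feed indicator and produces no hit, while the third matches on both the e-mail address and the domain it contains.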
Questions to ask:
Goal: Track active APT groups to better understand the adversaries behind the attacks.
Behind every attack are questions:
Tactics, Techniques and Procedures (TTPs): the goal is to define attacker behaviors that can be used to defend against specific strategies and threat vectors used by attackers.
Operational intelligence requires human analysis of the information. It needs more resources than tactical intelligence but has a longer lifespan, because attackers cannot change their TTPs quickly.
Attackers don't operate in a vacuum - there are almost always higher-level factors behind a cyberattack. For example, nation-state attacks are usually tied to geopolitical conditions.
Strategic intelligence shows how global events, foreign policy, and other long-term local and international movements can potentially affect an organization's information security.