Definition of Cyber Threat Intelligence
According to the Oxford dictionary, a threat is “the possibility of a malicious attempt to damage or disrupt a computer network or system.” More generally, a threat is a potential occurrence of an undesired event that can damage or interrupt the operational and functional activities of an organization; it can affect the confidentiality, integrity, and availability of the organization’s information and systems. The impact of a threat can be severe, up to the loss of physical IT assets. Threats may be accidental, intentional, or a side effect of some other action.
Cyber threat intelligence, usually abbreviated CTI, is the collection and analysis of information about threats and adversaries, and the drawing of patterns from it, that give an organization the ability to make informed decisions about preparedness, prevention, and response against cyber attacks. It is the process of recognizing or discovering the “unknown threats” an organization may face so that the necessary defenses can be put in place before those threats materialize. It involves collecting, researching, and analyzing trends and technical developments in the field of cyber threats (cybercrime, hacktivism, espionage, etc.). Any knowledge about threats that feeds planning and decision-making in an organization is threat intelligence. The main aim of CTI is to make the organization aware of existing and emerging threats and to help it build a proactive cyber security posture before those threats can be exploited. Converting unknown threats into known ones lets the organization anticipate an attack before it happens and ultimately yields a better secured system. Shared among organizations, threat intelligence also helps secure the data exchanges and transactions between them.
Threat intelligence processes can be used to identify the threats and risk factors behind malware attacks, SQL injection, other web application attacks, data leaks, phishing, denial-of-service attacks, etc. Once identified and prioritized, such risks can be tracked on a checklist and handled appropriately. Threat intelligence helps an organization handle cyber threats with effective planning and execution based on a thorough analysis of each threat; it also strengthens the organization’s defenses, creates awareness of impending risks, and aids in responding to them.
Figure: Intelligence versus Information versus Data.
Data in its raw form generally exists in huge volume, describes an object, individual, or event, carries no context, and is unprocessed. Data by itself does not solve any problem; it is processed into information and further analyzed to derive intelligence, which supports the decisions that solve organizational problems. Data can be structured or unstructured. Structured data follows a fixed schema (database records, CSV files, log fields such as timestamps and IP addresses), whereas unstructured data has no predefined schema (free text, e-mail bodies, images, video, audio).
Information is the output of processed data and carries meaning and context. It is produced when a collection of raw data providing diverse facts about something is combined or interconnected to bring out broader knowledge about the subject or to answer a question raised by a user. It describes things in the surrounding environment in general terms and is not yet tailored to any particular decision.
Intelligence is obtained by processing data and analyzing information. It is interpreted information providing broader, in-depth knowledge of the subject (an organization, individual, or object) that supports decision-making and response actions. It helps organizations resolve complex problems by converting information into useful actions or conclusions. As intelligence is extracted from information and data, the volume of the output shrinks while its value increases. For example, consider a remote host communicating with a server. The data is the individual connection request sent from the remote host to the server; from it we obtain only the source and destination IP addresses, with no context. Processing this data yields information: many connection requests are arriving at the server within a short period, the server is under load, and its performance is degrading. Analyzing that information in light of past and current experience (what normal traffic to this server looks like, and the known pattern of floods arriving from many sources) yields intelligence: a distributed denial of service (DDoS) attack is being performed on the target server. Using this intelligence, the organization can immediately act to protect its IT assets, for example by rate-limiting or filtering the offending traffic.
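The following Python script is an added example, not code from the original page, that walks the same data → information → intelligence chain on a constructed set of connection records: raw requests are aggregated per service and time window into facts with context, and each window is then judged against the service’s own baseline (past experience) and the known shape of a many-source flood. The sample traffic, the addresses (RFC 1918 and RFC 5737 ranges), and the thresholds (5× baseline, 50 distinct sources) are assumptions chosen for illustration.

```python
"""Data -> information -> intelligence, worked on constructed connection records.

Added example; the sample traffic and the thresholds are assumptions for the
illustration, not a real capture or any product's detection logic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Connection:
    """Data: one raw connection request as seen by the server, no context."""
    ts: float    # seconds since start of capture
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class WindowStats:
    """Information: requests aggregated per service per time window."""
    dst: str
    dport: int
    window: int
    requests: int
    distinct_sources: int


@dataclass(frozen=True)
class Assessment:
    """Intelligence: an interpreted judgement plus the action it supports."""
    dst: str
    dport: int
    window: int
    verdict: str
    rationale: str
    action: str


def constructed_sample() -> List[Connection]:
    """Constructed traffic (hypothetical RFC 1918 / RFC 5737 addresses):
    60 s of steady browsing to 10.0.0.5:443 and SSH to 10.0.0.22:22, then a
    10 s burst to 10.0.0.5:443 from 200 different sources."""
    conns: List[Connection] = []
    for t in range(60):
        conns.append(Connection(float(t), f"192.168.1.{10 + t % 5}", "10.0.0.5", 443))
        conns.append(Connection(t + 0.5, "192.168.1.20", "10.0.0.22", 22))
    for t in range(60, 70):
        for i in range(20):
            conns.append(Connection(t + i / 20, f"203.0.113.{(t - 60) * 20 + i}", "10.0.0.5", 443))
    return conns


def summarize(conns: List[Connection], window_s: int = 10) -> List[WindowStats]:
    """Data -> information: count requests and distinct sources per
    (destination, port, window). Each row now states a fact with context."""
    buckets: Dict[Tuple[str, int, int], Counter] = defaultdict(Counter)
    for c in conns:
        buckets[(c.dst, c.dport, int(c.ts // window_s))][c.src] += 1
    return [
        WindowStats(dst, dport, w, sum(srcs.values()), len(srcs))
        for (dst, dport, w), srcs in sorted(buckets.items())
    ]


def assess(stats: List[WindowStats], baseline_windows: int = 3,
           rate_factor: float = 5.0, min_sources: int = 50) -> List[Assessment]:
    """Information -> intelligence: judge each window against what this service
    normally looks like (the running baseline of earlier, unflagged windows) and
    against the known shape of a flood from many sources. Thresholds are
    assumptions for the example."""
    history: Dict[Tuple[str, int], List[int]] = defaultdict(list)
    findings: List[Assessment] = []
    for s in stats:
        past = history[(s.dst, s.dport)]
        flagged = False
        if len(past) >= baseline_windows:
            baseline = sum(past) / len(past)
            if s.requests >= rate_factor * baseline:
                flagged = True
                distributed = s.distinct_sources >= min_sources
                findings.append(Assessment(
                    s.dst, s.dport, s.window,
                    "suspected DDoS" if distributed else "suspected single-source DoS or scan",
                    f"{s.requests} requests from {s.distinct_sources} sources in window "
                    f"{s.window}, against a baseline of {baseline:.1f} per window",
                    "rate-limit or filter the sources upstream and alert the on-call team"
                    if distributed else "block the offending source at the edge",
                ))
        if not flagged:
            past.append(s.requests)   # keep the baseline free of attack traffic
    return findings


if __name__ == "__main__":
    for f in assess(summarize(constructed_sample())):
        print(f"{f.dst}:{f.dport} window {f.window}: {f.verdict} -- {f.rationale}; {f.action}")
```

Note how the volume shrinks and the value grows at each step: 320 raw records become 13 window summaries, which become a single assessment that names the attacked service, explains why it is judged an attack, and says what to do. In production the “past experience” would be a longer baseline and shared indicators from other organizations rather than six windows of one capture, but the structure of the reasoning is the same.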
Figure: the Stages of Cyber Threat Intelligence.
The concept of intelligence reflects the “knowns and unknowns” framing popularized by Donald Rumsfeld: unknown unknowns, known unknowns, and known knowns. Read as three stages of intelligence, the threat intelligence process begins in the unknown unknowns stage, where we have no idea what the threats are and try to locate them. After obtaining information about the threats, we move to the second stage, known unknowns, where we analyze the information and understand the nature of the threats; by mitigating them we reach the final stage, known knowns. Working through these three stages leads to action and to results, but the journey from unknown unknowns to known knowns is a hard one in the case of cyber threats. From the above discussion, we can define CTI as “[t]he process of collecting information about presumed attackers to understand the motive behind their attacks and the approach they might follow, and analyzing this information to secure the organization’s IT infrastructure in advance.”