Cyber Threat Intelligence
Introduction to Cyber Threat Intelligence
The Cyber Threat Intelligence course was one of the highlights of the University of San Diego (USD) Cybersecurity Operations and Leadership (CSOL) program. Using Cyber Threat Intelligence, the cybersecurity professional is able to extend beyond simply implementing defensive controls and hoping for the best. Instead, the professional can actively survey the threat landscape and align finite resources to mitigate attacks. This course challenged the student to prepare both reports and presentations, each targeted at an executive-level audience in an executive or board briefing scenario. The final project's recorded video presentation, PowerPoint slide deck, and written report are all included in this ePortfolio in the Final Report section below.
Reflection
Cyber Threat Intelligence (CTI) is a fascinating subject in that the practitioner gets a view into what the adversary is doing and how best to protect against a broad range of attacks, both targeted (such as an Advanced Persistent Threat (APT)) and general in scope. Intelligence as a discipline is equally compelling. To broadly define it, intelligence (and specifically cyber intelligence) is the collection of data and information that allows a government or corporation to make better-informed decisions and align resources appropriately. Without cyber threat intelligence, we are simply guessing at what the adversary may do and implementing certain best practices. This is often inefficient in that even best practices can fall to targeted novel attacks. By implementing cyber threat intelligence, the professional hopes to ensure that a given attack succeeds once at most (and hopefully not at all). Technological attacks leave behind indicators (often referred to as Indicators of Compromise or IoCs) that serve as an attacker’s digital footprint. By combining this type of IoC information with information on attacker tools, techniques, and procedures (TTPs), the organization can benefit from CTI generated by others and automatically prevent instances of similar indicators (IP addresses, domain names, file hashes, process names, text strings, etc.) from harming the organization’s network. By automating these efforts, the analyst team can focus on novel attacks that are specifically targeted at the organization rather than on the “noise” of the Internet.
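The automated step described above, matching shared indicators against an organization's own telemetry so that analysts only need to look at what the feed does not already explain, can be shown with a small matching engine. The following is an added example written for this page, not code from the course or from any intelligence provider; the feed, the event records, and all indicator values (the documentation IP ranges, the domain bad.example, the process name evil-dropper.exe, the string beacon-tag) are constructed for the illustration. It handles the normalization details that trip up naive matchers: CIDR ranges as well as single addresses, subdomains of a listed domain, trailing dots in DNS names, and mixed-case hashes.

```python
"""Indicator-of-compromise matching: triage constructed log events against a
constructed threat-intel feed so analysts can focus on the unmatched events."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed feed. In practice this would come from an ISAC or vendor export.
SAMPLE_HASH = hashlib.sha256(b"constructed-malware-sample").hexdigest()
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "example-isac"},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24", "source": "example-isac"},
    {"type": "domain", "value": "bad.example", "source": "example-vendor"},
    {"type": "sha256", "value": SAMPLE_HASH, "source": "example-vendor"},
    {"type": "process", "value": "evil-dropper.exe", "source": "example-vendor"},
    {"type": "string", "value": "beacon-tag", "source": "example-vendor"},
]

# Constructed events in the shape a SIEM might hand to an enrichment job.
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.45"},
    {"id": 2, "src_ip": "10.0.0.7", "dns_query": "cdn.bad.example."},
    {"id": 3, "src_ip": "10.0.0.9", "dest_ip": "198.51.100.77"},
    {"id": 4, "src_ip": "10.0.0.9", "file_sha256": SAMPLE_HASH.upper()},
    {"id": 5, "src_ip": "10.0.0.11", "process_name": "evil-dropper.exe",
     "command_line": "evil-dropper.exe --Beacon-Tag"},
    {"id": 6, "src_ip": "10.0.0.12", "dest_ip": "192.0.2.10", "dns_query": "example.net"},
]

# Which matcher applies to which event field.
FIELD_MATCHERS = {
    "src_ip": "ip", "dest_ip": "ip",
    "dns_query": "domain", "http_host": "domain",
    "file_sha256": "hash", "process_name": "process", "command_line": "string",
}


@dataclass(frozen=True)
class Match:
    field: str        # event field that matched
    ioc_type: str
    ioc_value: str    # indicator as it appeared in the feed
    source: str


class IndicatorSet:
    """Indexes a feed by indicator type so each event lookup is cheap."""

    def __init__(self, feed):
        self.ips, self.networks = {}, []
        self.domains, self.hashes, self.processes, self.strings = {}, {}, {}, []
        for ioc in feed:
            t, v, src = ioc["type"], ioc["value"], ioc["source"]
            if t == "ipv4":
                self.ips[ipaddress.ip_address(v)] = (v, src)
            elif t == "ipv4-cidr":
                self.networks.append((ipaddress.ip_network(v, strict=False), v, src))
            elif t == "domain":
                self.domains[v.lower().rstrip(".")] = (v, src)
            elif t == "sha256":
                self.hashes[v.lower()] = (v, src)
            elif t == "process":
                self.processes[v.lower()] = (v, src)
            elif t == "string":
                self.strings.append((v.lower(), v, src))
            else:
                raise ValueError(f"unknown indicator type: {t}")

    def match_ip(self, field, value):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:          # malformed field: never a match, never a crash
            return []
        hits = [Match(field, "ipv4", *self.ips[addr])] if addr in self.ips else []
        hits += [Match(field, "ipv4-cidr", v, s) for net, v, s in self.networks if addr in net]
        return hits

    def match_domain(self, field, value):
        labels = value.lower().rstrip(".").split(".")
        # Test the name and each parent suffix (but not the bare TLD), so
        # cdn.bad.example matches a feed entry for bad.example.
        for i in range(len(labels) - 1):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return [Match(field, "domain", *hit)]
        return []

    def match_hash(self, field, value):
        hit = self.hashes.get(value.lower())
        return [Match(field, "sha256", *hit)] if hit else []

    def match_process(self, field, value):
        hit = self.processes.get(value.lower().rsplit("\\", 1)[-1])
        return [Match(field, "process", *hit)] if hit else []

    def match_string(self, field, value):
        low = value.lower()
        return [Match(field, "string", v, s) for needle, v, s in self.strings if needle in low]


def match_event(event, indicators):
    """Return every indicator hit for one event (empty list means no known IoC)."""
    hits = []
    for field, value in event.items():
        kind = FIELD_MATCHERS.get(field)
        if kind and value:
            hits.extend(getattr(indicators, f"match_{kind}")(field, value))
    return hits


def triage(events, indicators):
    """Split events into (known, novel): known carry feed hits, novel need an analyst."""
    known, novel = [], []
    for ev in events:
        hits = match_event(ev, indicators)
        (known if hits else novel).append((ev, hits))
    return known, novel


if __name__ == "__main__":
    known, novel = triage(EVENTS, IndicatorSet(FEED))
    for ev, hits in known:
        print(f"event {ev['id']}: " + "; ".join(f"{m.field}={m.ioc_value} [{m.source}]" for m in hits))
    print(f"{len(novel)} event(s) left for analyst review:", [ev["id"] for ev, _ in novel])
```

Five of the six constructed events are explained by the feed and can be handled automatically; only event 6 remains for the analyst team. The `Match` records keep the feed's original value and source, which is what a blocking rule or a ticket needs when the indicator is later retired or disputed.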
In this class, the student learned about the CTI lifecycle and created a fairly detailed plan to scope, collect, analyze, deploy, and review CTI data in a cyclical process. In addition, various sources of CTI were examined, such as signals intelligence and open-source intelligence. Intelligence producers may be commercial entities, or intelligence can in certain cases be provided for free by well-meaning consortiums such as Information Sharing and Analysis Centers (ISACs). These ISACs may be targeted toward preventing threats affecting specific industry segments or verticals such as health care, retail, or financial services.
Cyber Threat Intelligence is a critical skill set for cybersecurity leaders to have in their toolkit. Organizations with the staff to support it should consider at least a basic CTI program that integrates intelligence feed information and looks at what adversaries are doing. Fortunately, several excellent resources exist to provide CTI and also provide information about attacker TTPs. The Lockheed Martin Cyber Kill Chain® and MITRE ATT&CK Matrices are two excellent resources the practitioner must be aware of and should look to employ in any cybersecurity practice. By taking both defensive and proactive approaches to securing the organization through CTI, the protected entity has a better chance of fending off cyber adversaries and reducing the organization’s risk profile overall. The modern cybersecurity professional is prepared to initiate and engage in programs that provide this type of value.