Six Steps to Build Value from Cyber Threat Intelligence (CTI)

Making the right decision requires an understanding of the problem at hand. Without information on that problem, you cannot hope to come up with a reasoned response: this is true in business, and it is true in cybersecurity.

As cybersecurity events continue to challenge every organization across the globe, a more intelligent and empirical approach must be used. Cyber Threat Intelligence (CTI) provides a framework to generate the actionable intelligence that tackles the onslaught of cyber threats banging on the door of the industry.

What is Cyber Threat Intelligence (CTI)?

“CTI is used by organizations to enhance their defensive posture by understanding threats in relation to their Cyber Operating Environment (COE)” - zvelo, January 2022

Cybersecurity events and operations generate a lot of information. This information takes many forms including unauthorized access, exfiltration of data, and identified vulnerabilities. This information can often be subtle and nuanced and finding threats and potential breaches can be like looking for a needle in a haystack.

Cyber Threat Intelligence or CTI is a discipline used to collate and analyze data based on cybersecurity intelligence that then helps to identify threats. However, context is everything in CTI deployment, and to be effective, CTI data must be tailored to an individual organization.

Effective deployment of CTI depends on using a process that comprises six core steps.

The Six Steps to Actionable Insights using Cyber Threat Intelligence

Effective use of Cyber Threat Intelligence relies on a six-part process comprising:

1. Planning & Direction	2. Collection	3. Processing
4. Analysis	5. Dissemination	6. Feedback

Stage One: Planning and Direction

Each part of the process works towards building up the profile of a threat. This then delivers actionable information to deal with that threat. Here is a deeper dive into each of the six process components:

A robust plan makes for a successful project. The CTI process begins with collaboration around planning and establishing the direction of the project. It is important at this first stage, that the CTI process reflects the needs of the organization; these needs vary across industry sectors.

The Planning and Direction of a CTI project should be a collaboration between external expert sources to help inform your cybersecurity strategy. From this, a tailored strategy can be developed to understand Malicious Cyber Actor (MCA) targets, attacks, and motives.

Some of the key questions that should be answered at this early stage are:

• What are your cybersecurity priorities?
• With security priorities in mind, what feeds and sources provide the best value?
• What infrastructure is needed to make the most of CTI data?

Stage Two: Collection

Once you have your plans outlined, the next stage is to collect data across the COE. These data are collected using various disciplines such as Signals Intelligence, Open-Source Intelligence, Geospatial Intelligence, etc.

There are three ways to collect CTI data:

Third-party data

An organization can buy data from third parties. This may be free or at cost, but data quality is important to avoid false positive noise.

Self-sourced data

Internal data provides more control over the data collected and can come from a variety of internal sources.

Combination of third-party and self-sourced

This method employs a mix of internally sourced and procured data. Research from zvelo shows that whilst this combined approach to data sources is unlikely to result in 100% CTI coverage, organizations should “maximize sources as much as possible.”

Zvelo researchers suggest that a tripartite of the following data rules produces the best results:

• Volume: higher volumes of data lead to more actionable and accurate insights.
• Volume: higher volumes of data lead to more actionable and accurate insights.
• Visibility: you must be able to see what it is you want to collect.
  In practice, this can be complicated as cybercriminals can use obfuscation tactics.
• Location: geographic data is important to collect to inform appropriate responses.

Stage Three: Processing

Processing is about taking raw data and turning it into useful information that, in this case, reveals cybersecurity threats. The first stage of the CTI process defined what the organization's cybersecurity priorities were. These priorities now inform this next stage.

Processing of CTI data requires that the data is aggregated and normalized. This normalization follows a common schema that helps accuracy during the analysis stage of the CTI process.

There are three common methods used to process data:

• Rules-based: uses simple business logic rules
• Artificial Intelligence and Machine Learning (AI/ML): the optimal use of AI/ML-based systems is to use human supervised as this reduces bias and false positives that can occur.
• Manual: time and resource-intensive so tends to not be used in modern data-rich environments.

Data validation is a crucial part of robust processing in CTI.  Using a zero-trust approach to validating data helps to ensure data quality.

Stage Four: Analysis

The root of CTI is in military intelligence. This discipline sets out three areas as core to understanding a situation or, in the case of enterprise security, the Operating Environment (OE): Priority Intelligence Requirements (PIR), what you need to know to complete the mission; Friendly Force Information Requirements (FFIR), what you need to know about your own forces; and, Commander’s Critical Information Requirements (CCIR), the key information needed to support decision making.

The analysis stage uses the processed data from stage three and prepares it for dissemination.

The data determined to meet the three core requirements is used. A best practice for any data deemed as not required (at this point) is to store it for possible later use.

There are three key types of analysis:

Manual: a human being uses their own experience alongside analysis tools to analyze the data. This technique is less used because of the potential for bias and the time and resources needed to complete an analysis task.

Fully-automated: this uses a rules-driven or AI/ML approach to data analysis.

Hybrid analysis: most organizations use this mix of manual and automated analysis as it provides a best of both worlds approach.

Stage Five: Dissemination

Once analysis is complete the next task in the CTI process is to disseminate the results. The scope of dissemination and timelines must reflect the needs of the consumer. The format is also an important consideration in CTI dissemination.

There are three format delivery types to choose from:

1. Structured Threat Information Expression (STIX™):
2. Malware Information Sharing Platform (MISP)
3. Custom Schemas

Expedient dissemination of CTI data to consumers is important.
To ensure this is done in a timely manner, there are three types of delivery available:

Flat File Downloads: customers can download files in formats such as text files and JSON.

API: allows the customer to create pull requests.

Feeds: pushes CTI data to the customer in an agreed format.

Stage Six: Feedback

This final stage is important as it allows the CTI process to be optimized.

Feedback is between the intelligence producer and the intelligence consumer. Feedback must be a collaborative, push-and-pull process for it to generate actionable updates. Feedback offers valuable assessments that can improve product performance and effectiveness.