Organizations invests more and more to security tools, breach statistics keep increasing. About ten years ago and more, attackers were mostly alone, and were using basic tools, so it was easier to block them. But with the advanced techniques and tools, and the groups that came together to attack, made these attacks more difficult to block. There was no such thing as intelligence on our agenda. Some basic blacklists and virus databases were enough against most of the attackers.
CTI (Cyber Threat Intelligence) has become indispensable nowadays. We need more and more information about attackers day by day to gain advantage in this fight. At the same time, we see that a lot of people confuse threat intelligence with fraud. People seem really confused about what to expect from threat intelligence. In this post, I try to mention the needs and usage for CTI.
IoCs: Of course, IoCs are one of the most important things that we are waiting from a CTI product. We are feeding our tools with IoCs and this is the simplest thing for our security intelligence. It is possible to find open source IoCs on many historical threats on the internet. Our expectation from a CTI product should be that it gives us the latest IOCs on threats. While evaluating a CTI tool, it should be observed how much IOC it gives compared to its competitors. Some CTI vendors are mostly using Open IoCs, so it is important to check this value before paying money. Meanwhile, the accuracy of the IOCs is also an issue that should not be overlooked. There will be no point in pushing so many wrong IoCs into our systems every day, even those false positive IoC will cause us to waste time. And time is the most important value in a battle.
TTPs: According to Pyramid of Pain – we discussed in the related post deeply – TTPs are the most valued information for defenders. Sun Tzu says that “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful. If you do not know what tools, techniques and tactics your enemies are using, it d be very difficult to win a battle. For a defender, the most valuable information are these TTPs and tools that the enemy is using. From a CTI vendor, this must be one of your most important expectations.
Threat Groups: As mentioned before, attackers now works together, they come together and join forces. And while a group is successful on technique with specific tools and malwares, they rarely change these TTPS and tools. So, it is very important to know who is targeting your geography, country and sector. With these information, organizations get really useful IOCs for themselves, and can design their defense according to these attackers’ TTPs. According to this, maybe tracking the threat groups are also the most important thing for the first two bullets (IoCs and TTPs). You can take random IOCs and install them on your systems, but this is never the same as working with the information of attackers you know who they are.
Vulnerabilities: are critical because attackers use these vulnerabilities to infiltrate. It is vital to be aware of vulnerabilities as quickly as possible after they appear. Meanwhile, the information whether these vulnerabilities are exploitable or not, and their criticality and knowledge of affected systems should also be among the things you expect from CTI. Of course, you need a proactive patch management to use these information in success.
Dark Web Tracking: Every day, a lot of information about companies is offered for sale on the dark web or different attackers and groups come together by communicating here. It is not possible to track all forums and portals in dark web continuously for a security team. One of the expectations from the CTI should be the constant monitoring of the dark web and access to information about threats to the organization.
CTI is not Fraud Detection: Fraud is an important subject to save customers our and users. There are many fraud techniques that fraud teams need to be aware of but CTI is not fraud. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customer. It is undisputed very valuable. But a CTI product should not be evaluated solely on the fraud information obtained. For a good CTI investment, the above issues should be evaluated.