Cyber Threat Intelligence [CTI] Feeds – The devil is in the details
Whether your firm is looking for a cybersecurity vendor to meet your needs or your employees are undergoing a training program, it is important to understand how cyber Threat Intelligence Feeds form the backbone of a cybersecurity action plan. So what are these threat intelligence feeds? Before that, let us understand what ‘threat intelligence’ is. In layman’s terms, threat intelligence can be defined as any data that helps in a better understanding of the cyber landscape and various threats associated with it.
CTI feeds comprise data coming from a wide range of IoC (indicators of compromise) feeds like:
- Non-human web traffic behavior
- Malicious URLs
- Anomalous account activity
- IP address related attacks
- Malware hashes
- Malicious Emails and a lot more.
The continuous stream of data from these feeds helps us understand the current state of the network, the threats and risks associated with it, and document various IoCs (Indicators of Compromise). It is these feeds that the SOC (Security Operations Center) continuously monitors and uses to identify any infiltrations, attempts, and attacks on the systems and the networks. With time and proper data evaluation, cyber threat intelligence feeds can be used to develop strategies to counter cyber threats and understand hacker tactics, techniques, and procedures.
In the due course of this blog post, we shall learn more about types, evaluation, features, benefits, and a lot more about cyber threat intelligence feeds.
Types of Threat Intelligence Feeds – Data that forms the bricks
Cyber threat intelligence feeds can be briefly classified into 4 types:
While many choose to only list the top three, the ‘Technical Intelligence Feed’ plays a critical role if your cybersecurity vendor is serious about protecting your systems and network.
1. Strategic Threat Intelligence Feed:
Often dubbed a high-level intelligence feed, the Strategic TIF helps in understanding why a certain attack is carried out by the threat actors. Non-technical in nature, it is usually served to the C-suite of the company, helping them to better understand the reasons and intentions behind an attack. Analysts outside the cybersecurity field are often engaged to give a holistic perspective of the cyber-attack. Many cybersecurity experts believe that Strategic TIF can impact the high-level business decision-making of a company.
Common sources for Strategic TIF include the following:
- ISAOs – Information Sharing and Analysis Organizations
- ISACs – Information Sharing and Analysis Centers
- CTI Vendors – Cyber Threat Intelligence Vendors
- OSINT – Open Source Intelligence
Though the final product is non-technical, researchers and analysts go through tons of data, putting it through hundreds of analyses to suggest effective strategic intelligence.
2. Tactical Threat Intelligence Feed:
Simply put, the Tactical TIF deals with the TTP (Tactics, Techniques, and Procedures) of the attackers. Often consumed by Network Operations Center (NOC) employees, Security Operations Center (SOC) employees, IT service managers, and cybersecurity architects, this type of cyber threat intelligence feed helps in analyzing the various tactics, techniques, and procedures deployed by the threat actors.
These feeds comprise, but are not limited to, human intelligence, data on malware attacks, cross-industry cybersecurity statistics, incident and attack reports, and other threat-related data. Using this data, a comprehensive process involving patching vulnerable systems, changing security products, and improving defense mechanisms is carried out.
3. Operational Threat Intelligence Feed:
The notion: “Perception without Conception is blind; Conception without Perception is empty”, is true when it comes to analyzing threats and risks of cyberspace. Without a proper context that involves the nature of the attack, type, timing, intent, and level of sophistication, it is difficult to arrive at a logical perception of how to protect key assets like data and infrastructure.
Often experienced hackers and hacking groups interact in private chat rooms and away from analysts and security experts scouting the web. The researchers must keep track of online events, campaigns, and other cyber-attacks to find more valuable intelligence on hackers and their methods. Researchers and cybersecurity experts often face the problem of CAN:
- Concealment – Hackers using codenames and VPNs to avoid detection
- Access – Hacking chat rooms or groups often demand user identification or use encryption
- Noise – High volume of data to analyze (chat rooms and social media)
4. Technical Threat Intelligence Feed:
Despite its shorter lifespan, the Technical TIF provides key insights into the tools, resources, and other variables a threat actor has used. Often limited to a specific IoC (indicator of compromise), the Technical TIF includes control channels, tools, command channels, IP addresses, hash checksums of malware, phishing email headers, and other technical data. Understanding and applying proper analysis to this feed helps in rapid response to threats.
The Technical TIF is consumed by Incident Response and the Security Operations Center (SOC) teams. Most of this feed is read using a Machine Learning program and is fed directly into security systems and other installations. This helps in promptly preventing many threats at their very source.
Evaluation of Threat Intelligence Feeds – The Lens that adds context to data!
Cyber threat intelligence feeds truly provide critical information that can help companies mitigate cyber-attacks. But how does one evaluate a particular feed? Usually, the feeds come from internal and external intelligence:
1. Internal Intelligence
- Hybrid Cloud
- IoT Devices
- Next-Generation Firewall (NGFW)
- IPS / IDS – Intrusion Prevention System / Intrusion Detection System
2. External Intelligence
- Commercial Providers
- Industry-led Communities
- Private Communities
Evaluating the threat intelligence feed:
Without adding context, cyber threat intelligence feeds are nothing but a bunch of data outputs. Context brings the intelligence from the feed. But how do we add one? What are the factors that we need to look at while evaluating a threat intelligence feed? Let’s learn.
1. Timely detection
When it comes to cybersecurity, every second is critical during a cyber-attack. The faster a threat is identified, the better the damage control. Even in the case of a threat intelligence feed, a real-time feed is priceless. It can often prevent many cyber-attacks. But currently, according to a survey of 24 cyber threat intelligence feeds that analyzed data on over 1.3 million indicators, the average delay was reported to be 21 days.
Surprisingly, 56% of participants in a survey felt that threat intelligence becomes stale within a few minutes, and even seconds at times. Despite that, the participants saw it as a parameter that builds the reputation of the source. This in no way means intelligence, and companies should keenly monitor for such false promises by their CTI feed providers.
2. Geographical Location
Many CTI feeds show a strong bias towards a particular nation or a particular geographic region. Everyone knows that a threat actor sitting in Latin America can attack a Singapore-based company via Europe or North America. Such is the cyber landscape. Many CTI feeds simply report too many threats from a particular nation. On the contrary, that particular nation does not even feature in other feeds. It’s always wise to balance cyber threat intelligence feeds from different vendors.
From late 2020, Iran has turned out to be the new hub for adversaries. The hacking groups from Iran deploy the ‘lock-and-leak’ attacks, where the adversary encrypts the target enterprise’s network and then leaks the data of the victim through an actor-controlled entity. Along with Iran, China has been leading the race when it came to vulnerability exploitation. There was a six-fold increase in vulnerability exploitation from China-based nexus.
3. Worry about collateral damage
Collateral damage can be pretty expensive if the threat intelligence feed is not analyzed properly. When a single IP address is reported as malicious, it affects not only a single process but all the other processes running on that IP address.
This effect is evident, especially in the case of shared hosting. If one IP address is blocked due to an isolated C&C [Command and Control] domain, every domain hosted by that entity gets blocked. This can have serious implications and can cost the company dearly. Cybersecurity experts feel that CTI feeds with no pre-filtering do more harm than good.
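The pre-filtering idea above, sketched as an added example (not code from the original post or from any feed vendor): before acting on an IP indicator, check which other hostnames share that address and fall back to a domain-level block when bystanders would be hit. The `HOSTED_ON` mapping, the feed field names `ip` and `reason_domain`, and the `prefilter` helper are assumptions made for illustration; all values are constructed.

```python
import ipaddress

# Constructed passive-DNS style view. Assumption: the consumer has some data
# source that maps an IP to the hostnames currently resolving to it.
HOSTED_ON = {
    "203.0.113.20": ["c2.bad.example", "shop.example", "blog.example", "clinic.example"],
    "198.51.100.7": ["c2.evil.example"],
}

# Constructed feed entries: each IP was listed because of one C&C domain on it.
FEED = [
    {"ip": "203.0.113.20", "reason_domain": "c2.bad.example"},   # shared hosting
    {"ip": "198.51.100.7", "reason_domain": "c2.evil.example"},  # dedicated host
    {"ip": "192.0.2.99", "reason_domain": "c2.other.example"},   # no hosting data
    {"ip": "not-an-ip", "reason_domain": "x.example"},           # malformed entry
]

def prefilter(entry, hosted_on, max_bystanders=0):
    """Pick the narrowest block that still covers the reported C&C domain."""
    try:
        ip = str(ipaddress.ip_address(entry["ip"]))
    except ValueError:
        # Malformed indicators are dropped rather than pushed to a firewall.
        return {"action": "reject", "target": entry["ip"], "bystanders": []}

    domains = hosted_on.get(ip)
    if domains is None:
        # Blast radius unknown: block only the domain the feed actually named.
        return {"action": "block_domain", "target": entry["reason_domain"],
                "bystanders": []}

    bystanders = sorted(d for d in domains if d != entry["reason_domain"])
    if len(bystanders) > max_bystanders:
        # Shared hosting: an IP block would take unrelated sites down too.
        return {"action": "block_domain", "target": entry["reason_domain"],
                "bystanders": bystanders}
    return {"action": "block_ip", "target": ip, "bystanders": bystanders}

if __name__ == "__main__":
    for e in FEED:
        print(e["ip"], "->", prefilter(e, HOSTED_ON))
```
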
4. Low overlap data
Are the CTI feed providers covering enough? Data emerging from feeds show a clear negative. Low overlap data suggests that feeds are not covering enough, leaving a vast region unmonitored. This raises the question, ‘is the coverage provided on malicious ecosystems even significant’? Though no one can truly answer this question, given that recent incidents have shown the merit of CTI feeds, this is an area that needs to be vastly improved. Out of the 24 cyber threat intelligence feeds analyzed as a part of a survey, there was no overlap between any two CTI feeds.
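The two measurements discussed in this section, delay and overlap, can be computed for any set of feeds an enterprise subscribes to. The following is an added example, not part of the original post: it parses constructed JSON feeds, reports the pairwise Jaccard overlap, and reports how many days each feed lags behind the first feed to list a shared indicator. The feed names and the `indicator` and `first_listed` fields are assumptions.

```python
import json
from datetime import date
from itertools import combinations
from statistics import mean

# Constructed sample feeds (not real indicators): documentation-range IPs and
# .example domains. Field names "indicator"/"first_listed" are assumptions.
FEEDS_JSON = """
{
  "feed_a": [
    {"indicator": "198.51.100.7", "first_listed": "2024-03-01"},
    {"indicator": "bad.example",  "first_listed": "2024-03-04"},
    {"indicator": "203.0.113.20", "first_listed": "2024-03-10"}
  ],
  "feed_b": [
    {"indicator": "BAD.example.", "first_listed": "2024-03-25"},
    {"indicator": "192.0.2.55",   "first_listed": "2024-03-02"}
  ],
  "feed_c": [
    {"indicator": "198.51.100.7", "first_listed": "2024-03-15"},
    {"indicator": "evil.example", "first_listed": "2024-03-03"}
  ]
}
"""

def normalise(value):
    """Case-fold and drop a trailing dot so one IoC compares equal across feeds."""
    return value.strip().lower().rstrip(".")

def load_feeds(raw):
    """Parse the JSON into {feed_name: {indicator: first_listed_date}}."""
    return {
        name: {normalise(e["indicator"]): date.fromisoformat(e["first_listed"])
               for e in entries}
        for name, entries in json.loads(raw).items()
    }

def pairwise_overlap(feeds):
    """Jaccard overlap |A & B| / |A | B| for every pair of feeds."""
    return {
        (a, b): len(set(feeds[a]) & set(feeds[b])) / len(set(feeds[a]) | set(feeds[b]))
        for a, b in combinations(sorted(feeds), 2)
    }

def mean_lag_days(feeds):
    """Per feed: mean days behind the first feed to list each shared indicator."""
    lags = {name: [] for name in feeds}
    for ioc in set().union(*feeds.values()):
        seen = {n: f[ioc] for n, f in feeds.items() if ioc in f}
        if len(seen) < 2:
            continue  # an indicator in one feed only says nothing about delay
        earliest = min(seen.values())
        for n, listed in seen.items():
            lags[n].append((listed - earliest).days)
    return {n: (mean(v) if v else None) for n, v in lags.items()}

if __name__ == "__main__":
    feeds = load_feeds(FEEDS_JSON)
    print(pairwise_overlap(feeds))
    print(mean_lag_days(feeds))
```

Lag can only be measured on indicators that appear in at least two feeds, so when overlap is low the delay figure rests on very few data points.
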
Importance & Benefits of CTI Feeds
Importance of CTI Feeds:
Unarguably hackers are finding novel ways and techniques to infiltrate the systems and networks. On a parallel note, cybersecurity experts and researchers are trying to discover new means and define new methods to understand existing data feeds in securing our present and the future. Hence, Cyber Threat Intelligence feeds help enterprises in:
- Staying up-to-date on various threats, new methodologies deployed by hackers, and the volume of threats.
- Help understand industry-specific threats, frequency, and new threat vectors
- CTI feeds greatly help in making proactive decisions in mitigating current and future threats
- They greatly reveal the triads – Tactics, Techniques, and Procedures, of threat actors
- These feeds reveal previously unknown attacks and vulnerable points. This helps the Incident Response and SOC teams to quickly act upon and provide security patches.
- Provides actionable information and timely alerts
Most of the data generated across IoCs can be read by machines (by leveraging Machine Learning), thereby reducing the burden on human analysts. This data can directly be fed into the installations, further securing the network perimeter. Many CISOs (Chief Information Security Officers) believe that, with the right analysis and insights, cyber threat intelligence feeds provide the right context and help the C-suite in making critical strategic decisions.
Benefits of CTI Feeds:
Cyber Threat Intelligence (CTI) feeds are a continuous stream of data from various IoCs. This is similar to a flowing river with tributaries joining it along its course. Various data coming from both internal and external intelligence becomes a part of the CTI feeds, which help in protecting an enterprise from present and future cyber-attacks. These CTI feeds also have the potential to unearth a previous attack that might have gone unnoticed.
The IR and SOC teams use these critical feeds to constantly monitor and guard the systems. The best part of a CTI feed is that it is constantly updated from feeds globally on new threats and exploits, thereby preparing enterprises ahead of a previously known attack. Following are the key benefits an enterprise enjoys from dependable cyber threat intelligence feeds:
1. Minimizing the risk factor
Even before a hacker or a cyber-intruder attempts to infiltrate your system, cyber threat intelligence feeds help in identifying the vulnerabilities and prevent exploitation. Timely warnings and alerts are key to secure systems and networks. It greatly minimizes the risk factor of a possible cyber-attack.
2. Gathering actionable data (IoCs)
Data with context is highly valuable in today’s world. Using proper tools and deploying suitable analytical skills, the CTI feeds provide highly actionable data. They provide key data like IP addresses, malicious URLs, C&C servers, and other resources used in a cyber-attack. The enterprise can scan for any such data seen in a previous cyber-attack and take a necessary course of action, such as blocking that connection. This reduces the likelihood of a similar cyber-attack.
3. Avoid Data breaches and Secure your network
By understanding threat natures and the threat vectors, courtesy of CTI feeds, and taking preemptive measures, it is very possible to avoid data breaches and secure the network. Owing to constant surveillance for any malicious URLs, links, domains, and IP addresses that are preying on the network, the CTI can be cynical and prevent them from accessing the network.
4. Evaluating security posture
With regular updates on new threats, new methods, and new tactics, the cyber threat intelligence feeds can provide us with valuable information in evaluating the security posture of the network. It helps us to analyze which assets are at risk and provides information on vulnerabilities found in apps, tools, software, and processes. With timely updates and patches in place, cyber threats can be countered at large.
5. Using Cyber Threat Intelligence Feeds before, during, and after the attack
Cybersecurity researchers and experts use CTI feeds before, during, and after a cyber-attack. By using it before the attack, one can mitigate many cyber threats. If the security perimeter is broken and the network is compromised, the researchers use CTI feeds to minimize detection time and understand the possible orchestration of attack sequences. This helps them to limit affected areas and secure sensitive information. On the other hand, post an attack, the CTI feeds become a part of a larger database, paving the way for cyber forensics, analysis, and evidence collection.
6. Exchange of CTI Feeds
Enterprises from the same industry or different industries and geographical regions can exchange various CTI feeds with each other. This helps the entire ecosystem to better understand the practices of threat attackers and the countermeasures that need to be put in place. Using the feeds, the enterprises can take a preemptive measure and block the indicators on which a threat has been issued.
Threat Intelligence Lifecycle:
Cyberspace is growing, cyber threats are evolving, and even cyber security is catching up. The same is the case with the Threat intelligence lifecycle [TIL]. The TIL begins with gathering intelligence feeds from various IoCs and utilizing the intelligence in preventing a threat. It is not a one-time process, but a continuous ongoing one. The use of Machine Learning plays a key role in the TIL, helping it strengthen the organization’s security posture. The following are phases involved in the Threat intelligence lifecycle:
- Data Collections – Collecting data across various IoCs
- Data Processing – Leveraging effective use of Machine Learning
- Data Analysis – Technical & Non-Technical reports
- Dissemination – Presenting results of the analysis to all stakeholders
- Feedback – Collecting feedback from stakeholders and everyone involved
- Adjustments – Accordingly making necessary changes in the security measure and posture
An effective TIL depends on learning and adapting. This leads to strengthening the security of an enterprise.
Here is the list of key threat actors in recent times:
| Types | Threat Actors List |
|---|---|
| Ransomware attacks | Carbon Spider, Pinchy Spider, and Wizard Spider |
| Internet-faced device attacks | Wicked Panda and Aquatic Panda |
| Lock-and-leak attacks | Pioneer Kitten, Nemesis Kitten, and Spectral Kitten |
| Cloud environment targeting | Cozy Bear and Fancy Bear |
How valuable is your Cyber Threat Intelligence Feed?
Every investment you make should yield a positive result. Only then it is worth your time and money. This is given by the value it brings over time. How valuable is your investment in CTI feeds? If so, what are the parameters you are looking at before opting for such a service? Is it consumable by your team? Does it bring a context of its own?
For an enterprise to consider any CTI Feed, two aspects should be looked upon:
Many CISOs get carried away by the trending phrases in the cybersecurity ecosystem, thanks to great marketing campaigns. But very few marketers talk about the product, its importance, and its benefits. We at Sectrio make every attempt to educate our clients about the product, before recommending them the same. Likewise, you need to reassess whether the CTI feeds you are investing in are relevant to you or not. Do look out for:
As an enterprise, you should be aware of how your CTI feed provider is collecting the data. At the same time, is your provider confident about the data that is being provided to you? How noisy is it? These are the questions you need to come up with when thinking about accuracy.
This largely depends on the enterprise’s assets, security posture, and operational environment. If the CTI feed is from the same or a similar sector, the feeds thus gathered make sense and can be applied.
Providing timely cyber threat intelligence feeds can be a game-changer. The timeline generally runs from the moment a threat is detected until it has been curated and shared with the enterprise by the CTI feed provider. Once this timeframe is understood, the organization can use this information to make a risk assessment and take decisions accordingly.
Every investment comes with its ROI, and means and ways of evaluating it. The same is the case when it comes to CTI feeds. Are the feeds received useable? If so, to what extent and volume? Enterprises should evaluate whether they will be able to make timely and appropriate decisions, by assessing the available information. Usability often focuses on:
The first and foremost factor that impacts usability is whether the data is consumable or not. Data is said to be highly consumable when it is accessed, processed, and injected into all other processes in an automated manner. Enterprises should also keep a tab on whether large volumes of data can be derived consistently or not.
If data from a certain feed is not actionable, it is a complete letdown of the entire process. Any feed with timeliness and content should also possess the characteristics that make the information useful in making a decision. Can it be used for threat analysis? Or for defense analysis? These things can only be answered if the data is given a character – internally and externally. Transparency and context play a critical role in giving a feed its character.
3. Machine Readable
With thousands of alerts shown on the security dashboard, it is an almost impossible task for the human security team to keep up with every alert. With Machine Learning, a laborious task that might otherwise demand numerous man-hours can be completed in a matter of hours. To make the best use of Machine Learning for CTI feeds, one should look at the format (XML, JSON) and data structure of the data being provided.
On a final note…
eCrime has turned out to be the motivation for nearly half (49%) of the attacks, while 32% of attacks were unattributed and 18% of attacks were targeted. Only 1% of attacks were of the ‘hacktivist’ type. On a closing note, here is an interesting fact for you. 4 in 10 companies reported a security breach in the last 2 years in a survey. Out of those, 80% of companies felt they could have prevented the breach if they had a threat intelligence report. Is your company one among them?
Every enterprise goes through a phase where it feels its investments are not paying enough dividends. This is either due to ill-informed decision-making or a lack of information. At Sectrio our experts take the first step in helping you understand cybersecurity, its threats, leveraging Cyber Threat Intelligence feeds, how to best apply them, and reap benefits from them. We are just a call away.