Cyber Threat Intelligence (CTI) Lecture PDF
Summary
This document provides an introduction to Cyber Threat Intelligence (CTI). It covers key concepts like vulnerabilities, exploits, and threats. It also explores the lifecycle of CTI and discusses practical applications.
Full Transcript
Introduction to Cyber Threat Intelligence (CTI)

Agenda: Introduction to CTI; Key concepts; The CTI lifecycle; Types of CTI; Sources of CTI; Applications of CTI; Challenges in CTI; Questions.

Introduction to Cyber Threat Intelligence

Definition of Cyber Threat Intelligence (CTI): CTI is the process of collecting, analysing and disseminating information about potential and actual cyber threats. Its purpose is to help organisations understand the threats they face, enabling them to make informed security decisions.

Importance of Cyber Threat Intelligence
- Helps organisations anticipate and defend against cyberattacks
- Enhances overall cybersecurity posture by making it proactive rather than reactive
- Reduces the risks and impacts of potential security breaches

Reactive: Responding to threats after they occur. Implementing security measures in response to past incidents, focusing on ensuring incidents don't reoccur.
Proactive: Anticipating threats, building the capacity to respond to incidents before they occur.

Threat & Vulnerability

Vulnerability: A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. Vulnerabilities can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.

Exploit: An exploit is a piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behaviour or to gain access.

Threat: A threat is anything that can exploit a vulnerability to cause harm to an asset.

Example of a Vulnerability, Threat & Exploit

Vulnerability: CVE-2017-0144 refers to a critical vulnerability found in the Microsoft Server Message Block (SMB) protocol (v1 & v2). SMB is used for file sharing, resource access over a network and network communications.

Exploit: WannaCry ransomware. In 2017, WannaCry spread across the globe by exploiting EternalBlue, a computer exploit of a software vulnerability. The ransomware was delivered as a worm that leveraged EternalBlue to automatically propagate across vulnerable machines in a network. Once it gained access, it installed ransomware, encrypting the user's files and displaying a ransom note demanding payment in Bitcoin for decryption.

Threat: Threat actors can exploit this vulnerability to gain unauthorised access to networked systems. It allows remote attackers to execute arbitrary code on an affected machine by sending specially crafted packets to a vulnerable SMBv1 server.

Indicators of Compromise (IoC)

Artifacts observed on a network or in an operating system that indicate a possible breach. A few examples include:
- Unusual activity from administrator or privileged accounts, including requests for additional permissions
- Large amounts of compressed files or data bundles in incorrect or unexplained locations
- Unknown applications within the system
- Unusual inbound and outbound network traffic
- Anomalous activity, such as an increase in database read volume
- Large numbers of requests for the same file
- Suspicious registry or system file changes
- An increase in incorrect log-ins or access requests that may indicate brute force attacks
- Unusual Domain Name Servers (DNS) requests and registry configurations
- Unauthorized settings changes, including mobile device profiles
- Geographic irregularities, such as traffic from countries or locations where the organization does not have a presence or do business

Tactics, Techniques & Procedures (TTPs)
- Tactics: high-level descriptions of behaviour. Examples: persistence, data exfiltration.
- Techniques: methods adversaries use to achieve their tactics. Example: phishing for gaining initial access.
- Procedures: specific implementations of techniques. Example: using specific malware to deliver a payload.

Sources of Cyber Threat Intelligence
- Internal sources: network logs, security information and event management (SIEM) systems, incident reports. These provide real-time data specific to the organisation's environment.
- External sources: threat intelligence feeds, open-source intelligence (OSINT), and information sharing organisations (ISACs). These provide broader context and external threats that could impact the organisation.
- Technical sources: malware analysis, honeypots, and sandboxing provide detailed technical intelligence.
- HUMINT: information gathered from human sources such as cybersecurity researchers or industry experts.

Types of Cyber Threat Intelligence
1. Strategic: the identification of long-term or overall aims and interests and the means of achieving them.
2. Operational: detailed analysis of the nature and purpose of the attacks and attackers, which helps in predicting future attacks and enhancing incident response plans.
3. Tactical: details on the tactics, techniques, and procedures used by threat actors. Helps understand the methods attackers use.
4. Technical: information that security teams get from their intelligence feeds. Security teams use technical threat intelligence to monitor for new threats or investigate a security incident.

Strategic CTI Example
Strategic-level intelligence is needed to help decision-makers understand the long-term risk and guide future investments in cybersecurity.
Example (Financial Markets): A country's national financial infrastructure, including central banks and stock exchanges, is at risk of nation-state cyberattacks aimed at destabilising the …

Tactical CTI Example
Tactical CTI is needed to respond quickly and block the threat.
Example (Phishing Attacks): A manufacturing plant has detected a rise in phishing attacks targeting its employees, with a focus on stealing patented information from internal systems.

Operational CTI Example
Operational CTI is required to support proactive defence measures and incident response planning.
Example (Specific Defence): A hospital's IT security team needs to defend its network against an increasing threat of ransomware attacks.

Technical CTI Example
The technical team needs CTI to protect its systems and prevent further exploitation.
Example (Specific Actions): A web hosting company discovers that a zero-day vulnerability in a widely used web server software (e.g. Apache or Nginx) is being actively exploited in the wild.

Cyber Threat Intelligence Lifecycle
- Requirements and Planning: Define the goals of the CTI program based on the organization's needs. Determine what information is needed and how it will be used.
- Data Collection: Gather data from various sources - internal logs, external threat feeds, and open-source intelligence (OSINT).
- Data Processing: Convert raw data into a usable format; eliminate irrelevant or redundant information.
- Data Analysis: Examine processed data to identify patterns, correlations, and anomalies; develop actionable insights to guide security decisions.
- Dissemination: Share the intelligence with the relevant stakeholders.
- Feedback and Review: Assess the effectiveness of the CTI program and update processes and intelligence requirements based on lessons.

Practical Applications of Cyber Threat Intelligence
- Enhancing Incident Response: CTI helps organisations quickly identify the nature of an attack and respond effectively. Example: Using IoCs from CTI to identify infected systems during an incident.
- Threat Hunting: Proactively searching for signs of malicious activity within an organization's networks. CTI provides the necessary context and indicators to guide these hunts.
- Risk Management: CTI informs risk assessments by identifying relevant threats and helping to prioritize security efforts. Example: Adjusting security policies based on the emergence of a new threat actor.
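The following is an added example, not part of the lecture, that ties the lifecycle's Data Processing step to the incident-response application above: it normalises and deduplicates indicators from a constructed feed, matches them against constructed DNS/proxy log lines to find the hosts that contacted them, and applies the "increase in incorrect log-ins" IoC as a simple failed-login threshold. Feed values, log lines, field names and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed threat-feed entries (not real indicators; TEST-NET / .example values).
# The second and third entries are the same domain with different case and whitespace.
FEED = [
    {"type": "ip", "value": "203.0.113.7", "tags": ["smb-scanner"]},
    {"type": "domain", "value": "Bad-Updates.EXAMPLE ", "tags": ["phishing"]},
    {"type": "domain", "value": "bad-updates.example", "tags": ["phishing", "feed-b"]},
]

# Constructed log lines: DNS/proxy events plus authentication failures.
LOGS = [
    "2024-05-01T10:00:01 host=ws-12 dns query=bad-updates.example",
    "2024-05-01T10:00:05 host=ws-12 proxy dst=203.0.113.7:445",
    "2024-05-01T10:00:07 host=ws-03 proxy dst=198.51.100.20:443",
    "2024-05-01T10:00:09 host=srv-01 auth failed user=admin src=198.51.100.9",
    "2024-05-01T10:00:10 host=srv-01 auth failed user=root src=198.51.100.9",
    "2024-05-01T10:00:11 host=srv-01 auth failed user=backup src=198.51.100.9",
    "2024-05-01T10:00:12 host=srv-01 auth failed user=jdoe src=192.0.2.5",
]

def process_feed(feed):
    """Data Processing step: normalise indicator values and merge duplicate entries."""
    indicators = {}
    for entry in feed:
        value = entry["value"].strip().lower()
        indicators.setdefault(value, set()).update(entry["tags"])
    return indicators

def match_iocs(indicators, logs):
    """Incident response: map each host to the known-bad indicators it contacted."""
    hits = defaultdict(set)
    for line in logs:
        host = re.search(r"host=(\S+)", line).group(1)
        # Destination IPs (the port is excluded by the character class) and DNS query names.
        for token in re.findall(r"(?:dst=|query=)([\w.-]+)", line):
            if token.lower() in indicators:
                hits[host].add(token.lower())
    return dict(hits)

def brute_force_sources(logs, threshold=3):
    """IoC check: sources with repeated failed log-ins, a possible brute-force attempt."""
    fails = Counter(re.search(r"src=(\S+)", line).group(1)
                    for line in logs if "auth failed" in line)
    return {src: n for src, n in fails.items() if n >= threshold}
```

In the constructed data only ws-12 touches an indicator and only 198.51.100.9 crosses the failed-login threshold; a real deployment would feed these matches into the Dissemination step rather than stop here.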
Challenges in Cyber Threat Intelligence
- Data Overload: The sheer volume of threat data can be overwhelming and lead to analysis paralysis. It's crucial to filter and prioritize the most relevant information.
- Accuracy and Relevance: Not all intelligence is accurate or relevant to every organisation. Validating and contextualising intelligence is key to making it actionable.
- Timeliness: Threat intelligence must be timely to be effective. Delays in processing and sharing information can reduce its value.
- Integration: Integrating CTI into existing security infrastructure and processes can …

Questions?