Cyber Threat Intelligence (CTI) is threat data or information that has been "aggregated, transformed, analysed, interpreted, or enriched to provide the necessary context for decision-making processes".
National Institute of Standards and Technology (NIST)
Threat intelligence (TI) is evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice — about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard.
Gartner
Strategic TI is information that provides a broad, high-level view of current attack trends, risks and attacker motives. It helps decision makers prioritise resource allocation and security spending, and is usually consumed in the form of reports.
Tactical TI is intelligence on how threat actors are executing attacks and how incident responders can prepare for and mitigate threats. It includes attacker Tactics, Techniques and Procedures (TTPs), vectors and indicators.
Operational TI is information about possible attacks against an organisation, and the infrastructure, resources and capabilities of attackers. It is usually externally sourced through OSINT (Open Source Intelligence) feeds and dedicated CTI providers with access to closed chat forums.
Qualitative TI focuses on a limited set of subjects but covers these subjects in great detail. It involves the in-depth investigation of specific attack campaigns, threat actors or malware families, and is oriented towards enriching an organisation's existing knowledge base.
Quantitative TI has a wider area of focus and covers a large number of subjects that may include threats, techniques and malware targeting a certain sector or region. It involves bringing together information from a range of sources, much of which may be publicly available.
Internal
Internal TI includes everything collected from the network and endpoint monitoring and security tools used within the organisation, in addition to internal processes, reports and other documentation, such as:
External
External TI comes from external sources like public TI feeds, blogs, news sites, commercial TI vendors or industry-specific TI communities and groups dedicated to information sharing. These may include:
Threat intelligence is an important component of all stages of cyber defence.
Ultimately, actionable threat intelligence helps with proactive defence and overall better decision making. Integrating relevant CTI into your security tool stack improves all areas of your cyber defence.
While threat intelligence is critical to the success of any cyber defence program, and the data it is culled from is sometimes widely and readily available, it can be challenging to turn raw data into useful, relevant intelligence. Some of the issues the cyber security community has had to deal with over the years are:
Security Orchestration, Automation and Response (SOAR) technologies have helped solve many of these challenges by enabling organisations and security teams to ingest and automatically correlate data from various internal and external CTI sources. This makes the data usable for different security functions.
The automatic correlation and enrichment of different indicators and artifacts facilitates the integration of relevant threat intelligence into detection and response tools to operationalise it.
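The correlation and enrichment step described above, as an added example that is not LinearStack's code or any specific SOAR product: indicators from one internal tool and two external feeds are merged by type and value, and an alert's artifacts are then tagged with the merged context and a derived priority. All indicator values, source names and the alert are constructed sample data.

```python
# Added example (not LinearStack's code). Indicators, sources and alert are constructed.
INDICATORS = [
    {"type": "ip", "value": "203.0.113.7", "source": "internal:edr",
     "confidence": 60, "context": "beaconing observed from host WS-14"},
    {"type": "ip", "value": "203.0.113.7", "source": "external:osint-feed",
     "confidence": 80, "context": "listed as C2 for a phishing campaign"},
    {"type": "domain", "value": "update-check.example", "source": "external:vendor",
     "confidence": 90, "context": "lure domain, delivers loader"},
]

def correlate(indicators):
    """Merge records by (type, value): union the sources, keep the highest
    confidence and every context note, and flag indicators reported by more
    than one source as corroborated."""
    merged = {}
    for ind in indicators:
        entry = merged.setdefault((ind["type"], ind["value"]), {
            "type": ind["type"], "value": ind["value"],
            "sources": set(), "confidence": 0, "context": []})
        entry["sources"].add(ind["source"])
        entry["confidence"] = max(entry["confidence"], ind["confidence"])
        entry["context"].append(ind["context"])
    for entry in merged.values():
        entry["corroborated"] = len(entry["sources"]) > 1
    return merged

def enrich_alert(alert, merged):
    """Attach matching TI context to each artifact of an alert. Artifacts with
    no match are kept and marked as unknown so the analyst sees the gap, and
    the alert gets a priority derived from the best corroborated match."""
    artifacts = [dict(a, ti=merged.get((a["type"], a["value"])))
                 for a in alert["artifacts"]]
    hits = [a["ti"] for a in artifacts if a["ti"]]
    confidence = max((h["confidence"] for h in hits), default=0)
    corroborated = any(h["corroborated"] for h in hits)
    priority = ("high" if corroborated and confidence >= 70
                else "medium" if hits else "low")
    return dict(alert, artifacts=artifacts, confidence=confidence,
                priority=priority)

# Constructed alert: one artifact matches two sources, one matches nothing.
SAMPLE_ALERT = {"id": "alert-0001", "artifacts": [
    {"type": "ip", "value": "203.0.113.7"},
    {"type": "domain", "value": "intranet.example"}]}

if __name__ == "__main__":
    result = enrich_alert(SAMPLE_ALERT, correlate(INDICATORS))
    print(result["priority"], result["confidence"])  # high 80
```

An artifact that matches only a single uncorroborated source yields "medium" priority, and an alert with no matching artifacts yields "low", so the unknowns stay visible rather than silently dropped.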
Managed Detection and Response (MDR) providers like LinearStack leverage a variety of tools, processes and human expertise to derive actionable threat intelligence out of threat data. Relevant CTI is built into detection tools for speedier investigations and deeper, more thorough root-cause analysis.
MDR services also use orchestration and automation technology with streamlined, playbook-driven processes to ingest, analyse, correlate and filter threat data, and add context to alerts and artifacts. This automated enrichment of threat indicators with additional context, which is a feature built into most modern XDR platforms, allows incident responders to reduce response time significantly.
As your MDR provider, we work closely with your internal teams to understand your business priorities, IT infrastructure and critical assets so we can deliver relevant CTI collated specifically to meet your unique needs. We ensure that you get actionable, timely threat intelligence that can be integrated into your detection and response tools and processes for faster detection, streamlined investigation, and more effective response.
Our follow-the-sun MDR service is designed to augment your cyber defence capabilities with best-in-class detection and response technology and skilled security professionals who protect you from threats 24/7.
Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free consultation with one of our security experts. We can walk you through our Managed Detection and Response process and demonstrate how our analysts stop advanced threats every day to help organisations like yours stay protected.
Read more here https://www.linearstack.co.nz/managed-services/managed-detection-response