Cyber Threat Intelligence: what are we talking about?

04/04/22

The use of English in the tech-rich world we live in is a constant, as is the speed of light in physics.

It often happens that cybersecurity experts, perhaps from different countries, talk to one another assuming they understand each other simply because they use English terms such as "cyber threat intelligence".

The question we ask ourselves today is: when we say "Cyber Threat Intelligence", does everyone know what we are talking about? Let's try to understand it together, starting from the term "Threat".

Consulting a bilingual dictionary we discover that the word "Threat" means "threat". If we place ourselves in the cyber world, we can refer to the definition of the National Institute of Standards and Technology (USA, NIST SP 800-30 / 800-150 and CNSSI-4009), which defines "Cyber Threat" as:

"Any circumstance or event capable of adversely affecting the operations of an organization (mission, functions, image or reputation), the organisation's assets, individuals, other organizations or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service."

To understand what is meant by "Threat Intelligence", we turn to the Kaspersky website:

"Threat intelligence allows you to identify and analyze cyber threats targeting a company, sifting through huge amounts of data, examining it and contextualizing it for real problems and possible solutions."

Putting the concepts together, we can say that Cyber Threat Intelligence means "the research and analysis of cyber threats directed against a company, an organization or a State, and their contextualization in search of real problems and their solutions".

The main objectives of Threat Intelligence are:

- know your adversaries (activists, criminal organizations, governments, competitors ... attribution);

- know what tactics (why) and techniques (how) can be used against our company;

- know which controls to put in place based on the threats, and how to mitigate the risk (possible solutions).

There are many tools used to do cyber threat intelligence; MITRE provides several, and to learn more there are some excellent articles that we recommend, including "Fighting the bad guys in a structured way" by Marco Rottigni and "Know the opponent's cyber tactics" by Orazio Danilo Russo.

Having clarified the terminology, let's move on to a practical example that helps to understand the concepts just expressed.

Suppose we are the head of a company that produces and sells rubber gloves, both domestically and abroad. The CISO (Chief Information Security Officer), in coordination with the CTO (Chief Technology Officer), has chosen an antivirus for the workstations and for the production control machines, and has signed a contract with a company providing security services.

The role of the security services provider is to collect data from all of our company's devices, then analyze, correlate and contextualize it in search of real and direct threats against our company, and to suggest the possible mitigations and/or solutions to the problems and threats identified.

The choice of one or more of the proposed solutions depends on many factors, the cost/effectiveness ratio among them.

An example: suppose that the first data collection from the network workstations shows that some of them run an old operating system, not updated or no longer supported. Among the solutions that could be suggested we will surely find:

- update the operating system;

- replace the operating system that is no longer supported;

- replace the offending machines.

Of course, the solutions listed will solve or mitigate only some of the problems relating to corporate security: there are different types of threats, and not all of them have the same effect on a company or organization. We must always keep in mind that, no matter how good and careful we are, it is not possible to eliminate all threats!

The choice of the solution to be implemented will be up to the company, which usually decides on economic but also contingent criteria. In our example, it could happen that the machines identified are used in a production cycle that cannot be interrupted without compromising the entire process, so that not all the suggested solutions can be put into practice. Cyber Threat Intelligence has its importance, but it is only one piece of corporate security.
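As an added illustration of the data-collection step just described (this is not the article's code; the hostnames, OS names, patch levels and end-of-support dates are constructed sample data, not real vendor lifecycle information), here is a small Python triage that maps each machine found in the inventory to the options listed above and flags the machines that run in a production cycle that cannot be interrupted, leaving the final decision to the company:

```python
"""Triage of an asset inventory against an OS lifecycle table.

Added illustration of the article's example (unsupported or outdated operating
systems found during the provider's first data collection); it is not the
article's code. Every hostname, OS name and end-of-support date below is
constructed sample data, not real vendor lifecycle information.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed lifecycle table: OS name -> end-of-support date (None = still supported).
END_OF_SUPPORT: Dict[str, Optional[date]] = {
    "ExampleOS 7": date(2020, 1, 14),
    "ExampleOS 10": date(2025, 10, 14),
    "ExampleOS 11": None,
}

# Report date: the article's publication date, used as "today" so the result is reproducible.
REPORT_DATE = date(2022, 4, 4)


@dataclass
class Asset:
    hostname: str
    os_name: str
    patch_level: int          # constructed: cumulative updates applied on the machine
    latest_patch_level: int   # constructed: latest cumulative update the vendor offers
    role: str                 # "production_control" or "workstation"
    interruptible: bool       # False if part of a production cycle that cannot be stopped


@dataclass
class Finding:
    hostname: str
    role: str
    issue: str                          # "unsupported_os", "unknown_os" or "outdated_os"
    options: List[str]                  # remediation options to propose, as in the article
    constraint: Optional[str] = None    # operational constraint the CISO/CTO must weigh


def assess_asset(asset: Asset, today: date) -> Optional[Finding]:
    """Classify one asset; return None when nothing needs attention."""
    # A machine whose OS is not in the lifecycle table cannot be assessed yet:
    # the data has to be contextualized before any option can be proposed.
    if asset.os_name not in END_OF_SUPPORT:
        return Finding(asset.hostname, asset.role, "unknown_os",
                       ["identify the operating system and add it to the lifecycle table"])

    # A machine that cannot be stopped still gets the finding, but the proposal
    # is explicitly left to the company's decision, which is the article's point.
    constraint = None
    if not asset.interruptible:
        constraint = ("machine runs in a production cycle that cannot be interrupted: "
                      "apply the chosen option only at a planned stop")

    eos = END_OF_SUPPORT[asset.os_name]
    if eos is not None and eos <= today:
        return Finding(asset.hostname, asset.role, "unsupported_os",
                       ["replace the operating system that is no longer supported",
                        "replace the offending machine"], constraint)

    if asset.patch_level < asset.latest_patch_level:
        return Finding(asset.hostname, asset.role, "outdated_os",
                       ["update the operating system"], constraint)
    return None


def triage(assets: List[Asset], today: date) -> List[Finding]:
    """Assess every asset; worst issue first, production control before workstations."""
    issue_rank = {"unsupported_os": 0, "unknown_os": 1, "outdated_os": 2}
    role_rank = {"production_control": 0, "workstation": 1}
    findings = [f for a in assets if (f := assess_asset(a, today)) is not None]
    return sorted(findings,
                  key=lambda f: (issue_rank[f.issue], role_rank.get(f.role, 9), f.hostname))


# Constructed inventory standing in for the provider's first data collection.
SAMPLE_INVENTORY = [
    Asset("ws-01", "ExampleOS 11", 12, 12, "workstation", True),
    Asset("ws-02", "ExampleOS 10", 8, 10, "workstation", True),
    Asset("plc-01", "ExampleOS 7", 3, 3, "production_control", False),
    Asset("plc-02", "LegacyRTOS 2", 1, 1, "production_control", False),
]


def run_example() -> List[Finding]:
    """Triage the constructed inventory as of REPORT_DATE."""
    return triage(SAMPLE_INVENTORY, REPORT_DATE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.hostname:8} {f.issue:15} options={f.options}"
              + (f"  constraint: {f.constraint}" if f.constraint else ""))
```

The ordering deliberately puts the unsupported production controller first even though it is the one the company may not be able to touch immediately: the provider's job is to surface and rank the problem with its constraint attached, and the choice of when and how to act stays with the CISO and CTO.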

For this reason it is not possible to delegate everything externally, except in very special cases. It is up to the CISO and the CTO, who know the company, its production processes and its operational context, to make the right decision based on various factors, including Cyber Threat Intelligence.

Alessandro Rugolo, Annalisa Diana

We thank all the friends of SICYNT for the suggestions that have allowed us to improve the article, making it understandable to all.

To learn more:

CNSSI-4009.pdf (rmf.org)

Guide to Cyber Threat Information Sharing (nist.gov)

SP 800-30 Rev. 1, Guide for Conducting Risk Assessments | CSRC (nist.gov)

https://www.kaspersky.com/resource-center/definitions/threat-intelligence

Introduction to Cyber Threat Intelligence (CTI): A Definitive Guide for The Beginners - Hackers Terminal

The MITRE Corporation

Photo: US Air Force / web