Welcome to the world of Cyber Threat Intelligence!
If you're new to cybersecurity, you might be wondering what CTI is and why it's important. In this article, I'll explain what it is, how it's used, and why it's important for cybersecurity teams to pay attention to it.
At a high level, CTI is the practice of collecting, analysing and disseminating information about threats to an organisation's cybersecurity. What gets disseminated could be anything from information about malicious software and hacking groups to phishing attacks and data breaches: anything that could be useful for someone to know about cybersecurity threats.
The main goal of CTI is to help organisations stay one step ahead of potential threats. High-quality intelligence can enable teams to implement the right security controls, train employees on how to spot and avoid attacks, or even work with law enforcement to track down and prosecute cybercriminals.
Another important aspect of CTI is the sharing of information with other organisations. By sharing information about threats, organisations can work together to strengthen their cybersecurity postures. This is crucial in today's hyper-connected world, where a threat to one organisation can often have far-reaching consequences.
Types of Intelligence
There are three types of intelligence that can be used to help protect an organisation from attacks:
- Tactical intelligence: This type of intelligence is concerned with the specific tactics and techniques used by cybercriminals, including information about their goals, methods, and targets. Things like Indicators of Compromise and the MITRE ATT&CK framework fall into this category.
- Operational intelligence: This type of intelligence is about the current activities cybercriminals are undertaking, including information about their targets, tactics, and techniques. You can get a lot of information from cybersecurity companies that cover operational intelligence.
- Strategic intelligence: This type of intelligence is about the long-term plans and objectives of cybercriminals, including information about their motivations and overall strategy. A good example is reporting on the long-term objectives that China has in cyberspace.
What if you don't have CTI?
Cybersecurity programmes that run without any form of CTI are running blind. No matter what size of cybersecurity function your company has, it should have an element of CTI within it. We can all understand the power of intelligence through an analogy:
When you buy new windows for your house, you make sure they have locks on them, but what if someone (the intelligence team) told you that in your area, the primary threat is actually from the glass being cut with a diamond-cutting device? In that case, you’d be wise to prioritise finding glass that can withstand such an attack. Very simply, that is the power of intelligence.
How can you get involved?
You could become a Cyber Threat Intelligence Analyst or you could just take a keen interest in CTI. Many organisations don't hire CTI Analysts; they just have their Security Operations Centre staff carry out CTI duties. The bottom line is to take an interest in the global cyber landscape and discuss its impact on your organisation.