Cyber Threat Intelligence Program Overview

Mar 10, 2025

Lecture Notes on Building a Cyber Threat Intelligence (CTI) Program

Intended Audience

  • Leadership & Key Decision-Makers
    • CTI Directors & Team Leaders
    • Cybersecurity Executives & Senior Leaders
    • Chief Information Security Officer (CISO)
    • Chief Information Officer (CIO)
    • Security Operations Center (SOC) Manager/Director
  • Intelligence & Security Practitioners
    • Threat Intelligence Analyst
    • Incident Response (IR) Manager/Specialist
    • CTI Team Lead/Manager
    • Cybersecurity Manager
    • Security Architect
    • Network Security Engineer
  • Risk, Compliance & Business Resilience
    • Risk and Compliance Manager
    • Business Continuity Manager
  • IT & Infrastructure Leaders
    • IT Director
  • Cybersecurity Stakeholders
    • SOC Analysts, Incident Responders, and Cybersecurity Researchers

Purpose of the E-Guide

  • Operationalizing threat intelligence
    • Filter through alerts to prioritize risks.
    • Enhance protection with actionable intelligence.
    • Integrate threat intelligence into broader security operations.

Introduction

  • Defense without intelligence is likened to knowing nothing about the enemy.
  • Challenges: Complexity of mapping risks and aligning with theoretical models.
  • Objectives: Provide insights into the unique threat landscape to outwit adversaries.

What is CTI and its Components?

  • CTI Definition: Systematic collection, processing, analysis, and dissemination of information about cyber threats.
  • Key Components:
    • Data: Pieces of information such as IP addresses.
    • Context: Circumstances affecting security posture.
    • Intelligence: Conclusions drawn from data.

CTI Feeds & Data

  • CTI Feeds: Automate integration of data sources with security systems.
  • Types of Data:
    • IoC (Indicators of Compromise)
    • Malware signatures
    • TTPs (Tactics, Techniques, and Procedures)
    • Reports and Vulnerabilities
    • Compromises and Dark web information

Levels of Data

  • Strategic Intelligence
  • Operational Intelligence
  • Tactical Intelligence

CTI Data Flows

  • Integration with cybersecurity processes
    • Log Management
    • Monitoring
    • Incident Response
    • Vulnerability Management
    • Threat Hunting
    • Fraud Protection

Types of Threat Actors

  • Nation-State Threat Actors
  • Unskilled Attackers/Hackers
  • Insider Threats
  • Hacktivists
  • Organized Crime
  • Shadow IT

MITRE ATT&CK® & Group-IB Threat Intelligence

  • Framework for describing attack tactics and techniques.
  • Stages of a Cybercriminal Campaign Lifecycle:
    • Reconnaissance
    • Resource Development
    • Initial Access
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Payload Deployment
    • Data Exfiltration & Impact

CTI Lifecycle

  • Stages:
    • Planning
    • Intelligence Gathering
    • Intelligence Processing
    • Intelligence Analysis and Grading
    • Sharing Intelligence
    • Feedback & Optimizations

Indicators of Compromise (IoCs) and the Pyramid of Pain

  • IoCs: Artifacts indicating potential threats.
  • Pyramid of Pain: Hierarchy of indicator types ordered by how costly each is for an adversary to change (hashes at the bottom, TTPs at the top); disrupting the higher levels hurts cybercriminals the most.

Building CTI Maturity

  • Advancing up the Pyramid of Pain increases cost for attackers.
  • Enriching Raw Intelligence: Transitioning from consuming to creating intelligence.

Forming a CTI Cross-Functional Team

  • Key Roles:
    • CTI Team Lead
    • CTI Analyst
  • Functions of the CTI Team:
    • Data Collection
    • Analysis
    • Vulnerability Intelligence
    • Reporting
    • Security Awareness
    • Threat Feed Management
    • Policy and Strategy Development
    • Information Sharing

Writing Intelligence Reports

  • Importance of Effective Reporting: To keep employees informed and guide stakeholders in security investments.
  • Basic Template for Reporting Needs: Tailored based on organizational requirements.

Practical Application of CTI and Group-IB TI Platform

  • Real-Time Monitoring and Visibility
  • Situational Awareness & Context
  • Proactive Defenses
  • Simulation, Emulation, and Offensive Operations
  • Threat Response
  • Threat Hunting
  • Risk Assessment
  • Post-Incident Analysis
  • Prioritization of Resources

Choosing the Right Tools and Technologies

  • Considerations for Selecting Tools:
    • IOC Ingestion
    • Visualized Intelligence
    • Scalability
    • Integration
    • Threat Actor Profiling

Threat Intelligence Collection and Insights

  • Threat Landscape: Specific to platform and infrastructure type.
  • Building Threat Profiles: Refines intelligence to identify key threat actors.

Operationalizing Threat Intelligence

  • Automation: Essential for continuous threat intelligence gathering.
  • CTI ingestion and optimization workflow:
    • Collection
    • Processing & Enrichment
    • Data Routing
    • Automated Threat Response
    • Feedback & Intelligence Management

Feedback and Optimization

  • Methods for Gathering Feedback: Post-Incident Reviews, Simulations, Automated Feedback Collection.
  • See the Solution Brief for more in-depth insights.