Threats are diverse. So is Threat Intelligence
When it comes to information on the cyber-battlefield, what is called Cyber Threat Intelligence (CTI) can vary widely, between the raw streaming of observables, up to the fully contextualised curation of bespoke threat models.
Indeed, for a CTI practice to be effective, analysts must take into account the full spectrum of indicators that might apply to their organisation and leverage intelligence products that are not only informative but also actionable. This means both breadth of scope and depth of data.
(Figure: list of observable types based on STIX. Security data comes in a wide diversity.)
In the field, security operations analysts are tasked with providing timely and efficient detection and response to their stakeholders. This means that every piece of intelligence they gather must be operationalised. For instance, it must be timely: if you provide information about a threat after the attack has already happened, that information is far less valuable. It’s also important for your intelligence to be accurate—if it’s not, it can do more harm than good, for example by triggering overreactions.
Intelligence should also be relevant: if you’re talking about threats that are rarely or never used against your own exposure profile, then your security operators won’t want to pay attention. They need information that will help them make decisions—in other words, they want contextualised information.
To this end, we recommend organising cyber threat intelligence into a T-shaped approach: analysing threats broadly as well as being able to dig deeply into specific ones, and curating sources to provide a balanced portfolio.
The T-shaped CTI has cyber threats in your crosshairs
To achieve both comprehensive coverage and optimisation of resources, we believe in a balanced and structured approach to Threat Intelligence that we have called the T-Shaped CTI. Organisations must balance breadth of scope—being able to articulate any kind of threat, across any type of vector—with depth of data—being able to leverage every single piece of information coming from the trenches.
(Figure: T-shaped intelligence combines breadth and depth.)
The first component, breadth, represents the different kinds of threat components that an organisation can monitor and use for investigation. As threat actors try to leverage every possible technical asset they can get their hands on, CTI cannot consist of only one kind of indicator (such as IP addresses or file hashes), but must embrace everything as well as providing the context that will help sort out the relevance and timeliness of this information.
The second dimension—depth—refers to the ability to leverage a large volume of telemetry on the most common types of indicators. IP addresses are the most widely used type of indicator, since almost every intrusion involves at least one IP address at some point as attackers move through networks. But their versatility and fluidity also make the sheer volume overwhelming when handled improperly. To avoid that, it is paramount to wield tools that provide not only the volume, but also context and user friendliness.
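The four properties above (timely, accurate, relevant, contextualised) and the breadth/depth split are easier to see on concrete data. The following is an added example written for this article, not SEKOIA's code: it takes a small constructed STIX 2.1 bundle (the indicator IDs, values and dates are made up, and the `x_sector` custom property used to model an organisation's exposure profile is an assumption, not part of the standard), drops indicators that are expired, low-confidence or irrelevant to the profile, merges duplicate IP observations keeping the best-contextualised one, and counts how many observable types the feed actually covers.

```python
"""Added example: operationalising a STIX 2.1 indicator feed (constructed data)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '192.0.2.10']
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\]$")


def _indicator(n, pattern, valid_from, valid_until, confidence, sectors):
    """Build a minimal STIX 2.1 Indicator SDO; 'x_sector' is an assumed custom property."""
    ind = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": valid_from, "confidence": confidence}
    if valid_until:
        ind["valid_until"] = valid_until
    if sectors:
        ind["x_sector"] = sectors
    return ind


# Constructed sample bundle (documentation addresses and placeholder hash, not real IoCs).
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(10, "[ipv4-addr:value = '192.0.2.10']", "2024-01-01T00:00:00Z", "2024-02-01T00:00:00Z", 85, ["finance"]),
        _indicator(11, "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "']", "2023-06-01T00:00:00Z", None, 95, ["energy"]),
        _indicator(12, "[domain-name:value = 'malicious.example']", "2024-01-10T00:00:00Z", "2024-01-20T00:00:00Z", 70, None),
        _indicator(13, "[ipv4-addr:value = '198.51.100.7']", "2024-01-15T00:00:00Z", None, 30, ["finance"]),
        _indicator(14, "[ipv4-addr:value = '203.0.113.5']", "2024-01-20T00:00:00Z", "2024-03-01T00:00:00Z", 90, ["finance", "retail"]),
        # Same IP as the first object, reported by another source with less confidence.
        _indicator(15, "[ipv4-addr:value = '192.0.2.10']", "2024-01-05T00:00:00Z", None, 65, ["finance"]),
    ],
}

NOW = datetime(2024, 1, 25, tzinfo=timezone.utc)   # evaluation time for the sample
EXPOSURE_PROFILE = {"finance"}                      # sectors this organisation cares about


def parse_pattern(pattern):
    """Return (observable type, property path, value) for a single-comparison pattern."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return m.group(1), m.group(2), m.group(3)


def _ts(value):
    # STIX timestamps end in 'Z'; fromisoformat on older Pythons needs '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_timely(ind, now):
    """Timely: already valid and not past its valid_until (absent valid_until = open-ended)."""
    if _ts(ind["valid_from"]) > now:
        return False
    return "valid_until" not in ind or now < _ts(ind["valid_until"])


def is_accurate(ind, min_confidence):
    """Accurate: producer confidence (0-100) meets the analyst's threshold."""
    return ind.get("confidence", 0) >= min_confidence


def is_relevant(ind, profile):
    """Relevant: untagged indicators pass; tagged ones must overlap the exposure profile."""
    sectors = ind.get("x_sector")
    return not sectors or bool(set(sectors) & profile)


def actionable_indicators(bundle, now, profile, min_confidence=60):
    """Filter the feed down to what operators should act on, deduplicating by (type, value)."""
    best = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        if not (is_timely(obj, now) and is_accurate(obj, min_confidence) and is_relevant(obj, profile)):
            continue
        obs_type, _path, value = parse_pattern(obj["pattern"])
        key = (obs_type, value)
        # Depth: many sightings of one IP collapse into the best-contextualised record.
        if key not in best or obj["confidence"] > best[key]["confidence"]:
            best[key] = {"type": obs_type, "value": value,
                         "confidence": obj["confidence"], "id": obj["id"]}
    return sorted(best.values(), key=lambda d: d["confidence"], reverse=True)


def breadth(bundle):
    """Breadth: how many distinct observable types the feed covers, and how many of each."""
    return Counter(parse_pattern(o["pattern"])[0]
                   for o in bundle["objects"] if o.get("type") == "indicator")


if __name__ == "__main__":
    for hit in actionable_indicators(SAMPLE_BUNDLE, NOW, EXPOSURE_PROFILE):
        print(hit)
    print(dict(breadth(SAMPLE_BUNDLE)))
```

On the sample, only two of six indicators survive: the expired domain, the low-confidence IP and the energy-sector hash are dropped, and the two sightings of the same IP merge into one record carrying the higher confidence. The breadth count shows the feed is four-fifths IP addresses, which is exactly the situation the text warns about: plenty of depth on one indicator type, little coverage elsewhere.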
SEKOIA.IO CTI: Modelling and metadata at the heart of actionability
Since 2008, we have believed that intelligence is key to making cyberattacks painless. We have created an environment that harmoniously combines the advanced skills of our in-house researchers with technology to accelerate the intelligence cycle at light speed and leverage the results for a wide range of threat intelligence uses.
By actively monitoring our own custom trackers and honeypots as well as open intelligence sources (OSINT), we are able to finely model the activity of attackers in near real time. This enables us to provide our customers with detailed information at the various required levels: from technical indicators for low-level hunting and investigation, up to strategic insight supporting the decision making of the security organisation.
This enrichment approach is a perfect complement to the telemetry and data that technology partners can provide. The threat intelligence from SEKOIA is always fully modelled and contextualised. This means that beyond technical indicators, we provide metadata enabling security teams to sort through relevant information more quickly. And our native threat modelling is compliant with the latest open standards like STIX 2.1—to which we incidentally contributed as a member of the OASIS technical committee.
Joining forces for the benefit of security teams
What does it mean for security analysts? It means that curating a balanced portfolio of CTI is an expertise that they can outsource to SEKOIA. We partner with various data brokers to continuously enhance our coverage without compromising on the quality of our feeds. For instance, we can rely on additional network telemetry obtained from trusted partners. From indicators giving away specific attacker groups, to insights into their tools and procedures and beyond, threats will have far less room to hide.
Thanks for reading. You can also read this article, where we share how our CTI allowed us to track and detect Cobalt Strike.