As cyber attacks grow ever more sophisticated, it has become essential for companies and institutions to acquire and maintain knowledge of the threat and of the attacker.
To understand these new challenges, François Deruty, Chief Operating Officer at SEKOIA, gives enlightening answers in this interview on what Cyber Threat Intelligence (CTI) is.
A cyber threat intelligence (CTI) platform covers the research, analysis and modeling of cyber threats. It makes it possible to describe a threat or a computer attack through contextualized elements and/or indicators that are understandable by humans or by machines.
What is CTI used for?
A CTI platform is used to prevent and detect computer attacks. It provides prior knowledge of the threat in order to anticipate it, i.e. to take defensive countermeasures upstream and, when necessary, to detect it in real time.
“To give you an image, I will reinforce my front door, to which I will add locks and cameras. These extra locks allow me to deal with actors trying to force it every day. The CTI is used to detect when this takes place; it is a means of anticipation allowing me to see that people are trying to enter my home.” François Deruty, COO SEKOIA.IO.
Going back to the computing environment, the locks can be blacklists: we know that certain items are used daily by attackers, items that are not trusted, which we will either blacklist or quarantine for the time needed to verify that they are legitimate. The CTI platform is used to model this set and to understand and detect these events.
Schematic representation of the types of threats at the entrance of the SEKOIA.IO CTI platform and the actions at the exit.
How to make the information usable?
Today, information is made usable first by contextualizing it as much as possible, then by modeling it in a format accepted by the greatest number of tools while keeping it quickly understandable by analysts (STIX is currently the format most widely adopted by the community).
Behind the scenes of producing cyber threat intelligence
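The two ideas above, a contextualized, machine-readable model of the threat (STIX) and a blacklist-style check that turns it into detections, can be shown together in a few lines. The example below is added here and is not SEKOIA's code: it embeds a constructed STIX 2.1 bundle (an indicator, the malware it indicates, and the relationship that carries that context), parses the single-comparison subset of the STIX pattern language, and matches constructed firewall-style events against it, keeping the malware name as context on each alert and skipping indicators below a confidence threshold. All identifiers, the IP addresses (documentation ranges) and the malware name are made up for the example.

```python
"""Model a threat as STIX 2.1 objects and match constructed events against it (added example)."""
import json
import re

# Constructed sample bundle: all ids, names and addresses are invented for this example.
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Example C2 server",
            "indicator_types": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "pattern_type": "stix",
            "valid_from": "2024-01-01T00:00:00Z",
            "confidence": 80,
        },
        {
            "type": "malware", "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-000000000003",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "ExampleLoader", "is_family": True,
        },
        {
            "type": "relationship", "spec_version": "2.1",
            "id": "relationship--00000000-0000-4000-8000-000000000004",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
            "target_ref": "malware--00000000-0000-4000-8000-000000000003",
        },
    ],
}

# Only the simplest STIX pattern shape is handled here: one equality comparison
# on one observable property, e.g. [ipv4-addr:value = '...'].
_PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]$")


def parse_pattern(pattern):
    """Return (object_type, property, value) for a single-comparison STIX pattern."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return m.group("obj"), m.group("prop"), m.group("val")


def index_bundle(bundle):
    """Build lookups: every object by id, and for each indicator the names it 'indicates'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    context = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            target = by_id.get(o["target_ref"], {})
            context.setdefault(o["source_ref"], []).append(target.get("name", o["target_ref"]))
    return by_id, context


def match_events(bundle, events, min_confidence=50):
    """Compare each event's observables with the bundle's indicators.

    events: dicts keyed by STIX observable type, e.g. {"ipv4-addr": {"value": "..."}}.
    Indicators whose confidence is below min_confidence are ignored, so that
    weakly sourced intelligence does not flood analysts with alerts.
    """
    by_id, context = index_bundle(bundle)
    alerts = []
    for obj in by_id.values():
        if obj["type"] != "indicator" or obj.get("confidence", 0) < min_confidence:
            continue
        obj_type, prop, value = parse_pattern(obj["pattern"])
        for ev in events:
            if ev.get(obj_type, {}).get(prop) == value:
                alerts.append({
                    "event": ev,
                    "indicator": obj["name"],
                    "confidence": obj["confidence"],
                    "indicates": context.get(obj["id"], []),  # context for the analyst
                })
    return alerts


# Constructed sample events, as a normalised firewall log might yield them.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "ipv4-addr": {"value": "198.51.100.7"}},
    {"src": "10.0.0.6", "ipv4-addr": {"value": "203.0.113.9"}},
]

if __name__ == "__main__":
    for alert in match_events(STIX_BUNDLE, SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the script prints one alert for the first event only; the alert carries the indicator name, its confidence and the related malware name, which is the kind of context that lets an analyst qualify the hit quickly instead of chasing a bare IP address. Raising `min_confidence` above the indicator's value suppresses it, which is one simple lever for keeping the false-positive rate down.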
The concrete impact of the use of CTI in a company
A well-made cyber threat intelligence platform saves the company time and gives it peace of mind.
Since the enemy of a cyber threat intelligence platform is the false positive, this knowledge of the threat and the attacker must ensure that every alert raised is legitimate, so as not to “drown” the analysts. The goal is to reduce the number of false positives, dropping below the 5% mark, and thus to report only alerts for real incidents.
Cyber Threat Intelligence therefore brings real time savings for enterprise security teams. These SOC teams are called on for many subjects; the cyber threat intelligence platform gives them calm and frees up time. The return on investment is therefore quantifiable very quickly.
Criteria for a quality platform
Today, a single player is capable of providing quality CTI. The underlying question is rather whether a single actor can produce a CTI of so-called exhaustive quality, and on that point it is more difficult!
“To have the most exhaustive cyber threat intelligence platform possible, the fact of using several sources makes it possible to cross-reference information and thus have better confidence in the elements detected. If something is determined to be malicious and that information is confirmed by one or more other sources, we have a better chance that it is. At SEKOIA, we use many data sources which give us elements allowing us to cross-reference information. We also create our cyber threat intelligence, by investigating and enriching the information at our disposal. This internal capacity is essential to create a quality CTI thanks to our dedicated team of analysts specialized in this field.”
Does cybersecurity without CTI make sense?
“I don’t think so, but that’s my personal opinion. We cannot achieve optimal prevention and detection without threat intelligence.”
Information systems are constantly evolving; they are becoming very heterogeneous and are growing so quickly that it has become impossible to have exhaustive knowledge of them in real time. In such a changing environment, it is more effective to focus on knowledge of the threat, with specialized SOC teams whose job is to:
- understand and analyze the different attack operating modes,
- adapt and disseminate this knowledge within the various information systems to be protected.
If you liked this article, you can also read our blog post: Threat Intelligence is not (only) on a spectrum.
You can find out how we track threats on SEKOIA.IO: https://www.sekoia.io/en/continuously-tracking-threats/
Chat with our team!
Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cybersecurity project in your organization? Make an appointment and meet us!