Cyber threat intelligence understands and analyzes real-world threats and adversaries to share data and knowledge utilizing the traditional intelligence cycle to evolve from data, through information, to intelligence. It may be tactical, operational, or strategic in nature, informing activities ranging from remediation to threat hunting and strategic organizational risk management.
Understand the Adversary
Understanding the adversary is one of the first steps in preparing a threat-informed defense. This paper describes how incremental developments in ransomware since 1989 have led to the emergence of a ransomware business model. That business model enables the highly damaging ransomware infections seen today. To learn more about this evolution and the common initial access vectors used by ransomware groups, read the Evolution of Ransomware paper.
Defending Against Ransomware: A Cyber Threat Intelligence Primer
A cyber threat intelligence (CTI) capability can help organizations take a threat-informed defense approach to protecting themselves from a wide range of malicious cyber activity, including ransomware. A robust CTI program will generally follow the “intelligence cycle” – Planning and Direction, Collection, Processing, Analysis and Production, and Dissemination and Feedback – to ensure it is meeting the expectations of stakeholders and maturing to meet evolving demands. This guide is intended to assist organizations interested in establishing a CTI program, as well as those maturing an existing capability.
Monitoring Threat Intelligence
The goal of cyber threat intelligence (CTI) is usually to help an organization focus on understanding its greatest threats by providing analyzed intelligence that assists network defenders and decision-makers in making more informed, threat-based decisions. CTI should be actionable and applicable to both near- and long-term information needs of network defenders and decision-makers. CTI should enable activities and actions at the tactical, operational, and strategic levels: from specific rules that network defenders implement within their environments, to proactive adversary hunting methodologies, to informing strategic decisions about the allocation of limited budgetary and personnel resources. A variety of unclassified, commercial, and open-source threat intelligence resources, both public and private, give organizations insight into the latest threats.
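As an added example (not part of this page or of any of the papers it links to), the following Python shows what the tactical end of that spectrum looks like in practice: a small indicator feed is turned into a matching rule that fires only on indicators that are still valid and above a confidence threshold, is run over sample log lines, and its hits are tallied by source so the result can be fed back into the cycle. The feed entries, log lines, field names and function names are all constructed assumptions; the addresses are RFC 5737 documentation ranges and the hash is computed from a constructed string.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Indicator:
    ioc_type: str          # "ipv4", "domain" or "sha256"
    value: str
    source: str            # who shared it: a feed, an ISAC peer, a vendor report
    confidence: int        # analyst confidence, 0-100
    valid_until: datetime  # indicators age out; stale ones should not fire


# Constructed sample hash (hash of a made-up string) so no real file hash is invented.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed sample feed: RFC 5737 documentation addresses and .example names only.
FEED = [
    Indicator("ipv4", "203.0.113.42", "isac-peer", 85, datetime(2025, 12, 31, tzinfo=timezone.utc)),
    Indicator("domain", "update-check.example", "vendor-report", 60, datetime(2025, 12, 31, tzinfo=timezone.utc)),
    Indicator("sha256", SAMPLE_SHA256, "incident-2025-03", 95, datetime(2026, 6, 30, tzinfo=timezone.utc)),
    # Expired entry: still in the feed, but must not produce alerts any more.
    Indicator("ipv4", "198.51.100.7", "legacy-feed", 90, datetime(2023, 1, 1, tzinfo=timezone.utc)),
]

# Constructed sample log lines in a simple key=value style.
SAMPLE_LOGS = [
    "2025-06-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.42 host=cdn.example method=GET",
    "2025-06-01T10:00:03Z dns client=10.0.0.9 query=update-check.example rcode=NOERROR",
    "2025-06-01T10:01:00Z edr host=ws-17 file=C:\\Users\\a\\dl.exe sha256=" + SAMPLE_SHA256,
    "2025-06-01T10:02:00Z proxy src=10.0.0.5 dst=198.51.100.7 host=news.example method=GET",
    "2025-06-01T10:03:00Z proxy src=10.0.0.6 dst=192.0.2.10 host=intranet.example method=GET",
]

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def build_index(feed, now, min_confidence):
    """Keep only indicators that are still valid and confident enough to act on."""
    index = {}
    for ioc in feed:
        if ioc.valid_until < now or ioc.confidence < min_confidence:
            continue
        index[ioc.value.lower()] = ioc
    return index


def match_logs(logs, feed, now, min_confidence=50):
    """Return one hit per log field whose value is an active indicator."""
    index = build_index(feed, now, min_confidence)
    hits = []
    for line in logs:
        for field, raw in KEY_VALUE.findall(line):
            ioc = index.get(raw.lower())
            if ioc is not None:
                hits.append({
                    "line": line,
                    "field": field,
                    "type": ioc.ioc_type,
                    "value": ioc.value,
                    "source": ioc.source,
                    "confidence": ioc.confidence,
                })
    return hits


def hits_by_source(hits):
    """Feedback for the cycle: which sources actually produced matches."""
    return Counter(h["source"] for h in hits)


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for hit in match_logs(SAMPLE_LOGS, FEED, now):
        print(f"{hit['type']:7} {hit['value']} ({hit['source']}, {hit['confidence']}) in {hit['field']}=")
    print(hits_by_source(match_logs(SAMPLE_LOGS, FEED, now)))
```

Raising `min_confidence` to 70 drops the vendor-report domain from the index, which is the kind of tuning decision CTI context (source, confidence, validity window) makes possible; a bare list of indicators with none of that context would either fire on the expired address or leave the analyst unable to prioritize.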
- Department of Homeland Security – United States Computer Emergency Readiness Team
- DHS CISA Cyber Alerts
- Office of the Director of National Intelligence – The National Counterintelligence and Security Center
Cyber Threat Intelligence Sharing
Join Community Groups
When possible and appropriate for their circumstances, organizations should share cyber threat intelligence with peer institutions and government entities. Official forums, such as HS-ISAC, exist to facilitate this. These sharing relationships can also be an excellent source of threat intelligence for your own organization.