The Role of Intelligence in Cyber Threat Response

1) The Reality of Cybersecurity Threats and Response

As technology develops and digitalization progresses, cybersecurity threats are becoming increasingly diverse and sophisticated. As a result, responding to these cybersecurity threats has become one of the most critical priorities for modern society.

Advances in modern technologies, such as artificial intelligence, big data, and cloud computing, have revolutionized our lives and business operations. However, on the other hand, these advancements have also provided cyber threat actors with new tools and opportunities, significantly increasing the complexity and frequency of cyber threats. The economic and security impacts of these threats are expected to continue rising.

In recent years, we have witnessed several high-profile cyber incidents. In 2021, vulnerabilities in open-source Log4J and Microsoft Exchange Server were exploited extensively; in 2022, the focus shifted to combating a surge in ransomware attacks; and in 2023, there were reports of cyberattacks using generative AI, including ChatGPT, to develop new threat tools.

The landscape is continuously evolving, and Cyber Threat Actors are now said to be leveraging generative AI to improve their attack tools rapidly. Despite generative AI’s built-in safeguards, attackers have found ways to create malware by breaking down the development process into smaller and more manageable tasks to exploit these programs. This has led to the rapid emergence of previously unknown threats.

Putting things into context, the evolution of the cybersecurity landscape can be categorized into five generations:

1. The first generation – Vaccine: The advent of computers and the emergence of viruses, which were effectively countered by antivirus solutions.
2. The second generation – Firewall: The appearance of firewalls in the Internet era generated new malware and network attacks.
3. The third generation – IPS: Attackers began exploiting application vulnerabilities.
4. The fourth generation – Sandbox: The realization that traditional signature-based defenses were insufficient as payload-targeted attacks became prevalent.
5. The fifth generation – Threat Intelligence: The current era is marked by large-scale intelligent attacks, ransomware, sophisticated malware, advanced supply chain attacks, and unknown threats. This generation necessitates an integrated security infrastructure, real-time threat information sharing, and the ability to defend against unknown threats. Threat intelligence plays a crucial role in this defense strategy.

2) What Is Threat Intelligence?

Now that we are in the fifth generation of the cybersecurity landscape, threat intelligence has become a fundamental component of the modern organization’s cybersecurity strategy. An effective threat intelligence strategy involves continuous collection and analysis of the information needed to identify and respond to threats.

 “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

• Gartner –

In other words, threat intelligence is knowledge based on various data and information to respond to threats.

To understand threat intelligence, it is essential to distinguish between “data,” “information,” and “intelligence.”

• Data: Raw, unprocessed metrics such as IP addresses, URLs, and hash values.
• Information: Analyzed and processed data that provides context but may not offer actionable insights.
• Intelligence: The result of analyzing and processing various data points to create meaningful information within a specific context, guiding decision-making and action.

The Pyramid of Pain

The “Pyramid of Pain”, introduced by security expert David J Bianco in 2013, illustrates how different levels of cyber threat indicators impact attackers. The pyramid emphasizes TTPs (Tactics, Techniques, Procedures) as the most effective method of preventing attacks. Blocking lower-level indicators, like hash values, IP addresses, and domain names, imposes minimal stress on attackers while blocking high-level indicators requires them to expend significant effort and resources. Using TTP indicators for defensive measures allows organizations to detect all steps of an attack from start to finish, posing a significant challenge to attackers.

In order to reach intelligence-level threat indicators, the threat intelligence lifecycle is commonly used. The threat intelligence life cycle refers to the process of transforming raw data into actionable intelligence for decision-making through a continuous, iterative process involving requirements, collection, processing, analysis, distribution, and feedback.

• Requirements: Establishing goals and a road map for threat intelligence.
• Collection: Gathering threat information from various sources.
• Processing: Preprocessing collected data into a format suitable for analysis.
• Analysis: Deriving answers for requirements.
• Distribution: Sharing analyzed results.
• Feedback: Receiving feedback on the distributed results.

This life cycle helps organizations systematically manage the collection, analysis, sharing, and utilization of threat intelligence to respond effectively to security threats.

The increasing sophistication of cyber threats and the rise of advanced persistent attacks necessitate the integration of threat intelligence into cybersecurity strategies. Existing passive responses based on fragmented data and information appear to be insufficient. Moreover, traditional security measures often detect less than 70% of threats, leaving a significant portion of unknown threats undetected and a portion of threat events likely to be false positives. Applying threat intelligence will help upgrade cybersecurity strategies, reduce false positives, enhance detection, and expand the effective detection area to over 90%.

3) AILabs Threat Intelligence Platform

AILabs, developed by MONITORAPP’s CTI Division, is an advanced threat intelligence platform that integrates unstructured data from various sources, stores it in big data, and performs multi-dimensional analysis using an AI-based engine.

The platform follows a lifecycle similar to general threat intelligence, involving a continuous and iterative process of requirements, collection, analysis, processing, distribution, and feedback. Its key features include an AI-based analysis and processing system and a web-based portal that provides valuable threat intelligence and performs proactive threat response, post-analysis, and information sharing of incidents.

Future developments in threat intelligence will likely evolve in various environments, involving further automation, enhanced AI capabilities, big data analytics, and advanced decision-making processes.

Continuous updates and collaboration are essential to keep pace with evolving threats and maximize the effectiveness of threat intelligence. While the nature of threats is changing along with technological advancements, it is crucial to continuously collect and analyze the latest information. In today’s digital environment, threat intelligence is not just a tool but a strategic approach that requires integrated efforts to protect against cyber threats.

About the Author

Kurt Xavier Schumacher is a Cybersecurity Professional working at MONITORAPP, a global cybersecurity company headquartered in South Korea that specializes in Security Appliances, Cloud-based Security Services, and Cyber Threat Intelligence. He is currently working as a Product Manager and Support Engineer and holds multiple industry certifications, such as the CCNA, CompTIA Security+, and AWS CCP.

Kurt can be reached online at [email protected] and at our company website https://www.monitorapp.com/