Cyber threat intelligence

According to CERT-UK, Cyber Threat Intelligence (CTI) is an "elusive"^[1] concept. While cyber security comprises the recruitment of IT-security experts, and the deployment of technical means, to protect an organisation's critical infrastructure, or intellectual property, CTI is based on the collection of intelligence using Open Source Intelligence (OSINT), Social Media Intelligence (SOCMINT) , Human Intelligence (HUMINT) or intelligence in the deep and dark webs. CTI's key mission is to research and analyse trends and technical developments in three areas:

• Cybercrime
• Cyber activism
• Cyber espionage (Advanced Persistent Threat or APT)

Types of CTI

According to UK's Centre for the Protection of National Infrastructure (CPNI), there are four types of threat intelligence:^[2]

• Tactical: Attacker methodologies, tools and tactics
• Technical: Indicators of specific malware
• Operational: Details of specific incoming attack
• Strategic: High level information on changing risk (strategic shifts)

In the financial sector, the CBEST^[3] framework of the Bank of England assumes that penetration testing is no longer adequate to protect sensitive business sectors, such as the banking sector. In response, the UK Financial Authorities (Bank of England, Her Majesty’s Treasury, and the Financial Conduct Authority) recommend several steps to guard financial institutions from cyber threats, including receiving "advice from the cyber threat intelligence providers operating within the UK Government."^[4]

The challenge of attribution

Behind any cyber threat there are people using computers and networks. During or after a cyber attack technical information about the network and computers between the attacker and the victim can be collected. However identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack, is difficult.

References