Cyber Threat Intelligence (CTI)
What is Cyber Threat Intelligence?
TLDR: CTI is the gathering of information about current or potential organizational threats.
Cyber Threat Intelligence (CTI) is a crucial aspect of cybersecurity that involves collecting, analyzing, and disseminating information about potential and existing cyber threats. It aims to provide organizations with actionable insights into the tactics, techniques, and procedures (TTPs) used by threat actors to compromise systems, steal data, or cause harm.
Levels:
Level | Who | What |
---|---|---|
Strategic | Senior executives, board members, decision-makers | High-level view of threat landscape, long-term trends, impact on business strategy and risk management. |
Operational | Mid-level managers, security teams, incident response teams | Translates strategic insights into actionable guidance, focuses on ongoing threats, threat actor groups, and tactics. |
Tactical | Security analysts, technical teams, network administrators | Detailed information about specific threats, IOCs, malware samples, immediate defensive measures and responses. |
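The tactical level in the table above is where CTI becomes a detection: IOCs from a shared report are normalised and run against local telemetry. The following Python is an added example (not code from the original notes); the indicator feed and the log lines are constructed sample data using RFC 5737 test address ranges and `.invalid` domains, and the `report-A`/`report-B` source names are placeholders.

```python
"""Tactical CTI in practice: matching shared IOCs against logs.

Added example, not part of the original notes. The indicator feed and the
log lines below are constructed sample data (RFC 5737 test ranges and
.invalid domains), not real indicators.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator feed, shaped like a flattened STIX indicator export:
# each entry carries a type, a value and the report it came from.
INDICATOR_FEED = [
    {"type": "domain", "value": "Update.Example-CDN.invalid", "source": "report-A"},
    {"type": "ipv4", "value": "203.0.113.0/24", "source": "report-A"},   # whole TEST-NET-3 range
    {"type": "sha256", "value": "A" * 64, "source": "report-B"},        # placeholder hash
    {"type": "ipv4", "value": "198.51.100.77", "source": "report-B"},   # single TEST-NET-2 host
]

# Constructed sample log lines: a web proxy log and an EDR file-hash log.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=update.example-cdn.invalid. status=200",
    "2024-05-01T10:00:07Z proxy src=10.0.0.9 dst=192.0.2.10 host=www.example.com status=200",
    "2024-05-01T10:01:12Z edr host=ws-17 sha256=" + "a" * 64 + " path=C:\\Users\\Public\\svc.exe",
    "2024-05-01T10:02:30Z proxy src=10.0.0.5 dst=198.51.100.77 host=198.51.100.77 status=503",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_indicators(feed):
    """Normalise a feed into lookup structures keyed by indicator type.

    Domains and hashes are lower-cased exact matches; IPv4 indicators become
    ip_network objects so a single host and a CIDR range are handled alike.
    """
    indicators = {"domain": {}, "sha256": {}, "ipv4": []}
    for entry in feed:
        kind, value, source = entry["type"], entry["value"].strip().lower(), entry["source"]
        if kind == "ipv4":
            indicators["ipv4"].append((ipaddress.ip_network(value, strict=False), source))
        elif kind in ("domain", "sha256"):
            indicators[kind][value.rstrip(".")] = source
        else:
            raise ValueError(f"unsupported indicator type: {kind}")
    return indicators


def parse_line(line):
    """Split '<timestamp> <log> k=v k=v ...' into a dict of fields."""
    timestamp, log_name, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["_ts"] = timestamp
    fields["_log"] = log_name
    return fields


def match_line(fields, indicators):
    """Return (indicator_type, indicator_value, source) hits for one parsed line."""
    hits = []
    # Hostnames: lower-case and strip a trailing dot before the exact-match lookup.
    host = fields.get("host", "").lower().rstrip(".")
    if host in indicators["domain"]:
        hits.append(("domain", host, indicators["domain"][host]))
    # Destination IPs: check containment in every IPv4 indicator (host or range).
    dst = fields.get("dst")
    if dst:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None   # dst was not an IP literal; nothing to match
        if addr is not None:
            for network, source in indicators["ipv4"]:
                if addr in network:
                    hits.append(("ipv4", str(network), source))
    # File hashes: exact match after lower-casing.
    digest = fields.get("sha256", "").lower()
    if digest in indicators["sha256"]:
        hits.append(("sha256", digest, indicators["sha256"][digest]))
    return hits


def scan_logs(lines, feed):
    """Run every log line against the feed; return one dict per hit."""
    indicators = load_indicators(feed)
    results = []
    for line in lines:
        fields = parse_line(line)
        for kind, value, source in match_line(fields, indicators):
            results.append({"ts": fields["_ts"], "log": fields["_log"],
                            "type": kind, "indicator": value, "source": source})
    return results


def hits_by_source(results):
    """Count hits per originating report: which campaigns show up in our telemetry?"""
    return Counter(r["source"] for r in results)


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS, INDICATOR_FEED)
    for hit in results:
        print(hit)
    print(hits_by_source(results))
```

The normalisation step is the part worth noticing: the feed's mixed-case domain and a log hostname with a trailing dot still match, a single-host IP indicator and a CIDR range are handled by the same containment test, and a `host=` field that holds a bare IP falls through to the address check instead of silently missing. Grouping hits by source report is what lets the tactical team tell the operational level which campaign is actually present.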
Intelligence Pyramid (Diamond Model)
A framework for structuring a comprehensive analysis and understanding of cyber threats.
Layers
- Actors - focuses on identifying and understanding the individuals, groups, or entities behind the cyber threats. It involves studying their motivations, intentions, and goals.
- Infrastructure - involves examining the tools, techniques, and resources that threat actors utilize to carry out cyber attacks. It includes analyzing the infrastructure they use, such as command and control servers, malware distribution points, and communication channels.
- Capability - focuses on understanding the technical skills and abilities of threat actors. This includes their expertise in developing malware, exploiting vulnerabilities, and executing sophisticated attack techniques.
- Victim - pertains to the targets of cyber attacks. Analysts study the characteristics of the victims, the sectors they belong to, and the potential impact of attacks on their operations and data.
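The analytic value of the four layers is pivoting: starting from one known vertex (a C2 domain, a malware family) and finding every other event that shares it, until unattributed events can be linked to a known actor. The Python below is an added example, not code from the original notes or from the Diamond Model's authors; the events, adversary label `GROUP-X (hypothetical)`, infrastructure and capability names are all constructed, and the notes' "Actors" layer is the field named `adversary` here.

```python
"""Pivoting across Diamond Model events.

Added example, not from the original notes. Events, adversary labels,
infrastructure and capability names below are constructed; the "Actors"
layer of the notes is the field named adversary here.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DiamondEvent:
    """One observed intrusion event, described on the four Diamond layers."""
    event_id: str
    adversary: Optional[str]          # None when attribution is still unknown
    infrastructure: FrozenSet[str]    # C2 domains, IPs or hosting observed in the event
    capability: FrozenSet[str]        # malware families or tools observed
    victim: str                       # victim organisation or sector


# Constructed events: only e1 is attributed; e2 and e3 share pieces of
# infrastructure with it or with each other, e4 shares nothing.
EVENTS = [
    DiamondEvent("e1", "GROUP-X (hypothetical)",
                 frozenset({"c2-one.invalid"}), frozenset({"Loader-A"}), "bank-1"),
    DiamondEvent("e2", None,
                 frozenset({"c2-one.invalid", "c2-two.invalid"}), frozenset({"Loader-A"}), "bank-2"),
    DiamondEvent("e3", None,
                 frozenset({"c2-two.invalid"}), frozenset({"RAT-B"}), "retailer-1"),
    DiamondEvent("e4", None,
                 frozenset({"c2-nine.invalid"}), frozenset({"RAT-Z"}), "ngo-1"),
]


def pivot_on(events, axis, value):
    """The basic Diamond pivot: every event that shares one value on one axis."""
    return [e for e in events if value in getattr(e, axis)]


def cluster_events(events, pivot_axes=("infrastructure", "capability")):
    """Group events into activity clusters by repeatedly pivoting.

    Two events are linked if they share any value on any pivot axis; a cluster
    is a connected component of those links, computed with union-find.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}   # (axis, value) -> event_id that first showed it
    for e in events:
        for axis in pivot_axes:
            for value in getattr(e, axis):
                key = (axis, value)
                if key in first_seen:
                    union(first_seen[key], e.event_id)
                else:
                    first_seen[key] = e.event_id

    clusters = defaultdict(list)
    for e in events:
        clusters[find(e.event_id)].append(e)
    return list(clusters.values())


def propose_attribution(events):
    """Carry a single known adversary label across its cluster, as a hypothesis.

    Returns {event_id: label} for unattributed events only. A cluster holding
    two different known labels is left alone: either the pivot value is shared
    between actors (bulk hosting, commodity malware) or the labels need review.
    """
    proposals = {}
    for cluster in cluster_events(events):
        known = {e.adversary for e in cluster if e.adversary is not None}
        if len(known) != 1:
            continue
        (label,) = known
        for e in cluster:
            if e.adversary is None:
                proposals[e.event_id] = label
    return proposals


if __name__ == "__main__":
    print([e.event_id for e in pivot_on(EVENTS, "infrastructure", "c2-two.invalid")])
    print(propose_attribution(EVENTS))
```

In the constructed data, e3 never touches the attributed event directly; it is reached only through e2, which is exactly the two-hop pivot an analyst would do by hand. The output is deliberately a proposal rather than an attribution: shared infrastructure such as bulk hosting or a commodity loader links unrelated actors just as readily, so any proposed label needs the victim and capability layers checked before it is reported.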
Threat Actors
- Nation State Actors
- Disrupt or compromise target governments, organisations or individuals to gain access to intelligence or valuable data. They have been known to create significant international incidents.
- Cyber Criminals
- Individuals or teams of people who commit malicious activities on networks and digital systems, with the intention of stealing sensitive organisational or personal data and generating profit.
- Hacktivists
- Operate within the social or political sphere, breaking into and causing damage to computer systems and networks. Targets of hacktivists can vary dramatically.
Aspect | Hacktivists | Cybercriminals | Nation-State Actors |
---|---|---|---|
Motivation | Social or political causes | Financial gain | Political, economic, or strategic goals |
Tactics | Website defacements, DDoS | Data theft, fraud | Espionage, disruption, cyber warfare |
Targets | Organizations, governments | Individuals, businesses | Governments, organizations, critical infrastructure |
Techniques | Public protests, data leaks | Malware, phishing | Advanced persistent threats, zero-days |
Skills and Resources | Varies, from basic to advanced | Moderate technical skills | Advanced technical capabilities |
Attribution Challenges | Often claim responsibility | Hides behind anonymity | Can be attributed, but complex |
International Impact | Can raise global awareness | Financial losses | Geopolitical implications |
Examples | Anonymous, Lizard Squad, LulzSec, Cult of the Dead Cow | REvil, Magecart, FIN7, Carbanak | APT28 (Fancy Bear), Lazarus Group |
Well-Known Threat Actors:
Group Name | Threat Actor Type | Description |
---|---|---|
APT1 (Comment Crew) | Nation-State | Linked to China, extensive cyber espionage. |
APT19 (Codoso Team) | Nation-State | Associated with China, targeted attacks. |
APT33 (Elfin) | Nation-State | Allegedly tied to Iran, espionage and data theft. |
APT34 (OilRig) | Nation-State | Attributed to Iran, cyber espionage. |
APT41 | Nation-State | China-based, espionage and financially motivated cybercrime. |
APT29 (Cozy Bear) | Nation-State | Linked to Russia, cyber espionage. |
APT28 (Fancy Bear) | Nation-State | Also associated with Russia, cyber espionage. |
APT40 | Nation-State | Linked to China, maritime and naval industries. |
MuddyWater | Nation-State | Linked to Iran, known for espionage campaigns. |
Hidden Cobra (Lazarus Group) | Nation-State | Linked to North Korea, espionage and financial theft. |
Syrian Electronic Army (SEA) | Hacktivist | Pro-Assad group from Syria, media manipulation and defacements. |
GhostSec | Hacktivist | Originating from Anonymous, counter-terrorism activities. |
TeaMp0isoN | Hacktivist | Known for high-profile defacements and hacktivist actions. |
CtrlSec | Hacktivist | Turkish hacktivist group involved in cyber protests. |
Global Liberation Army (GLA) | Hacktivist | Targets various organizations and governments. |
Anonymous | Hacktivist | Globally recognized hacktivist collective, various protests and attacks. |
Lizard Squad | Hacktivist | Involved in DDoS attacks and high-profile disruptions. |
FancySec | Hacktivist | Anonymous-affiliated group involved in hacktivist actions. |
New World Hackers | Hacktivist | Known for DDoS attacks against various targets. |
The Unknowns | Hacktivist | Focuses on exposing security vulnerabilities in major organizations. |
Maze | Cybercriminal | Known for ransomware attacks and data leak site creation. |
Ragnar Locker | Cybercriminal | Ransomware group with a focus on data theft. |
DarkSide | Cybercriminal | Involved in high-profile ransomware attacks. |
TrickBot | Cybercriminal | Modular banking trojan used for malware delivery. |
Emotet | Cybercriminal | Advanced malware delivery service distributing banking trojans and more. |
FIN7 (Carbanak Group) | Cybercriminal | Involved in financially motivated attacks on businesses and banks. |
REvil (Sodinokibi) | Cybercriminal | Known for ransomware attacks and data extortion. |
Magecart | Cybercriminal | Group specializing in digital credit card theft through website compromise. |
Evilnum | Cybercriminal | Targets fintech companies to steal financial data. |
Carbanak Group | Cybercriminal | Involved in financially motivated attacks against financial institutions. |
Threat Vectors
Also known as Attack Vectors, Threat Vectors are pathways or methods utilized by Threat Actors to gain unauthorized access, deliver malicious payloads, or exploit vulnerabilities in a system or network.
Threat Vector Categories | Examples |
---|---|
Phishing and Social Engineering | Phishing emails, spear phishing, pretexting, impersonation. |
Malware and Exploits | Viruses, Trojans, ransomware, zero-day vulnerabilities. |
Web-Based Attacks | Drive-by downloads, cross-site scripting (XSS), SQL injection. |
Physical Attacks | Unauthorized physical access, tampering, theft of devices. |
Supply Chain Attacks | Compromised third-party software, malicious updates. |
Insider Threats | Malicious insiders, compromised accounts. |
Wireless and Network Attacks | Man-in-the-Middle (MitM) attacks, rogue access points. |
Brute Force and Credential Attacks | Brute force attacks, credential stuffing. |
Physical and Social Manipulation | Dumpster diving, tailgating, shoulder surfing. |
IoT and Connected Device Attacks | Vulnerabilities in smart devices, unauthorized access. |
USB and Removable Media Attacks | USB drops, malware spread through removable media. |
Cloud-Based Attacks | Data breaches through cloud services, misconfigured settings. |
Intelligence Cycle
Direction
Intelligence Requirements - The intelligence team takes direction from the customer or organization.
Collection
Tasking to Sources and Agencies (SandA) - Data collection, turning data into information.
Analysis
Information is turned into intelligence.
Dissemination
Intelligence is provided back to the client, which begins the process anew, forming new direction.
Glossary & Acronyms
IOC - Indicators of Compromise
SandA - Sources and Agencies
Sterile Corridor
A deliberate separation between intelligence lifecycle phases, hiding aspects of the intelligence activity from other members of the intelligence team.