“Cyber Threat Intelligence”: what should I share?

Try to look for it; it is not going to be easy. Searching for a good definition of “Cyber Threat Intelligence” (CTI) is one of those activities that can easily go on for hours without yielding a fully satisfying result. This holds true not just for individual experts and academic researchers but for entire organizations as well. Even CERT-UK, the team responsible for dealing with nation-wide security incidents in the United Kingdom, refers to “Threat Intelligence” as an “elusive concept”. Nevertheless, it is surprising how often you hear about Cyber Threat Intelligence and the importance of sharing it. But then, what exactly should you share?

With the goal of building communities and trusted ecosystems, Cyber Threat Intelligence has been a topic of paramount importance since the beginning of the CONCORDIA project. The security experts gathered within the consortium have tackled the discussion at different levels (from the technical perspective to the legal one) and tasked themselves with better characterizing how CTI is represented, as well as the overall challenges and opportunities of sharing it. After a year, a lot of work remains, but we have started laying the basis for a common European-wide view on the topic and a set of guidelines to make it concrete over the time span of the project.

Among the points discussed, it is worth noting that one key characteristic of CTI is often underestimated even though it is broadly accepted as a necessary condition within the security community: Cyber Threat Intelligence needs to be “actionable” to be called such. In this context, the adjective “actionable” emphasizes the prospect of an actual (re)action against a given threat. This means that, whatever type of Cyber Threat Intelligence you share, it should always carry insights suggesting how to act on the threats it refers to, instead of being merely informative.

The reason this characteristic is underestimated lies in the most common type of CTI: Indicators of Compromise (IoCs). IoCs are pieces of information, such as IP addresses, URLs or file hashes, that identify the traces left by an attack that has already succeeded (hence “compromise”). This information is often the fastest to share, and it is actionable almost by definition: an IoC is exactly what we need to search for in our logs or look for in our network traffic. The caveat is that IoCs age quickly, since an attacker can change an IP address or recompile a binary far more cheaply than they can change the way they operate. Moreover, CTI does not always come in the form of IoCs. As cyberattacks grow in complexity, the importance of sharing more general information about attackers' behaviors and preferred methods is growing too, and the whole security community has actively endorsed this trend. Knowing more about offensive tactics, techniques, and procedures (often referred to as TTPs) can be a crucial advantage for defenders, but making this information actionable is often a challenge.
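To make concrete what “actionable almost by definition” means for IoCs, here is an added example (not part of the original post, nor code from the CONCORDIA project) that takes a small, constructed IoC feed, undoes the defanging that shared indicators usually carry, and runs the feed over a handful of constructed firewall, proxy and EDR log lines. The feed layout, the log field names, and the indicator values (documentation address ranges and a synthetic hash) are all assumptions made for this example.

```python
"""Turn a shared IoC feed into the lookup it implies: scan log lines for hits.

The feed, the log lines and their field layout are constructed for this
example; the indicator values are documentation/test ranges, not real threats.
"""
import re
from dataclasses import dataclass

# Constructed IoC feed. Shared indicators are frequently "defanged"
# (hxxp://, [.]) so that mail clients and chat tools do not render them as
# live links; the upper-case hash mimics what copy-pasting from a report yields.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.42",
     "context": "C2 server", "action": "block egress at the perimeter"},
    {"type": "url", "value": "hxxp://malicious[.]example/dropper.exe",
     "context": "payload delivery", "action": "block at the proxy, hunt for downloads"},
    {"type": "sha256", "value": "A9F3" * 16,  # synthetic 64-hex digest
     "context": "dropper binary", "action": "isolate host, quarantine file"},
]

# Constructed log lines in three shapes a SOC typically searches.
LOG_LINES = [
    "fw ts=2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.42 dport=443 action=allow",
    'proxy ts=2024-03-01T10:00:03Z user=alice url="http://malicious.example/dropper.exe" status=200',
    "edr ts=2024-03-01T10:00:09Z host=ws17 file=dropper.exe sha256=" + "a9f3" * 16,
    "fw ts=2024-03-01T10:01:00Z src=10.0.0.7 dst=198.51.100.9 dport=53 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# One alternative per digest length; \b stops a SHA-256 from matching as an MD5 prefix.
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo common defanging so a shared indicator can match real telemetry."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)


def normalize(ioc_type: str, value: str) -> str:
    """Canonical form applied on both the feed side and the log side."""
    value = refang(value.strip())
    if ioc_type in HASH_TYPE.values():
        return value.lower()
    if ioc_type == "url":
        # Lower-casing the whole URL trades a little precision (paths are
        # case-sensitive) for not missing a re-cased copy of the same link.
        return value.lower().rstrip("/")
    return value


def build_index(feed):
    """(type, canonical value) -> feed entry, so every lookup is a dict hit."""
    return {(ioc["type"], normalize(ioc["type"], ioc["value"])): ioc for ioc in feed}


def extract_observables(line: str):
    """Pull every IP, URL and hash out of a log line, already normalized."""
    found = [("ipv4", m.group(0)) for m in IPV4_RE.finditer(line)]
    found += [("url", normalize("url", m.group(0))) for m in URL_RE.finditer(line)]
    for m in HASH_RE.finditer(line):
        digest = m.group(0).lower()
        found.append((HASH_TYPE[len(digest)], digest))
    return found


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    value: str
    context: str
    action: str  # what makes the hit actionable: the response the feed suggests


def scan(lines, feed):
    """Return one Hit per (line, indicator) match, in log order."""
    index = build_index(feed)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ioc_type, value in extract_observables(line):
            ioc = index.get((ioc_type, value))
            if ioc is not None:
                hits.append(Hit(line_no, ioc_type, value, ioc["context"], ioc["action"]))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, IOC_FEED):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value} ({hit.context}) -> {hit.action}")
```

Each hit carries the feed's context and suggested action, which is the difference between a lookup result and something a responder can act on. The refang step matters in practice: an indicator pasted as hxxp://malicious[.]example will never match a proxy log unless it is converted back, and a comparison that does not lower-case digests will miss every report that prints them in upper case.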

For this reason, beyond supporting and promoting the sharing of this type of CTI, CONCORDIA is actively encouraging approaches that improve the actionability of TTPs. Some of these approaches rely on common attack taxonomies that link attackers' behaviors to security best practices and countermeasures (e.g., the MITRE ATT&CK framework). Others focus on standardizing incident response actions (e.g., OpenC2, CACAO), which could be used to craft open playbooks describing how to defend against well-known threat actors. All these approaches will not only make CTI easier for defenders to use but also substantially improve their overall response to the related threats.