Hello, my name is Charles DeBeck, and I'm a cyber threat intelligence expert with IBM Security X-Force. Today, we're going to talk about what cyber threat intelligence is, why it's valuable, and how to identify different types of intelligence.

The first question we're going to ask ourselves when doing a course on cyber threat intelligence is, what is CTI? What is cyber threat intelligence? The answer is, it's complicated. You will get a lot of different definitions depending on who you ask. But one definition that I've really enjoyed is the one from Carnegie Mellon, which says: cyber threat intelligence is the acquiring, processing, analyzing, and disseminating information that identifies, tracks, and predicts threats, risks, and opportunities in the cyber domain to offer courses of action that enhance decision-making.

There's a lot to parse out and break down in that definition; it's a lot of words. But I think, to me, what I would really capture here is that cyber threat intelligence is about the three P's: being predictive, preventative, and proactive in your cyber threat security posture.

Let's break those down a little bit. What do I mean by predictive, preventative, and proactive? By predictive, I mean that cyber threat intelligence should identify areas of changing risk, including beyond cyber. We should be looking at how the cyber threat landscape is shifting and changing for an organization in the future, not just where it is right now, and be able to communicate times of elevated risk. Cyber threat intelligence can also be preventative. The goal here is to prevent attacks before they occur or prevent incidents before they happen, and enhancing preventative controls is fundamental to cyber threat intelligence. Finally, cyber threat intelligence needs to be proactive. Again, this gets back to that future-oriented component of cyber threat intelligence.
We want to reduce exposure time, we want to provide additional perspective for overall risk assessment, and be able to plan and prepare for likely threat activity. In my mind, cyber threat intelligence is really about these three P's.

Another way of better understanding what cyber threat intelligence is: what's the value of cyber threat intelligence? Why do we spend the money on it? Ultimately, the value for cyber threat intelligence derives from assessing risk. Risk means the exposure to a consequence, the overall risk of loss or harm to an organization. The way that cyber threat intelligence provides this value is by assessing vulnerabilities and threats. Vulnerabilities are the path to potential harm. This is, for example, a particular vulnerability in a web product or a vulnerability in a particular software that an organization uses. This is the way that a bad guy gets into a system. A threat, on the other hand, is the trigger to consequence or loss. Put more simply, this is almost always a threat actor; this is a bad person or a bad organization looking to cause harm.

To put this into perspective, let's take an example. Let's say we have threat intelligence that threat actor group APT1 is using PowerShell to get into organizations. In that scenario, the vulnerability here is the PowerShell usage. There's a vulnerability in PowerShell that is being leveraged by the group. The threat is APT1; that's the group of individuals that is causing the harm. The risk is that that group, APT1, will use that vulnerability in PowerShell to cause harm to the organization.

Cyber threat intelligence provides a value by assisting with risk assessment and enabling organizations to better understand their risk exposure by understanding threats and understanding vulnerabilities. Usually these risks, threats, and vulnerabilities apply at an organization at tactical, operational, and strategic levels.
At the very top of the organization, at the strategic level, decision-makers need to be able to assess risk and understand what their risk outlay is based on different courses of action. That's where cyber threat intelligence provides value at the very top. At the operational level, understanding of threats and their generalized tactics, techniques, and procedures helps provide protection and security across business units. Then at the tactical level, vulnerability understanding allows practitioners, these subject matter experts, to really dig in and provide tactical level security components for the organization and protect themselves at that level. Threat intelligence provides value across the organization at the tactical, operational, and strategic level. As we go through this course, you'll see this breakdown between tactical, operational, and strategic come up time and time again as organizations need to understand how they can apply threat intelligence throughout the organization, not just at one of these levels, to provide maximum benefit.

Let's talk a little bit about how we can apply intelligence to these levels in more depth. At the tactical level, starting at the bottom, you use the focus on specific threat actor details on really minute tactics, techniques, and procedures to implement immediate short-term changes to the organization that can effectively protect and block against these TTPs. This helps technical staff understand the motive and intent behind these attacks so they can also find potential other protections to put in place. At the operational level, using that generalized knowledge of tools and vulnerabilities, we can implement cyber security measures across the organization to help protect against things in a short to medium term, and better understand the nature of these attacks.
Then at the strategic level, we can use analysis of trends and emerging risks of potential attacks to make longer-term decisions and re-prioritize tasks and security spend to protect against threats that might be coming down the line in 6, 12, 18, 24 months so we're able to better protect ourselves across a larger time span with more effectiveness, more efficiency, and more efficacy.

Now that we understand what threat intelligence is, we understand the value of threat intelligence, and we can identify different types of threat intelligence: tactical, operational, and strategic threat intelligence, let's take this information to understand how threat intelligence actually works on a day-to-day basis and how you actually do threat intelligence.