Cyber security differs from CTI (Cyber Threat Intelligence). The first deals with the technical aspects of protecting computer systems and web applications; the second is the intelligence discipline applied to information, and it takes different forms such as OSINT (Open Source Intelligence), HUMINT (Human Intelligence) and SOCMINT (Social Media Intelligence). The first step in understanding what “cyber threat intelligence” means is to define the word “threat”. In the intelligence field, a threat is said to exist when an individual or an organization has:
- Intent: if someone has a malicious desire against you, then he has the intent.
- Capability: if someone has the technical means to hit you, then he has the capability.
- Opportunity: if someone finds that you are vulnerable in some way, then he has the opportunity.
For a threat to exist, all three must be present at the same time. If someone has the intent but not the capability, he is not a threat. Similarly, if someone has the opportunity but lacks the capability, he is not a threat. In this sense, cyber threat intelligence consists in using evidence-based knowledge that a threat exists to prepare the proper countermeasures against that threat.
Analysts Are The Key
The world of cyber threats accelerates day by day, and there is no way to keep up with every new threat, vulnerability and 0-day discovered. Automation tools are a great help that you will use frequently, but always remember that the key is your human resource. The ability to recognize behavioral schemas and to find thought patterns is typical of humans; no tool and no computer can match an experienced analyst in this. Tools will help accelerate repetitive processes, but humans will always be the key to narrowing the field of investigation and to identifying threats in a realistic and efficient way. Organizations hire analysts to produce short-term and long-term assessments and to organize the defense. Analysts must have technical skills, analytical ability and a certain level of education. In particular:
- a degree in computer science
- certifications like OSCP (Offensive Security Certified Professional) or CEH (Certified Ethical Hacker)
- practical experience in the security field
IOCs (Indicators Of Compromise) are a fundamental part of CTI. These indicators are data collected in several ways, from anti-virus logs to email attachment data. The set of all the IOCs will give you the context in which you will work to find the path that leads to identifying the threat. IOCs won’t give you the solution: they are data without a schema, and it will be your job to find the schema within them. Still, without IOCs it would be impossible for any security analyst to find the way to the truth. When it comes to IOCs, it is not sufficient to identify them; it is also very important to establish a few key pieces of data:
- time of the attack: establishing a timeline is fundamental to understanding the correct chain of events.
- data categories: dividing the data you collected during the attack into categories will help you understand quickly what kind of countermeasures you will need.
- geolocation: understanding where the attack comes from is a key factor in setting up a defense strategy.
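As an added example (not part of the original article), the following Python script shows how those three pieces of data are extracted from a handful of IOCs coming from two different sensors. The two log formats, the log lines, the MD5 value, the host names and the country lookup table are all constructed for the example; a real deployment would parse its sensors' actual formats and query a GeoIP database. Beyond the three points above, it also reports indicators shared between sources, which is where the schema hidden in the IOCs starts to appear.

```python
"""Build working context from a set of IOCs: a timeline, data categories,
geolocation counts and the indicators that link several sources together.
Example code added to this article; all sample data below is constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class IOC:
    seen: datetime   # observation time, normalised to UTC
    category: str    # "hash", "ip", "sender" or "attachment"
    value: str
    source: str      # sensor that produced the indicator


# Constructed sample input (not real logs): an anti-virus line format and a
# mail-gateway line format, each with its own timestamp style.
AV_LINES = [
    "2024-03-02T09:14:07Z host=ws-17 detection=Trojan.Agent "
    "md5=0123456789abcdef0123456789abcdef c2=198.51.100.23",
    "2024-03-02T09:20:51Z host=ws-04 detection=Trojan.Agent "
    "md5=0123456789abcdef0123456789abcdef c2=203.0.113.9",
]
MAIL_LINES = [
    "2024-03-02 08:55:40 +0000 MAIL from=billing@example.net "
    "attachment=invoice.zip md5=0123456789abcdef0123456789abcdef",
]

# Constructed geolocation table keyed by network (RFC 5737 documentation
# ranges); a real deployment would query a GeoIP database instead.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "CountryA",
    ipaddress.ip_network("203.0.113.0/24"): "CountryB",
}

AV_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) detection=\S+ "
    r"md5=(?P<md5>[0-9a-f]{32}) c2=(?P<ip>\S+)$"
)
MAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) MAIL "
    r"from=(?P<from>\S+) attachment=(?P<name>\S+) md5=(?P<md5>[0-9a-f]{32})$"
)


def parse_av_line(line: str) -> list[IOC]:
    """One AV detection yields two indicators: the sample hash and its C2 address."""
    m = AV_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised AV line: {line!r}")
    seen = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    src = f"av:{m['host']}"
    return [IOC(seen, "hash", m["md5"], src), IOC(seen, "ip", m["ip"], src)]


def parse_mail_line(line: str) -> list[IOC]:
    """One mail-gateway record yields sender, attachment name and attachment hash."""
    m = MAIL_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised mail line: {line!r}")
    # The gateway writes a numeric offset; convert to UTC so both sources compare.
    seen = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    src = "mailgw"
    return [IOC(seen, "sender", m["from"], src),
            IOC(seen, "attachment", m["name"], src),
            IOC(seen, "hash", m["md5"], src)]


def collect(av_lines: list[str], mail_lines: list[str]) -> list[IOC]:
    iocs: list[IOC] = []
    for line in av_lines:
        iocs.extend(parse_av_line(line))
    for line in mail_lines:
        iocs.extend(parse_mail_line(line))
    return iocs


def timeline(iocs: list[IOC]) -> list[IOC]:
    """Chronological chain of events, earliest observation first."""
    return sorted(iocs, key=lambda i: i.seen)


def categorize(iocs: list[IOC]) -> dict[str, set[str]]:
    """Group indicator values by category (hash, ip, sender, attachment)."""
    cats: dict[str, set[str]] = defaultdict(set)
    for i in iocs:
        cats[i.category].add(i.value)
    return dict(cats)


def geolocate(iocs: list[IOC]) -> Counter:
    """Count IP indicators per country using the lookup table above."""
    counts: Counter = Counter()
    for i in iocs:
        if i.category != "ip":
            continue
        addr = ipaddress.ip_address(i.value)
        counts[next((c for net, c in GEO_TABLE.items() if addr in net), "unknown")] += 1
    return counts


def shared_indicators(iocs: list[IOC]) -> dict[str, set[str]]:
    """Values reported by more than one source: the points where the data links up."""
    sources: dict[str, set[str]] = defaultdict(set)
    for i in iocs:
        sources[i.value].add(i.source)
    return {v: s for v, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    found = collect(AV_LINES, MAIL_LINES)
    for ioc in timeline(found):
        print(ioc.seen.isoformat(), ioc.source, ioc.category, ioc.value)
    print(categorize(found))
    print(geolocate(found))
    print(shared_indicators(found))
```

On this input the timeline shows the mail arriving before either AV detection, the shared hash ties the attachment to both infected hosts, and the two C2 addresses fall in two different countries; each of those facts narrows the countermeasures worth considering.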
Finding Your Way With Maltego
Maltego is a powerful tool that can help analysts in the field of threat intelligence. From the official site:
“Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet.
Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis.”
At the moment Maltego is developed by Paterva, a company founded in 2007. The development team is made up of only seven people, but this strong base is reinforced by a great number of vendors who offer their data to Maltego users through the “transforms” system.
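To make the transform idea concrete, here is an added Python example (not Maltego's code, and not from Paterva): entities are (type, value) nodes, a transform is a function that turns one entity into the related entities a data source knows about, and link analysis is a search over the graph that the transforms build up. The passive-DNS and WHOIS tables, the domain names, the addresses and the contact email are constructed stand-ins for the vendor data that real transforms would query.

```python
"""Transform-driven link analysis, in the style Maltego uses, as an added
example. Data sources are constructed in-memory tables, not real feeds."""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Callable, Optional

Entity = tuple[str, str]                     # (entity type, value)
Transform = Callable[[Entity], list[Entity]]

# Constructed data sources standing in for the vendor data behind real
# transforms: a passive-DNS feed and a WHOIS contact lookup. All invented.
PASSIVE_DNS = {
    "bad.example": ["203.0.113.9"],
    "other.example": ["203.0.113.9"],
    "clean.example": ["198.51.100.5"],
}
WHOIS_EMAIL = {
    "bad.example": "contact@example.net",
    "other.example": "contact@example.net",
    "clean.example": "admin@example.org",
}


# Each transform takes one entity and returns the entities linked to it.
def domain_to_ip(e: Entity) -> list[Entity]:
    return [("ip", ip) for ip in PASSIVE_DNS.get(e[1], [])]


def ip_to_domain(e: Entity) -> list[Entity]:
    return [("domain", d) for d, ips in PASSIVE_DNS.items() if e[1] in ips]


def domain_to_email(e: Entity) -> list[Entity]:
    mail = WHOIS_EMAIL.get(e[1])
    return [("email", mail)] if mail else []


def email_to_domain(e: Entity) -> list[Entity]:
    return [("domain", d) for d, m in WHOIS_EMAIL.items() if m == e[1]]


# Which transforms apply to which entity type.
TRANSFORMS: dict[str, list[Transform]] = {
    "domain": [domain_to_ip, domain_to_email],
    "ip": [ip_to_domain],
    "email": [email_to_domain],
}


def expand(seed: Entity, max_depth: int = 2) -> dict[Entity, set[Entity]]:
    """Run every applicable transform breadth-first from the seed, up to
    max_depth hops, and return the directed graph as an adjacency map."""
    graph: dict[Entity, set[Entity]] = defaultdict(set)
    graph[seed] = set()
    depth = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue
        for transform in TRANSFORMS.get(node[0], []):
            for result in transform(node):
                graph[node].add(result)
                if result not in depth:
                    depth[result] = depth[node] + 1
                    queue.append(result)
    return dict(graph)


def link_path(graph: dict[Entity, set[Entity]], start: Entity,
              goal: Entity) -> Optional[list[Entity]]:
    """Shortest chain of entities connecting start and goal, ignoring edge
    direction; None when the two pieces of information are not linked."""
    neighbours: dict[Entity, set[Entity]] = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            neighbours[src].add(dst)
            neighbours[dst].add(src)
    prev: dict[Entity, Optional[Entity]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in neighbours[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    g = expand(("domain", "bad.example"))
    for src, dsts in g.items():
        for dst in sorted(dsts):
            print(f"{src} -> {dst}")
    print(link_path(g, ("domain", "bad.example"), ("domain", "other.example")))
```

Starting from a single suspicious domain, two hops are enough to surface a second domain sharing both its hosting address and its registrant contact, while the unrelated domain stays disconnected; that is the link analysis the quoted description refers to, with the vendor-backed transforms replaced by two small tables.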
Maltego clients come in three different flavours: Maltego CE, Maltego Classic and Maltego XL. The CE version is the free one intended for the community; you can download it after a free registration process, and it will give you an idea of what you can do with this powerful tool. However, the free version is strongly limited. Maltego Classic is the standard commercial version and costs 1,005 Canadian dollars. Maltego XL lets you connect up to one million pieces of information but costs 2,379 CAD. With CaseFile, Paterva helps you organize your work even if you’re online. Essentially, CaseFile is the graphical application that helps you organize your data, without the ability to run transforms, which is peculiar to Maltego.