From the course: Security Operations (SecOps) Essentials: Detecting and Responding to Security Threats

CTI for SecOps

- [Presenter] Sun Tzu once said, "If you know the enemy and know yourself, you need not fear the result of 100 battles. If you know yourself but not the enemy, for every victory gained you'll also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." This quote may be overused in cybersecurity, but its relevance is undeniable, especially when talking about threat intelligence. Without a clear understanding of the adversary, defending the organization inevitably leads to blind spots. Incorporating CTI into your cybersecurity strategy, however, can be the difference between being blindsided and being ready to defend.

So what is CTI? CTI stands for Cyber Threat Intelligence. It refers to the structured collection, analysis, and dissemination of data about potential or existing cyber threats across the world. CTI provides actionable knowledge about adversaries, including their motivations, intentions, and methods. This intelligence enables security and business teams to make informed decisions to protect critical assets.

Defending an organization without CTI is like protecting a ship from the captain's chair. On a clear day, visibility is roughly 2.9 nautical miles before the curvature of the earth limits the view. While radar can extend this range, it won't reveal emerging threats targeting ships thousands of miles away. CTI enhances defenses by acting like a satellite camera and radio, providing a global perspective and extracted details about the attack. With it, defenders gain insight into attacks occurring elsewhere, enabling them to anticipate and defend against emerging threats. But where does CTI knowledge come from?
First, it comes from external sources, including: open source intelligence, or OSINT (news articles, social media, or resources like the SANS Internet Storm Center); commercial services (providers like Recorded Future or CrowdStrike); technical resources (platforms such as VirusTotal or malware sandboxes); human intelligence, or HUMINT (information from collaborations and partnerships); and dark web monitoring (threat actors' activities in underground forums and chats). Second, CTI comes from internal sources as well: security logs, prior incidents, and honeypots.

Here's another way to look at it. Imagine you're in charge of protecting a house. To keep that home and all the people inside safe, you'd want to gather answers for certain questions, like: Who might try and break in? For example, burglars. What tools might they use? For example, lock picks or masks. When and where might they strike? For example, targeting an old window at night. How can you stop them? For example, installing cameras, commercial door locks, or setting up an alarm. And once you have these answers, you plan accordingly and invest in door locks that lock picks won't work on, for example. You get the idea.

This is very much like what cyber threat intelligence offers a business protecting itself. Who might try and break in? For example, identify threat actors. What tools might they use? For example, CTI works to understand how bad actors operate. When and where might they strike? For example, CTI looks at which vulnerabilities exist within the company's network. How can you stop them? For example, ways for SecOps teams to defend against cyber attacks before they happen. With this, defenders and SecOps teams can prevent many attacks before they happen and gain a holistic understanding of the threat landscape, enabling them to adapt their defenses.
Of course, it's impossible to defend against every conceivable threat with limited resources and time, but CTI helps to provide the context needed to prioritize defenses and detections against the most significant risks. CTI isn't just an advantage; it's a necessity.