Cyber Threat Intelligence (CTI) covers the research, analysis and modeling of cyber threats. It makes it possible to describe a threat or a computer attack through contextualized elements and/or indicators that can be understood by humans or machines.
With cyber attacks becoming ever more sophisticated, it has become essential for companies and institutions to acquire and maintain knowledge of the threat and of the attacker.
To understand these new challenges, François Deruty, Chief Operating Officer at SEKOIA, gives us in this interview informed answers on what Cyber Threat Intelligence (CTI) is.
What is Cyber Threat Intelligence used for?
Threat intelligence is used to prevent and detect computer attacks. The CTI platform provides prior knowledge of the threat in order to anticipate it, i.e. to take defensive countermeasures upstream and, where necessary, to detect the threat in real time.
“To give you an image, I will reinforce my front door, to which I will add locks and cameras. These extra locks allow me to deal with actors trying to force it every day. The CTI is used to detect when this takes place; it is a means of anticipation allowing me to see that people are trying to enter my home.” François Deruty, COO, SEKOIA.
Going back to the computing environment, the locks can be blacklists: we know that certain items are used daily by attackers and cannot be trusted, so we either blacklist them or quarantine them long enough to verify whether they are legitimate. The CTI platform is used to model this set of items and to understand and detect the corresponding events.
Schematic representation of the types of threats at the entrance of the SEKOIA.IO platform and the actions at the exit.
How to make the information usable?
Today, information is made usable first by contextualizing it as much as possible and by modeling it in a format that is accepted by the greatest number of tools while remaining quickly understandable by analysts. STIX (Structured Threat Information Expression) is currently the format most widely adopted by the community.
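As an added example, not code from SEKOIA or from the interview, the block below models a contextualized indicator as a STIX 2.1 bundle using only the Python standard library (an Indicator, the Malware it points to, and the "indicates" Relationship that ties them together), then evaluates the indicator's pattern against a constructed proxy log line. The domain, the malware name, the confidence value and the log line are all made up for the example; the pattern evaluator deliberately covers only the equality-comparison subset of STIX Patterning that most feed indicators use.

```python
"""Added example, not SEKOIA's code: model a contextualised indicator as a
STIX 2.1 bundle with the standard library only, then evaluate the indicator's
pattern against a constructed proxy log line. Domain, malware name and the
log line are made up for the example."""
import json
import re
import uuid
from datetime import datetime, timezone


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp() -> str:
    """STIX requires RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_bundle(domain: str, malware_name: str, confidence: int) -> dict:
    """Return a bundle holding an Indicator, the Malware it points to, and the
    'indicates' Relationship that carries the context between them."""
    ts = stix_timestamp()
    malware = {
        "type": "malware", "spec_version": "2.1", "id": stix_id("malware"),
        "created": ts, "modified": ts, "name": malware_name,
        "is_family": False,            # mandatory in STIX 2.1
        "malware_types": ["remote-access-trojan"],
    }
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": f"C2 domain used by {malware_name}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[domain-name:value = '{domain}']",
        "confidence": confidence,      # 0-100, analyst-assigned
    }
    relationship = {
        "type": "relationship", "spec_version": "2.1",
        "id": stix_id("relationship"), "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": malware["id"],
    }
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [malware, indicator, relationship]}


# One comparison expression: [object-type:property = 'value']
_COMPARISON = re.compile(
    r"^\[([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\]$")


def parse_pattern(pattern: str) -> list[tuple[str, str, str]]:
    """Parse the small STIX Patterning subset used by most feed indicators:
    equality comparisons on one property, optionally joined with OR.
    Returns (object_type, property, value) triples."""
    triples = []
    for observation in re.split(r"\s+OR\s+", pattern.strip()):
        m = _COMPARISON.match(observation)
        if m is None:
            raise ValueError(f"unsupported pattern: {observation}")
        obj_type, prop, raw = m.groups()
        value = raw.replace("\\'", "'").replace("\\\\", "\\")
        triples.append((obj_type, prop, value))
    return triples


def matches(pattern: str, observed: dict[str, dict[str, str]]) -> bool:
    """observed maps a STIX observable type to its properties,
    e.g. {"domain-name": {"value": "c2.invalid"}}."""
    return any(observed.get(t, {}).get(p) == v for t, p, v in parse_pattern(pattern))


# Constructed proxy log format: "<timestamp> <client-ip> <method> <url>"
_PROXY_LINE = re.compile(r"^\S+ (\S+) \S+ https?://([^/:\s]+)")


def observables_from_proxy_line(line: str) -> dict[str, dict[str, str]]:
    """Lift a (constructed) proxy log line into STIX observable types."""
    m = _PROXY_LINE.match(line)
    if m is None:
        return {}
    return {"ipv4-addr": {"value": m.group(1)}, "domain-name": {"value": m.group(2)}}


if __name__ == "__main__":
    bundle = build_bundle("c2.invalid", "ExampleRAT", 80)   # made-up values
    indicator = next(o for o in bundle["objects"] if o["type"] == "indicator")
    print(json.dumps(bundle, indent=2))
    # Constructed log line, not real traffic
    line = "2024-03-01T10:22:13Z 10.0.0.12 GET http://c2.invalid/gate.php"
    print(matches(indicator["pattern"], observables_from_proxy_line(line)))
```

The point of carrying the Malware object and the Relationship alongside the Indicator is that a consuming tool receives the context (what the domain means, how confident the producer is, from when the indicator is valid) rather than a bare string; a full deployment would use a STIX library and a complete pattern engine, but the JSON shape above is what travels between tools.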
The concrete impact of the use of CTI in a company
A well-built Cyber Threat Intelligence platform saves the company time and gives it peace of mind.
Since the false positive is the enemy of CTI, this knowledge of the threat and of the attacker must make it possible to ensure that every alert raised is legitimate, so that analysts are not "drowned". The goal is to reduce the number of false positives, to drop below the 5% mark and thus report only alerts for real incidents.
Cyber Threat Intelligence therefore brings real time savings for enterprise security teams. SOC teams are called upon on many subjects; CTI allows them to work with more calm and frees up their time. The return on investment is therefore quantifiable very quickly.
Criteria for a quality CTI
Today, a single actor can provide quality CTI. If the underlying question is "can a single actor produce CTI that is of quality and also exhaustive?", that is more difficult.
“To have the most exhaustive Cyber Threat Intelligence platform possible, using several sources makes it possible to cross-reference information and thus have better confidence in the elements detected. If something is determined to be malicious and that information is confirmed by one or more other sources, we have a better chance that it is. At SEKOIA, we use many data sources which give us elements allowing us to cross-reference information. We also create our own CTI, by investigating and enriching the information at our disposal. This internal capacity is essential to create quality CTI, thanks to our dedicated team of analysts specialized in this field.”
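The two ideas above, that false positives must be kept out of the SOC's queue and that corroboration across several sources raises confidence in an indicator, can be turned into a small triage routine. The block below is an added example, not SEKOIA's code and not a description of how their platform scores indicators: it combines per-feed confidences as if the feeds were independent, counts each feed only once, never auto-blocks on a single source or on conflicting verdicts, and suppresses a hypothetical allowlist of known-good infrastructure. The feed names, indicator values, thresholds and allowlist entries are all constructed for the example.

```python
"""Added example, not SEKOIA's code: corroborate indicator sightings across
independent feeds, suppress known-good infrastructure, and turn the result
into a block / review / ignore decision so that only well-supported alerts
reach the SOC. Feed names, indicators and the allowlist are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    indicator: str   # the value a feed reported (domain, IP, hash ...)
    source: str      # which feed reported it
    confidence: int  # the feed's own confidence, 0-100
    verdict: str     # "malicious" or "benign"


# Hypothetical known-good infrastructure that feeds regularly mislabel.
ALLOWLIST = {"update.example-cdn.net"}


def combined_confidence(confidences) -> int:
    """Combine per-source confidences as if the sources were independent:
    the indicator is wrong only if every source is wrong."""
    p_all_wrong = 1.0
    for c in confidences:
        p_all_wrong *= 1.0 - c / 100.0
    return round((1.0 - p_all_wrong) * 100.0)


def triage(sightings, block_threshold=90, review_threshold=50,
           min_sources_to_block=2):
    """Return {indicator: (decision, score, reason)}.

    Rules, in order:
      1. allowlisted values are never alerted on;
      2. conflicting verdicts go to an analyst, never to automatic blocking;
      3. automatic blocking needs both a high combined score and corroboration
         by at least `min_sources_to_block` distinct feeds;
      4. anything below `review_threshold` is kept as context only."""
    by_indicator = defaultdict(list)
    for s in sightings:
        by_indicator[s.indicator].append(s)

    decisions = {}
    for indicator, sgts in by_indicator.items():
        if indicator in ALLOWLIST:
            decisions[indicator] = ("ignore", 0, "allowlisted infrastructure")
            continue
        # One vote per feed: the same feed re-reporting is not corroboration.
        malicious = {s.source: s.confidence for s in sgts if s.verdict == "malicious"}
        benign = {s.source for s in sgts if s.verdict == "benign"}
        score = combined_confidence(malicious.values())
        if benign and malicious:
            decisions[indicator] = ("review", score, f"conflict: {sorted(benign)} say benign")
        elif score >= block_threshold and len(malicious) >= min_sources_to_block:
            decisions[indicator] = ("block", score, f"corroborated by {len(malicious)} feeds")
        elif score >= review_threshold:
            decisions[indicator] = ("review", score, "insufficient corroboration")
        else:
            decisions[indicator] = ("ignore", score, "below review threshold")
    return decisions


# Constructed sightings, not real feed data.
SAMPLE = [
    Sighting("c2.invalid", "feed-a", 80, "malicious"),
    Sighting("c2.invalid", "feed-b", 70, "malicious"),
    Sighting("c2.invalid", "feed-b", 70, "malicious"),        # duplicate report
    Sighting("dropper.invalid", "feed-a", 95, "malicious"),   # single source
    Sighting("scanner.invalid", "feed-c", 40, "malicious"),
    Sighting("shared-host.invalid", "feed-a", 95, "malicious"),
    Sighting("shared-host.invalid", "feed-c", 90, "benign"),
    Sighting("update.example-cdn.net", "feed-b", 85, "malicious"),
]

if __name__ == "__main__":
    for ind, (decision, score, reason) in triage(SAMPLE).items():
        print(f"{ind:28} {decision:7} {score:3}  {reason}")
```

One caveat on the scoring: treating feeds as independent overstates confidence when feeds copy each other, which is common with commercial and open-source indicator lists, so in practice the "distinct sources" count should be based on feeds known to have their own collection rather than on every name that re-publishes the same data.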
Does cybersecurity without CTI make sense?
“I don’t think so, but that’s my personal opinion. We cannot achieve optimal prevention and detection without threat intelligence.”
Information systems are constantly evolving; they are becoming very heterogeneous and are growing so quickly that it has become impossible to have exhaustive knowledge of them in real time. In such a changing environment, it is more effective to concentrate on knowledge of the threat, with specialized teams whose job it is to understand and analyze the various attack methods, and then to translate and disseminate that knowledge within the various information systems to be protected.
Other definitions of cyber concepts, methods and tools are also available:
- What is an XDR (eXtended Detection & Response) solution?
- What is an EDR (Endpoint Detection and Response)?
- What is a SIEM (Security Information and Event Management)?
- What is an Indicator of Compromise (IoC)?
- What is a SOC (Security Operations Center)?
- What is SOAR (Security Orchestration, Automation and Response)?