killchain-compendium/Miscellaneous/Threat Intelligence/Isac.md

Threat Intelligence

Data must be analyzed to be considered threat intelligence: only once it has been analyzed and is actionable does it become threat intelligence. Raw data needs context to become intel.

Cyber Threat Intelligence (CTI) is a precautionary measure: companies consume it, and contribute to it, so that other organizations do not get hit by the same attacks. Of course, adversaries change their TTPs all the time, so the TI landscape is constantly changing.

Vendors and corporations sometimes share their collected CTI through ISACs, or Information Sharing and Analysis Centers. An ISAC collects indicators of adversary activity that its member organizations can use as a precaution against those same adversaries.

Threat Intelligence is also commonly broken into three types:

  • Strategic

    • Helps senior management make informed decisions, specifically about the security budget and security strategy.
  • Tactical

    • Deals with TTPs and attack models to identify adversary attack patterns.
  • Operational

    • Deals with IOCs and with how adversaries operationalize their campaigns.

Be aware that not every framework draws the tactical/operational line the same way: some vendors file IOCs under "tactical" and campaign-level TTPs under "operational", so check which definition a given report or feed is using.

Advanced Persistent Threats (APTs)

TTP

TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?

  • The Tactic is the adversary's goal or objective (the "why").
  • The Technique is how the adversary achieves that goal or objective (the "how").
  • The Procedure is the specific way the technique is executed: the tooling and sequence of steps observed in practice.

TI is an acronym for Threat Intelligence. Threat Intelligence is an overarching term for all collected information on adversaries and their TTPs. You will also commonly hear CTI, or Cyber Threat Intelligence, which is just another name for Threat Intelligence.

Indicator of Compromise

  • IOC is an acronym for Indicator of Compromise: an observable that points to known malware or a known adversary group. Indicators include file hashes, IP addresses, domain names, file names, etc.

Information Sharing and Analysis Centers (ISACs)

According to the National Council of ISACs, "Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators". ISACs can be community-centered or vendor-specific. ISACs distribute CTI on threat actors as well as mitigation information in the form of IOCs, YARA rules, etc. The individual ISACs coordinate with one another through the National Council of ISACs to maintain shared situational awareness.
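The IOC definition above and the ISAC paragraph both come down to the same operational step: take a shared feed of indicators (hashes, IPs, domains) and check your own telemetry against it. The following Python is an added example of that step, not code from the compendium, from any ISAC, or from any vendor. The feed (`IOC_FEED`), the log lines (`LOGS`), the `IocMatcher` class and every hash, address and domain in them are constructed for illustration; the addresses use RFC 5737 documentation ranges.

```python
"""Match a small indicator-of-compromise (IOC) feed against log lines.

Added example for this page, not code from any ISAC, vendor or the
compendium itself. The feed and the log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed covering the indicator kinds the text lists:
# file hashes, IP addresses (single hosts and ranges) and domain names.
# All values are made up for illustration.
IOC_FEED = [
    {"type": "sha256", "value": "0123456789abcdef" * 4, "name": "dropper"},
    {"type": "md5", "value": "fedcba9876543210" * 2, "name": "dropper"},
    {"type": "ipv4", "value": "203.0.113.0/24", "name": "c2-range"},
    {"type": "ipv4", "value": "198.51.100.7", "name": "c2-host"},
    {"type": "domain", "value": "Update-Checker.example", "name": "c2-domain"},
]

# Constructed proxy/EDR log lines (RFC 5737 documentation addresses).
LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.7 host=cdn.update-checker.example",
    "2024-05-01T10:00:02Z edr file=C:\\Users\\a\\x.exe sha256=" + "0123456789ABCDEF" * 4,
    "2024-05-01T10:00:03Z proxy src=10.0.0.6 dst=203.0.113.44 host=www.example.org",
    "2024-05-01T10:00:04Z proxy src=10.0.0.7 dst=192.0.2.9 host=intranet.example.internal",
]

# Loose extractors; the matcher validates what they find.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    observed: str   # the token as it appeared in the log
    indicator: str  # the (normalized) feed entry it matched
    name: str       # label carried by the feed entry


class IocMatcher:
    """Index a feed once, then scan any number of log lines against it."""

    def __init__(self, feed):
        self.hashes = {}    # lowercase hex -> (hash type, name)
        self.networks = []  # (ip_network, name); single IPs become /32
        self.domains = {}   # lowercase domain without trailing dot -> name
        for ioc in feed:
            kind, value, name = ioc["type"], ioc["value"], ioc["name"]
            if kind in ("md5", "sha1", "sha256"):
                self.hashes[value.lower()] = (kind, name)
            elif kind == "ipv4":
                self.networks.append((ipaddress.ip_network(value, strict=False), name))
            elif kind == "domain":
                self.domains[value.lower().rstrip(".")] = name
            else:
                raise ValueError(f"unsupported IOC type: {kind}")

    def _match_domain(self, observed):
        # Walk up the parent chain so a subdomain of a listed domain
        # (cdn.update-checker.example) still matches the feed entry.
        labels = observed.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None

    def scan_line(self, line_no, line):
        hits = []
        for token in HASH_RE.findall(line):
            key = token.lower()              # hex digests are case-insensitive
            if key in self.hashes:
                kind, name = self.hashes[key]
                hits.append(Hit(line_no, kind, token, key, name))
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:               # regex is loose: 999.1.1.1 etc.
                continue
            for net, name in self.networks:
                if addr in net:
                    hits.append(Hit(line_no, "ipv4", token, str(net), name))
        for token in DOMAIN_RE.findall(line):
            matched = self._match_domain(token)
            if matched:
                hits.append(Hit(line_no, "domain", token, matched[0], matched[1]))
        return hits

    def scan(self, lines):
        hits = []
        for line_no, line in enumerate(lines, start=1):
            hits.extend(self.scan_line(line_no, line))
        return hits


if __name__ == "__main__":
    for hit in IocMatcher(IOC_FEED).scan(LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.observed} -> {hit.name} ({hit.indicator})")
```

The normalization is the part worth copying: hashes are compared case-folded, single addresses and CIDR ranges are both handled through `ipaddress`, and domains are matched by walking up to parent labels so that a subdomain of a listed C2 domain is still flagged. Real ISAC feeds are far larger and usually arrive in a structured format such as STIX, but the indexing and matching steps are the same.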