What is Cyber Threat Intelligence?
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
The Multi-State and Elections Infrastructure Information Sharing & Analysis Centers' (MS- and EI-ISAC) Cyber Threat Intelligence (CTI) team plays a key role in supporting U.S. State, Local, Tribal, and Territorial (SLTT) government entities’ cybersecurity defenses. But what do we mean when we say "CTI," and what is its function?
At the MS- and EI-ISACs, we’re driven by our mission to provide cybersecurity support for our nation’s SLTTs. This includes offering access to a 24x7x365 Security Operations Center (SOC) and other supporting teams, such as the Cyber Incident Response Team (CIRT). These teams work in tandem to provide real-time and tailored cybersecurity support and recommendations for SLTTs.
CTI performs a critical function among these teams by ensuring that their actions are informed by timely and actionable threat intelligence. Threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect critical assets of the enterprise. When we say “CTI,” we’re referring to a collaborative initiative driven by the CTI team focused on maintaining timely situational awareness of the threat environment to inform SLTT cybersecurity decision-makers.
To better highlight how this works, we will explain how our analysis fits into the classic intelligence cycle and provide an example of CTI in action that exemplifies how we think about and deliver threat intelligence.
The Intel Cycle
The MS- and EI-ISAC CTI team relies upon the classic intelligence cycle (steps listed below) to drive our operations, but we tailor it to our specific mission requirements. The steps in the intel cycle include:
One visible shift in our application of the intel cycle (See Figure 1 below.) is that the steps are recursive. This means we’re often not following the steps straight through but may instead jump around. For example, Processing (3) may lead us back to review our Collections (2). Similarly, feedback from SLTT representatives during the Dissemination process (5) may lead us to revise our Planning (1).
Figure 1: The MS-ISAC CTI team’s tailored intel cycle
Planning – Key Intel Questions & Priority Intelligence Requirements (PIRs)
How do we apply the CTI Intel Cycle in practical terms? Like many other analyst teams, we start our Planning by defining our Key Intel Questions (What are the key threats that we are confronting or that have the potential to impact SLTTs?) and Priority Intelligence Requirements. (Where can we find that information, and how can we enrich it to serve SLTTs?) These considerations serve as first principles, guiding our collections, analysis, and reporting to SLTT entities. For these reasons, it’s critical that they’re finely tuned and informed by SLTT feedback and input across our team.
Case Study: Mark of the Web (MOTW) – The Intel Cycle in Action
Once we’ve established our collections and intel requirements, it’s time to start collecting. To demonstrate this, we’ll refer to an example where our analysis eventually led to a blog post describing how threat actors were leveraging container files to evade Mark of the Web (MOTW). In the next step of the intel process, we ensure our Collections source from tailored resources, providing actionable information concerning threats most likely to impact SLTTs.
The MOTW blog started when one of our analysts reviewed MS-ISAC internal data as part of our Processing step and identified a 173% annual spike in cyber threat actors (CTAs) leveraging container files to push malware. This sudden spike led the analyst to review the context behind the data to make sense of what was going on and determine if it signified an emerging threat tactic, technique, or procedure (TTP) likely to impact SLTTs. The analyst then dug into the context behind the data and enriched it with context from other sources.
Analysis into the trend revealed that the tactic was an adaptation on the CTAs’ part to a recent security change by Microsoft to block macros in MS Office documents by default. The CTAs determined that leveraging container files would provide a workaround, enabling them to circumvent Microsoft’s change and continue to deliver files with embedded malicious executables.
After reviewing further evidence and collaborating across MS-ISAC teams, the analyst refined their assessments to a degree that they were ready to produce a report on their findings. Analytic production is a critical step because the analyst consolidates their findings into a report to communicate the team’s tailored assessments and messaging to SLTTs. The actual product Dissemination takes several forms, including briefings to the SLTT community, direct peer-to-peer communication with SLTT representatives, finished intelligence reports, and other mechanisms as needed.
Why We Do What We Do with CTI
Ultimately, this fluid process is designed to assess threats and communicate to busy SLTT decision-makers precisely what they need to know to defend against or remediate the threat. The key components that comprise our messaging are the:
- What? What happened? What is the threat?
- So What? Why is this important to them?
- Now What? What do they need to do about it?
Effectively communicating these points relies on our team maintaining communication with SLTTs and ensuring that our work across all five stages of the intelligence cycle is tailored to meet their needs. In this way, we help them align themselves so that they're in the best position possible to defend their networks against emerging threats.
Don’t wait to make use of cyber threat intelligence in your SLTT government organization. Become an MS-ISAC member today!
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC), functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.