What is CTI?
What you need to know about Cyber Threat Intelligence
Hi Folks! I've brought you an interesting blog today about CTI. When we talk about Cyber Threat Intelligence, first we need to know what it really means. Let's go through the blog and discuss the facts that we all need to know about CTI.
What is Cyber Threat Intelligence?
Cyber threat intelligence is a process of identifying, collecting and analyzing potential risks and vulnerabilities, and sharing data about current or potential cyber threats. Basically, it means staying updated with the latest security trends.
Why is CTI important for security processes?
As security professionals we have to identify what potential risks we face. Since we have to safeguard our systems, we have to be aware of the current security trends prevailing in the industry. This prepares organizations to take proactive action to mitigate future risks and gives them the predictive capability to avoid attacks that could happen.
Normally, inside a Security Operations Center (SOC) the team stays updated with CTI, since it helps them enhance their security processes. (Need to know about SOC? https://cybersecnews.medium.com/what-is-soc-7fff27da8919)
Take a look at the following scenarios to see how CTI helps enhance security processes.
Use Case 1: As an example, let's say your company is using Fortinet. Recently a remote login vulnerability was revealed in Wireless LAN Manager (FortiWLM). It was a critical vulnerability with a CVSS score of 9.6 out of 10. In the advisories they have mentioned the affected versions and the versions in which the vulnerability is fixed. In a scenario like this we can apply the security patches and safeguard our environment. Reference: https://thehackernews.com/2024/12/fortinet-warns-of-critical-fortiwlm.html
Use Case 2: This news is about some malicious npm packages that impersonate legitimate packages. Every developer now uses VSCode for their development, and they need packages for their development procedures. Hackers released some malicious libraries, and those libraries can cause severe damage to the endpoints, which could put organizational security at risk. In this news they have included all the corrupted VSCode extensions, so developers can avoid downloading those packages in the future, and that is some kind of a relief. Reference: https://thehackernews.com/2024/12/thousands-download-malicious-npm.html
Use Case 3: The news is about a malware called DarkMe. In this they have published lots of IOCs (indicators of compromise). They are like evidence of an attack: IOCs are data or behaviors that indicate a cyberattack, intrusion, or data breach has occurred. These are helpful for protecting our environment from possible risks, and they are a key tool in threat hunting (threat hunting is a proactive approach to identifying previously unknown or ongoing, non-remediated threats).
The other question is what we can do with these IOCs. IOCs can be IPs, hashes, domains, etc. In SOCs we use XDR and WAF. In the XDR we can add those IPs, hashes and domains to the block list. By that we can block that IOC on all the devices in the network, which mitigates the future risk. Some XDRs only let us enter hashes; for example, in Cortex XDR we can only add SHA-256 hashes to our blocklist, but in CrowdStrike we can add IPs, hashes and domains. The following image is from the IOC page of CrowdStrike.
Furthermore, we can block IPs and domains from the WAF (web application firewall) side. These actions minimize the risk to the company. Reference: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
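To make Use Case 3 concrete, here is a small added Python example (my own illustration, not code from the blog or from any vendor) that does the sorting work a SOC analyst does before pasting IOCs into a tool: it reads a plain-text IOC feed, works out whether each line is an IP, a hash (MD5, SHA-1 or SHA-256) or a domain, drops duplicates and junk lines, and then builds a separate list for each product according to what the post says each one accepts (SHA-256 only for Cortex XDR; IPs, hashes and domains for CrowdStrike; IPs and domains for the WAF). The feed values are constructed for the example: IPs from the TEST-NET-2 documentation range, a reserved `.example` domain, and the SHA-256 and MD5 of an empty file. The product names and the accepted-type table are assumptions taken from the post, not from vendor documentation.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed (hypothetical values, not real indicators):
# two IPs from the TEST-NET-2 documentation range, a reserved .example
# domain, the SHA-256 and MD5 of an empty file, a duplicate, and a junk line.
SAMPLE_FEED = """\
# comment lines and blank lines are ignored
198.51.100.23
malicious.example
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
d41d8cd98f00b204e9800998ecf8427e
198.51.100.23
198.51.100.7
this is not an indicator
"""

# Hex digest lengths map to hash algorithms.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dot-separated labels of 1-63 chars, alphabetic TLD, max 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.I,
)


def classify(value: str) -> str:
    """Return the IOC type of one indicator: ip, md5, sha1, sha256, domain or unknown."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)  # handles both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def parse_feed(text: str) -> dict:
    """Group a plain-text IOC feed by type, skipping comments and duplicates."""
    grouped = defaultdict(list)
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.lower()  # hashes and domains are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        grouped[classify(line)].append(line)
    return dict(grouped)


# Which indicator types each tool's blocklist accepts, as described in the
# post above (assumption for this example; check your own product's docs).
ACCEPTED_TYPES = {
    "cortex_xdr": {"sha256"},
    "crowdstrike": {"ip", "domain", "md5", "sha1", "sha256"},
    "waf": {"ip", "domain"},
}


def blocklist_for(grouped: dict, product: str) -> list:
    """Select only the indicators the given product can ingest."""
    accepted = ACCEPTED_TYPES[product]
    return [v for t in sorted(accepted) for v in grouped.get(t, [])]


if __name__ == "__main__":
    groups = parse_feed(SAMPLE_FEED)
    for ioc_type, values in sorted(groups.items()):
        print(f"{ioc_type:8s} {values}")
    for product in ACCEPTED_TYPES:
        print(f"{product}: {blocklist_for(groups, product)}")
```

The `unknown` bucket is the useful part in practice: anything that lands there (a defanged `hxxp://` URL, a file path, a stray sentence copied from the article) is surfaced for a human to look at instead of being silently pushed into a blocklist.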
CTI Resources
- The Hacker News — https://thehackernews.com/
- Trend Micro — https://www.trendmicro.com/en_us/research.html
- BleepingComputer — https://www.bleepingcomputer.com/
- AlienVault — https://otx.alienvault.com/
- Dark Reading — https://www.darkreading.com/threat-intelligence?
- MalwareBazaar — https://bazaar.abuse.ch/browse/
That is all you need to know about CTI. In this evolving threat landscape, Cyber Threat Intelligence is no longer optional — it's a critical component of any robust cybersecurity strategy. Embrace intelligence, and let it drive your journey toward a more secure digital future.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Written by: Chandimal Ekanayake — Information Security Engineer