Cyber Threat Intelligence (CTI)
CTI is information about the threats, vulnerabilities, and cyberattack tools that an organization needs to understand to better defend itself. CTI is collected by government agencies, nonprofits, academics, and commercial entities. These organizations publish notifications and alerts as threats evolve, new vulnerabilities are discovered, and new attack tools are identified. CTI is sometimes made available free of charge and sometimes requires a paid subscription.
Importance
By keeping up to date on CTI, an organization can optimize its cybersecurity efforts and better allocate its cybersecurity budget to assess and address the vulnerabilities that specific cyber threats are likely to target. When ransomware is on the rise, for example, investing in cybersecurity awareness training for staff reduces the exposure created by an undereducated workforce (who might, for instance, open a malware-infected email attachment). If network-based attacks are increasing, consider more network isolation and intrusion detection. Knowing who might attack, how they might attack, and which vulnerabilities they might exploit makes an organization better prepared to defend itself.
Intersections With Other Building Blocks
The cyber threat intelligence building block shares with the risk management building block information about emerging threats (e.g., new hacking groups), new vulnerabilities (e.g., a newly discovered operating system security flaw), and new cyberattack tools (e.g., new malware). This gives risk management a more complete picture of risks facing the organization and is used to focus and prioritize security resources.
Figure 4. Information passed from the cyber threat intelligence building block
Processes and Actions
CTI is produced by nonprofits, government agencies, and for-profit enterprises that specialize in monitoring and analyzing the ever-changing cyber threat landscape. CTI is consumed by many types of organizations (including utilities); however, before an organization begins monitoring CTI sources, it should create a thorough inventory of its assets—the systems, devices, applications, and software it uses. These assets should be prioritized by criticality. This prioritized asset list enables the organization to focus on the alerts and notifications that are most relevant. If an alert or notification addresses a threat to a type of device that the organization does not have, it can be ignored. Alternatively, if the organization has the device but is using it in a setting of low or medium criticality, there is less urgency to respond to the alert or notification. The inventory of assets, prioritized by criticality, enables prioritization of response.
Next, the organization needs to decide which sources of CTI it will monitor. There are many; organizations should research CTI sources to find those that match their needs and budget.
Some CTI sources are specific to industrial control systems or the electric sector, while others are more general in nature. Some charge for the information they provide, and others are free of charge. Security consultants have assembled lists of CTI sources, along with guidance for evaluating them (Metivier 2016). The list below provides example CTI sources from governments, nonprofits, and commercial entities. Note: The list provides examples and is not meant to be an endorsement of any particular CTI source.
- Spamhaus Project
  - International nonprofit, Switzerland-based
  - General CTI
  - Free public service (with some restrictions).
- SANS Internet Storm Center
  - Private company (SANS Institute)
  - General CTI
  - Free public service.
- ICS-CERT
  - U.S. government program
  - CTI specific to ICS
  - Free public service.
- RSA
  - Private company
  - Sector-specific with automated segmentation
  - Paid subscription.
- National Council of ISACs
  - Coordinator for 20 individual Information Sharing and Analysis Centers (ISACs)
  - Each ISAC is sector-specific (e.g., Electricity ISAC)
  - Some ISACs are free, others membership-based.
Threats to the most critical systems and data should get the most attention; therefore, a prioritization of these critical assets will help inform the selection of CTI sources.
Organizations then need to decide who will monitor the CTI sources and what actions will be taken in response. There is no point in gathering CTI if no one has been assigned responsibility for following up on alerts or notifications. Budget must be set aside both for the time required to monitor CTI alerts and notifications and for the time required to respond to them. Upper management must instruct staff in all departments to be ready to cooperate with efforts to respond to alerts and notifications (e.g., mitigating a newly discovered vulnerability).
At that point, the organization can begin monitoring CTI sources. Individual alerts and notifications may need to be acted on (e.g., mitigation of a newly discovered vulnerability), while longer-term trends in CTI become input for the risk management building block.
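The steps above (build a criticality-ranked asset inventory, then use it to decide which alerts to ignore, which to schedule, and which to act on immediately, and which sources are most applicable) can be exercised end to end on a small data set. The following Python script is an added example and is not part of the guide; the asset names, product names, CTI source names, and alert texts in it are all constructed for illustration, and the scoring rule for source applicability (sum of the criticality of the assets each alert matched) is an assumption of this example, not a rule the guide prescribes.

```python
"""Triage constructed CTI alerts against a criticality-ranked asset inventory.

Added example (not from the guide). Every asset, product, source and alert
below is constructed; the criticality weights are an assumption of this example.
"""
from collections import Counter
from dataclasses import dataclass

# Criticality tiers from the inventory, as numeric weights (assumed values).
CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    name: str          # hostname or asset tag from the inventory
    product: str       # vendor/product string as it would appear in an alert
    criticality: str   # "high", "medium" or "low"


@dataclass(frozen=True)
class Alert:
    source: str                # which CTI feed the alert came from
    affected_products: tuple   # products the alert says are affected
    summary: str


# Constructed inventory, already prioritized by criticality.
INVENTORY = [
    Asset("scada-hmi-01", "ExampleCo HMI", "high"),
    Asset("substation-rtu-07", "ExampleCo RTU", "high"),
    Asset("billing-db", "ExampleDB Server", "medium"),
    Asset("lobby-kiosk", "ExampleOS Desktop", "low"),
]

# Constructed alerts from two hypothetical CTI sources.
ALERTS = [
    Alert("ics-feed", ("ExampleCo RTU",), "Remote code execution in RTU firmware"),
    Alert("general-feed", ("ExampleOS Desktop",), "Phishing campaign targeting desktops"),
    Alert("general-feed", ("OtherVendor Router",), "Router default-credential worm"),
    Alert("ics-feed", ("ExampleDB Server", "ExampleCo HMI"), "Credential theft affecting DB and HMI"),
]


def matching_assets(alert, inventory):
    """Return the inventory assets whose product appears in the alert."""
    affected = set(alert.affected_products)
    return [asset for asset in inventory if asset.product in affected]


def triage(alert, inventory):
    """Decide what to do with one alert.

    Returns (action, matched_asset_names) where action is:
      "ignore"   - no asset in the inventory is affected
      "schedule" - only low/medium criticality assets are affected
      "act-now"  - at least one high-criticality asset is affected
    """
    matched = matching_assets(alert, inventory)
    if not matched:
        return "ignore", []
    top = max(CRITICALITY_RANK[asset.criticality] for asset in matched)
    action = "act-now" if top == CRITICALITY_RANK["high"] else "schedule"
    return action, sorted(asset.name for asset in matched)


def rank_sources(alerts, inventory):
    """Rank CTI sources by how much critical inventory their alerts touched.

    Score = sum of criticality weights of every asset matched by the source's
    alerts (an assumed scoring rule). Sources that only report on devices the
    organization does not own score zero.
    """
    scores = Counter()
    for alert in alerts:
        scores[alert.source] += sum(
            CRITICALITY_RANK[asset.criticality]
            for asset in matching_assets(alert, inventory)
        )
    return scores.most_common()


if __name__ == "__main__":
    for alert in ALERTS:
        action, names = triage(alert, INVENTORY)
        print(f"[{action:8}] {alert.source}: {alert.summary} -> {names or 'no matching asset'}")
    print("Source applicability:", rank_sources(ALERTS, INVENTORY))
```

Running the script shows the router worm being ignored (no such device in the inventory), the desktop phishing alert being scheduled (only a low-criticality kiosk is affected), and both ICS-feed alerts being flagged for immediate action; the source ranking then makes the ICS feed the more applicable subscription for this particular inventory. In practice the inventory would be loaded from the organization's asset register rather than hard-coded, and the matching step would normally use vendor/product/version identifiers rather than plain product strings.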
Essential Data
Organizations that plan to monitor CTI should research the sources that best fit their needs. Gathering the following information will help them select from the many sources available:
- An inventory of the organization’s assets, prioritized by criticality
- A list of CTI sources, prioritized by applicability to the organization’s critical assets
- Processes and plans for responding to CTI.
Recommended Reading
Additional Resources and References
Crowdstrike. 2020. Threat Intelligence, Cybersecurity’s Best Kept Secret.
ENISA. “ENISA Threat Landscape 2020.”
ENISA. 2013. Smart Grid Threat Landscape and Good Practice Guide.
Guercio, Kyle. “Top Threat Intelligence Platforms for 2021.” eSecurity Planet.
U.S. Department of Homeland Security. “Understanding the Threat Landscape.”