Gruppo TIM

What is Cyber Threat Intelligence?

In today's cybersecurity paradigm, Cyber Threat Intelligence plays a leading role.

Reactive malware detection tools, firewalls, and analysis through artificial intelligence are not enough: to ensure the security of companies, an intensive Cyber Threat Intelligence activity is required to prevent attacks by cybercriminals.

Cyber Threat Intelligence deals with the collection and analysis of information to identify and characterize possible cyber threats in terms of their techniques, resources, motivations, and purposes, often with reference to specific operational contexts.

 

Cyber Threat Intelligence: a world in constant evolution

The game between cybersecurity experts and hackers is a day-to-day chess game, in which the emergence of new malware and threats follows a frenetic pace.

Cyber Threat Intelligence (CTI) is the tool that allows you to adopt specific defense solutions against possible attacks and identify any new vulnerabilities within the corporate network.

All of this happens through an activity that closely resembles what, in the “real” world, is defined as counterintelligence.

Like any community, the cybercriminal community has its own reference points, meeting places, and communication channels on the Internet.

Monitoring this widespread undergrowth on the Web, made up of specialized forums, chat channels, and more or less clandestine marketplaces, offers cybersecurity experts a strategic advantage that allows them to improve the effectiveness of protection tools.

 

When the game is played on vulnerabilities

The dynamics of cybersecurity are extremely complex and varied, but they follow a logic that experts know well.

In particular, one of the most useful considerations for Cyber Threat Intelligence activities is that cybercriminals act mainly in an opportunistic way, exploiting the hacking techniques and tools that are most effective at a given moment.

From this point of view, a sort of short circuit occurs in the world of cybersecurity: it is often the very work of researchers, who are committed to finding and correcting vulnerabilities in devices, operating systems, and software, that provides the idea that allows cyber pirates to launch their attacks.

It is quite rare for hackers to independently develop malware that exploits unknown security holes.

More often (almost always) they use known vulnerabilities, which have been identified by the security companies themselves or by researchers specializing in bug bounty programs, as a preventive measure.

 

The scheme of the CTI

The scheme can usually be summarized in three steps. The first is the identification of the vulnerability and the confidential communication of its technical details to the software developer or device manufacturer.

At this stage, the specific information on the vulnerability is not accessible to anyone else; it is publicly released only later, when the update that corrects the vulnerability is available.

This is the critical time when hackers can use the information to develop exploits that take advantage of the vulnerability, thereby creating new malware or new versions of existing ones.

The bet of cybercriminals, in practice, is to be able to hit their victims before they have updated the systems.

This is a dynamic that security experts are well aware of and that has been happening over and over again for years. 

The role of the Cyber Threat Intelligence teams, in this perspective, is to monitor everything that happens and promptly identify new trends in cybercrime.

In this way, experts can prepare the most appropriate protection measures to deal with possible new attacks.

 

When the threat becomes real

Simply posting the details of a vulnerability, in most cases, does not automatically mean that pirates can exploit it for their purposes immediately.

The development of an exploit requires some time and the use of resources to test it. In other words, the discovery of a new vulnerability does not necessarily represent an imminent danger, but a sort of “alarm bell” that must lead to raising the level of attention.

Instead, what triggers the emergency is the publication of a Proof of Concept (PoC), the code that can exploit the security flaw to compromise the device or software in question.

As the PoC begins to circulate on the Web, cybercriminals have an easy time using it to set up their attacks.

Once again, the timely detection of the presence of a PoC on clandestine markets or in forums dedicated to hacking can be a great advantage in preventing an attack.

 

Cyber Threat Intelligence and Dark Web

To collect this type of information, it is essential to know the environments in which cyber pirates move.

The main focus, from this point of view, is the Dark Web: that part of the Internet that cannot be reached with normal browsers and that requires, to access it, the use of special tools such as Tor and access credentials that are only granted to those who are deemed “reliable”.

The work of those involved in Cyber Threat Intelligence is similar to that of a secret agent who works undercover and who must infiltrate the environments where new malware, hacking tools, and all those “services” that allow cyber pirates to carry on their business are exchanged and distributed.

Not to mention the exponential growth of the phenomenon of “malware as a service”, a formula whereby pirates “rent” their tools to other cybercriminals.

 

Protect the brand reputation with the CTI

The harmful effects on a company’s business do not arise only from direct attacks on IT systems.

Often the activity of cybercriminals can be harmful even when it is aimed at end customers, users, or partners of the company itself.

In this case too, the environments frequented by cybercriminals allow information and clues to be obtained on any activities undertaken to the detriment of subjects connected to the company.

Cyber Threat Intelligence, therefore, can make it possible to launch information campaigns that warn users of cyber threats that could affect them, or to block illegal activities that jeopardize, even if indirectly, the reputation of the company.

In short: a 360-degree activity that, in the current landscape, represents a fundamental piece of cybersecurity and can make a difference in the fight against cyber threats.