AlienVault / SANS Cyber Threat Intelligence

As malware becomes more commercialized, attackers are leveraging the same attack kits again and again. Cyber Threat Intelligence (CTI) offers the ability to detect attacks carried out using methods previously reported by others in the threat intelligence network. In the latest SANS Cyber Threat Intelligence (CTI) Survey (1), results showed that 69% of organizations surveyed are now using CTI to some extent.

For IT security teams considering integrating CTI, what are the key questions to ask before getting started?

1. What are your short-term and long-term goals, and how will you measure progress?

   Top benefits reported by those using CTI:
   - Improved visibility into attack methodologies
   - Faster and more accurate response
   - Measurable reduction in incidents through more intelligent blocking

2. Who will you assign to CTI planning?

   Top 5 skill sets respondents viewed as valuable for leveraging CTI:
   - Knowledge of normal network and system operations to detect abnormal behaviors
   - Data analysis capabilities
   - Knowledge of indicators of compromise
   - Incident response skills
   - Knowledge of adversaries and campaigns

3. What do you intend to do with CTI data?

   Organizations are integrating many tools into their CTI feeds; among those surveyed, the top 5 were:
   - Intrusion prevention systems (IPS)
   - Firewalls/UTMs
   - Host security systems
   - SIEM
   - Vulnerability management

4. Will you use commercial feeds, open source and community data, or both?

   Survey respondents reported use of a number of threat intelligence sources:
   - Community (groups such as ISACs, CERT or other formal or informal groups)
   - Internal systems
   - Vendor-driven cyber threat intelligence feeds
   - Public cyber threat intelligence feeds (DNS, MalwareDomainList.com, etc.)
   - Open source feeds

5. Will you use a standard import data format for your CTI feeds?

   For those using standard formats, the top 5 standard formats were:
   - AlienVault Open Threat Exchange™ (OTX)
   - Structured Threat Information Expression (STIX)
   - Collective Intelligence Framework (CIF)
   - Open Indicators of Compromise (OpenIOC) framework
   - Trusted Automated eXchange of Indicator Information (TAXII)

   [Chart: companies using cyber intelligence data in "standard" format and well-known open-source toolkits]

6. What kinds of tools will you use to aggregate and collect CTI data?

   Top four tools used by survey respondents to aggregate, analyze & present CTI:
   - Security information and event management (SIEM)
   - Intrusion monitoring platforms
   - Other types of analytics platforms
   - Homegrown tools

(1) SANS Cyber Threat Intelligence Survey (CTI)
https://www.alienvault.com/resource-center/white-papers/cyber-threat-intelligence-whos-using-it-and-how
