
Building a Cyber Threat Intelligence Platform in 5 steps

Cyber threat intelligence (CTI) is information about a current or evolving cyber threat that threat intelligence partners disseminate to organizations so they can reinforce their defenses against known attack vectors. CTI data might take the form of rogue IP addresses, known malware hashes, malicious attachments and other core threat identifiers. It may also include other critical information about a threat activity, such as Indicators of Compromise (IOCs), Indicators of Attack (IOAs), the methods used in the attack, and sometimes the motivation or even the identity of the attacker. Through threat intelligence sharing communities, platforms or tools, organizations can exchange CTI with each other and stop attacks before they occur.

Threat intelligence data is used to learn about an adversary and gain insight into current threats. It is a valuable input to the lessons-learned phase of Incident Response (IR) and to preventing future attacks, because it shows how threat actors actually operate. This matters because today's threat landscape is so broad and adversaries vary so widely, from state-sponsored actors to cybercriminals extorting money from their victims.
The Importance of CTI
Every organization has certain core objectives regardless of its size, business type or geographical location, such as increasing revenue, mitigating risk, reducing expenditure, winning more clients, keeping employees satisfied, conforming to regulations, and so on. Information security, however, is often overlooked and is frequently not treated as a core objective because of its cost, and as a result the time spent on security awareness training is minimal. To counter this outlook, this section explains how cyber threat intelligence can have a positive impact on your organization. The key benefits of threat intelligence are as follows:
• Mitigating risk: Adversaries are constantly discovering new ways to infiltrate organizations. Threat intelligence provides visibility into existing and emerging threats, which reduces the risk of data loss, prevents or minimizes disruption of business operations, and supports regulatory compliance.
• Stopping financial loss: Security breaches cost your organization in post-incident remediation and restoration as well as in fines, investigations and lawsuits. Threat intelligence tooling helps you make timely, informed decisions that prevent outages and the theft of confidential data. It also helps protect your organization's intellectual property and your brand's reputation.
• Increasing operational effectiveness: Threat intelligence helps build a more efficient security team. Using automated threat sharing platforms to validate and correlate threat data, and integrating that data into your own controls, strengthens your security posture and can shorten your IR time. It lets your operational workforce work more efficiently and saves your business money.
• Reducing costs: Threat intelligence benefits any organization regardless of its shape and size. It helps process threat data to better understand attackers, respond to incidents, and proactively predict and block the attackers' likely next moves. Leveraging external threat intelligence can reduce costs.
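As an added example that is not part of the original article and is not drawn from any vendor product, the following Python script shows how the indicator types listed above (IP addresses, file hashes, domain names, attachment names) are put to work once a sharing platform delivers them as STIX 2.1 indicators: it parses a constructed bundle, drops indicators whose valid_until has passed, reports patterns it cannot evaluate, and matches the remaining terms against a few constructed log events. The bundle contents, the event records and the FIELD_MAP that ties local field names to STIX observable properties are all assumptions for illustration; only string-equality comparisons joined by OR are handled, which is a small subset of the STIX pattern grammar.

```python
"""Consume STIX 2.1 indicators from a sharing feed and match them against local
telemetry. Added example: bundle, events and field mapping are all constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle with shortened ids. Addresses come from the
# documentation ranges and the hash is that of an empty file: no real IOCs.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--1", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--c2",
     "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--dropper",
     "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "valid_until": "2024-06-01T00:00:00Z",  # stale after this date
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb9"
                "2427ae41e4649b934ca495991b7852b855' OR file:name = 'invoice.pdf.exe']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--phish",
     "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'login.example']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--port",
     "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
     "pattern": "[network-traffic:dst_port = 4444]"},  # outside our subset
]})

# Constructed local telemetry, already flattened into simple records.
SAMPLE_EVENTS = [
    {"source": "proxy", "dst_ip": "203.0.113.5", "host": "cdn.example.net"},
    {"source": "edr", "file_name": "Invoice.PDF.exe",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"source": "dns", "query": "login.example"},
    {"source": "proxy", "dst_ip": "198.51.100.7", "host": "www.example.com"},
]

# Local field -> STIX cyber-observable (object type, property). This mapping is
# an assumption about our own telemetry schema, not part of STIX.
FIELD_MAP = {"dst_ip": ("ipv4-addr", "value"), "host": ("domain-name", "value"),
             "query": ("domain-name", "value"), "file_name": ("file", "name"),
             "sha256": ("file", "hashes.SHA-256")}

# One equality comparison inside a pattern: <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")

def parse_pattern(pattern):
    """Parse one observation expression whose string-equality comparisons are
    joined by OR into (object_type, property, lowercase value) terms. AND,
    FOLLOWEDBY, MATCHES, unquoted numbers and so on raise ValueError."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern: " + pattern)
    terms = []
    for clause in re.split(r"\s+OR\s+", body[1:-1]):
        match = _COMPARISON.fullmatch(clause.strip())
        if match is None:
            raise ValueError("unsupported comparison: " + clause)
        obj_type, prop, value = match.groups()
        terms.append((obj_type, prop.replace("'", ""), value.lower()))
    return terms

def _parse_ts(ts):
    """STIX timestamps are RFC 3339 UTC strings ending in 'Z'."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def load_indicators(bundle_json, now):
    """Return (active, skipped). active maps each term to the indicator ids that
    assert it; skipped lists indicators dropped because valid_until has passed
    (a stale IOC must stop alerting) or because the pattern is unsupported."""
    active, skipped = {}, []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            skipped.append((obj["id"], "expired"))
            continue
        try:
            terms = parse_pattern(obj["pattern"])
        except ValueError as err:
            skipped.append((obj["id"], str(err)))
            continue
        for term in terms:
            active.setdefault(term, []).append(obj["id"])
    return active, skipped

def match_events(events, active):
    """Return (event_index, indicator_id, term) for each IOC hit. Both sides are
    lower-cased: hashes, domain names and Windows file names are case-insensitive."""
    hits = []
    for index, event in enumerate(events):
        for field, (obj_type, prop) in FIELD_MAP.items():
            if field in event:
                term = (obj_type, prop, str(event[field]).lower())
                for indicator_id in active.get(term, []):
                    hits.append((index, indicator_id, term))
    return hits

if __name__ == "__main__":
    active, skipped = load_indicators(SAMPLE_BUNDLE, datetime.now(timezone.utc))
    print("skipped:", skipped, "\nhits:", match_events(SAMPLE_EVENTS, active))
```

Two details carry over to real deployments: indicators have a validity window, and an expired IOC that keeps alerting is a common source of false positives; and a feed will contain patterns your matcher does not understand, which should be surfaced rather than silently dropped. Production code should pull bundles over TAXII and use the OASIS stix2 and stix2-patterns libraries rather than hand-parsing patterns.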
Cyber Threat Intel
Key pointers when building your CTI program, in five steps:
1.  Start with a planning and direction document from which you derive your Priority Intelligence Requirements (PIRs).
2.  If your budget is limited or non-existent, start with open source and free sources first.
3.  Be aware that vendors' collection scopes may overlap yet vary in quantity and quality.
4.  No single vendor does everything perfectly.
5.  SOAR is one of the product categories best placed to automate many of the later steps of the CTI lifecycle (although only a subset of SOAR vendors offer TIP-like platform capabilities).
You can learn more about cybersecurity in my book "Cybersecurity: The Beginner's Guide".


Case study – Panama Papers

In 2015, the offshore law firm Mossack Fonseca had 11.5 million of its documents leaked. The documents, later known as the Panama Papers, contained confidential financial information on more than 214,488 offshore entities and identified several national leaders, politicians and industry leaders, including a trail leading to associates of Vladimir Putin. The following diagram shows how much was exposed as part of this attack:

Although little information is available on how the attack was carried out, various security researchers have analyzed the operation.

According to a WikiLeaks post that claims to show a client communication from Mossack Fonseca, the firm confirmed a breach of its "email server". Given the size of the leak, it is believed that the email servers were attacked directly.

Cyber terrorists

Extremist and terrorist organizations such as Al Qaeda and the Islamic State of Iraq and Syria (ISIS) use the internet to distribute propaganda, recruit new members and communicate. An example of this is the 2008 attack in Mumbai, in which one of the gunmen confirmed that they had used Google Earth to familiarize themselves with the locations of buildings. Cyber terrorism is the extension of traditional terrorism into cyberspace.

Case study – Operation Ababil

In 2012, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters (the name of Hamas's military wing; US prosecutors later charged Iranian nationals over the campaign) attacked a series of American financial institutions. On September 18th 2012, the group claimed responsibility for the attacks and justified them by the relationship between the United States government and Israel, and as a response to the Innocence of Muslims video promoted by the American pastor Terry Jones. As part of a DDoS campaign, they targeted the New York Stock Exchange as well as banks such as J.P. Morgan Chase.

Cyber criminals

Cyber criminals are individuals or groups who use technology to commit crimes in the digital world. Their primary driver is financial gain and/or service disruption. Cyber criminals use computers in three broad ways:

  • Computers as the target: These criminals attack other people's computers to perform malicious activities such as spreading malware, stealing data, identity theft, and more.
  • Computers as the weapon: They use computers to carry out "conventional" crime such as spam, fraud, illegal gambling, and more.
  • Computers as an accessory: They use computers to store stolen or illegal data.

The following illustrates the larger picture, so we can understand how cyber criminals have penetrated the finance sector and wreaked havoc:

Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows Ltd, states that “Attackers can harm the bank by adding or subtracting a zero with every balance, or even by deleting entire accounts”.

Case study – FIN7

On August 1st 2018, the United States Attorney's Office for the Western District of Washington announced the arrest of several members of the cyber criminal organization FIN7, which had been tracked since 2015. Security researchers believe FIN7 to be one of the largest threat actor groups targeting the financial services industry. Combi Security, a purported penetration-testing firm, was a FIN7 front company.

The screenshot presented here shows a phishing email sent by FIN7 to victims, claiming to be from the US Food and Drug Administration (FDA).

Case study – Carbanak APT Attack

Carbanak is an advanced persistent threat (APT) campaign attributed to the group of the same name (later tracked as the Cobalt group, after the Cobalt Strike tooling it abused), active in 2013 and 2014 and publicly reported in 2015. The campaign is estimated to have caused total losses for its victims of more than 1 billion US dollars. The following depicts how the Carbanak cyber-gang stole $1bn by targeting a bank:

Case study – OurMine operation

In 2016, the threat actor group OurMine, suspected of operating from Saudi Arabia, conducted a DDoS attack against HSBC websites hosted in the USA and the UK. The following screenshot shows the communication from the threat actor:

As a result, HSBC's US and UK websites were unavailable. The following screenshot shows the HSBC USA website after the DDoS attack:

With cybercrime on the rise, companies have started adopting stronger measures to prevent system breaches; cybersecurity has become the need of the hour. This article explores how cyberattacks bring companies to their knees, making cybersecurity indispensable, and looks at some of the strategies an organization can adopt to safeguard itself against prevalent attacks.

“For every lock, there is someone out there trying to pick it or break in.” – David Bernstein

Malware, Phishing, Ransomware, DDoS!

These terms have become widespread today due to the increasing number of cyberattacks. The cyber threats that organizations face have grown steadily during the last few years and can disrupt even the most resilient organizations.

3 cyber attacks that shook the digital world

2011: Sony

Who can forget the notorious Sony hack of April 2011? Sony's PlayStation Network was breached by attackers who were never publicly identified, compromising the personal data of 77 million users. The breach cost Sony more than 15 million dollars in a class-action settlement with affected account holders. Sony never confirmed the intrusion vector, though it was criticized for running outdated, unpatched web server software, and much of the stolen personal data had been stored unencrypted. Encryption would not have stopped the intrusion, but it would have limited what the attackers could use.

Not long after, in 2014, Sony Pictures was attacked with malware by a group calling itself the "Guardians of Peace", which claimed to have stolen more than 100 terabytes of confidential data. Sony had once again not acted on its own security audit, which had flagged unmonitored firewalls, routers and servers: a failure of infrastructure management that ended in an 8 million dollar settlement with affected employees.

2013: 3 billion Yahoo accounts hacked

Yahoo has been the target of attackers three times. During its acquisition by Verizon, Yahoo disclosed that every one of its 3 billion accounts had been compromised in 2013. One of the worst aspects of this attack was that it was disclosed only in late 2016, three years after the breach, and the full count of 3 billion accounts only in 2017.

2017: WannaCry

One of the most infamous ransomware outbreaks of 2017, WannaCry spread to more than 150 countries, hitting organizations running outdated Windows machines by leveraging the EternalBlue exploit from the leaked NSA toolset. The attack, which has been linked to North Korea, hit hundreds of thousands of systems, including public services and large corporations. Its effects were so widespread that Microsoft, in an unusual move, released patches for Windows versions it had stopped supporting. Unsurprisingly, WannaCry owed its success to outdated technology (the SMBv1 protocol) and to organizations that had not applied the MS17-010 fix, which had been available for two months before the outbreak.

How cyber attacks damage businesses

Cyberattacks are clearly bad for business. They lead to:

  • Monetary loss
  • Data loss
  • Breach of confidential information
  • Breach of trust
  • Infrastructure damage
  • Litigation and compensation claims
  • Remediation costs
  • Reputational damage
  • Reduced marketability

This is why cybersecurity is so important – investing in it is smart from a business perspective as it could save you a lot of money in the long run.

Emerging cybersecurity trends

Tech journalist and analyst Art Wittmann once said “the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided”. It’s a valuable thing to remember when thinking about cybersecurity today. It’s about more than just buying software; it’s also about infrastructure design, culture and organizational practices. Cybersecurity is really a range of techniques and strategies designed to tackle different threats from a variety of sources.

Gartner predicts that worldwide cybersecurity spending will climb to $96 billion in 2018. This rapid market growth is being driven by numerous emerging trends, including:

  • Cloud computing
  • Internet of things
  • Machine learning
  • Artificial Intelligence
  • Biometrics and multi-factor authentication
  • Remote access and BYOD–Bring your own device

Effective cybersecurity strategies

The most effective strategy to mitigate and minimize the effects of a cyberattack is to build a solid cybersecurity program. Here are some of the ways in which an organization can strengthen its cybersecurity efforts:

  • Understand the importance of security

In the cyber age, you have to take security seriously. You need to protect the organization with the help of a security team. When building that team, take into account the types of risks that could affect the organization, how those risks would impact the business, and the remedial measures to take in case of a breach.

  • Top-notch security systems

You cannot compromise on the quality of the systems installed to secure your environment. Always remember what is at stake: should an attack occur, you need the best security your business can put in place.

  • Implement Red and Blue Teams

The organization should run Red Team and Blue Team exercises: the Red Team emulates attackers, attempting to penetrate the environment and reach sensitive data, while the Blue Team defends the systems against those attacks and improves detection. These teams can be staffed internally or outsourced to experts.

  • Security audits

Security audits are conducted to protect, detect and respond. The security team must actively test its own security systems to make sure everything is up to par to defend against an attack should it occur, and be proactive with countermeasures to defend the organization's perimeter. Employees must also be properly educated to take precautions and act wisely in the event of a breach.

  • Continuous monitoring

Securing your organization against cyberattacks is a continuous process, not a one-time activity. The security team should audit the organization's security systems regularly, and penetration testing must be conducted at regular intervals as part of a systematic process. The results of these tests must be taken seriously, with mitigation steps taken to correct any weak or problematic systems.

  • Plan your incident response

In the event of a breach, once the security team has confirmed it, they need to react quickly, but not without a plan. The compromised device should be located, its behavior analyzed, and remedial actions set in motion.

  • Vigilance

In the words of the world's most famous hacker, Kevin Mitnick, "Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it's money wasted; none of these measures address the weakest link in the security chain."

It cannot be stressed enough how important it is to be ever vigilant. The security team must stay current with the latest threat intelligence and always be on the lookout for new malicious programs that could disrupt the organization.

  • Think ahead

The question is never “if”, the real question is “when.” The attackers come sneaking when you are not looking. It is absolutely critical that organizations take a proactive stance to protect themselves by dropping the “if” attitude and adopting the “when” attitude.