dc.description.abstract |
Cyber Threat Intelligence (CTI) has become the building block for present and future cyber security initiatives. However, merely collecting CTI is not enough: it is not feasible for analysts to manually store intelligence on multiple attacks on a single server and correlate each new threat against that stored data. Complex attacks are carried out by well-trained threat actors using sophisticated Tactics, Techniques and Procedures (TTPs), making detection and mitigation considerably more difficult. As a result, organisations are urged to abandon purely reactive protection approaches in favour of deploying new systems proactively. In this research, we focus on readily available Cyber Threat Intelligence tools that go a long way toward securing an organisation's network. Three open-source CTI tools were selected on the basis of their operational feasibility and online support. Anomali STAXX, OpenCTI and MISP are compared against a set of selected attributes to determine which tool is more suitable for a given environment. OpenCTI is then used to trace the Cyber Kill Chains of two Pakistan-specific cyber-attacks. The Cyber Kill Chain has multiple phases, and when each phase of a cyber-attack is shared on a CTI platform, security analysts can recognise similar anomalous behaviour and stop an attack before it happens. To better understand how a CTI tool works, it is essential to understand the Cyber Threat Intelligence framework; a thorough grounding in it allows organisations to develop CTI tools tailored to their own requirements in future. Following on from this, we design and explain a CTI framework for a small to medium enterprise. The research shows that Cyber Threat Intelligence is a key component in the battle against modern and ever-evolving cyber-attacks, and that knowledge and application of it are imperative in tackling them. |
en_US |