The Importance of CTI Service Architecture
We came across this excellent scientific paper “A service architecture for an enhanced Cyber Threat Intelligence capability” written by Giuseppe Amato, Simone Ciccarone, Pasquale Digregorio and Giuseppe Natalucci at the Bank of Italy, Directorate General for Information Technology.
The paper discusses the cyber threat landscape and how organisations can more effectively enhance their CTI capabilities to produce and use actionable cyber threat intelligence, by improving the CTI management process with a properly resourced internal team.
The figure is a proposed architecture for how the pieces should connect, rather than an accurate picture of how they connect today, but we placed ourselves in it with this red dot. We also added two smaller dots where we also fit; don't worry about those for now, as we will write more about them soon. See below.
This got us at Elemendar talking, and Giorgos Georgopoulos, our co-founder and CEO, wrote the following thoughts about it and the necessary interconnectedness of cyber threat intel and security and business operations.
“CTI Doesn’t Exist in a Vacuum”
Threat intel exists to serve the needs of its security operations customers (e.g. in a SOC), and in turn security operations serve an IT or business function. That much is uncontroversial and has been thought through and documented by competent folks in this paper. The goal is to create a scalable service architecture that can collect data from various sources and provide an actionable picture of the company’s security risks.
Where things get more controversial is deciding how automation fits into the picture. Why does that matter? We argue that scalability is impossible without automation, but that implementing the wrong automation, in the wrong place, or for the wrong context can do more harm than good – and that ‘right’ and ‘wrong’ are not universal or unchanging. Specifically, if automation is to help process information, you have to think about the interfaces of the information layer in this architecture.
Let’s pick one of those interfaces that we at Elemendar know best: the flow of CTI information deliverables as input to the CTI service. Concretely, this might look like a PDF downloaded from your CTI vendor or ISAC portal, a MISP or TAXII client/server connection, or a WhatsApp message from another CISO in your sector at 3am on a Saturday if you’re lucky. The base case is that the CTI analyst at the service input interface is overloaded with up to 10x more information than they can handle effectively.
Even at that one place in the process, the context and type of automation applied vary wildly. The PDF will need sophisticated extraction and natural language understanding to parse quickly (we know a thing or two about that!), but not necessarily accepted, whereas the structured data could be triaged immediately against SIEM events. WhatsApp might be better off without any automation – can a machine helpfully trigger a playbook for whoever's on call that night to investigate on the basis of a hasty voice message?
Of course, the real fun begins when all three of these pieces of intel arrive together, and making intel actionable means very different things in the context of a live incident, a forensic investigation, or a planned project.
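As an added illustration of the structured-data case described above (the MISP/TAXII input that can be triaged immediately against SIEM events), here is a small Python triage routine. It is example code written for this page, not code from the original post, from the Bank of Italy paper or from Elemendar. The MISP-style event, the SIEM records, the attribute-to-field mapping (`FIELD_MAP`) and the function names are constructed assumptions; the `to_ids` flag is MISP's own "use for detection" attribute flag.

```python
"""Triage a MISP-style event against SIEM events (added example, constructed data).

Only the structured input goes through this path. A vendor PDF needs extraction and
analyst review first, and a 3am chat message goes straight to a human, so neither is
fed into this matcher; that is the point the post makes about per-interface automation.
"""
import json

# Constructed MISP-style event: only the fields this example needs.
# to_ids=False marks context-only attributes that must never be auto-matched.
MISP_EVENT_JSON = """
{
  "Event": {
    "info": "Constructed example: phishing infrastructure",
    "Attribute": [
      {"type": "ip-dst", "value": "203.0.113.45", "to_ids": true},
      {"type": "domain", "value": "update-portal.example", "to_ids": true},
      {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "to_ids": true},
      {"type": "comment", "value": "analyst note, not an indicator", "to_ids": false}
    ]
  }
}
"""

# Constructed SIEM events (normalised JSON records from firewall, DNS and EDR sources).
SIEM_EVENTS = [
    {"ts": "2024-05-04T03:12:09Z", "source": "firewall", "src": "10.20.5.17", "dst_ip": "203.0.113.45"},
    {"ts": "2024-05-04T03:12:11Z", "source": "dns", "src": "10.20.5.17", "query": "cdn.update-portal.example"},
    {"ts": "2024-05-04T03:13:40Z", "source": "edr", "host": "ws-0421",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"ts": "2024-05-04T03:15:02Z", "source": "firewall", "src": "10.20.5.18", "dst_ip": "198.51.100.7"},
]

# Assumed mapping from MISP attribute type to the SIEM fields it may be compared with.
# Keeping this explicit avoids matching an IP indicator against, say, a username field.
FIELD_MAP = {
    "ip-dst": ["dst_ip"],
    "ip-src": ["src"],
    "domain": ["query"],
    "sha256": ["sha256"],
}


def load_indicators(misp_json: str) -> dict:
    """Return {attribute_type: {values}} for attributes flagged for detection (to_ids)."""
    event = json.loads(misp_json)["Event"]
    indicators = {}
    for attr in event["Attribute"]:
        if not attr.get("to_ids"):
            continue  # comments and context attributes are for the analyst, not the matcher
        indicators.setdefault(attr["type"], set()).add(attr["value"].lower())
    return indicators


def matches_domain(observed: str, ioc: str) -> bool:
    """Exact or subdomain match: cdn.update-portal.example hits update-portal.example,
    but notupdate-portal.example does not (a plain substring test would false-positive)."""
    return observed == ioc or observed.endswith("." + ioc)


def triage(indicators: dict, events: list) -> list:
    """Return one hit record per (event, indicator) match, ready to raise as an alert."""
    hits = []
    for ev in events:
        for ioc_type, fields in FIELD_MAP.items():
            for field in fields:
                observed = ev.get(field)
                if observed is None:
                    continue
                observed = str(observed).lower()  # hashes arrive in mixed case from EDR
                for ioc in indicators.get(ioc_type, ()):
                    matched = matches_domain(observed, ioc) if ioc_type == "domain" else observed == ioc
                    if matched:
                        hits.append({"ts": ev["ts"], "source": ev["source"],
                                     "ioc_type": ioc_type, "ioc": ioc, "field": field})
    return hits


if __name__ == "__main__":
    for hit in triage(load_indicators(MISP_EVENT_JSON), SIEM_EVENTS):
        print(hit)
```

Run stand-alone it prints three hits (firewall, DNS and EDR) and ignores the comment attribute and the unrelated firewall record. The two deliberate checks are the ones an analyst would otherwise have to make by hand at that input interface: only `to_ids` attributes are matched, and domain indicators match subdomains without matching look-alike names.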