Cyber attacks are becoming more severe and more professional, causing great damage to governments, businesses and the economy. The sooner a cyber threat is detected, the less damage an attack can cause. Prevention, monitoring and incident response are no longer enough; we need a new strategy. In the recently opened Cyber Threat Intelligence Lab (CTI Lab), TNO is experimenting with new technologies and developing cybersecurity innovations.
“Many organisations already monitor their network closely and take action if they see anything suspicious,” says Richard Kerkdijk, cybersecurity expert at TNO. “Although this is a good approach, it is very reactive. We want to regain the initiative through cyber threat intelligence (CTI). By analysing threat intelligence, organisations can gain insight into the methods hacker groups use and the characteristics of specific types of malware. This enables them to anticipate cyber threats at an early stage and prevent damage to their systems.”
CTI is a relatively new field which, according to Annemarie Zielstra, Director of Cyber Security & Resilience at TNO, is still in its infancy. “Organisations are doing a lot of pioneering in this field and there are still many unanswered technical and organisational questions. Given the increasing importance of cyber threat intelligence in fighting cyber attacks, TNO has set up an ecosystem for this topic at the HSD campus: the CTI Lab.” It is an ideal ecosystem for public and private parties to share existing expertise and develop new knowledge. According to Zielstra, this joining of forces will boost further development of CTI as well as the development of cyber security products. “Firstly, the Netherlands will be safer digitally if we can jointly collect, analyse and share cyber threat intelligence. Secondly, by converting knowledge into cyber security innovations and products, we can create a strong Dutch cyber security industry. Reliable homegrown products are good for national security and offer real economic opportunities in the global market.”
“Analysing threat intelligence enables organisations to anticipate cyber threats at an early stage and prevent damage to their systems”
ING is one of the pioneers in the field of CTI. When the major DDoS attacks on the Dutch banks started, ING set up a Cyber Crime Expertise & Response Team (CCERT). This team collects and shares information globally at ING, alerts the organisation to threats, and solves problems. According to Vincent Thiele, manager of CCERT, it is important that a cyber threat intelligence team is closely connected to the organisation and its business processes. “CTI puts us a step ahead of attacks. That means that everyone in the organisation has a responsibility to notify our CCERT of warning signs, and at the same time our team must be able to translate relevant information, threats and solutions to the business processes or to a specific IT system. This is the most effective strategy.” Although ING is a frontrunner in CTI, there is still plenty of room for further development. “We want to get better at ‘threat hunting’: actively hunting for threats worldwide, followed by rapid adjustments to our security policy. To do this, we are relying on TNO’s expertise.”
Understanding the business of internal stakeholders
Like Vincent Thiele of ING, Joep Gommers, CEO of the EclecticIQ technology platform that analyses threat intelligence, emphasises translating CTI into actions that benefit the organisation. “A CTI team must understand the business of internal stakeholders and be able to accurately assess the threats to their business.” According to Gommers, CTI makes threat management possible. “It is an integrated process that reduces the risk of threats through targeted prevention, detection and security measures aimed at pre-empting cyber attacks.”
Which vulnerabilities have priority?
In a report entitled ‘The economic and social necessity of more cyber security’ (De economische en maatschappelijke noodzaak van meer cybersecurity), Herna Verhagen, CEO of PostNL, writes that ‘cooperation between government and industry in the field of cybersecurity needs to be strengthened and institutionalised. We must encourage information exchange on unauthorised use, vulnerabilities in systems, and crime or espionage in the digital world.’ According to Zielstra, that is exactly what the CTI Lab does for cyber threat intelligence. As an example, she cites the Cyber Trend Watch project, in which information sources are linked and analysed to identify vulnerabilities. Each vulnerability found is then given a score, and together these scores form a ‘threat index’: a ranking that shows which vulnerabilities have priority and must be resolved first. “This process is being developed and tested in the CTI Lab. We intend to add machine learning algorithms. This will accelerate the process and make it more automatic, while also ensuring high reliability.”
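The linking-and-scoring step described above can be illustrated with a small worked example. The code below is an added illustration and is not TNO's Cyber Trend Watch implementation: the three feeds, the vulnerability identifiers (placeholders, not real advisories) and the scoring weights are all constructed assumptions. It shows why linking sources matters: a vulnerability with the highest vendor severity does not automatically rank first once exploitation reports and the organisation's own asset inventory are taken into account, and a vulnerability in a product the organisation does not run drops out of the ranking entirely.

```python
"""Illustrative threat-index ranking (added example; not Cyber Trend Watch code).

Hypothetical assumptions: three constructed feeds are joined on a shared
vulnerability id / product name, and the scoring weights are arbitrary
values an organisation would tune for itself.
"""
from dataclasses import dataclass

# Constructed vendor advisory feed (placeholder ids, not real advisories).
ADVISORY_FEED = [
    {"id": "VULN-0001", "product": "mail-gateway", "severity": 9.8},
    {"id": "VULN-0002", "product": "hr-portal", "severity": 6.5},
    {"id": "VULN-0003", "product": "vpn-appliance", "severity": 8.1},
    {"id": "VULN-0004", "product": "legacy-cms", "severity": 7.2},
]

# Constructed exploitation reports: ids with observed in-the-wild activity,
# with the reporting source's confidence in the range 0..1.
EXPLOIT_REPORTS = [
    {"id": "VULN-0002", "confidence": 0.9},
    {"id": "VULN-0003", "confidence": 0.6},
]

# Constructed internal asset inventory: how many of the organisation's
# systems run each product and whether they are reachable from the internet.
# legacy-cms is deliberately absent: the organisation does not run it.
ASSET_INVENTORY = [
    {"product": "mail-gateway", "count": 2, "internet_facing": True},
    {"product": "hr-portal", "count": 40, "internet_facing": True},
    {"product": "vpn-appliance", "count": 3, "internet_facing": True},
]


@dataclass
class Threat:
    id: str
    product: str
    severity: float
    exploited_confidence: float = 0.0
    asset_count: int = 0
    internet_facing: bool = False
    score: float = 0.0


def link_sources(advisories, exploit_reports, assets):
    """Join the three feeds: advisories to exploit reports on id, and to the
    asset inventory on product name."""
    exploited = {r["id"]: r["confidence"] for r in exploit_reports}
    inventory = {a["product"]: a for a in assets}
    threats = []
    for adv in advisories:
        t = Threat(adv["id"], adv["product"], adv["severity"])
        t.exploited_confidence = exploited.get(adv["id"], 0.0)
        asset = inventory.get(adv["product"])
        if asset is not None:
            t.asset_count = asset["count"]
            t.internet_facing = asset["internet_facing"]
        threats.append(t)
    return threats


def score_threat(t):
    """Hypothetical score: vendor severity, scaled up by exploitation
    confidence and by how exposed the organisation is. A product the
    organisation does not run is not a relevant threat and scores 0."""
    if t.asset_count == 0:
        return 0.0
    exposure = min(t.asset_count, 50) / 50          # 0..1, saturates at 50 hosts
    facing = 1.0 if t.internet_facing else 0.5      # internal-only systems weigh less
    return t.severity * (1 + t.exploited_confidence) * (0.5 + exposure) * facing


def threat_index(advisories, exploit_reports, assets):
    """Link the sources, score every vulnerability and return the ranking,
    highest priority first."""
    threats = link_sources(advisories, exploit_reports, assets)
    for t in threats:
        t.score = score_threat(t)
    return sorted(threats, key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for rank, t in enumerate(threat_index(ADVISORY_FEED, EXPLOIT_REPORTS, ASSET_INVENTORY), 1):
        print(f"{rank}. {t.id} ({t.product}) score={t.score:.2f}")
```

On the constructed data, the mid-severity hr-portal vulnerability ranks first because it is actively exploited and widely deployed, the 9.8-severity mail-gateway issue drops to third because only two systems run it and no exploitation has been reported, and the legacy-cms entry scores zero because the organisation has no such asset. The weights here are deliberately simple; the point is the structure of the process (link, score, rank), not the particular numbers.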
“We want to get better at actively hunting for threats, followed by rapid adjustments to our security policy. To do this, we are relying on TNO’s expertise”
Because CTI is still relatively new, there are still many unanswered questions. For example: which sources of information are relevant to a specific organisation? What are the criteria for labelling and prioritising threats? What does an efficient CTI workflow consist of? How can you translate threat intelligence to all departments in the organisation? And what skills do CTI analysts need? “These are highly relevant questions which we are researching at the CTI Lab,” says Zielstra. “Partners who wish to participate in research, testing and demonstrations are invited to contact us. By working together, we can further develop cyber threat intelligence and come up with new innovations.”
The difference between SOC, CERT and CTI
Security Operations Centres (SOC) are often focused on preventive detection of abnormal behaviour on their own network. Computer Emergency Response Teams (CERT) tend to focus mainly on solving problems in the event of an incident. Both are mostly reactive and have an internal focus on the organisation. The CTI team has an external focus aimed at identifying current threats that are relevant to the organisation.