As malware becomes more commercialized, attackers are leveraging the same attack kits again and again. Cyber Threat Intelligence (CTI) offers the ability to detect attacks carried out using methods previously reported by others in the threat intelligence network. In the latest SANS Cyber Threat Intelligence (CTI) Survey (1), results showed that 69% of organizations surveyed are now using CTI to some extent.

For IT security teams considering integrating CTI, what are the key questions to ask before getting started?

1. What are your short-term and long-term goals and how will you measure progress?

   Top benefits reported by those using CTI:
   - Improved visibility into attack methodologies
   - Faster and more accurate response
   - Measurable reduction in incidents through more intelligent blocking

2. Who will you assign to CTI planning?

   Top 5 skill sets respondents viewed as valuable for leveraging CTI:
   - Knowledge of normal network and system operations to detect abnormal behaviors
   - Data analysis capabilities
   - Knowledge of indicators of compromise
   - Incident response skills
   - Knowledge of adversaries and campaigns

3. What do you intend to do with CTI data?

   Organizations are integrating many tools into their CTI feeds; among those surveyed, the top 5 were:
   - Intrusion prevention systems (IPS)
   - Firewalls/UTMs
   - Host security systems
   - SIEM
   - Vulnerability management

4. Will you use commercial feeds, open source and community data, or both?

   Survey respondents reported use of a number of threat intelligence sources:
   - Community (groups such as ISACs, CERTs or other formal or informal groups)
   - Internal systems
   - Vendor-driven cyber threat intelligence feeds
   - Public cyber threat intelligence feeds (DNS, MalwareDomainList.com, etc.)
   - Open source feeds

5. Will you use a standard import data format for your CTI feeds?

   For those using standard formats, the top 5 standard formats were:
   - AlienVault Open Threat Exchange (OTX)
   - Structured Threat Information Expression (STIX)
   - Collective Intelligence Framework (CIF)
   - Open Indicators of Compromise (OpenIOC) framework
   - Trusted Automated eXchange of Indicator Information (TAXII)

6. What kinds of tools will you use to aggregate and collect CTI data?

   Top four tools used by survey respondents to aggregate, analyze and present CTI:
   - Security information and event management (SIEM)
   - Intrusion monitoring platforms
   - Other types of analytics platforms
   - Homegrown tools

   (Chart caption: companies using cyber intelligence data in "standard" format and well-known open-source toolkits.)

(1) SANS Cyber Threat Intelligence (CTI) Survey
https://www.alienvault.com/resource-center/white-papers/cyber-threat-intelligence-whos-using-it-and-how