What is CTI?
According to Gartner in 2013, Cyber Threat Intelligence (CTI) is defned as “evidence-based knowledge, including the context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard. CTI is designed to assist understanding of why and how cyberattacks become a threat to a specific enterprise or organization. Customized information can be directly used to respond to cyberattacks, which adds the analysis and evaluation of the cyber incident analysis expert. CTI is divided into the TIS (Threat Intelligence Service), which provides CTI information, and the TIP (Threat Intelligence Platform), which is applied to the actual enterprise or organization using the CTI information. Generally there are 3 stages in developes a Cyber Threat Intelligence Platform, which consist of developing threat intelligence, gathering threat data, and providing threat information, indication of compromise (IoC) and common vulnerabilities and exposures (CVE).
Technically, the Cyber Threat Intelligence Platform works based on big data analysis to find APT attacks and generate threat information using deep learning methods. For example in the vulnerability library, nowadays, globally there are more than 470,000 data contained in the database vulnerability which on average increases about 400 new data each day. The DNS library currently has around 9 billion DNS resolution records, which continue to grow around 9 million each day. Therefore, to support large-scale data collection and processing, the Cyber Threat Intelligence Platform must have a big data platform to be able to process data up to petabytes of data.
It is necessary to develop an automated cyber incident information collection system that collects analysis information derived from previous cyberattacks and the various ICT resources used for the attacks (IP, domain, malicious code, email, VPN, and vulnerable software, etc.) in order to analyze cyberattacks automatically based on CTI, analyze similarities among past cyberattacks, and identify the attack group.
However, most of them are fragmentary. For example, there is only a list of meaningless IPs or domain names used for a specific cyberattack. However, the correlation between and similarity to previous attacks cannot be found for the automated analysis of cyberattacks simply by using the method of listing meaningless information. As a result, the association relationship of the information collected in this way should be collected and analyzed.
In 2017, the Indonesian government began to look very challenging in dealing with cyberspace, one of the factors that supported the enactment of Presidential Regulation No. 53 of 2017 which was approved by Presidential Regulation No. 133 of 2017 concerning the Siber and State Code Agency (BSSN). On the basis of the presidential regulation, BSSN received orders to carry out cyber security duties and effectively by utilizing, developing, and consolidating everything that is not related to cyber security. In other words, BSSN is the most competent government organization or institution to coordinate all cyber security resources in Indonesia. This cyber security will be the backbone of Indonesia’s cyber resilience.
In the same year, the countries most targeted by APT (Advanced Persistent Threat) cyber attacks were the USA, China, Saudi Arabia, South Korea, Israel, Turkey, Japan, France, Russia, Germany, Spain, Pakistan and the United Kingdom. Based on a report released by TrendMicro, the top three organizations that have become the massive attacks of APT are technology manufacturers, the financial sector and the government (including the military).
APT is a very sophisticated type of cyber attack on the Intrussion Detection System (IDS) and Intrussion Prevention System (IPS) security systems which can be said to be conventional technology. Generally APT is used as a cyber attack to steal sensitive data from the core system of an organization. The method of APT attacks is very complex, each attack is hidden, planned, repeated over a long period of time. Therefore the conventional cyber security system is no longer an effective solution to prevent APT attacks.
Threat intelligence solutions gather raw data about emerging or existing threat actors and threats from a number of sources. This data is then analyzed and filtered to produce threat intel feeds and management reports that contain information that can be used by automated security control solutions. The primary purpose of this type of security is to keep organizations informed of the risks of advanced persistent threats, zero-day threats and exploits, and how to protect against them.
When implemented well, threat intelligence can help to achieve the following objectives:
- Ensure you stay up to date with the often overwhelming volume of threats, including methods, vulnerabilities, targets and bad actors.
- Help you become more proactive about future cybersecurity threats.
- Keep leaders, stakeholders and users informed about the latest threats and repercussions they could have on the business.
To support Indonesia’s cyber resilience as outlined in a project management project development of the Cyber Threat Intelligence Platform starting from the initiating, planning, executing, monitoring and controlling, to closing stages.
At this stage, a Project Management Office (PMO) is formed to play a role in controlling the development of the Cyber Threat Intelligence Platform so that the project runs optimally in accordance with the expected goals.
At this stage, stakeholder management is carried out, the formation of an organizational structure, the establishment of development strategies, the design of development, preparation of budget plans, and preparation of project scheduling.
Consist of communication management and compliance with regulations and standards as guidelines.
The monitoring and controlling phase starts from the activities at the executing stage to the end when the Cyber Threat Intelligence Platform is used. Monitoring and controlling activities during project implementation must really pay attention to the reference regulations and standards that have been set. In addition, it also needs to be considered if there is a change in policy of an organization. Meanwhile, when the project is completed, the activity focuses on the performance of the Yenag platform that has been made, whether in good performance or not.