Cyber Threat Analysis
Cyber threat analysis is the proactive process of identifying, assessing, and understanding potential security threats to an organisation's digital systems. It transforms raw security data into actionable intelligence, allowing security teams to anticipate attacks rather than just reacting to them.
Core Components
A robust analysis typically examines four key dimensions of a threat:
Threat Actors (Who): Identifying the source, such as nation-states, cybercriminals, or malicious insiders, and understanding their motivations.
Techniques & Methods (How): Analysing the specific Tactics, Techniques, and Procedures (TTPs) used to breach systems.
Targeted Assets (What): Determining which critical systems, data, or infrastructures are at risk.
Potential Impact (So What): Evaluating the likely financial, reputational, or operational damage if the threat materialises.
The 4 Tiers of Cyber Threat Intelligence (CTI)
Analysis is often categorised into these levels to serve different organisational needs:
Strategic: High-level analysis of broad trends and geopolitical risks for executive decision-makers.
Operational: Insights into specific ongoing or upcoming campaigns targeting an industry or organization.
Tactical: Technical details on adversary behaviors (TTPs) used by SOC analysts to improve detection logic.
Technical: Granular data like malicious IP addresses or file hashes (Indicators of Compromise) for immediate blocking.
The Threat Intelligence Lifecycle
Security teams use a structured workflow to maintain continuous visibility:
Planning & Direction: Defining the scope and specific intelligence goals.
Collection: Gathering raw data from internal logs, open-source intelligence (OSINT), and commercial feeds.
Processing: Formatting and cleaning data to prepare it for analysis.
Analysis: Interpreting the data to find patterns and predict attacker behavior.
Dissemination: Delivering findings to stakeholders in usable formats.
Feedback: Refining the process based on how effectively the intelligence was used.
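The lifecycle above, and the Technical tier's use of indicators of compromise, can be seen end to end in a small script. The following is an added example, not code from the original article: it walks Collection, Processing, Analysis and Dissemination over a constructed indicator feed and a handful of constructed firewall and antivirus log lines (every address, hash and timestamp is invented), normalises both sources into one shape, correlates them, and emits the Technical-tier product: what to block and which internal assets to triage first. Feedback is the one step that stays human: it would be what the SOC reports back about whether these findings were useful.

```python
import json
import re
from collections import defaultdict

# --- Collection: raw inputs (constructed for this example, not real data) ----
OSINT_FEED = """\
# constructed indicator feed: value,type,label
198.51.100.23, ipv4, c2-server
203.0.113.77,ipv4,mass-scanner
0123456789ABCDEF0123456789ABCDEF,md5,dropper
"""

INTERNAL_LOGS = [
    "2024-05-01T10:02:11Z fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-05-01T10:02:15Z fw src=10.0.0.9 dst=93.184.216.34 dport=443 action=allow",
    "2024-05-01T10:03:40Z fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-05-01T10:05:02Z fw src=203.0.113.77 dst=10.0.0.12 dport=22 action=deny",
    "2024-05-01T10:07:19Z av host=10.0.0.5 md5=0123456789abcdef0123456789abcdef action=quarantine",
]

# --- Processing: normalise both sources into a common shape ------------------
def parse_feed(text):
    """Return {indicator: {"type": ..., "label": ...}}, lower-cased and stripped."""
    indicators = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the feed
        value, itype, label = (part.strip() for part in line.split(","))
        indicators[value.lower()] = {"type": itype.lower(), "label": label}
    return indicators

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_logs(lines):
    """Return a list of event dicts: timestamp, log source, and every key=value pair."""
    events = []
    for line in lines:
        ts, source, rest = line.split(" ", 2)
        event = {"ts": ts, "source": source}
        event.update({k: v.lower() for k, v in KV_RE.findall(rest)})
        events.append(event)
    return events

# --- Analysis: correlate internal events with the indicators ----------------
def correlate(events, indicators):
    """Map each matched indicator to the set of internal hosts that touched it."""
    hits = defaultdict(set)
    for ev in events:
        for field in ("src", "dst", "md5"):
            if ev.get(field) not in indicators:
                continue
            # work out which side of the event is the internal asset
            if field == "md5":
                internal = ev.get("host")
            elif field == "dst":
                internal = ev.get("src")
            else:
                internal = ev.get("dst")
            hits[ev[field]].add(internal)
    return hits

# --- Dissemination: the Technical-tier product for the SOC ------------------
def build_report(hits, indicators):
    findings = []
    for value, hosts in sorted(hits.items()):
        meta = indicators[value]
        findings.append({
            "indicator": value,
            "type": meta["type"],
            "label": meta["label"],
            "affected_hosts": sorted(hosts),
            "recommended_action": "block at perimeter" if meta["type"] == "ipv4"
                                  else "hunt and quarantine",
        })
    # assets that touched more than one indicator are triaged first
    exposure = defaultdict(set)
    for f in findings:
        for h in f["affected_hosts"]:
            exposure[h].add(f["indicator"])
    triage = sorted(exposure, key=lambda h: (-len(exposure[h]), h))
    return {"findings": findings, "triage_order": triage}

def run_pipeline(feed_text=OSINT_FEED, log_lines=INTERNAL_LOGS):
    indicators = parse_feed(feed_text)
    events = parse_logs(log_lines)
    return build_report(correlate(events, indicators), indicators)

if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

The Processing step is where most real pipelines lose value: the feed here mixes case and spacing, and without normalisation the quarantined hash would never match the feed entry. Ranking hosts by how many distinct indicators they touched is a deliberately simple triage heuristic; a production version would weight by indicator confidence and asset criticality.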
Common Threat Frameworks
Analysts use standardized models to map and communicate threat behavior:
MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
STRIDE: A model used in threat modeling to identify threats like Spoofing, Tampering, and Information Disclosure.
Cyber Kill Chain: Developed by Lockheed Martin to identify and prevent the stages of a cyberattack.
STRIDE Framework and Career Paths
1. The STRIDE Framework
Developed by Microsoft, STRIDE is a mnemonic used during the design phase of a system to identify what could go wrong. It categorizes threats based on the security property they violate:
| Category | Security Property Violated | Definition & Example |
|---|---|---|
| Spoofing | Authenticity | Pretending to be someone or something else (e.g., using a stolen admin password). |
| Tampering | Integrity | Maliciously modifying data or code (e.g., changing an account balance in a database). |
| Repudiation | Non-repudiation | Claiming not to have performed an action because of a lack of evidence (e.g., deleting logs to hide a transaction). |
| Information Disclosure | Confidentiality | Exposing private data to unauthorized users (e.g., a data breach of patient records). |
| Denial of Service | Availability | Crashing or slowing down a system so users can't access it (e.g., a DDoS attack). |
| Elevation of Privilege | Authorization | Gaining higher permissions than allowed (e.g., a standard user gaining root access). |
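Because STRIDE is applied at design time, it is usually run per element of a data-flow diagram rather than against a finished system. The script below is an added example, not code from the original article or from Microsoft: it applies the common STRIDE-per-element convention (external entities get S and R; processes get all six; data flows and data stores get T, I and D, with stores that hold logs also getting R; this mapping is assumed here, not stated on the page) to a constructed diagram of a browser, a web application, a database and an audit log, flags threats on flows that cross the trust boundary as higher priority, and attaches the security property from the table above plus a generic mitigation direction to each threat.

```python
from dataclasses import dataclass

# Category -> (name, security property violated), matching the table above
PROPERTY = {
    "S": ("Spoofing", "Authenticity"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# Generic mitigation direction per category (illustrative, not a checklist)
MITIGATION = {
    "S": "authenticate the principal (strong credentials, mutual TLS, signed tokens)",
    "T": "protect integrity (signatures/MACs, parameterised queries, immutable storage)",
    "R": "keep tamper-evident audit records with a trusted time source",
    "I": "encrypt in transit and at rest; least-privilege access to the data",
    "D": "rate limits, quotas and time-outs; design for redundancy",
    "E": "run with least privilege; check authorisation on every request",
}

# STRIDE-per-element: which categories apply to which kind of DFD element.
# Assumed mapping for this example; a log-holding store additionally gets R.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}

@dataclass
class Element:
    name: str
    kind: str                            # one of APPLICABLE's keys
    crosses_trust_boundary: bool = False  # meaningful for data flows
    holds_logs: bool = False              # meaningful for data stores

def threats_for(element):
    """Enumerate the STRIDE threats that apply to one DFD element."""
    cats = APPLICABLE[element.kind]
    if element.kind == "data_store" and element.holds_logs and "R" not in cats:
        cats += "R"  # tampering with logs also enables repudiation
    priority = "high" if element.crosses_trust_boundary else "medium"
    return [{
        "element": element.name,
        "category": PROPERTY[c][0],
        "property_violated": PROPERTY[c][1],
        "priority": priority,
        "mitigation": MITIGATION[c],
    } for c in cats]

def enumerate_threats(dfd):
    return [t for element in dfd for t in threats_for(element)]

def summarise(threats):
    """Counts per category and per priority: the numbers a design review tracks."""
    by_category, by_priority = {}, {}
    for t in threats:
        by_category[t["category"]] = by_category.get(t["category"], 0) + 1
        by_priority[t["priority"]] = by_priority.get(t["priority"], 0) + 1
    return {"total": len(threats), "by_category": by_category, "by_priority": by_priority}

# Constructed DFD: a browser talking to a web application backed by a database,
# where the HTTPS request is the only flow crossing the trust boundary.
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("HTTPS request", "data_flow", crosses_trust_boundary=True),
    Element("Web application", "process"),
    Element("SQL query", "data_flow"),
    Element("Accounts DB", "data_store"),
    Element("Audit log", "data_store", holds_logs=True),
]

if __name__ == "__main__":
    threats = enumerate_threats(SAMPLE_DFD)
    for t in threats:
        print(f"[{t['priority']:6}] {t['element']}: {t['category']} -> {t['mitigation']}")
    print(summarise(threats))
```

The point of the per-element pass is completeness rather than precision: the six-element diagram yields 21 candidate threats, most of which the design will dismiss with a one-line justification, but each dismissal is then a recorded decision rather than an oversight. The trust-boundary flag is what turns the flat list into something reviewers can prioritise.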