CTI: Cyber Threat Intelligence - Enabling Predictive Defense by Reading Attackers' Intent
Ryusuke Masuoka, Fujitsu System Integration Laboratories, Ltd.
November 2016
Copyright 2016 FUJITSU LIMITED

Cyber Threat Intelligence (CTI)
Definition: the product of collecting, processing, integrating, analyzing, evaluating and interpreting data and information.
The 5Ws1H of cyber attacks. CTI lets you determine:
• who the adversary is
• what their purpose is
• how serious it is

Two Elements of Cyber Threat Intelligence (CTI)
• Data/information such as IP addresses and malware hash values: CTI Level 1 (L1) – Observables
• Cyber threat intelligence in its real meaning: CTI Level 2 (L2) – Contextual CTI

Two Elements: CTI L1 and L2 – the Attack from the Attacker's Point of View
CTI L2 (Contextual CTI): the links between observables and other information pieces
• Who / Why
• Where: target region, industry, organization
• How: TTP - Tactics, Techniques, Procedures (e.g. phishing email, watering hole)
CTI L1 (Observables): What
• CVE-2014-6324
• New indicators
• Malware hash
• C&C IP address

CTIM: CTI-Driven Platform for Proactive Defense
(Architecture diagram, flattened into its labelled components.)
• Core: CTI Gateway, CTI Store; CTI Registration, Evaluation, CTI Matching; CTI Distribution → Detection → Block
• ICT Environment: IDS/IPS, AntiVirus, Firewall, Proxy Servers, PCs, SIEM, Decoy System; attack logs and artifacts (memory, logs, disks, malware, etc.) are collected into the Artifact Store
• SOC (Operator, 1st Tier Analyst): Alert/Ticket Registration, Alerts, Monitoring, Triage, Incident Tracking, Incident Management, Escalation
• Automation Engine: Artifact Analysis (Machine Learning, Observation, Sandbox, External Network Analysis, C2 Analysis Services)
• Response / Mitigation: disconnecting from the network, shutting down, locking accounts, etc.
• Senior Analyst (SIC): manual artifact analysis in the Analysis Environment (Malware Analysis, Memory Analysis, Log Analysis, Disk Forensics, Attack Campaign Analysis)
• CTI Sources and Information Collection: CTI sharing communities, OSINT, web news, blogs, SNS, security reports, vulnerability information
• Sharing: Sharing Policy Enforcement, Bi-Directional CTI Sharing, Private Translator, OASIS CTI Standardization, Sample Similarity Scoring System, CTI Graph Analytics and Editing

Pushing the Boundaries – Phased Adoption
Unlock the true potential of structured contextual CTI. Each phase adds to the previous one:
• Phase 1: Accumulate CTI in STIX
• Phase 2: + Consume external CTI
• Phase 3: + Share observables/indicators
• Phase 4: + Share technical context
• Phase 5: + Share adversarial context
(Layers of shared content, from bottom up: Observables, Indicators, Technical Context, Adversarial Context.)
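The following is an added illustration of the ideas on these slides, not code from Fujitsu's CTIM platform. It models a small CTI store in which each L1 observable (IP address, file hash) carries its L2 links (TTP and campaign), runs CTI Matching over a few constructed log lines so that every hit is enriched with that context, and then enforces a sharing policy that releases only the fields permitted by adoption phases 3, 4 and 5. The indicator values, campaign and TTP names, the key=value log format and the TLP markings are all assumptions made for the example; the slides name Sharing Policy Enforcement but do not specify TLP.

```python
"""CTI L1/L2 store, CTI matching over logs, and phase-gated sharing export.

Added example, not Fujitsu CTIM code. All indicator values, campaign and
TTP names, TLP markings and log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Indicator:
    """CTI L1 observable (itype/value) carrying its CTI L2 links."""
    itype: str      # "ipv4-addr" or "file-sha256"
    value: str
    ttp: str        # technical context: how the adversary used it
    campaign: str   # adversarial context: who / why
    tlp: str        # assumed sharing marking on the context: white/green/amber/red


# Constructed sample store (RFC 5737 documentation addresses, dummy hash).
CTI_STORE = [
    Indicator("ipv4-addr", "203.0.113.45", "c2-beacon", "campaign-x", "amber"),
    Indicator("file-sha256", "a" * 64, "phishing-email", "campaign-x", "red"),
    Indicator("ipv4-addr", "198.51.100.7", "watering-hole", "campaign-y", "white"),
]
INDEX = {(i.itype, i.value): i for i in CTI_STORE}

# Constructed proxy / AV log lines in a made-up key=value format.
SAMPLE_LOGS = [
    "2016-11-02T10:01:12Z proxy src=10.0.0.5 dst=203.0.113.45 url=/update.php",
    "2016-11-02T10:02:40Z av host=pc-17 sha256=" + "a" * 64 + " action=quarantined",
    "2016-11-02T10:03:01Z proxy src=10.0.0.9 dst=192.0.2.10 url=/index.html",
    "2016-11-02T10:04:55Z proxy src=10.0.0.5 dst=198.51.100.7 url=/news.html",
]

IPV4_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\bsha256=([0-9a-f]{64})\b")


def extract_observables(line):
    """Pull candidate L1 observables (type, value) out of one log line."""
    found = [("ipv4-addr", m.group(1)) for m in IPV4_RE.finditer(line)]
    found += [("file-sha256", m.group(1)) for m in SHA256_RE.finditer(line)]
    return found


def match_logs(lines, index=INDEX):
    """CTI Matching: each L1 hit becomes an alert enriched with its L2 context."""
    alerts = []
    for line in lines:
        for key in extract_observables(line):
            ind = index.get(key)
            if ind is not None:
                alerts.append({"log": line, "ioc": ind.value,
                               "ttp": ind.ttp, "campaign": ind.campaign})
    return alerts


def hits_by_campaign(alerts):
    """Triage view: group IOC hits by campaign, so two hits from one campaign
    read as one intrusion rather than two unrelated indicator matches."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["campaign"], []).append(a["ioc"])
    return grouped


# Fields each adoption phase permits in outbound sharing (phases 3-5 on the slide).
PHASE_FIELDS = {
    3: ("itype", "value"),
    4: ("itype", "value", "ttp"),
    5: ("itype", "value", "ttp", "campaign"),
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}


def export_for_sharing(phase, max_tlp="amber", store=CTI_STORE):
    """Sharing Policy Enforcement: strip fields the phase does not allow and
    drop entries whose context is marked above max_tlp. Bare observables
    (phase 3) carry no context, so the TLP gate applies only from phase 4 on."""
    fields = PHASE_FIELDS[phase]
    out = []
    for ind in store:
        if phase > 3 and TLP_RANK[ind.tlp] > TLP_RANK[max_tlp]:
            continue
        row = asdict(ind)
        out.append({k: row[k] for k in fields})
    return out


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS)
    for a in found:
        print(f"{a['ioc'][:18]:>18}  ttp={a['ttp']:<15} campaign={a['campaign']}")
    print(hits_by_campaign(found))
    print(export_for_sharing(5, max_tlp="amber"))
```

The point of carrying the L2 links on every indicator is visible in the output: the proxy hit on 203.0.113.45 and the quarantined file on pc-17 collapse into a single campaign-x intrusion rather than two unrelated IOC alerts, which is the L1-to-L2 step the slides argue for. The export function shows why sharing grows in phases: the same store can be released as bare observables to anyone, while the adversarial context stays behind the TLP gate until the partner relationship supports phase 5.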