Collecting Threat Intelligence in Cyber Defense

by Milica D. Djekic

Cyber defense is an area that has found applications all over the globe. Until recently, when we said "cyber" we meant computer, internet and mobile technologies. With the very first steps of the digital transformation, however, it became clear that even the most developed engineering systems have their correlations with cybersecurity.

So cyber is not only about computers, the web and mobile devices, but rather about connected objects and their web connectivity. Any cyber system, whether purely digital or an industrial asset, consists of some software and hardware. Practice suggests that any of these solutions can be vulnerable to hackers' attacks, so what we need most here is good cyber defense.

The reason is that modern cyber-physical systems have become highly sensitive to threats, and if we want to formulate useful security tactics and strategies to protect our infrastructure, we need to better understand anything that brings risk to our solutions. Some experts say that good defense is about understanding your threat, so it is quite obvious why any finding about the threat matters. In the sense of cybersecurity, threats can be virtual, physical or human. Virtual threats are any piece of code, including malware applications, that could harm a new-generation system.

Threats to physical solutions, on the other hand, can damage the system's hardware, while threats linked with people are the risks coming from the human factor. The purpose of this article is to discuss threat intelligence as the vital pillar of helpful cyber defense tactics, strategies and procedures.

What We Mean by Threat Intelligence

If you want to understand your threat, there are several steps to follow in order to produce threat intelligence. First, you need to collect findings about whatever worries you from a security standpoint. Those findings are usually data about malware behavior, hackers' tactics and approaches, and insider risks. Collecting threat findings is a long-term business, and once you are in progress with such a task you will keep discovering new things about your threat. The novel material you discover among your threat findings is the threat information. Finally, if you put that information under analysis and statistical review, you get the threat intelligence. The entire process is given in Figure 1 as follows.

Figure 1. The threat intelligence block diagram

As the threat intelligence block diagram shows, there are three main steps in producing threat intelligence. In practice things are not that simple: you may need to spend hours and hours in front of your computing device researching any anomaly that appears in cyberspace. Once you have obtained a source of information on the web, you should think about how to document the entire process and separate the new findings from the well-known ones. Once you do so, you get clear information that can later be processed and used as threat intelligence. This is not an easy task at all, but the effort is worth it because it can help you protect yourself from the threat.

The Hacker’s Forums as a Good Starting Point

A good place to find information about threats is any hacker's forum available on the visible or deep web. As an example we take Tor's Hidden Wiki, a spot where cybercrime and organized crime networks offer their goods and services. In order to reach such an environment, you need the Tor browser installed on your machine. Tor is a decentralized system that provides a certain amount of privacy; it is used not only by the defense community but also by the bad guys. Some instances of Tor's black market are given in Figure 2 as follows.

Figure 2. The Tor’s Hidden Wiki example

As illustrated above, hacker and criminal websites can offer plenty of useful findings to the defense community, and many security researchers collect data from there in order to prepare skillful reporting about the situation on the internet. The given instance is only an illustration of what that material looks like and of how it can serve as a good starting point for research. It is not rare that, while researching the visible or deep internet, you discover malicious applications whose links are posted on hacker forums. Such a discovery is a handy outcome for malware researchers, who can try to isolate the code in order to understand how it works and how the finding could be used for further cyber industry needs. For instance, once you discover new malware you can send that information to an anti-malware vendor's team, which can include its signature in the upgraded version of their product. That is how threat intelligence can serve preventive purposes.

The Need for Deep Research of the Darknet Environment

The Darknet has become a critical part of the internet. The most used Darknet browser today is Tor, and that system deals with millions of users every single day. A brief illustration of Tor users online during some period of time is given in Figure 3 as follows.

Figure 3. The Tor’s users being online

The results of this graph can be found on the Tor Project website using the well-known Tor Metrics web-based tool. In our opinion, analyzing those tendencies can help us make a better approach to our research and its methodologies.

The Methods of Producing Threat Intelligence

In order to produce threat intelligence, you should think about how to turn your findings into threat information and then put it under analysis. All the findings gathered on the web should be carefully reported, and if you want to cope with trends and tendencies you need to do some mathematical and statistical processing of the collected data. This requires some analytics skills, and we encourage anyone with such an affinity to contribute as a security researcher. The entire simplified procedure is represented in Figure 4 as follows.

Figure 4. The threat intelligence procedure
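The three-step chain described above (collected findings, the novel subset that counts as threat information, and the statistical review that yields threat intelligence) is shown below as an added example written for this page; it is not code from the article or from any tool the author uses. The findings, the "already documented" set and the forum labels are all constructed, the sample hashes are obvious placeholders rather than real indicators, and the weekly spike rule (a z-score over population standard deviation, threshold 1.5 because a four-week series cannot exceed about 1.7) is an assumption chosen for illustration.

```python
"""Added example: findings -> threat information -> threat intelligence.

Not the article's code. Sample data below is constructed; hashes are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Finding:
    """One raw threat finding as a researcher would record it (step 1: collection)."""
    observed: date    # date the finding was recorded
    source: str       # where it was seen; labels are constructed
    kind: str         # 'malware', 'tactic' or 'insider'
    indicator: str    # what was seen: a sample hash, a described technique


# Step 1 output: findings collected over a month (constructed sample data).
FINDINGS = [
    Finding(date(2019, 5, 6), "forum-a", "malware", "sha256:PLACEHOLDER-A"),
    Finding(date(2019, 5, 7), "forum-a", "tactic", "credential phishing via fake login page"),
    Finding(date(2019, 5, 8), "forum-b", "malware", "sha256:PLACEHOLDER-B"),
    Finding(date(2019, 5, 14), "forum-a", "malware", "sha256:PLACEHOLDER-A"),   # repeat
    Finding(date(2019, 5, 15), "forum-c", "insider", "data exfiltration via personal webmail"),
    Finding(date(2019, 5, 21), "forum-b", "malware", "sha256:PLACEHOLDER-C"),
    Finding(date(2019, 5, 22), "forum-a", "tactic", "credential phishing via fake login page"),  # repeat
    Finding(date(2019, 5, 27), "forum-a", "malware", "sha256:PLACEHOLDER-D"),
    Finding(date(2019, 5, 27), "forum-b", "malware", "sha256:PLACEHOLDER-E"),
    Finding(date(2019, 5, 28), "forum-c", "malware", "sha256:PLACEHOLDER-F"),
    Finding(date(2019, 5, 29), "forum-a", "tactic", "macro-enabled document lure"),
    Finding(date(2019, 5, 30), "forum-b", "malware", "sha256:PLACEHOLDER-G"),
]

# Indicators already documented in earlier reports (constructed).
KNOWN = {"sha256:PLACEHOLDER-B", "data exfiltration via personal webmail"}


def extract_information(findings, known):
    """Step 2: separate the new findings from the well-known ones.

    A finding becomes threat *information* only if its indicator is neither in
    the existing documentation nor already produced by an earlier finding in
    this batch. Returns the novel findings in order of first observation."""
    seen = set(known)
    novel = []
    for f in sorted(findings, key=lambda f: f.observed):
        if f.indicator in seen:
            continue
        seen.add(f.indicator)
        novel.append(f)
    return novel


def week_start(d):
    """Monday of the ISO week containing d, used as the weekly bucket key."""
    return d - timedelta(days=d.weekday())


def analyse(information, z_threshold=1.5):
    """Step 3: statistical review of the threat information.

    Returns counts per threat kind and per source, a weekly volume series with
    empty weeks included (so gaps stay visible), and the weeks whose volume lies
    more than z_threshold population standard deviations above the mean."""
    empty = {"by_kind": {}, "by_source": {}, "weekly": [], "spikes": []}
    if not information:
        return empty
    by_kind = dict(Counter(f.kind for f in information))
    by_source = dict(Counter(f.source for f in information))
    per_week = Counter(week_start(f.observed) for f in information)
    weekly, monday = [], min(per_week)
    while monday <= max(per_week):
        weekly.append((monday, per_week.get(monday, 0)))
        monday += timedelta(days=7)
    counts = [c for _, c in weekly]
    mu, sigma = mean(counts), pstdev(counts)
    spikes = []
    if sigma > 0:  # a flat series has no spikes; also avoids division by zero
        spikes = [w for w, c in weekly if (c - mu) / sigma > z_threshold]
    return {"by_kind": by_kind, "by_source": by_source, "weekly": weekly, "spikes": spikes}


def produce_intelligence(findings=FINDINGS, known=KNOWN):
    """Run the whole collect -> information -> intelligence chain and report."""
    information = extract_information(findings, known)
    report = analyse(information)
    report["collected"] = len(findings)
    report["novel"] = len(information)
    return report


if __name__ == "__main__":
    r = produce_intelligence()
    print(f"collected {r['collected']}, novel {r['novel']}, by kind {r['by_kind']}")
    for monday, count in r["weekly"]:
        flag = "  <-- spike" if monday in r["spikes"] else ""
        print(f"week of {monday}: {count}{flag}")
```

The point of the middle step is that repeats and already-documented indicators never reach the statistics, so the weekly series reflects genuinely new observations; a real deployment would swap the constructed lists for the researcher's own findings log and documentation index and keep the same shape.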

Finally, we should mention that threat intelligence production is hard work, and in order to make any sort of documentary reporting you need plenty of knowledge and experience at once. Above all, security researchers need strong learning skills and the ability to use some of the experts' tools. In other words, security research is a quite demanding field, and there is a skill shortage that should make us think hard about how to overcome it.

The Next Steps in Getting Security Challenges

Security is an ever-changing landscape that offers us a lot of challenges. In order to beat them, we need to adopt new approaches, methods and techniques. It is quite a trickery to think about the security business as something that can be resolved with a silver bullet. It is more a long-term game of cat and mouse, or in other words the good guys versus the bad guys. As long as we put some effort into understanding the threat, we can talk about best practices and measures for remaining safe.

About The Author

Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for domestic and overseas presses and is also the author of the book "The Internet of Things: Concept, Applications, and Security", published in 2017 with Lambert Academic Publishing. Milica is also a speaker with the BrightTALK experts' channel and Cyber Security Summit Europe, held in 2016, as well as CyberCentral Summit 2019, one of the most exclusive cyber defense events in Europe. She has been a member of ASIS International since 2017 and a contributor to the Australian Cyber Security Magazine since 2018. Milica's research efforts are recognized by the Computer Emergency Response Team for the European Union (CERT-EU). Her fields of interest are cyber defense, technology, and business. Milica is a person with a disability.

June 4, 2019
