Introduction
Threats to cyber intelligence are multifaceted because of the extensive risk exposure encountered across that spectrum. Cyber criminals constantly adapt to changing structures, which makes their detection that much more difficult. Over the years, a rapid escalation of cybercrime has been reported, with a 300% increase in ransomware observed in 2016 compared with 2015 (Alves et al., 2017). Over the same period, the tactics, techniques, and procedures used by cybercriminals have grown significantly more sophisticated. While technology has undoubtedly automated many things, it brings various challenges with it. It has become a prerequisite for many organizations to invest heavily in cyber security measures to counter these threats. Markedly, the nature of these threats makes establishing a secure network a daunting process. Fortunately, implementing cyber threat intelligence (CTI) holds an associated promise.
Continuous observation of the system’s activities provides options for mitigating cyber-attacks. However, this largely relies on extensive knowledge of those activities, which can be provided by integrating CTI with Security Information and Event Management (SIEM). The interplay between physical and cyber threat assessment provides comprehensive cyber threat intelligence aimed at inhibiting attacks in cyberspace. It supplies well-documented, researched, and organized accounts of past, present, and future attacks, giving the organization an upper hand in determining suitable mitigation methods (Goel et al., 2022). Notably, this strategy is a viable option for bridging the cyber intelligence gap. SIEM, on the other hand, is charged with collecting details about cybersecurity events from divergent sources, standardizing them, and then transmitting them to a centralized management console (Alves et al., 2017). The integration of CTI and SIEM facilitates the prioritization of threat alerts, informing proper intervention strategies.
Problem Statement
This project aims to examine the present gaps in cyber intelligence and determine suitable bridging methodologies. While the computerization of most organizations’ processes provides efficient operation, the amount of risk exposure experienced during those operations must also be considered. According to recent statistics, the total damage of cyber-attacks reached $6 trillion in 2022, while cybercrimes accrued $2 trillion (Jovanovic, 2019). These statistics cause worry among most organizations, which are often subjected to these continuous challenges. The frequency of cyber-attacks and cybercrimes is very alarming, with statistics revealing an estimated one cyber-attack every 39 seconds and one ransomware attack every 14 seconds (Jovanovic, 2019). Therefore, organizations need to explore mitigation opportunities for the growing number of cyber-attacks. The growth in internet users worldwide is a cause for alarm among most organizations, which constantly face the threat of intrusion. While cyber intelligence is essential, there is a constant risk of information overload, whereby much irrelevant information is collected that does not help mitigate threats (Sahrom Abu et al., 2018). The trajectory of internet use denotes a steady increase in cybercrime with the progression of the years. Therefore, organizations’ cyber-attack interventions demand some effort. The study explores the gap in the comprehension of the CTI function inside an organization by determining the benefits of this strategy and the shortcomings of poor implementation. This research aims to answer the following primary research questions: What is the current state of cyber intelligence in use? And what is the most suitable way of closing the cyber intelligence gap?
Purpose Statement
This qualitative research aims to determine the most suitable ways to close organizations’ cyber intelligence gap. At this stage in the project, cyber threat intelligence will be generally defined as the information a company uses to comprehend any possible threats to its systems, which is then used to reduce the ramifications of attacks (Goel et al., 2022). Organizations that have incorporated this strategy report remarkable results, especially in understanding the nature of attacks and generally improving their response time to identified threats. Implementing CTI also has a cost-effectiveness benefit, since the negative impacts of cyber-attacks are significantly reduced through prompt identification. CTI actively analyses potential threats before they attack to understand their purported goals, strategies, techniques, tactics, and procedures (Berndt & Ophoff, 2020). Notably, this allows the organization to effectively develop relevant response strategies to protect itself from any resulting impacts. Additionally, CTI keeps pace with the constantly shifting threat landscape by incorporating information-sharing platform technologies, which translate into prompt threat identification and subsequent mitigation. The information-sharing aspect draws on collective knowledge. It is expected to ensure a better understanding of cyber intelligence, bridging any resultant gaps. By extension, this concept ensures communal protection emanating from mitigated cyber-attacks, since the impacts of this implementation hinder the spread of threats (Berndt & Ophoff, 2020). Therefore, extensive use of CTI among organizations will significantly reduce the cyber intelligence gap.
Hypothesis
If all organizations incorporate CTI, the cyber intelligence gap will likely reduce. Based on the research reviewed, the cyber intelligence gap results from a lack of understanding of cyber security methodologies. The use of CTI boosts knowledge of the resulting threats, ensuring that all stakeholders have a clear account of these issues.
Literature Review
Sahrom Abu et al. (2018) analyzed the threat landscape’s evolution over the years to identify the most suitable definition of CTI. They also addressed the complexities in defining cyber threats and cybercrime. Cyber threats are recognized as encompassing a myriad of malicious activities occurring in cyberspace, whereas a cyber-attack is a single attempt to destroy or disrupt a computer system or network. In a nutshell, cyber threats are a collective notion, while a cyber-attack refers to the actual event. Sahrom Abu et al. (2018) also investigated some expected challenges in implementing CTI. Ideally, the popularization of this strategy requires scrutiny to identify potential and upcoming challenges. The general issues surrounding the implementation of cyber threat intelligence are discussed and mostly hinge upon the general lack of knowledge among many individuals. Notably, this results in poor implementation strategies, rendering the entire process ineffective. The paper also aims to identify a universal definition of the concept to eliminate the issue of divergent meanings, which is thought to be the main cause of the lack of proper knowledge. These findings are also closely related to Berndt and Ophoff’s (2020) findings when evaluating CTI uptake in South Africa.
The response to CTI is also an identified issue contributing to the prevalent gap in cyber intelligence. Ideally, because of the causal effect emanating from the implementation of CTI in one organization, a gap in one company is expected to have a consequential effect on other companies. The study identified how effective overall implementation is for the overall threat mitigation success rate. The work has demonstrated how imperative it is for organizations to consider creating awareness to ensure uniformity in tackling the issue. The article set out to identify the perceived notion of CTI within developing countries, using South Africa as a case study. It sought to determine the reasons for the gaps within an organization and how external factors play a significant role in the same (Berndt & Ophoff, 2020). Furthermore, it examined in detail the challenges and resulting outcomes of implementing CTI within an organizational framework. Essentially, Berndt and Ophoff (2020) analyzed the primary value emanating from an organization’s decision to implement CTI. They identified the need for skill in implementing this concept to ensure effectiveness. The limited number of participants in this study points to a need for more research on the same.
Using SIEM to identify false threats, so that organizations can channel their efforts towards real threats, is a vital strategy for curbing the challenge of false alerts. Alves et al. (2017) highlighted the limitations of public blocklists and went on to provide an alternative methodology aimed at enhancing their trustworthiness. Notably, an increase in false negatives is a gap in cyber intelligence that requires addressing. The evaluation of threat actors is critical in bridging the existing gap. According to Alves et al. (2017), CTI is an essential strategy that ensures the current gap is addressed to enhance efficiency. In a general sense, CTI promotes existing knowledge by ensuring that organizations and their employees fully understand the nature of threats. This gives them an upper hand in determining the best course of action whenever faced with a threat. Furthermore, it helps in resource allocation decision-making, whereby the relevant stakeholders can understand the real threats that require their input. This means that expertise in cyber security is attained. The research conducted by Alves et al. (2017) laid some necessary groundwork regarding the research question that is the subject of our study. Central to bridging the gap is the acquisition and spread of knowledge.
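The CTI-and-SIEM interplay described in the introduction and in the discussion of Alves et al. above (normalizing events from divergent sources, enriching them with indicator feeds of differing trustworthiness, and prioritizing alerts) can be made concrete with a small pipeline. The following is an added illustration written for this page, not code from the proposal or from any cited paper; the log lines, feed names, indicator IPs and trust weights are all constructed.

```python
import re

# Constructed CTI indicator feeds (documentation-range IPs, not real indicators).
# Each feed carries a trust weight, reflecting that public blocklists differ in reliability.
FEEDS = {
    "vendor_feed": {"trust": 0.9, "ips": {"203.0.113.7"}},
    "public_list": {"trust": 0.4, "ips": {"203.0.113.7", "198.51.100.22"}},
}

# Constructed sample events from two divergent sources: a firewall syslog line
# and a web server access-log line, the kind of input a SIEM must normalize.
RAW_EVENTS = [
    "fw01 DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dpt=22",
    '198.51.100.22 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    "fw01 ACCEPT src=192.0.2.10 dst=10.0.0.8 proto=tcp dpt=443",
]

FW_RE = re.compile(r"^(?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")
WEB_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]+)" (?P<status>\d{3})')

def normalize(line):
    """Map a raw line from either source onto one common event schema."""
    m = FW_RE.match(line)
    if m:
        return {"source": "firewall", "src_ip": m["src"], "detail": f"{m['action']} -> {m['dst']}"}
    m = WEB_RE.match(line)
    if m:
        return {"source": "web", "src_ip": m["src"], "detail": f"{m['req']} {m['status']}"}
    return None  # unrecognized format: dropped rather than silently mis-parsed

def enrich(event):
    """Attach CTI context: which feeds list the source IP and a combined trust score.
    Score = 1 - prod(1 - trust_i) over matching feeds, so corroboration by several
    feeds raises the score while a hit on a single weak feed stays low."""
    hits = [name for name, feed in FEEDS.items() if event["src_ip"] in feed["ips"]]
    miss = 1.0
    for name in hits:
        miss *= 1.0 - FEEDS[name]["trust"]
    event["cti_feeds"] = hits
    event["cti_score"] = round(1.0 - miss, 2)
    return event

def prioritize(lines):
    """Normalize, enrich and rank events so CTI-corroborated alerts surface first."""
    events = [enrich(e) for e in map(normalize, lines) if e is not None]
    return sorted(events, key=lambda e: e["cti_score"], reverse=True)

if __name__ == "__main__":
    for ev in prioritize(RAW_EVENTS):
        print(ev["cti_score"], ev["src_ip"], ev["source"], ev["cti_feeds"], ev["detail"])
```

An IP present only on the low-trust public list ranks below one corroborated by both feeds, which is the prioritization effect the integration is meant to deliver.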
CTI is divided into three levels: strategic cyber threat intelligence, tactical cyber threat intelligence, and operational cyber threat intelligence (Goel et al., 2022). These levels were provided to facilitate understanding of the concept. However, no direct correlation was drawn to show how these CTI levels help close the cyber intelligence gap. The research has provided readers with related literature highlighting some of the challenges associated with CTI implementation. Understanding this provides the groundwork for the core issue to be discussed and researched. Essentially, no correlation between SIEM and CTI implementation has been outlined as a way to bridge the gap. Ideally, this is an area that the proposed research can address in answering the research question.
Essentially, some of the highlighted challenges in this regard point to approaches that require some effort to ensure the gap is bridged. The identified methodologies include establishing new honeypots to fetch threat data, enhancing the pattern identification algorithms, and evaluating the framework in a more complicated cyber threat environment (Goel et al., 2022). In a nutshell, this provides information on the other proposed methodologies for addressing the cyber intelligence gap and the modes that can be implemented to ensure it is closed. This article highlights how threats operate in order to comprehend how they influence system operation. It highlights the implications of the different interpretations of CTI among organizations and the resulting negative consequences. Furthermore, it highlights the different perceptions of the concept in developed and developing countries.
Research Methods/Design
Given the exploratory nature of the research, in addition to our ambition of answering a top-level research question, a scoping review methodology is sought as the most suitable for this study. The findings from this study will provide the initial groundwork needed to understand the trend of CTI and the available research direction regarding the same. This research aims to study the most suitable method of bridging the cyber intelligence gap to ensure that cybercrime and cyber-attacks are effectively mitigated. It will incorporate multiple methodologies in the data collection phase. Interviews will be used to ensure that information is collected from organizations that are already using CTI. Notably, this is essential as it ensures that first-hand information is gathered. Ideally, this being qualitative research, the data collection sample is essentially small. Primarily, this provides the researcher with the desired focus on the targeted research area, increasing the detail collected from it. The empirical data collected through interviews will allow the researcher to observe the respondents’ body language and gather information from both covert and overt behavior (Berndt & Ophoff, 2020). In this study, the respondents will be identified through nonprobability sampling since it is inexpensive and relatively fast. It will also help us structure our interviews to ensure that the target respondents are identified and interviewed. The inclusion criteria are all organizations and companies using CTI, while the exclusion criteria are those that have not incorporated it in their operations. The credibility of this information will be established by correlating the information collected from the interviews with the research question. On the other hand, applicability will depend on the desired sampling criteria under which the inclusion and exclusion tests were determined.
In addition, the research question for this study requires the researchers to conduct an extensive literature review of journal articles with similar content. Ideally, these materials will be sourced through various online databases such as Google Scholar and ResearchGate. Primarily, in identifying the literature needed for this paper, keyword searches will be used to ensure that the relevant sources are identified. In this regard, the research will consider citations and references so that effective sorting criteria are implemented and materials consistent with the study are selected. The keywords used in the search engines and databases include “Cyber Threat Intelligence.” The literature search factored in articles from government agencies and peer-reviewed journals. Regarding the inclusion and exclusion criteria, the articles returned by the keyword input were further subjected to refined standards. The sources were expected to address specific areas of CTI and the various aspects of the same. Purposely, this is to ensure that the targeted information is captured, hence working towards answering the posed research question. The findings of this research proposal show great promise for the security and general safety of all organizations, regardless of their nature. Essentially, they will work towards ascertaining the safety of data, systems, and networks, ensuring efficient operation. Thematic analysis will be used to identify patterns in the themes. This will allow the researchers to gather additional information necessary to comprehend the issue further. One expected theme will be the benefits that organizations have experienced from implementing CTI. The participating organizations will be provided with the final findings, including the recommendations and information demonstrating the impact of their strategies.
References
Alves, J., Rosa, I. R., Respicio, A., & Rodrigues, P. (2017). Threat Intelligence Improving SIEM cyber criminality awareness using information from IP blacklists.
Berndt, A., & Ophoff, J. (2020). Exploring the value of a cyber threat intelligence function in an organization. Information Security Education. Information Security in Action, 96-109. https://doi.org/10.1007/978-3-030-59291-2_7
Goel, N., Mansi, & Sethi, N. (2022). Cyber threat intelligence: A survey on progressive techniques and challenges.
Jovanovic, B. (2019, November 14). Better safe than sorry: Cyber security statistics and trends for 2022. Dataprot. https://dataprot.net/statistics/cyber-security-statistics/
Sahrom Abu, M., Rahayu Selamat, S., Ariffin, A., & Yusof, R. (2018). Cyber Threat Intelligence – Issue and Challenges. Indonesian Journal of Electrical Engineering and Computer Science, 10(1), 371. https://doi.org/10.11591/ijeecs.v10.i1.pp371-379