
Guide to SAMA approach to CTI with RST Cloud

The Saudi Central Bank (Saudi Arabian Monetary Authority – SAMA) recognises the pivotal role that Cyber Threat Intelligence (CTI) plays in enhancing cybersecurity within the financial sector. To this end, SAMA has extended its Cyber Security Framework (CSF) by introducing the “Cyber Threat Intelligence Principles”. This subdomain outlines the essential principles of Cyber Threat Intelligence, aligning with SAMA’s commitment to strengthening CTI practices within its regulated financial institutions.

This document, known as the “Cyber Threat Intelligence Principles,” is a mandatory directive for all Member Organisations under SAMA’s regulatory purview. Its reach extends to senior and executive management, business owners, information asset custodians, Chief Information Security Officers (CISOs), and individuals responsible for defining, implementing, and reviewing CTI practices within Member Organisations.

The journey to effectively integrate CTI principles into organizational cybersecurity strategies may appear daunting. However, with the guidance provided by SAMA’s Cyber Threat Intelligence Principles, organizations are equipped to navigate the intricate CTI landscape confidently.

CTI in general

CTI is a broad field, with both immature customers and immature product and service vendors. To avoid wasteful spending, departments should create a CTI strategy, and pilot open source tools to better inform requirements. CTI is a supporting capability for cyber security defences. It does not replace a dedicated protective monitoring capability or security tools. Prior to investment in CTI, departments should uplift existing capability to the minimum necessary cyber security.

The CTI function covers all the stages of the MITRE Cyber Attack Lifecycle and works closely with the SOC, Threat Hunting, and other cyber defence functions and processes.

CTI can be used in several ways. Before a department makes an important and long-term decision on how to improve its CTI capability, it should understand the use cases for CTI.

Examples* of key use cases of CTI are identified below:

| Use Case | Objective | Intelligence Required | RST Cloud product that works here |
|---|---|---|---|
| Validate Alarms/Events | Validate alarms/events and decide which to escalate to the incident response team for remediation | Threat data: data connecting individual indicators, threat actors, techniques, etc. | RST Threat Feed: the most relevant IoCs for the current time, with noise and false positives filtered out. IoCs are attributed to threats/APTs. RST Whois API: can be used to check whether a domain is newly registered and to search for other connected malicious domains by registrant/registrar. |
| Enhance Automated Response | Automate the triage process of investigations by helping Security Information and Event Management (SIEM) and analytics tools correctly prioritise alarms and events presented to the CTI lead/analyst | Threat data: threat indicators and severity ratings, linked to attacks targeting specific industries, applications, etc. | RST Threat Feed: each IoC has an individual risk score, which indicates its priority and the risks it poses; this score is recalculated every day. |
| Inform Departmental Risk Profession | Enhance the security assurance and risk management process with contextual content from intelligence gathering | Threat data: threat indicators and severity ratings, linked to attacks targeting specific industries, applications, etc. | RST Threat Feed: has direct integration with different security tools. Each IoC is enriched with the content necessary for decision making. |
| Prioritise Vulnerabilities | Create a metric for evaluating vulnerabilities by measuring the overlap between the problems that can be fixed and those with the most impact, given the time and resources available | Vulnerability data: CVEs linked to attacks against specific industries, CVEs linked to specific threat actors, etc. | RST Report Hub: specific data with CVEs extracted from CTI reports (and linked to known attacks). |
| Support Threat Hunting | Proactively uncover hidden attacks on a department’s network, related to current incidents, or threats targeting the department | Threat data: indicators with links to context regarding campaigns, threat actors, techniques, history and targets | RST Threat Feed: each IoC is enriched with full context and TTPs. RST Report Hub: the feed of collected and parsed CTI reports from all well-known sources worldwide. Key facts are extracted from each report: threat name/actor, TTPs, software, geography, industry, presence of YARA and Sigma rules, etc. |
| Contain and Remediate Attacks | Disrupt attacker communications/command and control, remove malware | Threat data: intelligence knowledge base including data on techniques, history and targets of various threat actor groups | RST Threat Feed: has direct integration with NGFW/WAF network security tools, so connections to C2 servers and other threats can be blocked. The Lookup API can also be used with SOAR tools to make remediation decisions faster. |
| Anti-Phishing | Enhance existing mail protection capabilities by enriching detection datasets with indicators | Threat data: indicators with links to context regarding campaigns, threat actors, techniques, history and targets | RST Threat Feed: has more than 20 threat types, including phishing IoCs. RST Whois API: can be used to retrieve registration data for a domain while investigating phishing incidents. |

* “Cyber Threat Intelligence in Government: A Guide for Decision Makers & Analysts”
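The following is an added example (not code from this page or from RST Cloud) showing how the "Validate Alarms/Events", "Enhance Automated Response" and "Anti-Phishing" use cases in the table fit together as triage logic: match an event indicator against a scored, attributed feed, raise the score when Whois data shows a newly registered domain, and rank events for the SOC. The feed record layout, the Whois data and all indicator values are constructed for this example and are not RST Cloud's real feed or API format.

```python
"""Constructed alert-triage logic: IoC match + risk score + domain-age check."""
from dataclasses import dataclass
from datetime import date

# Constructed feed: indicator -> (risk score 0-100, attributed threat, threat type).
# Not RST Cloud's real format; addresses are from documentation ranges.
FEED = {
    "198.51.100.23": (85, "APT-Example", "c2"),      # constructed C2 address
    "login-example.test": (60, None, "phishing"),    # constructed phishing domain
    "203.0.113.7": (15, None, "scanner"),            # low score: noisy scanner
}

# Constructed Whois creation dates (what a registration lookup would return).
WHOIS_CREATED = {"login-example.test": date(2023, 10, 15)}

ESCALATE_SCORE = 70   # escalate to IR at or above this score
ENRICH_SCORE = 40     # keep as enriched context below escalation threshold
NEW_DOMAIN_DAYS = 30  # treat domains younger than this as higher risk
TODAY = date(2023, 10, 20)  # fixed "today" so results are reproducible


@dataclass
class Decision:
    indicator: str
    score: int
    action: str     # "escalate", "enrich-only" or "suppress"
    reasons: list


def triage(indicator: str, today: date = TODAY) -> Decision:
    """Decide what to do with one event indicator using feed + Whois context."""
    hit = FEED.get(indicator)
    if hit is None:
        return Decision(indicator, 0, "suppress", ["no feed match"])
    score, actor, ttype = hit
    reasons = [f"feed type={ttype}"]
    if actor:
        reasons.append(f"attributed to {actor}")
    created = WHOIS_CREATED.get(indicator)
    if created is not None and (today - created).days <= NEW_DOMAIN_DAYS:
        score = min(100, score + 20)   # newly registered domain: raise priority
        reasons.append(f"domain registered {(today - created).days} days ago")
    if score >= ESCALATE_SCORE:
        action = "escalate"
    elif score >= ENRICH_SCORE:
        action = "enrich-only"
    else:
        action = "suppress"
    return Decision(indicator, score, action, reasons)


def triage_events(indicators, today: date = TODAY):
    """Rank a batch of event indicators so the highest-risk ones come first."""
    return sorted((triage(i, today) for i in indicators),
                  key=lambda d: d.score, reverse=True)
```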

Stay tuned with us and watch for further updates. To be continued…