November 9, 2023
Dejan Zdravkov

Threat Intelligence is a Core Component of a Zero Trust Architecture (ZTA)

Cyber threat intelligence is a core component of a Zero Trust Architecture (ZTA). ZTA is a security concept and framework that treats all network traffic as untrusted and requires strong authentication and authorization for every access. Zero-trust policies and controls can be developed and implemented with the support of cyber threat intelligence.

Threat intelligence helps an organization identify and better assess potential threats and risks to its systems and networks, and helps it recognize known threat actors and the tactics, techniques, and procedures (TTPs) they use. It can also surface emerging threats that could not previously be identified; that information can be used to tighten security controls and to monitor the network more closely for related suspicious activity.

Using Cyber Threat Intelligence in the NIST SP 800-207 Zero Trust Framework

The NIST SP 800-207 guideline, which defines the Zero Trust Architecture framework, gives threat intelligence a prominent place within that architecture. According to NIST SP 800-207, threat intelligence is an integral element of the Zero Trust framework.

A straightforward illustration would be an organization using threat intelligence to pinpoint a threat actor and the malware tools they employ, and then feeding that intelligence into its existing security measures. The network can be protected from infiltration because the organization is now able to identify and block that malware.

Additionally, threat intelligence serves as an educational resource for training employees to identify and respond to potential threats. Within a Zero Trust network environment, all network traffic is viewed as untrusted, so employees must remain vigilant for any signs of suspicious activity. Zero Trust helps organizations recognize and preempt threats at an earlier stage, which in turn shapes the development and deployment of more robust security controls.

According to NIST SP 800-207, titled "Zero Trust Architecture," threat intelligence is crucial in helping organizations gain insights into potential threats and implementing adequate security controls. The guideline underscores that "threat intelligence can be employed to identify known malicious actors and their Tactics, Techniques, and Procedures (TTPs), as well as previously undisclosed emerging threats."

In Figure 2 of NIST SP 800-207, you can observe that threat intelligence is prominently featured as a fundamental logical component within the Zero Trust framework.

Figure 2: Core Zero Trust Logical Components

Enhancing Zero Trust Security with Anomali's Integrated Threat Intelligence

Anomali's threat intelligence plays a pivotal role in bolstering the implementation of a zero-trust architecture within organizations. It achieves this by furnishing real-time insights into potential threats lurking in their systems and networks. This is made possible through the use of threat feeds, which continuously provide updated information on known malicious actors and their tactics, techniques, and procedures (TTPs). Armed with this threat feed data, organizations can craft and put in place security controls that effectively identify and thwart potential threats before they infiltrate the network.

Anomali ThreatStream brings together external threat intelligence feeds and internal threat intelligence, data, or research to enable analysis and investigations of threats in a single interface and to integrate the threat intelligence with the organization’s security systems (SIEMs, EDR, FWs, etc.) to enable the efficient mitigation of threats.
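The NIST SP 800-207 material above describes threat intelligence as an input to the access decision, and this section describes the same feed data flowing into SIEMs, EDR and firewalls. The following Python example is added here to make both flows concrete; it is not code from Anomali, ThreatStream or NIST. The feed schema and its field names (type, value, actor, ttp, confidence, valid_until), the actor names, IP addresses, hashes, log lines and the MIN_CONFIDENCE threshold are all constructed assumptions for illustration.

```python
# Added example (not Anomali's code and not from NIST SP 800-207): a minimal
# default-deny policy decision that consults a threat-intelligence feed, plus
# SIEM-style matching of the same indicators against log lines.
# Every feed entry, request and log line below is constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed threat feed. The field names form a hypothetical schema, not a
# vendor format. Actors, IPs (RFC 5737 documentation ranges) and hashes are made up.
THREAT_FEED = [
    {"type": "ipv4-addr", "value": "203.0.113.45", "actor": "EXAMPLE-ACTOR-1",
     "ttp": "T1071.001", "confidence": 90, "valid_until": "2030-01-01T00:00:00+00:00"},
    {"type": "sha256", "value": "a" * 64, "actor": "EXAMPLE-ACTOR-1",
     "ttp": "T1204.002", "confidence": 80, "valid_until": "2030-01-01T00:00:00+00:00"},
    {"type": "ipv4-addr", "value": "198.51.100.7", "actor": "EXAMPLE-ACTOR-2",
     "ttp": "T1071.001", "confidence": 60, "valid_until": "2020-01-01T00:00:00+00:00"},  # expired
]

MIN_CONFIDENCE = 70  # assumed threshold: weaker indicators inform monitoring but do not block


class ThreatIntel:
    """Indexes feed indicators by (type, value); expired entries are dropped at load."""

    def __init__(self, feed, now=None):
        now_dt = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
        self.index = {}
        for ind in feed:
            if datetime.fromisoformat(ind["valid_until"]) <= now_dt:
                continue  # stale indicators are a common source of false positives
            self.index[(ind["type"], ind["value"])] = ind

    def lookup(self, ind_type, value):
        return self.index.get((ind_type, value))


@dataclass
class AccessRequest:
    user: str
    authenticated: bool
    device_compliant: bool
    source_ip: str
    process_sha256: str
    resource: str


def evaluate(req, ti):
    """Default-deny trust decision: identity and device posture are required, and a
    high-confidence indicator hit on the request context denies access."""
    reasons = []
    if not req.authenticated:
        reasons.append("user not authenticated")
    if not req.device_compliant:
        reasons.append("device not compliant")
    for ind_type, value in (("ipv4-addr", req.source_ip), ("sha256", req.process_sha256)):
        hit = ti.lookup(ind_type, value)
        if hit and hit["confidence"] >= MIN_CONFIDENCE:
            reasons.append(f"{ind_type} {value} linked to {hit['actor']} ({hit['ttp']})")
    return {"decision": "deny" if reasons else "allow", "reasons": reasons}


def parse_kv(line):
    """Parses key=value tokens from a constructed firewall/EDR log line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan_logs(lines, ti):
    """SIEM-style enrichment: one alert per log line whose source IP, destination IP
    or file hash matches a live feed indicator."""
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        checks = [("ipv4-addr", fields.get("src")), ("ipv4-addr", fields.get("dst")),
                  ("sha256", fields.get("sha256"))]
        for ind_type, value in checks:
            hit = ti.lookup(ind_type, value) if value else None
            if hit:
                alerts.append({"line": line, "actor": hit["actor"], "ttp": hit["ttp"]})
                break
    return alerts


SAMPLE_LOGS = [  # constructed log lines
    "2023-11-09T10:00:01Z fw src=10.0.0.21 dst=203.0.113.45 action=allow",
    "2023-11-09T10:00:02Z fw src=10.0.0.22 dst=192.0.2.10 action=allow",
    "2023-11-09T10:00:03Z edr host=ws-07 sha256=" + "a" * 64 + " action=exec",
    "2023-11-09T10:00:04Z fw src=10.0.0.23 dst=198.51.100.7 action=allow",  # expired indicator
]

if __name__ == "__main__":
    ti = ThreatIntel(THREAT_FEED, now="2023-11-09T00:00:00+00:00")
    clean = AccessRequest("alice", True, True, "10.0.0.21", "b" * 64, "/payroll")
    flagged = AccessRequest("alice", True, True, "203.0.113.45", "b" * 64, "/payroll")
    print(evaluate(clean, ti))    # allow
    print(evaluate(flagged, ti))  # deny, with the actor and TTP in the reason
    for alert in scan_logs(SAMPLE_LOGS, ti):
        print(alert)
```

Two design points matter in practice: the same indicator set is consulted at decision time (the policy engine) and at detection time (the SIEM), so both see one consistent view of the feed; and indicators carry a validity window and a confidence score, so an expired or low-confidence entry can still be reported for investigation without denying a legitimate user.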

Importantly, this enables security operations to work with stakeholders to prioritize and remediate threats according to their impact on business services. Similarly, it allows the threat intelligence and incident response functions to prioritize their research and investigative efforts using the same information, giving a more coordinated and informed approach across all security teams and stakeholders focused on threats to the organization.

In this manner, ThreatStream provides a technical realization of one of the key objectives of establishing a CTI function: understanding and mitigating business risk from cyber threats using an automated and integrated Threat Intelligence Platform.

Leveraging MITRE ATT&CK and Anomali Lens for Enhanced Cyber Threat Analysis

The MITRE ATT&CK framework and other threat intelligence models are built into an advanced Investigations Workbench for users to leverage, research, and produce finished intelligence reports for further action.

Anomali Lens is the first natural language processing (NLP) based web content parser that highlights all cyber threat information for further investigation, thereby supercharging Threat Research and Reporting.

Attackers inevitably set the agenda for cybersecurity analysts. Yet CISOs want answers and actions from those same analysts—and they want them now. Analysts are constantly racing against the clock to understand attacks and how to prevent threats from harming their networks.

Anomali Lens enables analysts to work and stay within any single web-content location for faster research, and to communicate cyber risk to executive leadership more effectively, which is especially critical in high-pressure situations such as widespread cyber-attacks and high-profile data breaches.

Anomali Lens scans and converts unstructured data, such as news stories, social media, research papers, blogs, paste sites, code repositories, and internal content sources like SIEM user interfaces, into actionable intelligence. Anomali Lens uses natural language processing (NLP) to take unstructured data and identify the threat actors, malware families, and attack techniques it describes, as they relate to threat intelligence.

Fortifying Cybersecurity with Zero Trust and Strategic Cyber Threat Intelligence

The NIST SP 800-207 guidelines emphasize the importance of cyber threat intelligence as a vital component of Zero Trust Architecture (ZTA). This strategic incorporation of threat intelligence is essential for organizations to identify and mitigate cyber threats effectively. With tools like Anomali ThreatStream, organizations are equipped with real-time, accurate threat data for crafting proactive and responsive security strategies.

Additionally, the use of frameworks like MITRE ATT&CK and technologies such as Anomali Lens significantly empowers cybersecurity teams. These tools facilitate in-depth threat analysis and expedite the reporting process, enabling swift and effective countermeasures against cyber threats. Combining comprehensive threat intelligence with the disciplined zero-trust approach is crucial in addressing current security challenges and reinforcing defenses against future threats. This approach is key to maintaining a secure, resilient, and well-protected digital infrastructure in the face of increasingly sophisticated and targeted cyber threats.

For more information on the Anomali Threat Intelligence Platform and Lens+, visit their respective pages at Anomali ThreatStream and Anomali Lens.
