Guide to SAMA approach to CTI with RST Cloud
Oct 20, 2023
The Saudi Central Bank (Saudi Arabian Monetary Authority – SAMA) recognises the pivotal role that Cyber Threat Intelligence (CTI) plays in enhancing cybersecurity within the financial sector. To this end, SAMA has extended its Cyber Security Framework (CSF) by introducing the “Cyber Threat Intelligence Principles”. This subdomain outlines the essential principles of Cyber Threat Intelligence, aligning with SAMA’s commitment to strengthening CTI practices within its regulated financial institutions.
This document, known as the “Cyber Threat Intelligence Principles,” is a mandatory directive for all Member Organisations under SAMA’s regulatory purview. Its reach extends to senior and executive management, business owners, information asset custodians, Chief Information Security Officers (CISOs), and individuals responsible for defining, implementing, and reviewing CTI practices within Member Organisations.
The journey to effectively integrate CTI principles into organizational cybersecurity strategies may appear daunting. However, with the guidance provided by SAMA’s Cyber Threat Intelligence Principles, organizations are equipped to navigate the intricate CTI landscape confidently.
CTI in general
CTI is a broad field, with both immature customers and immature product and service vendors. To avoid wasteful spending, departments should create a CTI strategy and pilot open source tools to better inform requirements. CTI is a supporting capability for cyber security defences: it does not replace a dedicated protective monitoring capability or security tools. Before investing in CTI, departments should first raise their existing capability to the minimum necessary level of cyber security.
The CTI function covers all stages of the MITRE cyber attack lifecycle and works closely with the SOC, threat hunting, and other cyber defence functions and processes.
CTI can be used in several ways. Before a department makes an important and long-term decision on how to improve its CTI capability, it should understand the use cases for CTI.
Examples of key use cases of CTI are identified below:
Use Case | Objective | Intelligence Required | RST Cloud product that works here |
--- | --- | --- | --- |
Validate Alarms/Events | Validate alarms/events and decide which to escalate to the incident response team for remediation | Threat data: data connecting individual indicators, threat actors, techniques, etc. | RST Threat Feed: the most relevant IoCs at the current time, with noise and false positives filtered out; IoCs are attributed to threats/APTs. RST Whois API: can be used to check whether a domain is newly registered and to search for other connected malicious domains by registrant/registrar |
Enhance Automated Response | Automate the triage process of investigations by helping Security Information and Event Management (SIEM) and analytics tools correctly prioritise alarms and events presented to the CTI lead/analyst | Threat data: threat indicators and severity ratings, linked to attacks targeting specific industries, applications, etc. | RST Threat Feed: each IoC has an individual risk score indicating its priority and the risk it poses; the score is recalculated every day |
Inform Departmental Risk Profession | Enhance the security assurance and risk management process with contextual content from intelligence gathering | Threat data: threat indicators and severity ratings, linked to attacks targeting specific industries, applications, etc. | RST Threat Feed: integrates directly with various security tools; each IoC is enriched with the context needed for decision making |
Prioritise Vulnerabilities | Create a metric for evaluating vulnerabilities, by measuring the overlap between the problems which can be fixed and those with the most impact, given the time and resource available | Vulnerability data: CVEs linked to attacks against specific industries, CVEs linked to specific threat actors, etc. | RST Report Hub: CVEs extracted from CTI reports and linked to the known attacks |
Support Threat Hunting | Proactively uncover hidden attacks on a department’s network, related to current incidents, or threats targeting the department | Threat data: indicators with links to context regarding campaigns, threat actors, techniques, history and targets | RST Threat Feed: each IoC is enriched with full context and TTPs. RST Report Hub: a feed of CTI reports collected and parsed from well-known sources worldwide, with key facts extracted from each report: threat name/actor, TTPs, software, geography, industry, presence of YARA and Sigma rules, etc. |
Contain and Remediate Attacks | Disrupt attacker communications/command and control, remove malware | Threat data: intelligence knowledge base including data on techniques, history and targets of various threat actor groups | RST Threat Feed: integrates directly with NGFW/WAF network security tools, so connections to C2 servers and other threats can be blocked. The Lookup API can also be used with SOAR tools to speed up remediation decisions |
Anti-Phishing | Enhance existing mail protection capabilities by enriching detection datasets with indicators | Threat data: indicators with links to context regarding campaigns, threat actors, techniques, history and targets | RST Threat Feed: covers more than 20 threat types, including phishing IoCs. RST Whois API: can be used to retrieve registration data for a domain while investigating phishing incidents |
Stay tuned with us and watch for further updates. To be continued…