SAMA CTI Principles: How to Facilitate Compliance
Jan 25, 2024
In the ever-evolving landscape of cybersecurity, compliance with the Saudi Arabian Monetary Authority (SAMA) CTI Principles is crucial for financial organisations. These principles are designed to strengthen the resilience of the financial sector in the face of increasing cyber threats. To navigate this complex terrain, financial institutions require robust cybersecurity solutions. One such solution is RST Cloud, which aligns seamlessly with the SAMA CTI Principles to help organisations bolster their security posture and safeguard their critical assets.
SAMA CTI Principal | Recommendations | What RST Cloud offers |
CORE SAMA CTI PRINCIPLES | ||
PRINCIPLE 2: DEFINE THREAT INTELLIGENCE PLANNING AND COLLECTION REQUIREMENTS | In planning requirements for cybersecurity threat intelligence (CTI) automation tools, it’s important to include the following functions: utilizing CTI feeds that offer cohesive data, and selecting a CTI platform (commercial or open-source, such as OpenCTI) that provides features for filtering relevant indicators and tactics, techniques, and procedures (TTPs), searching for related indicators, and supporting drill-down capabilities when working with data. | RST Cloud offers CTI feeds that meet the specified requirements. RST Report Hub includes interrelated data on threat Tactics, Techniques, and Procedures (TTPs), malware, threat actors, and more. RST Threat Feed and Report Hub include enriched data such as Industry, Geo, Technology, Threat actor, Vulnerabilities, and TTPs. Integration with platforms like OpenCTI and other TIP enables tag-based filtering and drill-down for relationship analysis. |
PRINCIPLE 3: SELECT AND VALIDATE RELEVANT SOURCES | Connect to available TI sharing points and centers. Consistently analyze the landscape of accessible threat intelligence sources, regularly assess the reliability of threat intelligence sources through selective analysis of false positives. Choose sources with sufficient context, and well described data acquisition (collection) principles. | RST Cloud monitors publicly available CTI sources worldwide, top cloud Sandboxes, own global honeypot network, regularly selects and validates relevance of indicators and the level of trust for each source, and assesses many other factors including FP rates, frequency of publications, quality of published data. In RST Cloud feeds, various tags are present, enabling you to filter the most relevant CTI information for your company, including geo-tags, industries, threat categories, TTPs, and risk score. |
PRINCIPLE 4: COLLECT DATA THROUGH INTELLIGENCE SOURCES | When collecting data, it’s crucial not to rely solely on one supplier. In addition to premium CTI providers, utilize information from open sources, social networks, repositories, expert publications on specific websites, TI sharing platforms, and deep and dark web resources. | RST Cloud streamlines the intelligence gathering process by automatically sourcing data from various global TI sources including hundreds of opensource resources, feeds, individual experts, various social media platforms, and communication channels like Twitter and Telegram etc. It also consolidates information from repositories such as Github and Pastebin, along with numerous open CTI sources and global sandboxes. This automation relieves security teams from the task of manually gathering intelligence from the deep web. |
PRINCIPLE 6: PROCESS AND CLASSIFY INFORMATION | When selecting threat intelligence sources and tools, opt for those that incorporate a human-readable risk assessment system for each indicator. | RST Cloud provides a risk score for each indicator. This score is individually calculated and updated daily, taking into account information about the indicator itself, its attribution, and the current context. It’s presented in a numerical format that can be transparently mapped to a human-readable format. The most dangerous indicators have a score above 55, while less critical ones have a score below 30, and those in between are considered suspicious. Also, additional checks are performed, like estimating the number of domains associated with an IP, checking if a domain is registered, resolvable, or checking if a URL is still active. |
PRINCIPLE 7: ANALYZE INFORMATION | Utilize a diverse set of quantitative and qualitative analytical methods to evaluate the significance and consequences of the processed data, leading to the generation of actionable intelligence. Additionally, integrate and analyze data from a wide range of sources to detect patterns, trends, and more. Employ different Key Performance Indicators (KPIs) in the CTI process. | RST Cloud processes the collected raw threat intelligence data, transforming it into actionable intelligence. During the pre-processing phase, false positives are eliminated, and the data is enriched with essential decision-making information. Tactics, Techniques, and Procedures (TTPs), YARA, and Sigma rules are identified. Each Indicator of Compromise (IoC) receives an individual risk assessment. |
PRINCIPLE 8: SHARE INTELLIGENCE | When choosing platforms and services, prioritize those with extensive integration capabilities, support for industry standards, and standard integration schemes with typical consumers of threat intelligence, such as SIEM, NGFW, TIP, and others. | RST Cloud offers a multitude of integration possibilities for its services, including seamless integration with industry-leading SIEM solutions, specialized APIs for NGFW and WAF solutions, support for industry standards like STIX/TAXII, and open platforms such as MISP and OpenCTI. Additionally, it provides extensive integration capabilities through APIs, JSON, CSV, and various other formats. |
PRINCIPLE 9: DELIVER ACTIONABLE THREAT INTELLIGENCE | Extract the most actionable information from the analyzed threat intelligence data, ensuring it’s free from false positives, and deliver it to threat intelligence service consumers in a highly refined and ready-to-use format for swift decision-making. | RST Cloud services deliver high-quality technical threat intelligence data. These data sets are meticulously tagged, highlighting elements such as Tactics, Techniques, and Procedures (TTPs), attributed threats, related indicators, risk scores, the presence of YARA/Sigma rules for reporting, and more. This approach enhances the actionable nature of the provided threat intelligence information. |
STRATEGIC CYBER THREAT INTELLIGENCE | ||
PRINCIPLE 12: IDENTIFY A CYBER THREAT LANDSCAPE | Recognize and give due consideration to established threat actors focusing on regional businesses, as well as global threat actors with a focus on financial institutions. Analyze their key attributes, encompassing their origins, intent, motivations, and capabilities, among others.Identify the predominant cyber trends that are expected to shape the future of the cybersecurity threat landscape.Conduct an evaluation of the recognized threats to determine their relevance and prioritize the most significant ones. | To support this SAMA CTI Principle, RST Cloud consistently provides insights into threat landscapes specific to regional or industry-focused segments including financial institutions. |
OPERATIONAL CYBER THREAT INTELLIGENCE | ||
PRINCIPLE 16: IDENTIFY TTPS | Examine data gathered from sources associated with pertinent threat actors, tools, or malware to pinpoint applicable Techniques, Tactics, and Procedures (TTPs). Additionally, depend on Indicators of Compromise (IoCs) to detect and identify these TTPs. | RST Report Hub and RST Threat Feed categorizes Tactics, Techniques, and Procedures (TTPs) in line with the MITRE ATT&CK taxonomy that are relevant to the threat report, attributing them to the described threat. They also associate appropriate TTPs with indicators. |
PRINCIPLE 17: IDENTIFY MALWARE AND TOOLS | Identify malware and tools in the course of an attack, and perform a broad categorization for organizational purposes (e.g., Banking Trojans, Ransomware, etc.). Acquire and analyze information about various types of malware and tools employed by threat actors from a variety of sources, including Indicators of Compromise (IoCs), the dark web, deep web, OSINT, code repositories, information sharing platforms, and more. | RST Threat Feed and RST Report Hub categorize available threat-related data about the type of malware (e.g., Trojan, Ransomware, RAT, downloader, etc.) as tags, which can be employed for data filtering and searching. Information in the feeds includes not only info about malware, but also provides information about tools and frameworks used by threat actors. Additionally, details about the targeted software, operating systems, and other technical data are also highlighted for quick access by analysts. |
TECHNICAL AND TACTICAL CYBER THREAT INTELLIGENCE | ||
PRINCIPLE 18: COLLECT IOCS | Employ multiple Cyber Threat Intelligence (CTI) sources. Identify, gather, and consolidate Indicators of Compromise (IoCs) and integrate them into their defense infrastructure across various security tools. | RST Cloud gathers information from over 260+ Cyber Threat Intelligence (CTI) sources, encompassing threat intelligence reports, social networks, open data feeds, repositories, channels, global sandboxes, and the RST Cloud Honeypot. Moreover, RST Threat Feed offers multiple integrations with prominent industry leaders in SIEM, NGFW, EDR, SOAR, TIP, and adheres to industry standards for Threat Intelligence sharing protocols. |
Interested in learning more about how RST Cloud can assist you in achieving compliance with SAMA CTI Principles? Request a demo today and discover the possibilities!