Cyber threat intelligence (CTI) is information about cyber threats and the actors behind them, gathered from many sources and analyzed so that organizations can identify, anticipate and mitigate attacks and other harmful events in cyberspace.
CTI is commonly offered in the form of a threat intelligence platform or service, although some organizations have in-house CTI operations. CTI is a core part of advanced threat protection strategies that help organizations defend against sophisticated, organized cyber attacks.
CTI combines sources such as open source intelligence, social media, forensic data, device logs and dark web monitoring into meaningful insights that support security operations.
Some threats can be identified and mitigated automatically by security tools. More severe or evasive threats are handled by human security and IT teams, who need to triage them, understand their modus operandi, and work out how to prevent them. CTI supports both of these use cases.
Investing in cyber threat intelligence gives a business access to a threat database containing technical information about a wide range of threats. Giving the security team, or automated systems, access to this knowledge greatly improves the organization's security posture. CTI is operational intelligence: it provides analysts and security systems with actionable insights rather than raw data.
An effective CTI system makes a clear distinction between threat data collection and threat intelligence. Threat data is the raw material: indicators, feed entries, log records. Threat intelligence is that data after it has been analyzed, correlated and given context (who is behind it, how confident the source is, how current it is, and what to do about it) so that it can drive a decision.
Cyber threat intelligence analysis involves studying threat actors and their intent, capabilities, motivations, access to targets, and preferred tactics, techniques, and procedures (TTPs). It helps make informed operational and tactical assessments.
Strategic intelligence involves assessing disparate information to create integrated views. The goal is to inform policy and decision-makers on long-term or broad issues and provide timely threat warnings. Strategic CTI provides a broad view of the capabilities and intent of malicious cyber threats, such as actors, TTP, and tools. This process involves identifying trends, emerging threats and risks, and patterns.
Operational intelligence involves assessing potential incidents related to specific events, activities, and investigations. Operational CTI provides highly specialized intelligence to support and guide the response to specific incidents, delivered as forensic reports or similar products. This type of intelligence typically concerns campaigns, tools, and malware.
Technical intelligence focuses primarily on identifying signs of an emerging attack, such as weaponization, reconnaissance, and delivery techniques like spear-phishing and baiting. It is particularly useful in blocking social engineering attacks. Technical intelligence is sometimes grouped with operational threat intelligence, but it changes much faster, because the indicators it deals with (domains, IP addresses, file hashes) are cheap for actors to rotate as they update their tactics.
Tactical intelligence involves assessing real-time events, activities, and investigations to support daily operations. For example, tactical CTI can inform decision-makers on the development of indicators of compromise (IoCs) and detection signatures. It typically employs traditional intelligence analysis techniques.
Organizations implement a CTI framework to enhance the following capabilities.
IT and security teams use tactical threat intelligence to decide which security controls to apply across the organization. The CTI data helps them prioritize the most relevant threats and understand how attackers might exploit system vulnerabilities. They then use operational threat intelligence to evaluate and adjust those controls.
The SOC is usually responsible for processing cyber threat intelligence and adding threat context to the data sourced from monitoring tools and logs. SOC teams typically use a SIEM to aggregate that data and prioritize what analysts see; threat intelligence then helps them separate genuinely suspicious activity from noise and escalate priority threats to the wider security team.
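To make the data-versus-intelligence distinction and the SOC enrichment step concrete, here is an added example, written for this article rather than taken from any vendor's platform. It matches a constructed indicator feed against constructed proxy log lines, drops indicators past their validity date, and attaches actor, TTP and confidence context so the hits can be ranked. The feed fields, the log format and the priority thresholds are all assumptions.

```python
"""Added example: indicator matching with threat context (illustrative only).
The feed schema, log format and priority thresholds below are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Constructed indicator feed. Real feeds arrive as STIX/TAXII, CSV or JSON;
# the field names here are assumed for the example.
INDICATORS = [
    {"type": "domain", "value": "update-check.example.net", "actor": "Actor-A",
     "campaign": "phish-2023-q4", "ttp": "T1566.001", "confidence": 85,
     "valid_until": date(2024, 6, 30)},
    {"type": "ipv4", "value": "203.0.113.45", "actor": "unknown",
     "campaign": None, "ttp": None, "confidence": 30,
     "valid_until": date(2024, 12, 31)},
    {"type": "ipv4", "value": "198.51.100.7", "actor": "Actor-B",
     "campaign": "ransom-ops", "ttp": "T1071.001", "confidence": 90,
     "valid_until": date(2023, 3, 1)},   # expired: must not alert
]

# Constructed proxy log lines (assumed format: ts src_ip dst_host dst_ip status).
LOGS = """\
2024-03-02T10:15:01Z 10.0.0.12 update-check.example.net 203.0.113.45 200
2024-03-02T10:16:44Z 10.0.0.33 www.example.org 192.0.2.10 200
2024-03-02T10:17:09Z 10.0.0.12 cdn.example.com 198.51.100.7 304
2024-03-02T10:18:50Z 10.0.0.41 mail.example.org 203.0.113.45 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Alert:
    ts: str
    src_ip: str
    indicator: str
    actor: str
    ttp: Optional[str]
    confidence: int
    priority: str


def index_feed(indicators, today):
    """Build a value -> indicator lookup, discarding expired indicators.
    Stale IoCs are a common source of false positives: an IP reassigned to a
    legitimate host keeps alerting if the feed is never aged out."""
    return {ioc["value"]: ioc for ioc in indicators if ioc["valid_until"] >= today}


def priority_for(confidence):
    """Assumed thresholds mapping source confidence to an analyst priority."""
    if confidence >= 80:
        return "high"
    if confidence >= 50:
        return "medium"
    return "low"


def enrich(log_text, indicators, today):
    """Match each log line's host and destination IP against active indicators
    and return alerts carrying the threat context, best-supported first."""
    active = index_feed(indicators, today)
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        ts, src, host, dst_ip, _status = m.groups()
        for value in (host, dst_ip):
            ioc = active.get(value)
            if ioc:
                alerts.append(Alert(ts, src, value, ioc["actor"], ioc["ttp"],
                                    ioc["confidence"], priority_for(ioc["confidence"])))
    # Highest confidence first so the analyst queue leads with the strongest hits.
    alerts.sort(key=lambda a: a.confidence, reverse=True)
    return alerts


def run_example():
    """Run the constructed feed against the constructed logs as of 2024-03-02."""
    return enrich(LOGS, INDICATORS, date(2024, 3, 2))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.priority:6} {a.ts} {a.src_ip} -> {a.indicator} "
              f"actor={a.actor} ttp={a.ttp} conf={a.confidence}")
```

The raw match (host equals indicator) is threat data; the alert the SOC actually works from is the match plus actor, TTP, confidence and freshness. Note that the high-confidence indicator for 198.51.100.7 produces nothing because it has expired, and the low-confidence IP match is kept but ranked last.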
Organizations typically have far more vulnerabilities than they can patch promptly, which makes it difficult to identify the ones that matter most. Vulnerability-specific threat intelligence (whether a flaw is being exploited in the wild, whether public exploit code exists, which actors are using it) helps vulnerability management teams assess both the likelihood and the impact of a threat to each affected asset, rather than ranking on severity score alone.
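As an added example of intelligence-driven prioritization (not code from any vulnerability management product), the following ranks constructed scan findings by combining a base severity score with constructed exploitation intelligence and asset exposure. The finding names, intel flags and weights are all assumptions; the point is that the ranking diverges from a pure severity ordering.

```python
"""Added example: ranking vulnerabilities with threat intelligence (illustrative).
Finding names, intel flags and the weights below are assumptions for this article."""

# Constructed scan findings: hypothetical identifiers, CVSS-style base score, exposure.
FINDINGS = [
    {"id": "finding-1", "cvss": 9.8, "asset": "internal-build-server", "internet_facing": False},
    {"id": "finding-2", "cvss": 7.5, "asset": "public-web-01", "internet_facing": True},
    {"id": "finding-3", "cvss": 9.1, "asset": "public-vpn-gw", "internet_facing": True},
    {"id": "finding-4", "cvss": 5.3, "asset": "hr-portal", "internet_facing": True},
]

# Constructed vulnerability intelligence keyed by finding id. A finding absent
# here has no known exploitation evidence.
INTEL = {
    "finding-2": {"exploited_in_wild": True, "public_exploit": True, "targets_sector": True},
    "finding-3": {"exploited_in_wild": False, "public_exploit": True, "targets_sector": False},
    "finding-4": {"exploited_in_wild": True, "public_exploit": True, "targets_sector": False},
}

# Assumed likelihood weights, in tenths, so the arithmetic stays exact.
BASE_LIKELIHOOD = 2
WEIGHTS = {"exploited_in_wild": 4, "public_exploit": 2, "targets_sector": 2}


def likelihood_points(finding_id, intel):
    """Likelihood on a 0-10 scale: a floor for any known flaw, raised by
    evidence that someone is actually exploiting it or targeting our sector."""
    evidence = intel.get(finding_id, {})
    return BASE_LIKELIHOOD + sum(w for k, w in WEIGHTS.items() if evidence.get(k))


def impact_points(finding):
    """Impact on a 0-100 scale: severity scaled down when the asset is not
    reachable from the internet (assumed 60% factor)."""
    exposure = 100 if finding["internet_facing"] else 60
    return round(finding["cvss"] * exposure)


def risk_score(finding, intel):
    return likelihood_points(finding["id"], intel) * impact_points(finding)


def prioritize(findings, intel):
    """Return finding ids ordered from highest to lowest risk."""
    return [f["id"] for f in sorted(findings, key=lambda f: risk_score(f, intel), reverse=True)]


def severity_only(findings):
    """The ordering a team gets by sorting on the base score alone, for contrast."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("severity only :", severity_only(FINDINGS))
    print("with intel    :", prioritize(FINDINGS, INTEL))
```

Sorting on the base score alone puts the 9.8 on the isolated build server first; with exploitation evidence and exposure folded in, the actively exploited 7.5 on a public web server leads and the 9.8 drops to last. The exact weights are a policy choice; what the example shows is that intel moves the queue.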
Security analysts rely on CTI to investigate and respond to incidents. It allows them to hunt for threats proactively, anticipating the intent and techniques of attackers. Incident response teams can use threat intelligence to prepare for likely threats and rehearse response procedures before a real breach, and the same information supports forensic investigation after one.
CTI allows organizations to better comply with data security regulations like the GDPR. Compliance managers can implement a risk-based security strategy that incorporates regulatory requirements. In addition to helping identify potential threats in advance, the intelligence provides a useful record for audits and post-incident assessments.
Successful network security goes beyond firewalls and antivirus software. Continuous detection and response must be combined with up-to-date, real-time threat intelligence. This is often beyond the scope of internal IT departments and security staff, requiring the hiring of external analysts or outsourced response teams.
Enterprise-grade tools for data collection are expensive to implement and maintain. Internal data collection and analysis often relies on a security information and event management (SIEM) system to collect and aggregate data from all areas of the organization. While this centralization is key to threat data analysis, it is difficult for non-specialists to build their own threat intelligence capability on top of it. Most organizations therefore adopt a threat intelligence platform rather than building their own solution from SIEM data or independently sourced threat intelligence feeds.
In this article, we explained how cyber threat intelligence draws on open source intelligence, social media, forensic data, device logs, the dark web, and many other sources, and turns that data into intelligence serving the use cases discussed above.
We hope this will be helpful as you augment your security operations with threat intelligence data.