Cyber Threat Intelligence (CTI) can be defined as evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them. This knowledge can be used to protect critical assets and to inform the business decisions of cyber security teams and management.
Intelligence is a correlation of data and information to extract patterns of actions based on contextual analysis.
- Data → indicators associated with an adversary, such as IP addresses, URLs, or hashes.
- Information → A combination of multiple data points that answer questions such as “How many times have employees accessed tryhackme.com within the month?”
The primary goal of CTI is to understand the relationship between your operational environment and your adversary, and how to defend your environment against any attacks. CTI seeks to answer questions such as:
- Who is attacking you?
- What are their motivations?
- What are their skills or capabilities?
- What IoCs should you look for?
The following are the sources of intelligence that answer those questions.
- Internal
  - Corporate security events such as vulnerability assessments and incident response reports.
  - Cyber awareness training reports.
  - System logs and events.
- Community
  - Open web forums.
  - Dark web communities for cybercriminals.
- External
  - Threat intel feeds (commercial and open-source).
  - Online marketplaces.
  - Public sources, including government data, publications, social media, and financial and industrial assessments.
Threat Intelligence Classifications
- Strategic Threat Intelligence (High-level Insights)
  - Helps executives and decision-makers understand long-term cybersecurity risks and trends.
  - High-level intel that looks into the organization’s threat landscape and maps out the risk areas based on trends, patterns, and emerging threats that may impact business decisions.
  - Audience: CISOs, CTOs, board members, and policymakers.
- Tactical Threat Intelligence (Attacker Tactics & Techniques)
  - Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
  - Helps security teams understand how attackers operate by analyzing their TTPs.
  - Audience: SOC teams, Blue Teams, Threat Hunters, and Incident Responders.
- Operational Threat Intelligence (Real-time Threats & Campaigns)
  - Helps security teams respond to ongoing threats by analyzing active adversary campaigns and malware activity.
  - Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organization (people, processes, and technologies) that may be targeted.
  - Audience: SOC teams, IR teams, Red Teams.
- Technical Threat Intelligence (IoCs)
  - Provides detailed technical data on threats for detection and blocking.
  - Looks into evidence and artifacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyze and develop defense mechanisms.
  - Audience: SOC analysts, SIEM engineers, Blue Teams, and EDR teams.
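The data → information → intelligence progression described at the top of these notes, and the way technical intel (IoCs) is consumed for detection, can both be shown in one small script. This is an added example, not code from the original notes or from TryHackMe: the feed entries, the adversary names "ExampleGroup-1" and "ExampleGroup-2", the hash value, and the proxy log lines are all constructed samples, and the ATT&CK technique IDs attached to the feed entries are assumed context rather than anything the notes state. Raw indicators (data) are matched against log events, the matches are aggregated into answers such as "how many times was a host reached this month" (information), and then grouped per adversary to expose a pattern of activity (intelligence).

```python
"""Correlating raw indicators (data) with log events into information.

Added example, not part of the original notes. All feed entries, hosts,
users, hashes and log lines below are constructed samples.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample hash (64 hex chars), not a real file hash.
FAKE_HASH = "deadbeef" * 8

# Constructed technical-intel feed: raw data points with their context.
# "ttp" values are assumed ATT&CK technique IDs for illustration only.
THREAT_FEED = [
    {"type": "domain", "value": "update-check.example", "adversary": "ExampleGroup-1", "ttp": "T1071.001"},
    {"type": "ip", "value": "203.0.113.7", "adversary": "ExampleGroup-1", "ttp": "T1071.001"},
    {"type": "sha256", "value": FAKE_HASH, "adversary": "ExampleGroup-2", "ttp": "T1204.002"},
]

# Constructed proxy log. Columns: timestamp user src_ip dest_host sha256_of_download ("-" if none)
PROXY_LOG = f"""\
2024-03-02T09:12:44Z alice 10.0.0.5 tryhackme.com -
2024-03-03T11:02:10Z bob 10.0.0.9 update-check.example -
2024-03-10T08:45:01Z alice 10.0.0.5 tryhackme.com -
2024-03-14T17:21:33Z carol 10.0.0.12 203.0.113.7 -
2024-03-21T13:05:58Z bob 10.0.0.9 update-check.example {FAKE_HASH}
2024-04-01T10:00:00Z alice 10.0.0.5 tryhackme.com -
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    dest: str
    file_hash: Optional[str]


def parse_proxy_log(text: str) -> list[Event]:
    """Turn the raw log text into structured events (still just data)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dest, file_hash = line.split()
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user=user,
            src_ip=src,
            dest=dest,
            file_hash=None if file_hash == "-" else file_hash,
        ))
    return events


def count_accesses(events: list[Event], host: str, year: int, month: int) -> int:
    """Information: how many times did employees reach `host` in a given month?"""
    return sum(1 for e in events
               if e.dest == host and e.ts.year == year and e.ts.month == month)


def match_iocs(events: list[Event], feed: list[dict]) -> list[tuple[Event, dict]]:
    """Correlate each event against the feed; one hit per (event, indicator) pair.

    A single event can hit twice, e.g. a known host AND a known file hash.
    """
    by_value = {entry["value"]: entry for entry in feed}
    hits = []
    for e in events:
        for value in (e.dest, e.file_hash):
            if value is not None and value in by_value:
                hits.append((e, by_value[value]))
    return hits


def summarize_by_adversary(hits: list[tuple[Event, dict]]) -> dict[str, dict]:
    """Intelligence: per adversary, how much activity, which users, which TTPs."""
    summary: dict[str, dict] = defaultdict(lambda: {"events": 0, "users": set(), "ttps": set()})
    for event, entry in hits:
        s = summary[entry["adversary"]]
        s["events"] += 1
        s["users"].add(event.user)
        s["ttps"].add(entry["ttp"])
    return dict(summary)


if __name__ == "__main__":
    evts = parse_proxy_log(PROXY_LOG)
    print("tryhackme.com accesses in March 2024:", count_accesses(evts, "tryhackme.com", 2024, 3))
    for adversary, info in summarize_by_adversary(match_iocs(evts, THREAT_FEED)).items():
        print(adversary, info)
```

The per-adversary summary is what turns a list of IoC hits into something a SOC or IR team can act on: it shows that two different indicators in the sample feed point at the same adversary touching two users, which is a pattern rather than two isolated alerts.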
CTI Life cycle