
Cyber Threat Intelligence 101

What is Cyber Threat Intelligence (CTI)?

Cyber Threat Intelligence is evidence-based knowledge about existing or emerging threats (who the adversaries are, what they want, and how they operate) that is collected, analyzed and shared so that defenders can make better decisions about detection, response and investment.

CTI Collaboration

A CTI team works alongside Incident Response, SOC, Threat Hunting, and Threat Management teams to improve threat detection and response. The collaboration runs in both directions: CTI supplies context about adversaries, and the operational teams feed back what they actually observe, which sharpens future intelligence. Together this supports proactive identification of threats and more effective incident management, strengthening the overall security of the organization.

  • Incident Response (IR): Collaborates in identifying and managing security incidents by providing information on threats and attacker tactics.

  • Security Operations Center (SOC): Works together with CTI to monitor and analyze security events in real-time, sharing relevant information about ongoing threats and attacks.

  • Threat Hunting: Relies on CTI to proactively identify threats that may already be present in the network.

  • Threat Management: Utilizes CTI information to prioritize and address threats based on current intelligence.

The Intelligence Process Pyramid

The Intelligence Process Pyramid illustrates how raw data is transformed into actionable intelligence. It consists of three levels:

  • Data: Raw, unprocessed facts such as IP addresses, file hashes, or log entries.

  • Information: Organized data that provides context and reveals patterns or relationships.

  • Intelligence: Analyzed information that delivers actionable insights to support decisions and understand threats.

This model helps analysts understand the value of processing and enriching data to produce meaningful insights.

How Organizations Use CTI

Cyber Threat Intelligence (CTI) can support a wide range of business processes at different levels:

  • Strategic level - Use threat intelligence to inform business decisions and long-term cybersecurity strategies.

    • Strategic intelligence offers a high-level perspective on how cyber threats intersect with global events, geopolitical conditions, and organizational risks. For example, nation-state attacks may be linked to geopolitical events, and financially motivated cybercrime groups adapt their techniques based on broader economic trends.

    • This type of intelligence is typically used by executive leadership (CISOs, CIOs, CTOs) to understand the impact of cyber threats on the organization and guide cybersecurity investments that align with the company’s strategic priorities.

    • Stakeholders:

      • CISO

      • CIO

      • CTO

      • Executive Board

      • Strategic Intelligence analysts

  • Operational level – Engage in tracking campaigns and threat actor profiling to gain insight into the adversaries' tactics, techniques, and procedures (TTPs).

    • Operational threat intelligence provides a deeper understanding of the "who," "why," and "how" behind an attack. This intelligence focuses on attribution (the "who"), motivation (the "why"), and the TTPs (the "how"). Operational intelligence provides context that helps security teams understand how attackers plan and sustain campaigns.

    • Unlike tactical intelligence, operational intelligence cannot be fully automated: it requires human analysis to turn data into actionable insight. It also has a longer useful life than tactical intelligence, because adversaries cannot change their TTPs as quickly as they rotate individual tools, malware samples or infrastructure.

    • Stakeholders:

      • Threat Hunter

      • SOC Analyst

      • Vulnerability Management

      • Incident Response

      • Insider Threat

  • Tactical level – Consume indicators and detection content to detect and block known threats in the immediate term.

    • Tactical intelligence is technical and focused on the immediate future. It deals primarily with indicators of compromise (IOCs) such as malicious IP addresses, URLs, file hashes, and domain names. This type of intelligence is often automated and machine-readable, meaning it can be integrated into security tools via data feeds or API integrations.

    • However, IOCs have a short lifespan: threat actors frequently change their infrastructure, so indicators go stale quickly. Tactical intelligence is easy to obtain from open-source feeds, but it is prone to false positives and carries little analysis. Simply subscribing to a feed can bury a team in data with no guidance on how to use it, so each indicator should carry at least a first/last-seen date, a confidence score and a source, so that it can be aged out, prioritized and traced.

    • Stakeholders:

      • SOC Analyst

      • SIEM

      • Firewall

      • Endpoints

      • IDS/IPS
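The tactical-level caveats above (short indicator lifespan, false positives, feeds without context) are easiest to see in code. The following is an added example and not part of the original page: it loads a small IOC feed, drops indicators that are stale, low-confidence or on a benign-infrastructure allowlist, and matches what remains against log events. The feed, the allowlist, the events and the CSV column layout are all constructed for illustration and do not correspond to any vendor's real format.

```python
"""Apply a tactical IOC feed to event logs, with ageing, confidence and allowlist checks.

Added example: the feed, the allowlist and the events are constructed for
illustration, and the CSV column layout is an assumption rather than any
vendor's real format.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed feed. One indicator per line: type, value, date last seen active,
# vendor confidence (0-100) and the feed it came from.
FEED_CSV = """type,value,last_seen,confidence,source
ipv4,203.0.113.10,2024-05-01,90,feed-a
ipv4,203.0.113.11,2023-11-02,95,feed-a
domain,Update.Example-CDN.net,2024-05-02,40,feed-b
domain,login-secure.example.net,2024-05-03,85,feed-b
sha256,1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d,2024-05-01,70,feed-c
"""

# Shared or benign infrastructure that a raw feed would otherwise flag (constructed).
ALLOWLIST = {"update.example-cdn.net"}

# Fixed "now" so the ageing logic is reproducible.
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)


def load_feed(text):
    """Parse the CSV feed into dicts, normalising values so lookups are exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["value"] = row["value"].strip().lower()
        row["last_seen"] = datetime.strptime(row["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        row["confidence"] = int(row["confidence"])
        rows.append(row)
    return rows


def active_indicators(feed, now=NOW, max_age_days=30, min_confidence=60, allowlist=ALLOWLIST):
    """Keep only indicators worth alerting on.

    Stale indicators are dropped because attacker infrastructure rotates quickly;
    low-confidence and allowlisted ones are dropped to cut false positives.
    """
    cutoff = now - timedelta(days=max_age_days)
    return {
        (r["type"], r["value"]): r
        for r in feed
        if r["last_seen"] >= cutoff
        and r["confidence"] >= min_confidence
        and r["value"] not in allowlist
    }


# Constructed events as (indicator type, observed value, where it was seen).
EVENTS = [
    ("ipv4", "203.0.113.10", "fw: 10.0.0.5 -> 203.0.113.10:443 allowed"),
    ("ipv4", "203.0.113.11", "fw: 10.0.0.7 -> 203.0.113.11:443 allowed"),
    ("domain", "update.example-cdn.net", "dns: query from 10.0.0.9"),
    ("domain", "LOGIN-SECURE.example.net", "proxy: 10.0.0.12 GET /"),
    ("sha256", "1a2b3c4d" * 8, "edr: file written on host ws-42"),
]


def match_events(events, indicators):
    """Return one hit per event whose value is an active indicator of the same type."""
    hits = []
    for etype, value, context in events:
        ioc = indicators.get((etype, value.strip().lower()))
        if ioc is not None:
            hits.append({
                "type": etype,
                "value": ioc["value"],
                "source": ioc["source"],
                "confidence": ioc["confidence"],
                "context": context,
            })
    return hits


def run(max_age_days=30):
    """Convenience wrapper: load, filter and match in one call."""
    return match_events(EVENTS, active_indicators(load_feed(FEED_CSV), max_age_days=max_age_days))


if __name__ == "__main__":
    for hit in run():
        print(f"[{hit['source']} c={hit['confidence']}] {hit['type']} {hit['value']}  <- {hit['context']}")
```

With the defaults, the stale IP and the low-confidence allowlisted CDN domain produce no hits even though both appear in the events; raising max_age_days to 365 revives the stale IP but the allowlisted domain still never matches. The same three filters (age, confidence, allowlist) are what a SIEM or TIP should apply before a feed is allowed to page anyone.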

CTI Goals

The main goals of CTI are:

  • Prevent attacks proactively, rather than reactively.

  • Understand threats deeply, including the motives and methods of attackers.

  • Support decision-making by providing actionable intelligence.

  • Enhance security posture by identifying and prioritizing the vulnerabilities that adversaries are actually exploiting.

  • Improve incident response through updated threat knowledge.

  • Monitor external sources for early signs of attacks.

In short, CTI helps organizations stay ahead of threats, reduce risks, and minimize the financial and operational impact of cyber incidents.

Threat Actors

Hacker Concept

  • Black hat hacker: Conducts hacking activities without the owner's consent and with malicious intent.

  • Grey hat hacker: Conducts hacking activities without the owner's consent but usually stops short of malicious activity.

  • White hat hacker: Conducts hacking activities with the consent of the technology owner.

Threat Actor Categories

  • Nation-state actors: Work for governments to disrupt or compromise target governments, organisations or individuals in order to obtain intelligence or valuable data. Also known as APTs (Advanced Persistent Threats).

  • Cyber criminals: Individuals or teams who carry out malicious activity on networks and digital systems with the intention of stealing sensitive organisational or personal data and generating profit.

  • Hacktivists: Generally operate within the social or political sphere, breaking into and damaging computer systems and networks. Their targets vary dramatically, from the Church of Scientology to pharmaceutical companies and drug dealers.

Threat Vectors

Threat vectors are the ways in which a threat actor can exploit a vulnerability to gain access to a system or network. While the term itself is already defined, it’s important to understand how it fits into the bigger picture of cybersecurity risk.

The total collection of all possible threat vectors in a system is known as its attack surface. In simple terms, the attack surface is the sum of all the different points where an unauthorized user could try to enter or extract data. The larger the attack surface, the more opportunities an attacker has — which is why reducing it is a key part of any defense strategy.

Common Attacks

  • Phishing: Tricking someone into clicking a malicious link or giving up sensitive information through fake emails or messages.

  • Watering hole attack: Compromising a trusted website that the target visits regularly and using it to deliver malware.

  • Insider threat: A threat from someone inside the organization, such as an employee or contractor, who misuses their access to cause harm or steal information.

  • VPN/RDP compromise: An attacker exploits weaknesses in, or uses stolen credentials for, a Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) service to gain unauthorized access to a network or computer.

  • Software vulnerabilities: Weaknesses or flaws in software that attackers can exploit to gain unauthorized access or cause damage.

Supply Chain Attacks

Supply Chain Attacks happen when attackers exploit weaknesses in software, hardware, or services from third-party suppliers. Instead of attacking the target directly, they compromise a trusted supplier to gain access to the target’s systems.

These attacks are especially dangerous because they can affect many organizations at once—even those with strong internal security.

Common examples include malicious code inserted during software development or compromised updates that spread malware. Securing the supply chain is essential to reduce the attack surface and prevent widespread damage.

The Intelligence Cycle

The 4 Steps:

  1. Direction

    1. This is where the intelligence team works closely with the customer (often decision-makers or leadership) to understand what information they need. These are called intelligence requirements.

    2. For example, a company might want to know about emerging cyber threats targeting their industry or specific vulnerabilities in their systems.

  2. Collection

    1. In this phase, the team gathers raw data from various sources—this can include open-source information (like news or social media), internal logs, sensor data, or even signals intelligence.

    2. For example, collecting logs from firewalls or monitoring suspicious IP addresses is part of this step.

  3. Analysis

    1. The collected data is processed and examined to identify patterns, trends, or anomalies. The goal is to turn large volumes of raw data into meaningful intelligence.

    2. For example, analysts might correlate multiple failed login attempts from different locations to detect a possible cyber attack in progress.

  4. Dissemination

    1. Finally, the actionable intelligence is shared with the customer in a useful format—like a report, alert, or briefing. The customer uses this information to make informed decisions or take preventive actions. Based on the feedback, new intelligence requirements are created, which restarts the cycle. For instance, after receiving an alert about a new malware strain, the customer might request deeper analysis or additional monitoring.
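The Intelligence Process Pyramid (data, information, intelligence) and the Analysis step above describe the same transformation, so one added example covers both. It is not code from the original page: it parses constructed sshd-style log lines (data), builds a per-account summary of failed logins and their sources (information), and then decides which accounts show a distributed login attack, how severe it is, and what to do, while emitting the source IPs as new indicators that feed back into the next cycle (intelligence). The log lines, the IP-to-country table (standing in for a GeoIP lookup) and the thresholds are all assumptions made for illustration.

```python
"""Data -> information -> intelligence on a handful of login events.

Added example. The log lines, the IP-to-country table and the thresholds are
constructed for illustration; the table stands in for a GeoIP lookup.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Data: constructed sshd-style authentication log lines (not from any real system).
RAW_LOG = """\
May  5 10:00:01 vpn1 sshd[1001]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May  5 10:00:09 vpn1 sshd[1002]: Failed password for alice from 203.0.113.45 port 40002 ssh2
May  5 10:00:15 vpn1 sshd[1003]: Failed password for alice from 192.0.2.88 port 40003 ssh2
May  5 10:00:30 vpn1 sshd[1004]: Accepted password for alice from 192.0.2.88 port 40004 ssh2
May  5 10:05:00 vpn1 sshd[1005]: Failed password for bob from 10.0.0.21 port 40005 ssh2
May  5 10:05:02 vpn1 sshd[1006]: Accepted password for bob from 10.0.0.21 port 40006 ssh2
May  5 11:30:00 vpn1 sshd[1007]: Failed password for carol from 198.51.100.7 port 40007 ssh2
"""

# Constructed country lookup standing in for a GeoIP database (assumption).
GEO = {"198.51.100.7": "BR", "203.0.113.45": "RU", "192.0.2.88": "NL", "10.0.0.21": "internal"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(raw, year=2024):
    """Data: turn raw text into structured records (syslog lines carry no year, so one is supplied)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, but worth counting in real use
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["result"] == "Accepted"})
    return events


def summarize(events, window=timedelta(minutes=10)):
    """Information: per-account view of failures, their distinct sources and any success that followed."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    summary = {}
    for user, evs in per_user.items():
        fails = [e for e in evs if not e["ok"]]
        if not fails:
            continue
        success_after = [
            s["ip"] for s in evs if s["ok"]
            and any(timedelta(0) <= (s["ts"] - f["ts"]) <= window for f in fails)
        ]
        summary[user] = {
            "failures": len(fails),
            "fail_ips": sorted({e["ip"] for e in fails}),
            "countries": sorted({GEO.get(e["ip"], "??") for e in fails}),
            "spread": max(e["ts"] for e in fails) - min(e["ts"] for e in fails),
            "success_after": success_after,
        }
    return summary


def assess(summary, min_sources=3, window=timedelta(minutes=10)):
    """Intelligence: which accounts are under a distributed login attack, how bad, and what to do."""
    findings = []
    for user, s in summary.items():
        if len(s["fail_ips"]) < min_sources or s["spread"] > window:
            continue
        compromised = bool(s["success_after"])
        findings.append({
            "user": user,
            "severity": "high" if compromised else "medium",
            "assessment": (
                f"{len(s['fail_ips'])} sources in {len(s['countries'])} countries "
                f"within {s['spread']}, "
                + ("followed by a successful login" if compromised else "no success observed")
            ),
            # These go back into the cycle as new detection/collection requirements.
            "new_iocs": s["fail_ips"],
            "action": "reset credentials, require MFA, block sources" if compromised
                      else "block sources, watch the account",
        })
    return findings


def shared_sources(events, min_accounts=2):
    """Sources that failed against several accounts: a spraying pattern the per-user view misses."""
    accounts = defaultdict(set)
    for e in events:
        if not e["ok"]:
            accounts[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in accounts.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(RAW_LOG)
    for f in assess(summarize(evs)):
        print(f"{f['severity'].upper()} {f['user']}: {f['assessment']} -> {f['action']}")
    print("shared sources:", shared_sources(evs))
```

Only alice trips the assessment (three sources in three countries within seconds, followed by a successful login), while bob's single failed attempt before a success is ordinary user error. The second view, shared_sources, shows why analysis should pivot on more than one key: 198.51.100.7 failed against both alice and carol, which the per-account summary alone would not surface. Both the finding and the pivoted IP list are what dissemination would hand to the SOC, and they are the new collection requirements that restart the cycle.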

Glossary

  • Advanced Persistent Threat (APT): A group of hackers that uses stealthy and advanced techniques to stay inside systems for a long time without being detected.

  • Attack Surface: The total set of points (or “attack vectors”) where an unauthorized user can try to enter or extract data from a system or network.

  • Hacker: Someone who uses technical skills to break into systems or explore how they work.

  • Indicators of Compromise (IOCs): Pieces of forensic data, such as entries in system logs or files, that identify potentially malicious activity on a system or network.

  • Supply Chain Attack: An attack where hackers target less secure elements in a supplier or partner’s systems to indirectly compromise the primary target.

  • Threat: A person or thing with the ability to inflict damage on a victim.

  • Threat Actor: A Threat Actor is a person or group responsible for carrying out a cyber attack or other malicious activity.

  • Threat Vector: A Threat Vector is a path or method via which a threat gains access to a victim computer or network.

  • Vulnerability: A weakness in a system, software, or network that can be exploited by a threat to cause harm or gain unauthorized access.
