Threat Intelligence – A Complete Guide


What Is Threat Intelligence?

You and I fight a common foe. Day and night, we must stand ready to defend our organizations against cyber attacks. Defending our organizations is ultimately what cybersecurity is all about. Cyber threat intelligence will make your defensive efforts more efficient, optimize resource allocation, and increase resilience against cyber attacks.

Threat intelligence is about prioritizing the threats that matter.

This is where cyber threat intelligence enters the picture. The essence of CTI is to help you make more informed decisions, such as how to protect your organization from cyber attacks. In this context, cyber threat intelligence can help you determine where to allocate resources, which security controls to implement (or improve), and how to augment existing security controls.


And that’s the promise of CTI. It should be your guide on how to most effectively navigate the increasingly complex cybersecurity landscape. It’s not just a product or a service; it’s a methodology, a process, and a system for how to approach the specific needs of your organizational cybersecurity challenges. It’s about how to better manage business risk stemming from the cyber domain.

When working with cybersecurity and specifically cyber attacks, you can either:

  1. Make them less likely.
  2. Reduce cyber attack impact.

The true challenge lies in achieving just that: How do we strengthen or build cybersecurity? Which security controls should we implement? What processes are necessary? How do we meet regulatory and industry compliance requirements? And so forth.

Are you feeling ready to explore CTI a bit more in-depth? Before delving into more detailed explanations, let’s first spend a few sentences on some of the more common challenges you may find relevant.

What Challenges Does Cyber Threat Intelligence Address?

Listed below are some challenges that many organizations face today, and perhaps you can relate to some of them:

  • Too Many Vulnerabilities – Your digital infrastructure likely has hundreds of vulnerabilities to patch, update, or address. It can be challenging to know which vulnerabilities to focus on, as they’re not all created equal.
  • Remote Workforce – Employees can use their corporate credentials to access work-related resources (email, VPN) from their often shared home computers. Credential stealers can compromise these computers as they’re often not secure.
  • Lacking Visibility – Many organizations feel they’re reacting to threats and “putting out fires” rather than preventing and predicting them. This is usually the result of an inability to see threats outside their network perimeter.
  • Phishing and Social Engineering – Cybercriminals use CFO and BEC scams to trick users into revealing passwords and downloading malicious code masquerading as a software update or an invoice. Phishing remains a major problem and concern for many organizations, and it’s increasingly so as it relates to their supply chains.
  • Increased Dependence on Supply Chains – You’re becoming increasingly dependent on a growing network of vendors and partners to do your job: your supply chain. This is also a growing concern for many organizations in terms of increased risk, as your suppliers’ cybersecurity is becoming YOUR cybersecurity.
  • Alert Fatigue – Incident responders and security analysts often spend precious time hunting down suspected malicious IP addresses and domains, only to discover they were benign. They often lack historical context and relevant information regarding domains, IP addresses, and historical attacker behavior, information that will help them triage faster and more quickly isolate and evict attackers in their environments.

Can you relate to one or more of these challenges? The chances are pretty good that you can. Let’s spend some time learning how CTI can help address these challenges and how you can go about leveraging CTI to help resolve some of your pains.

What Is Cyber Threat Intelligence?

CTI is information about threats to computers, networks, and data. It helps you better defend against cyber attacks as it allows you to make appropriate prioritizations across several dimensions. It’s common to describe CTI as being provided in three main categories:

  • Tactical CTI provides details on specific threats, such as malicious IP addresses, domains, malware strains, or vulnerabilities. It will typically facilitate and help address challenges related to alert fatigue, phishing, social engineering, and attempting to address too many vulnerabilities.
  • Operational CTI further abstracts cyber attacks and begins to characterize threat actor groups and their tools/techniques. It attempts to describe particular attacker behaviors and weave together individual tactical elements into a bigger picture, which may even help you predict the most likely attacks.
  • Strategic CTI identifies emerging trends to plan long-term security strategies. This is probably the most difficult type of intelligence to conduct as it involves much uncertainty and unknown elements. At the same time, it’s the one type of intelligence that may truly and significantly affect long-term risk.

Who Uses Cyber Threat Intelligence?

There are many recipients of CTI, and it entirely depends on the challenge you’re attempting to address. Broadly speaking, we could consider the following groups/roles to be recipients of CTI-related reporting:

  1. Security Analysts
  2. Incident Responders
  3. Threat Hunters
  4. Security Engineers
  5. Security Architects
  6. Chief Information Security Officers (CISO)
  7. Chief Risk Officers (CRO)

CTI offerings are typically tailored to security analysts and, to some extent, security engineers/architects. These professionals’ primary focus is obtaining TACTICAL intelligence.

Security Analysts and Their Use of CTI

Security analysts require relevant and up-to-date intelligence on threat groups and their current active infrastructure for command and control. Think of them as guards patrolling a perimeter, investigating suspicious activities, determining if there have been any burglars in the area recently, what they might look like, etc.

Next, we’ll consider the security engineers and architects who don’t require daily updates of malicious indicators, only more generalized indicators. Their task is to understand the bigger problem, learn how systems and organizations are generally breached, and identify the general security controls that must be implemented to prevent these breaches from succeeding.

In our guard analogy, operational intelligence is about understanding where burglars typically will attempt to subvert security controls. How do they generally deceive CCTV recordings? What organizations do they typically target? How long does it take to breach a target? What are they looking for, and why?

Needs of the Chief Information Security Officer

Last but certainly not least is the security leadership – the CISOs. They must understand the types of cyber attacks that their organization is most likely to face. CISOs require situational awareness and complete visibility into areas of the infrastructure and organization that are currently the most at risk and likely to be attacked.

This involves having a good understanding of threat actors and groups targeting their industry and also the types of systems they use. Leveraging and using threat profiles can help in building this understanding. They must understand where they have applications and infrastructure that would likely attract the attention of cyber attackers. They must ensure timely remediation of vulnerabilities and, most importantly, address them in the most appropriate order.

Lastly, CISOs must try and predict the most likely future scenarios concerning business objectives and strategies. Is the organization expanding to a particular country? Are they considering migrating to a particular platform? Are they producing and inventing particular technology that other nations find highly attractive?

As you can see, there are plenty of recipients of cyber threat intelligence products, reports, and services. It all boils down to your understanding and appreciation of the challenges your organization is facing. Only after understanding your challenges can you tailor your intelligence requirements to address and meet these challenges.

Why Is CTI Important?

Cyber threat intelligence will ultimately make your organization more resilient against cyber attacks because it will ensure investment in the most appropriate security controls based on real-world data and an understanding of the threat landscape. It will also ensure this is done in a cost-effective, measurable manner, which in turn makes it easier to provide the rationale for particular requests for more resources.

CTI will provide data supporting your argumentation, strengthening and improving the likelihood of actually acquiring the resources you need. Another important benefit of CTI is that you’re pushing the entire cyber attack kill chain toward earlier stages. Most organizations typically don’t discover they’ve been attacked until very late in the attack lifecycle.

Early Discovery Through Threat Intelligence

Imagine cyber attacks as a chain of phases that an attacker has to go through to reach their objective. If you can catch an attacker earlier in the chain, they’ll have a harder time achieving their objectives. An attacker will have to perform reconnaissance and develop the necessary resources and infrastructure. They need to weaponize exploits, gain initial access, and successfully execute code on remote systems, to mention a few stages of an attack.

As previously noted, organizations typically discover attacks very late – in some cases, only after a completed attack (i.e., after they’ve been hit by ransomware). What we must strive toward is pushing the attacker toward the left, detecting them much earlier in the attack phases. And that’s exactly what CTI will help you do. It will even help you anticipate their moves and find their malicious infrastructure before they’ve even had a chance to use it.

When we push the attacker toward the left, we help minimize the impact of a successful attack. We also reduce the likelihood of them succeeding in the first place. In the ideal scenario, we predict their moves and stop them before they even begin.

Deep dive into the evolving threat landscape as detailed by Truesec in their 2023 Threat Intelligence Report.

How Has CTI Made a Difference in the Real World?

In this section, we’ll highlight a few select stories from the real world where threat intelligence has had a significant impact on the outcome of cyber attacks.

Scenario 1: Predicting Threat Actor Use of Malicious Infrastructure

In this scenario, continuous monitoring and analysis were performed on newly registered domains that were similar-looking or slightly modified versions of the organization’s own domain names.

Systems detected multiple instances of such domains, which were flagged for analysis by our human friends, the threat intelligence analysts. They concluded that these domains appeared suspicious. After receiving them, the detection engineering team quickly added the suspicious domains to custom detection rules.

Cybercriminals leveraged the domains in real and targeted phishing attacks against the target organization within four days of discovery and analysis.

The use of the suspicious domains triggered the custom detections, which completely thwarted this attack. The organization suffered little to no impact. Had this detection not been in place, the attack would likely have had a much more significant impact, potentially resulting in providing the attacker with initial access to the targeted environment.
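The monitoring step in Scenario 1, as an added example that is not Truesec’s code: a small Python screener that compares a feed of newly registered domains against a protected brand domain using homoglyph normalization, brand embedding, TLD swaps and edit distance, and returns each flagged domain with the reason, which is what a detection engineering team would turn into a custom rule. The brand domain and the feed are constructed for the demo.

```python
from typing import Dict, List, Optional
# Added example, not Truesec's tooling. The brand domain and the feed below are
# constructed for the demo; a real feed would come from a newly-registered-domains source.
PROTECTED_DOMAIN = "example-corp.com"
NEW_DOMAINS = [
    "examp1e-corp.com",        # digit-for-letter substitution
    "example-c0rp.net",        # substitution plus a different TLD
    "exampel-corp.com",        # transposed letters
    "example-corp-login.com",  # brand name with a lure-like suffix
    "example-corp.net",        # same label under another TLD
    "weather-forecast.org",    # unrelated registration
    "example-corp.com",        # the legitimate domain itself
]
# Common look-alike substitutions; multi-character keys are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

def second_level(domain: str) -> str:
    """Return the registrable label, e.g. 'example-corp' for 'example-corp.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    """Map homoglyph sequences back to the letters they imitate."""
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions (a transposition costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, protected: str = PROTECTED_DOMAIN, max_distance: int = 2) -> Optional[str]:
    """Return why `candidate` resembles `protected`, or None if it does not."""
    if candidate.lower() == protected.lower():
        return None  # the legitimate domain is not a squat
    cand, brand = second_level(candidate), second_level(protected)
    if cand == brand:
        return "tld-swap"
    if normalize(cand) == brand:
        return "homoglyph"
    if brand in cand:
        return "brand-embedded"
    dist = levenshtein(cand, brand)
    return f"edit-distance-{dist}" if dist <= max_distance else None

def find_typosquats(domains: List[str], protected: str = PROTECTED_DOMAIN) -> Dict[str, str]:
    """Suspicious domains mapped to the reason they were flagged, ready for a detection rule."""
    return {d: r for d in domains if (r := classify(d, protected))}
```

Domains flagged this way still need an analyst’s review before they go into a blocking rule, as the page describes; the screener only narrows the candidate list.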

Scenario 2: Discovering Leaked Credentials

In this scenario, an organization’s credentials were discovered on a dark web marketplace; they were flagged and consequently investigated. After manually reviewing the marketplace listing, threat analysts concluded that the credentials were indeed authentic. They also noted several other credentials that were available for sale.

These additional credentials were INTERNAL ONLY credentials for backup system hypervisors. This significantly increased the risk of a very serious cyber attack.

The customer was alerted to these credentials and to the added context uncovered by the human intelligence analyst, and the recommended action was an immediate incident investigation.

Further investigation revealed that the credentials had been harvested from a consultant’s computer. Additionally, it was discovered that the computer had NOT been onboarded in the customer EDR solution, and the attack had gone unnoticed.

The customer was able to reset the passwords and terminate the sessions associated with the leaked credentials. The attacker, who had likely purchased the credentials, attempted to use them several days later.

Yet again, CTI made the difference between a successful breach and an unsuccessful one.

If you’re curious about marketplaces on the dark web, here’s a video in which Christoffer conducts a deep dive into a real dark web marketplace selling credentials.

Common Questions About CTI

How can I tell vendors apart?

Many vendors and service providers focus almost exclusively on tactical CTI, as this is often the easiest to provide. That is also a double-edged sword because it’s also the easiest for threat actors to change.

You’ll find that what distinguishes CTI providers is their ability to move “up the ladder” from tactical toward operational and strategic intelligence. Mature vendors will discuss intelligence requirements and what actionable, relevant, and timely intelligence means to you.

How can we start using CTI?

Often, the most challenging aspect of CTI is getting started. Don’t worry; we’re here to guide you. First, you have to consider your current cybersecurity capabilities. Ingesting CTI, of any kind (tactical, operational, or strategic), will require some dedicated resources (time, staff, and know-how) to leverage appropriately.

Therefore, the first thing to consider is what type of commitment you can make toward acquiring CTI. You can buy a fully managed end-to-end CTI capability, build everything yourself, or choose any of the options in between.

When you’ve answered that question, you’ll have a better idea of how to proceed. It’s easy to buy tools and products; however, tuning them and incorporating them into your existing processes, systems, and tools is another matter. You should ideally strive to document your needs, and typically that’s done through something called Intelligence Requirements.

There’s no single answer to this question; it depends on your current needs and resource availability.

How much does threat intelligence cost?

Again, this entirely depends on what you want to achieve and the level of involvement you’ll have in the capability development. Fully managed services are usually perceived as being more expensive, and to a certain extent, that may be true. However, many people fail to consider the opportunity cost of allocating an existing resource toward building CTI capabilities. Ultimately, one hour spent building CTI is one hour that can be deducted from somewhere else.

You’ll very likely find that the cost of CTI-related services and products varies significantly. It can be difficult to judge whether these costs can be justified. This will all circle back to whether you fully understand the challenges you’re trying to solve. Determining if CTI is the most appropriate “tool” for the job will take some effort.

Expect to pay anything from a few thousand euros per month to tens of thousands. You should probably focus on your needs, as that will help you better understand if a particular offering can address your needs and if the cost is justified.

How do I know if I’m getting any value out of my CTI service/product?

This is indeed a tough nut to crack. If nothing happens, has the service been good or bad? This can be a difficult question to answer. But you could attempt to seek indirect evidence of the service working. Is there any reporting involved that would provide a sense of what the service has done? How many “alerts” has the analyst team processed (if managed)?

Don’t be fooled by statements with random large numbers, such as “We monitor one gazillion sources across the open, deep, and dark web.” Instead, you should look for how many “alerts” were relevant in light of your organizational context. How many potential typosquatted domains have been processed? How many mentions of your brand have been spotted on the dark web?

Ultimately, this is a hard question to answer because there is no good answer. This is about trust and authority between you and your provider. Do you believe they know what they’re talking about? Are they transparent about their processes, guidelines, and ways of working? Can they be specific about what they know and don’t know?

In this video, Truesec shares the latest findings on the threat landscape from their 2024 Threat Intelligence Report.

Additional Resources for Threat Intelligence Learnings