Cyber Threat Intelligence (CTI): A Beginner's Guide

Cyber threats continue to evolve, with cyberattacks happening in the world every 39 seconds. That’s why cybersecurity has become one of the topmost concerns in many organizations. Despite many intelligent defense mechanisms organizations leverage, emerging cyber threats continue to disrupt businesses in many ways. 

Cyber Threat Intelligence is the best way for organizations to mitigate the risks of new cyber threats in the future. In this article, I’ll explain…

  • What Cyber Threat Intelligence (CTI) is
  • Its importance
  • Types of CTI
  • The CTI lifecycle
  • Other important information

Defining Cyber Threat Intelligence

Cyber threat intelligence (CTI) is evidence-based knowledge that helps you to:

  • Understand a cyber attacker's attack behavior and motives.
  • Predict the attackers’ next attack targets.

Threat intelligence is gathered by processing and analyzing current and potential threat data. 

The advantage of CTI is that it provides an in-depth understanding of the cyber threats that can become serious risks to the organizations’ assets and propose defense mechanisms to fight against them. Essentially, CTI promotes proactive cybersecurity measures for fighting cyberattacks rather than reactive cybersecurity, where security mechanisms trigger only after an incident is identified.

(Understand the differences in vulnerabilities, threats and risk.)

Functional importance of cyber threat intelligence

Threat intel informs all sorts of practices and use cases, like vulnerability management, risk management, incident response and incident management, and overall security operations (SecOps). CTI is crucial for any organization because it…

  • Enriches your organization with real information on attackers’ tactics, techniques and procedures (TTPs) used for cyberattacks.
  • Reveals hidden motives of attackers, enabling businesses to take preventive measures. Eventually, this intelligence helps organizations avoid financial losses and reputational damages due to data breaches.
  • Uncovers advanced persistent threats (APTs) present in the organization long term, exploiting organizations’ security vulnerabilities. With intelligence regarding APTs, organizations can secure the organization's intellectual properties and sensitive information.
  • Helps cybersecurity professionals such as CISOs, SecOps pros, devs and more to better understand how threat actors behave and their decision-making process.
  • Helps stakeholders to invest in the right tools and processes to mitigate cybersecurity risks. This also enables organizations to cut down unnecessary costs.
  • Empowers organizations to make better informed, faster and data-driven decisions on cyber security.

People that benefit from CTI

Several individuals and groups get direct advantages from CTI. They include security officers at all levels of the organizational hierarchy like security analysis, IT analysts, Security Operations Center (SOC) employees, the CISO, executive management, etc. By knowing potential threats beforehand, you can enable many teams:

  • Security and IT Analysts can improve the defense mechanisms against cyberattacks to cover emerging threats. 
  • SOC pros can contribute to better incident management by assessing the risk and impact of the new malicious actors and attack patterns
  • CISO and other executive management can make better-informed decisions on organizational cybersecurity. 

Overall, CTI helps any organization understand its potential security threats, provide faster incident responses, and reduce costs associated with data breaches. At the end of the day, every single employee of your organization benefits from a better CTI program. 

Cyber threat intelligence types

CTI programs can provide different types of intelligence based on the targeted audience and what information it mainly focuses on.  There are three types of CTI:

  • Strategic
  • Tactical
  • Operational

Here is a brief explanation of each category.

Strategic intelligence

This less-technical, high-level threat intelligence provides an overview of the organization’s threat landscape. The primary audience targeted by the strategic threat intelligence is the non-technical audiences, like:

  • The company board of directors
  • Executive-level security professionals

Strategic intelligence helps high-level staff to understand the risks and vulnerabilities associated with the organization and the goals of threat actors and provide preventive mechanisms. Based on the intelligence, it enables executive staff to drive high-level organizational strategy.

Tactical intelligence

This type of intelligence targets more technically proficient audiences and focuses on the immediate future. It reveals simple indicators of compromise (IoCs) such as:

  • Malicious domain names
  • URLs
  • IP addresses
  • Unusual traffic

IT teams can identify certain threats and mitigate the organization's risks. Tactical intelligence is simple and automated, which can be consumed through techniques like data feeds and APIs. Since IoCs can easily be changed or obsolete quickly, tactical intelligence has a shorter lifespan than the other two types. 

(Learn about security automation.)

Operational intelligence

Operational intelligence targets the cybersecurity professionals who are responsible for conducting daily operations in a security operations center (SOC).  It provides a more in-depth understanding of how attackers plan, execute and maintain cyberattacks and operations by understanding the attributes of adversaries like TTP used for cyberattacks. 

Operational intelligence helps improve threat monitoring, threat management and incident response tasks.  Since TTPs cannot be changed easily, operational intelligence lasts longer than tactical intelligence. 

Still, there are challenges in accumulating operational Intelligence. For example, encrypted messaging apps like WhatsApp and Telegraph, used by attackers for communications, are not easy to access, and the language some threat groups use can be difficult to decipher.  

Stages of the CTI lifecycle

Threat Intelligence is not an end-to-end process; rather, it is a cycle that starts from gathering requirements to getting feedback. The intelligence lifecycle transforms raw threat data into actionable insights that help cybersecurity teams to deploy effective threat intelligence programs. It comprises six phases:

  • Requirement gathering
  • Collection
  • Processing
  • Analysis
  • Dissemination
  • Feedback

1. Gathering requirements

The first stage is gathering all the stakeholders' requirements for threat intelligence. This phase can be seen as a planning phase where you set goals for the CTI and the methodology you should follow. The typical tasks of this phase include:

  • Defining the attack surface and the impact of a cyberattack.
  • Identifying which areas of the organizations the CTI program must cover.
  • Discovering the attackers and their motivations, and the required actions you’ll take.

2. Collecting raw data

After identifying all the requirements, the collection stage gathers the required data to satisfy the goals and objectives set in the first phase. To complete this stage, organizations need to determine the sources of threat data based on the defined goals and objectives. The following data sources usually include:

  • Publicly available data sources like news sites, forums and blogs
  • Network traffic logs
  • Social media sites
  • Threat data feeds provided by dedicated cyber security firms
  • Data from subject matter experts and interviews with relevant stakeholders
  • Cyber Counterintelligence (CCI) sources like passive DNS monitoring, sinkholes and honeypots
  • Analyzing malware to understand their origin and impact

3. Processing data

The collected raw data is not suitable for use in the threat analysis stage. Therefore, the next stage is transforming the raw data into an easily analyzed format. Depending on the data type, processing tasks include data normalization, sorting, sampling, validation and aggregation.

The method of data transformation depends on the data source. For instance, network traffic logs may have to be extracted with regular expressions (regex) for certain terms and news, and blog sites from foreign countries must first translate into their native language. If you collected data from interviews, you’ll have to carry out appropriate validations.

4. Analyzing data

The next phase is searching, interpreting and analyzing the formatted data to meet the goals and objectives defined and answering the questions identified during the requirement-gathering phase. 

The analysis reveals threat patterns and potential security impacts on the organization. Data analysis techniques include statistical data analysis as well as hypotheses-based analysis. 

The data analysis helps provide actionable recommendations on achieving organizational threat intelligence, like…

  • What investments the organization should increase
  • Actions to take on immediate threats
  • If any particular threats should be investigated, etc.

5. Disseminating or socializing the analysis

After completing the analysis according to the organization's requirements, circulate these reports to relevant stakeholders in a format that lets them easily decipher their contents.

Again, different stakeholders have different requirements regarding the analysis. Before sharing the information, identify stakeholder preferences for the report format and the information the analysis should contain. Best practices here include:

  • Concisely presenting the results and recommendations.
  • Avoiding complicated technical jargon. (Remember, you want their buy-in!)
  • Presenting the data in charts and graphs so stakeholders can easily interpret the results just by looking at them.

6. Providing feedback

The last phase of the threat intelligence lifecycle is getting feedback for the threat intelligence report presented to the stakeholders. Stakeholders will inform you if they need changes to the report, whether the analysis meets the organizational goals and objectives, the frequency they would like to obtain the threat intelligence reports, etc. 

Any changes to the report indicate particularly where the threat analysts should focus. Therefore, feedback is essential to make threat intelligence improved and successful. 

Reminder: CTI does not stop here. CTI is not a linear process that finishes within one iteration. Rather, CTI is an iterative and continuous process where each cycle helps improve the organization’s threat intelligence program. 

Summarizing CTI

No matter how advanced your security mechanisms, evolving threats can always make you vulnerable to cyberattacks — at any point in time.  Many organizations today are investing in CTI programs because of the many benefits they get in strengthening their cyber threats defense mechanisms.

Cyber threat intelligence analyzes threat data to reveal patterns of potential cyber-attacks and predict the behaviors of bad actors. Based on the depth of intelligence and targeted audience, there are three major CTI types; strategic, tactical, and operation CTI. CTI is an iterative process. Therefore, it lets organizations improve their defense mechanisms against emerging cyber threats.

What is Splunk?



This posting does not necessarily represent Splunk's position, strategies or opinion.

Shanika Wickramasinghe is a software engineer by profession and a graduate in Information Technology. Her specialties are Web and Mobile Development. Shanika considers writing the best medium to learn and share her knowledge. She is passionate about everything she does, loves to travel and enjoys nature whenever she takes a break from her busy work schedule. She also writes for her Medium blog sometimes. You can connect with her on LinkedIn.