Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
Cyber Threat Intelligence in a Nutshell
What is the Threat Intelligence Cycle?
Cyber Threat Intelligence is a process in which information from different sources is collected, then
analyzed to identify and detect threats against any environment. The information collected could be
evidence-based knowledge that could support the context, mechanism, indicators, or implications about an
already existing threat against an environment, and/or the knowledge about an upcoming threat that could
potentially affect the environment. This information could then be used to take necessary actions to protect
against an attack from adversaries. The whole breakdown of the process is defined in the Cyber Threat
Intelligence Cycle.
The Threat Intelligence Cycle has different versions; however, the one shown here is widely accepted in the Intelligence Community (IC). The Threat Intelligence Cycle is broken down into five steps: Planning and Direction, Collection, Processing, Analysis and Production, and Integration and Dissemination.
• Planning and Direction: This phase of the cycle is where we plan the process of collection, decide in which direction to proceed, and identify what needs to be collected. In other words, here we define what, where, when, and how the collection process should be done.
• Collection: This is the process of collecting information from different sources using different collection methods. Broadly, collection efforts are divided into two kinds, Manual and Automated. Manual Collection is the process where collection is achieved by HUMINT (Human Intelligence) gathering mechanisms. On the contrary, Automated Collection is the process where collection is achieved by automating the collection process from OSINT (Open Source Intelligence), logs, data points, honeypots, etc.
• Processing: Data collected in the collection process should be broken down or translated into a language in which further analysis can be done. This might include translating the data to different file formats, native language translation, tweaking data to specific formats, etc.
• Analysis and Production: Now that we have collected information from different sources using different collection mechanisms and prepared it for further analysis, a much closer break-down is applied to assess and answer different intelligence questions, such as what is happening, why it is happening, what could potentially happen next, who the adversaries are, what their motivation is, what their intentions are, etc.
• Integration and Dissemination: After filtering through the above-mentioned steps, we now have threat intelligence which is ready to be shared. This threat intelligence is then integrated with existing systems or disseminated in the best possible way for the audience to digest.
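The Processing and Dissemination steps of the cycle, as an added example in Python (not code from the Marlabs document): two constructed feed extracts, one CSV and one JSON, each with its own field names and vocabulary, are parsed into a single indicator schema, defanged values are refanged, the same indicator reported by both feeds is merged with every source recorded, and the result is emitted as a STIX 2.1 indicator bundle ready to be shared. The feed formats, field names, indicator values and the confidence scoring rule are assumptions made for this example.

```python
import csv
import io
import json
import re
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample feed extracts (not real indicators); each feed uses its own
# format and vocabulary, which is exactly what the Processing step has to absorb.
FEED_A_CSV = """indicator,type,first_seen
evil-updates[.]example,domain,2024-01-10
198.51.100.23,ipv4,2024-01-11
hxxp://evil-updates[.]example/payload.bin,url,2024-01-11
"""

FEED_B_JSON = json.dumps({"iocs": [
    {"value": "EVIL-UPDATES.EXAMPLE", "kind": "fqdn", "seen": "2024-01-12"},
    {"value": "203.0.113.77", "kind": "ip", "seen": "2024-01-12"},
]})

# Map each feed's vocabulary onto STIX Cyber-observable object types.
TYPE_MAP = {"domain": "domain-name", "fqdn": "domain-name",
            "ipv4": "ipv4-addr", "ip": "ipv4-addr", "url": "url"}


@dataclass
class Indicator:
    value: str
    ioc_type: str
    first_seen: str                     # ISO date as given by the feed
    sources: list = field(default_factory=list)


def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so values can be compared and matched."""
    value = re.sub(r"\[\.\]", ".", value)
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def normalise(value: str, ioc_type: str) -> str:
    v = refang(value.strip())
    # Hostnames are case-insensitive; URL paths are not, so only lower-case names.
    return v.lower() if ioc_type == "domain-name" else v


def parse_feed_a(text: str, source: str) -> list:
    """CSV feed with columns indicator,type,first_seen."""
    return [Indicator(normalise(r["indicator"], TYPE_MAP[r["type"]]),
                      TYPE_MAP[r["type"]], r["first_seen"], [source])
            for r in csv.DictReader(io.StringIO(text))]


def parse_feed_b(text: str, source: str) -> list:
    """JSON feed with an 'iocs' array of {value, kind, seen} objects."""
    return [Indicator(normalise(i["value"], TYPE_MAP[i["kind"]]),
                      TYPE_MAP[i["kind"]], i["seen"], [source])
            for i in json.loads(text)["iocs"]]


def merge(indicators: list) -> dict:
    """Key on (type, value); keep the earliest first_seen and the union of sources."""
    merged = {}
    for ind in indicators:
        key = (ind.ioc_type, ind.value)
        if key in merged:
            cur = merged[key]
            cur.first_seen = min(cur.first_seen, ind.first_seen)
            cur.sources = sorted(set(cur.sources) | set(ind.sources))
        else:
            merged[key] = Indicator(ind.value, ind.ioc_type, ind.first_seen, list(ind.sources))
    return merged


def stix_pattern(ind: Indicator) -> str:
    """STIX patterning language: [object-type:property = 'value']."""
    escaped = ind.value.replace("'", "\\'")
    return f"[{ind.ioc_type}:value = '{escaped}']"


def to_stix_bundle(merged: dict) -> dict:
    """Emit a STIX 2.1 bundle of indicator objects for dissemination."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ind in merged.values():
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "pattern": stix_pattern(ind),
            "pattern_type": "stix",
            "valid_from": f"{ind.first_seen}T00:00:00Z",
            # Assumed scoring rule: corroboration by a second feed raises confidence.
            "confidence": 85 if len(ind.sources) > 1 else 50,
            "labels": [f"source:{s}" for s in ind.sources],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def process_feeds() -> dict:
    return merge(parse_feed_a(FEED_A_CSV, "feed-a") + parse_feed_b(FEED_B_JSON, "feed-b"))


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(process_feeds()), indent=2))
```

Running the script prints the bundle; the domain reported by both feeds comes out once, with both sources in its labels and the earlier first-seen date, which is the kind of corroboration an analyst wants to see before the indicator is pushed to detection systems.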
Cyber Threat Intelligence
Sources of Information
All sources of information for Cyber Threat Intelligence are from either the Clear Web, the Deep Web, or the Dark Web.
Clear Web: The Clear Web/Surface Web/Clear Net/Surface Net is the part of the web that can be indexed by a typical search engine.
Deep Web: The Deep Web/Deep Net is the part of the web that a typical search engine cannot index. This part of the web is still accessible through standard browsers; however, it might be protected or hidden from the surface web using encrypted URLs, password-protected pages, local/internal networks, direct IP addresses, etc.
Dark Web: The Dark Web/Dark Net is the part of the web, a subset of the Deep Web, that is intentionally hidden and/or made inaccessible through standard browsers, or that requires specific configuration to access through standard browsers.
In general, sources of information can also be classified as internal or external. Intelligence that is gathered from the environment itself constitutes Internal Threat Intelligence. This information could include what is already known, which attack vectors are already exposed, and how the environment is already protected. Based on this available information, an entity can define the attack surface and an attack profile of its environment from the different attacks it experiences daily, which could then be translated into Enterprise Intelligence.
Figure: the web shown as an iceberg, with the Clear Web above the surface and the Deep Web and Dark Web below, alongside the split between External and Internal threat intelligence.
• Clear Web: leading search engines and public sources.
• Deep Web (96% of the content on the web): records, subscription-only information, databases, organization-specific information, and academic, medical, legal, scientific, and government content.
• Dark Web: TOR, cyber crime, cyber espionage, and other illegal activities.
• External threat intelligence: what you don't know, how you may be attacked, what you should be protecting.
• Internal threat intelligence: what you do know, how you have been attacked, what you are protecting.
On the other hand, External Threat Intelligence comprises intelligence that is acquired from outside the environment. This could be information gathered via subscriptions to different information sources like feeds shared within the community, information from similar industries, governments, and other intelligence agencies, and/or other crowdsourced platforms.
Challenges and Limitations
Major challenges faced by enterprises across different industries with regard to threat intelligence include:
• Most cyber security threats faced by enterprises today originate from advanced threat actors, which include nation/state-sponsored cyber criminals, organized hackers, and other cyber espionage actors.
• Challenges in the early detection and identification of threats by most organizations are due to the clandestine nature of efforts to fight against cyber crime.
• A low and slow approach, the complexity of resource allocation, etc. also extend to the cyber security threats faced by enterprises today.
• Cyber criminals operate in a very organized way, and they hardly leave any digital traces behind. This makes it challenging for enterprises to identify any such trace of a sophisticated, organized, and persistent attack.
In short, enterprises require a third eye, which has visibility beyond network borders into advanced threats specifically targeting organizations and infrastructure.
Why Threat Intel? The Benefits.
Conducting research for cyber threat intelligence in multiple sources can help an enterprise with:
• Early Detection of Breaches: The Collection process in the Threat Intelligence Cycle actively collects both internal and external threats. Analyzing this information could help in the detection of any breach in its early stages, thereby reducing the impact caused by the breach.
• Avoiding Data Loss: A well-organized cyber threat intelligence framework for monitoring can effectively detect any attempt at communication with untrusted destinations with malicious intent, thereby actively preventing data loss.
• Incident Response: In the event of a security breach, threat intelligence can provide the magnitude of the breach and the Tactics, Techniques, and Procedures (TTPs) used, which can help further identify compromised systems.
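The three benefits above in one piece of detection logic, as an added example in Python (not code from the Marlabs document): a few constructed proxy log lines are matched against a small indicator set (domain names, single IPs and a CIDR range), every hit is grouped by internal client, and a summary gives the responder the magnitude of the incident, that is, which systems contacted which untrusted destinations, when the first contact happened, how many bytes left, and which TTP each indicator is associated with. The log format, the indicator values and the mapping from indicator to ATT&CK technique are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator set. The TTP labels use ATT&CK technique IDs that exist,
# but the association with these sample indicators is assumed for the example.
INDICATORS = {
    "domain-name": {
        "evil-updates.example": "T1071.001 Application Layer Protocol: Web Protocols",
    },
    "ipv4-addr": {
        "203.0.113.77": "T1041 Exfiltration Over C2 Channel",
    },
    "ipv4-cidr": {
        "198.51.100.0/24": "T1071.001 Application Layer Protocol: Web Protocols",
    },
}

# Constructed proxy log: time client method url status bytes_out
PROXY_LOG = """\
2024-01-15T09:02:11Z 10.0.4.12 GET http://www.example.org/index.html 200 512
2024-01-15T09:03:40Z 10.0.4.12 POST http://evil-updates.example/gate.php 200 2048
2024-01-15T09:05:02Z 10.0.7.3 CONNECT 203.0.113.77:443 200 1048576
2024-01-15T09:06:15Z 10.0.4.12 POST http://EVIL-UPDATES.EXAMPLE/gate.php 200 4096
2024-01-15T09:07:30Z 10.0.9.21 GET http://198.51.100.23/update.bin 200 96000
2024-01-15T09:08:00Z 10.0.9.21 GET http://intranet.corp.example/ 200 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
CIDRS = [(ipaddress.ip_network(c), ttp) for c, ttp in INDICATORS["ipv4-cidr"].items()]


def destination(method: str, target: str) -> str:
    """Host (or IP) the client contacted, lower-cased, with any port stripped."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.lower()


def lookup(host: str):
    """Return the TTP label if the destination is a known indicator, else None."""
    if host in INDICATORS["domain-name"]:
        return INDICATORS["domain-name"][host]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                      # a hostname that is not on the list
    if host in INDICATORS["ipv4-addr"]:
        return INDICATORS["ipv4-addr"][host]
    for net, ttp in CIDRS:
        if ip in net:
            return ttp
    return None


def scan(log_text: str) -> dict:
    """Map each internal client to the list of events that matched an indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # malformed line: skip, never abort the scan
        ts, client, method, target, _status, out_bytes = m.groups()
        host = destination(method, target)
        ttp = lookup(host)
        if ttp:
            hits[client].append({"time": ts, "dest": host,
                                 "bytes_out": int(out_bytes), "ttp": ttp})
    return dict(hits)


def incident_summary(hits: dict) -> dict:
    """Magnitude of the incident: affected hosts, first contact, data volume, TTPs."""
    events = [e for evs in hits.values() for e in evs]
    return {
        "compromised_hosts": sorted(hits),
        "first_contact": min((e["time"] for e in events), default=None),
        "bytes_to_untrusted": sum(e["bytes_out"] for e in events),
        "ttps": sorted({e["ttp"] for e in events}),
    }


if __name__ == "__main__":
    found = scan(PROXY_LOG)
    for client, events in found.items():
        for e in events:
            print(f"ALERT {client} -> {e['dest']} at {e['time']} ({e['ttp']})")
    print(incident_summary(found))
```

Two details matter in practice: destinations are normalised (case, port) before the lookup, otherwise the upper-cased domain in the fourth line would slip past a naive string comparison, and the scan skips malformed lines rather than raising, so one bad record cannot stop the monitoring loop.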
The Future of Threat Intelligence
Hundreds of thousands of new devices are exposed to the internet daily. Since there is no such thing as "100% security," the risk of these devices being compromised remains. The scope for threat intelligence increases with the advancement of technology. The collection process could be automated further as the number of sources scales.
Different types of analysis, like contextual analysis, behavioral analysis, correlation analysis, etc. could be applied to collected information for better threat intel. Artificial intelligence and machine learning could be leveraged to reduce false positives and detect adversaries much earlier.
• Threat Research and Analysis: Research and analysis of different threats, attack patterns, and the Tactics, Techniques, and Procedures (TTPs) used by threat actors could help prevent future attacks.
• Analyzing Compromised Data: Detailed analysis of leaked data, in the event of a breach, can provide further insights into the breach that extend to the motives of the threat actors, the data of interest, etc.
• Sharing Threat Intelligence: Sharing threat information helps others within the industry stay secure and, thereby, gain knowledge about active threats and the TTPs used that target the industry. Sharing this information with government and law enforcement agencies can also help them take the necessary action against adversaries.