What Is Threat Intelligence?
Cyber threat intelligence (CTI) is data that is gathered and processed with a focus on the motives and behaviors of potential threat actors. Threat intelligence provides actionable insights that can be used to prevent, detect or mitigate security breaches.
According to the SANS Institute:
“Threat intelligence is analyzed information about the hostile intent, capability, and opportunity of an adversary that satisfies a requirement.”1
CTI is a foundational element of an overall security architecture, as it informs the overarching security actions and investments selected by an organization. It allows security professionals to better select, configure, and deploy the right security controls for their own circumstances and environments.
Intelligence is unlike data or information because it must go through a process of analysis first. The National Institute of Standards and Technology (NIST) includes in its definition this distinction, describing CTI as “threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.”2
This definition also captures one of the purposes of CTI: To enable more accurate, informed decisions that can shift an organization from reactive to proactive threat mitigation.
Intelligence is both a process (gathering and analysis) and a product, which most often takes the form of a detailed report and a set of recommendations for the various stakeholders, based on the requirements specified at the outset.
Who Is Threat Intelligence For?
A common misconception is that CTI is generated only for the benefit of security operations itself. In truth, it may begin as a request that ultimately serves other business units with resulting actions and implications for the security team to implement.
Every CTI effort begins with a set of requirements, which typically come from senior leadership. The requesting stakeholder provides a list of knowledge gaps and areas of interest or concern for the intelligence team to investigate, with the goal of reporting back with both strategic and tactical findings and recommendations.
A TI team informs stakeholders from:
- Executive Management, so they can better understand the open risks and the options available to prevent, mitigate, and respond to them
- Business Operations, to provide context around security-related headcount and budget implications of various breach scenarios
- System Engineering & IT, to detail network architecture changes that may be needed, or new policies and procedures
- Security Operations Center (SOC), to explain the technical details around specific preventative measures and accelerate the creation of response and mitigation tactics to be considered
- Incident Response, to supply team members with specific protocols drawn from high-level intelligence recommendations
- Vulnerability Management, for resources and guidelines learned from prior incidents, attack patterns, and trends
How Is Threat Intelligence Used?
CTI serves three core functions:
- Preventative function, supporting a larger SOC with activities such as alert triage and vulnerability identification.
- Response function, supporting incident response efforts, strengthening Indicators of Compromise (IoCs; proof or evidence of exploitation), and disseminating information between teams.
- Strategic function, helping to prioritize and inform business decision-making around security, such as choosing specific tools, engaging third-party security firms, or augmenting cybersecurity staff.
Intelligence can be used to:
- Find non-obvious intrusion evidence and vulnerability traces
- Block nefarious IP addresses, URLs, domains, and files
- Identify both the root cause and resulting implications of a breach
- Optimize preparedness and response tactics
- Prioritize incident readiness based on likelihood and impact
- Enrich alerts with more timeliness and specificity
- Adjust and refine existing security control configurations
- Link and correlate alerts with other incidents and attack patterns
- Provide the basis for creating security roadmaps and readiness scores
What Are the Different Types of Threat Intelligence?
In addition to the three CTI functions, there are four types of intelligence that feed into those functions: Strategic Intelligence, Operational Intelligence, Tactical Intelligence, and Technical Intelligence. The difference between these types is largely determined by who the intelligence is intended to benefit, in descending order from less technical but higher-ranking executives to highly technical individual contributors and analysts:
- Strategic Intelligence gives an overview of an organization’s threat landscape to inform high-level strategy. Intelligence includes threat actor profiles, vulnerability audits, and threat assessments.
- Operational Intelligence focuses on detailed knowledge of attack motives, timing, and methods, often based on hard-to-gather intel from threat actor discussions online.
- Tactical Intelligence consists of more specific details on threat actor tactics, techniques, and procedures (TTPs) to better understand potential attack vectors, remove vulnerabilities, and implement effective mitigation measures.
- Technical Intelligence includes detailed clues or evidence of attacks based on technical information such as reported IP addresses, malware samples, and compromised URLs. This level of intel is much more time-sensitive, as specific vectors and techniques may be discarded quickly by savvy threat actors.
Sometimes Technical Intelligence is bundled under Tactical Intelligence for a total of three types, but the EC-Council makes a distinction between understanding threat actors and attack vectors (Tactical Intelligence) and identifying more specific technical data and indicator forensics (Technical Intelligence).3
What Steps Are Part of the Threat Intelligence Process?
TI follows the same general process as intelligence gathering in any other field. It is known as the “intelligence lifecycle.” The term acknowledges the importance of feedback at the end of the process, which cycles back to inform the next iteration and keeps the effort current with the dynamic, evolving cyber threat landscape.
The process follows this general outline:
1. Requirements and Planning
This phase begins with intelligence requirements provided by members of the organization. These are the objectives as specified by key stakeholders, describing knowledge gaps or questions about a threat or environment. For example: which business units are most at risk for a cyberattack? What are the most pressing threats right now? Where should resources be allocated? What specific indicators should technical team members be aware of?
The primary activity in the planning phase is threat modeling, which consists of methodically outlining what exists within the organization that adversaries might want. This could be financial information, user data, intellectual property, or even system resources. Some threat groups have a history of going after only one of these (or, for example, a specific software version), which helps align and focus the effort.
2. Collection
This phase consists of understanding which requirements can be fulfilled based on the sources and data available and how they are processed. The primary source is internal information about what adversaries have done in the past, examined through intrusion analysis. Other sources can include:
- Threat data feeds of file hashes, filenames, or IP addresses
- Data pivoting on various indicators, connecting one piece of data to another (for example, using Whois information to look up registered contacts connected to different IP resolutions)
- Public intelligence reports, which largely focus on malware analysis
3. Processing & Analysis
This phase involves using structured models to segment data into relevant categories, which abstracts the raw information and makes it easier to see patterns and resemblances. Most security analysts use one of several widely adopted models, such as the Cyber Kill Chain, MITRE ATT&CK, VERIS, and the Diamond Model.
Regardless of the methodology chosen, analysis is mainly concerned with clustering activities to identify related patterns. Clusters can be described as threat actors, activity groups, campaigns, and intrusion sets, and are generated based on analytical weighting—a form of confidence scoring.
A Threat Intelligence Platform (TIP) is often used at this stage to store and access information in a convenient format that makes analysis stronger and more efficient.
4. Production & Dissemination
This phase refers to formatting the intelligence for the intended audience and distributing or presenting it accordingly. This means producing useful artifacts for stakeholders including reports, runbooks, and knowledge bases determined by the requirements outlined during the Planning phase.
It is critical that distribution and conversations undergo proper security procedures to avoid infiltration of what at this point is a precise distillation of the most sensitive vulnerabilities and attack vectors. Meetings, file sharing, and email correspondence should be tightly managed to reduce the attack surface and avoid intrusion.
5. Feedback
The final phase involves collecting feedback from stakeholders and assessing the intelligence outputs based on how closely they fulfilled the initial objectives and requirements. Stakeholders’ priorities can also change and require subsequent adjustments or additional investigation. Utilizing a formal scoring method can be helpful to standardize performance metrics and measure intelligence more consistently over time, with the goal of continuous security improvement.
This process is not a linear path but an iterative cycle, and benefits from constant refinement, adjustment, and evolution to stay one step ahead of clever, highly motivated adversaries.
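The collection, analysis and feedback phases above, worked through on constructed sample data as an added example that is not part of the original article: feed entries are weighted by source and aged out by indicator type (technical indicators expire fastest, as the Technical Intelligence description notes), merged into one table that records corroborating sources, used to enrich SOC alerts, and finally counted per source as feedback for the next cycle. The source names, weights, shelf lives, feed entries and alerts are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

SOURCE_WEIGHT = {"internal_intrusion_analysis": 1.0, "vendor_feed": 0.8, "osint_feed": 0.6}  # constructed analyst weights
MAX_AGE_DAYS = {"ip": 14, "domain": 30, "sha256": 365}  # constructed shelf lives: IPs go stale fastest

def score_indicator(entry, now):
    """Confidence in [0, 1]: source weight decayed linearly by age, 0.0 once expired."""
    age_days, limit = (now - entry["last_seen"]).days, MAX_AGE_DAYS[entry["type"]]
    if age_days > limit:
        return 0.0
    return round(SOURCE_WEIGHT[entry["source"]] * (1 - age_days / limit), 2)

def build_indicator_table(feeds, now):
    """One record per indicator value: best score plus every corroborating source."""
    table = {}
    for entry in feeds:
        score = score_indicator(entry, now)
        if score == 0.0:
            continue  # expired: drop it rather than let it poison alert enrichment
        rec = table.setdefault(entry["value"], {"type": entry["type"], "score": 0.0, "sources": []})
        rec["score"] = max(rec["score"], score)
        rec["sources"].append(entry["source"])
    return table

def enrich_alerts(alerts, table, min_score=0.5):
    """Attach matching indicator context to each alert, ignoring weak matches."""
    out = []
    for alert in alerts:
        matches = [{"field": f, "value": v, **table[v]} for f, v in alert.items()
                   if f != "id" and v in table and table[v]["score"] >= min_score]
        out.append({"id": alert["id"], "matches": matches,
                    "max_score": max((m["score"] for m in matches), default=0.0)})
    return out

def source_hit_counts(enriched):
    """Feedback metric for the next cycle: how often each source backed a match."""
    return Counter(s for a in enriched for m in a["matches"] for s in m["sources"])

NOW = datetime(2024, 6, 1)
FEEDS = [  # constructed feed entries using RFC 5737 documentation addresses
    {"value": "198.51.100.7", "type": "ip", "source": "osint_feed", "last_seen": NOW - timedelta(days=2)},
    {"value": "198.51.100.7", "type": "ip", "source": "internal_intrusion_analysis", "last_seen": NOW - timedelta(days=7)},
    {"value": "203.0.113.9", "type": "ip", "source": "osint_feed", "last_seen": NOW - timedelta(days=40)},
    {"value": "bad.example", "type": "domain", "source": "vendor_feed", "last_seen": NOW - timedelta(days=3)},
]
ALERTS = [  # constructed SOC alerts
    {"id": "A1", "src_ip": "198.51.100.7", "dst_domain": "bad.example"},
    {"id": "A2", "src_ip": "203.0.113.9", "dst_domain": "intranet.example"},
]
```

Alert A2 gets no match because its only known-bad address is 40 days old and has been aged out, which is the expiry behaviour the lifecycle's feedback phase exists to tune.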
What’s Included in Threat Intelligence Reports?
Formal reports are one of the most common outputs of a CTI cycle, and their contents are unique to each organization, stakeholder group, set of requirements, process, and analyst.
However, there are some common attributes that tend to feature in most CTI reports and are a good starting point when creating a checklist of essential information to consider:
- Methodology
- Executive summary
- Attacker trends and common security issues
- Statistics on breaches, attacks, and data loss
- Vulnerability audit
- Impact analysis
- Prioritized technical recommendations
- System and technology gaps
- Staffing and departmental implications
- Policy documents
What Sources Are Used to Conduct Threat Intelligence Research?
There are many places to find current data and relevant information for any given CTI need, environment, or industry. Sources include but are not limited to:
White papers and journals produced by governments, companies, and universities, which consolidate a variety of sources and perspectives into well-formatted thought leadership.
Open Source Intelligence (OSINT) refers to free resources, often associated with paid security consultancies or software vendors but also provided by non-profit organizations, such as the popular MISP Threat Sharing project. OSINT compiles up-to-date lists of threat data such as malicious IP addresses associated with recent malware-hosting domain names or DoS and spam attacks.
Information Sharing and Analysis Centers (ISACs) are associations that often share free TI publications developed and maintained to be industry-specific.
“ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators. Information Sharing and Analysis Centers help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.”4
Attack signatures, used by security software to analyze traffic patterns on a network and identify malicious behavior. These signatures are drawn from threat data that is usually obtained from paid, reputable sources.
What Makes Threat Intelligence Valuable?
Only when researched and produced correctly is intelligence valuable. Poorly produced CTI can do more harm than good by understating vulnerabilities, ignoring threats, or misunderstanding attack methods.
The Cybersecurity and Infrastructure Security Agency (CISA) considers the most valuable intelligence to be both relevant and useful.5
Relevant intelligence is:
- Applicable (Is it a threat of interest?)
- Accurate (Is the information reputable, clear and confident?)
- Timely (Is the information generated and shared quickly?)
Useful intelligence is:
- Machine Readable (Can the information be read and shared by systems?)
- Consumable (Can processes use the information in an automated fashion?)
- Actionable (Can the information be understood clearly to make operational decisions?)
Leading research firm Gartner emphasizes relevance as a key attribute inherent in quality TI efforts:
“Threat intelligence is knowledge about who or what is on the other side, as well as how they operate. Trying to defend against every possible threat with limited resources is a losing proposition. Use TI to protect your organization from all the relevant adversaries. Further, use TI to decide which adversaries are in fact relevant.”6
How Does Forescout Help?
Forescout Research – Vedere Labs shares original threat intelligence via reports, dashboards, and machine-readable threat feeds. This intelligence can be delivered to key stakeholders and ingested by the Forescout Platform. Vedere Labs is dedicated to helping ensure customers have timely, state-of-the-art defenses that are grounded in unique data and analysis. Vedere Labs is a partner of several ISACs and intel-sharing associations, such as the EE-ISAC and the OT-ISAC.
To take advantage of the billions of data points collected from millions of deployed IT, IoT, IoMT and OT devices, as well as robust network data stored in a proprietary data lake, visit our Global Cyber Intelligence Dashboard. To access the latest Vedere Labs Reports go to our threat briefings page or follow our blog.
1 SANS Digital Forensics and Incident Response, “The Cycle of Cyber Threat Intelligence,” (2019)
2 NIST, Computer Security Resource Center Glossary, “Threat Intelligence,” https://csrc.nist.gov/glossary/term/threat_intelligence
3 EC-Council, “What Is Threat Intelligence Security?” (2024) https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/what-is-cyber-threat-intelligence/
4 National Council of ISACs https://www.nationalisacs.org/
5 CISA, Cybersecurity Automation and Threat Intelligence Sharing Best Practices, “Assessing The Potential Value Of Cyber Threat Intelligence (CTI) Feeds”, (2024) https://www.cisa.gov/sites/default/files/publications/Assessing%20Cyber%20Threat%20Intelligence%20Threat%20Feeds_508c.pdf
6 Gartner, “How to Use Threat Intelligence for Security Monitoring and Incident Response,” (2020) https://emt.gartnerweb.com/ngw/eventassets/en/conferences/hub/security/documents/how-to-use-threat-intelligence.pdf