Cyber threat intelligence

Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data or intelligence from internet traffic, and data derived from the deep and dark web.

In recent years, threat intelligence has become a crucial part of companies' cyber security strategy, since it allows companies to be more proactive in their approach and to determine which threats represent the greatest risks to a business. This puts companies on a more proactive front, actively trying to find their vulnerabilities and prevent hacks before they happen. This method has gained importance in recent years since, as IBM estimates, the most common way companies are hacked is via threat exploitation (47% of all attacks).

Threat vulnerabilities have also risen in recent years due to the COVID-19 pandemic and more people working from home, which makes companies' data more vulnerable. Due to the growing threats on one hand, and the growing sophistication needed for threat intelligence on the other, many companies have opted in recent years to outsource their threat intelligence activities to a managed security provider (MSSP).

Process - intelligence cycle

The process of developing cyber threat intelligence is a circular and continuous process, known as the intelligence cycle, which is composed of five phases carried out by intelligence teams to provide leadership with relevant and timely intelligence that reduces danger and uncertainty.

The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination.

In planning and direction, the customer of the intelligence product requests intelligence on a specific topic or objective. Then, once directed by the client, the second phase begins: collection, which involves accessing the raw information that will be required to produce the finished intelligence product. Since information is not intelligence, it must be transformed and therefore must go through the processing and analysis phases: in the processing (or pre-analytical) phase the raw information is filtered and prepared for analysis through a series of techniques (decryption, language translation, data reduction, etc.); in the analysis phase, the organized information is transformed into intelligence. Finally, in the dissemination phase, the newly produced threat intelligence is sent to the various users for their use.

Types

There are three overarching, but not categorical, classes of cyber threat intelligence: 1) tactical; 2) operational; 3) strategic. These classes are fundamental to building a comprehensive threat assessment.

Tactical: Typically used to help identify threat actors. Indicators of compromise (such as IP addresses, Internet domains or hashes) are used, and the analysis of the tactics, techniques, and procedures (TTP) used by cybercriminals is deepened. Insights generated at the tactical level help security teams predict upcoming attacks and identify them at the earliest possible stages.

Operational: This is the most technical level of threat intelligence. It shares hard and specific details about attacks, motivation, threat actor capabilities, and individual campaigns. Insights provided by threat intelligence experts at this level include the nature, intent, and timing of emerging threats. This type of information is more difficult to obtain and is most often collected through deep, obscure web forums that internal teams cannot access. Security and attack response teams are the ones that use this type of operational intelligence.

Strategic: Usually tailored to non-technical audiences, this is intelligence on the general risks associated with cyber threats. The goal is to deliver, in the form of white papers and reports, a detailed analysis of current and projected future risks to the business, as well as the potential consequences of threats, to help leaders prioritize their responses.

Benefits of cyber threat intelligence

Cyber threat intelligence provides a number of benefits, which include:

Gives organizations, agencies or other entities the ability to develop a proactive and robust cybersecurity posture and to bolster overall risk management and cyber security policies and responses.
Drives momentum toward a proactive cybersecurity posture that is predictive, not simply reactive after a cyber attack.
Provides context and insights about active attacks and potential threats to aid decision making.
Prevents data breaches from releasing sensitive information, thus preventing data loss.
Reduces costs. Since data breaches are costly, reducing the risk of data breaches helps save money.
Helps and provides instructions to institutions on how to implement security measures to protect against future attacks.
Enables sharing of knowledge, skills and experiences among the cyber security community of practice and systems stakeholders.
Helps to more easily and better identify risks and threats, as well as delivery mechanisms, indicators of compromise across the infrastructure, and potential specific actors and motivators.
Helps in the detection of attacks during and before these stages.
Provides indicators of actions taken during each stage of the attack.
Communicates threat surfaces, attack vectors and malicious activities directed at both information technology and operational technology platforms.
Serves as a fact-based repository for evidence of both successful and unsuccessful cyber attacks.
Provides indicators for computer emergency response teams and incident response groups.

Key elements

There are three key elements that must be present for information or data to be considered threat intelligence:

Evidence-based: For any intelligence product to be useful, it must first be obtained through proper evidence-gathering methods. Through other processes, such as malware analysis, threat intelligence can be produced.
Utility: For threat intelligence to have a positive impact on the outcome of a security event, it must have some utility. Intelligence must provide clarity, in terms of context and data, about specific behaviours and methods.
Actionable: Action is the key element that separates information or data from threat intelligence. Intelligence must drive action.

Attribution

Main article: Cyberattribution

Cyber threats involve the use of computers, storage devices, software networks and cloud-based repositories. Prior to, during or after a cyber attack, technical information about the information and operational technology, devices, network and computers between the attacker(s) and the victim(s) can be collected, stored and analyzed. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack, termed attribution, is sometimes difficult. Recent efforts in threat intelligence emphasize understanding adversary TTPs.

A number of recent cyber threat intelligence analytical reports have been released by public and private sector organizations which attribute cyber attacks. These include Mandiant's APT1 and APT28 reports, US CERT's APT29 report, and Symantec's Dragonfly, Waterbug Group and Seedworm reports.

CTI sharing

In 2015, U.S. government legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. This act required the U.S. federal government to facilitate and promote four CTI objectives:

Sharing of "classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments";
Sharing of "unclassified indicators with the public";
Sharing of "information with entities under cybersecurity threats to prevent or mitigate adverse effects";
Sharing of "cybersecurity best practices with attention to the challenges faced by small businesses".

In 2016, the U.S. government agency National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150) which further outlined the necessity for cyber threat information sharing as well as a framework for implementation.

See also

Cyber Intelligence Sharing and Protection Act
Denial-of-service attack
Indicator of compromise
Malware
Malware analysis
Ransomware
Zero-day (computing)

Further reading

Boris Giannetto, Pierluigi Paganini (2020). Mastering Communication in Cyber Intelligence Activities: A Concise User Guide. Cyber Defense Magazine.
Anca Dinicu, "Nicolae Bălcescu" Land Forces Academy, Sibiu, Romania, Cyber Threats to National Security. Specific Features and Actors Involved - Bulletin Ştiinţific No 2(38)/2014
Zero Day: Nuclear Cyber Sabotage, BBC Four - the documentary thriller about warfare in a world without rules, the world of cyberwar. It tells the story of Stuxnet, self-replicating computer malware, known as a 'worm' for its ability to burrow from computer
What is threat intelligence? - Blog post providing context and adding to the discussion of defining threat intelligence.
Threat hunting explained - Short article explaining cyber threat intelligence.
Cyber Threat Intelligence - What is Cyber Threat Intelligence? Definitive guide for beginners.
Threat Intelligence Platform - A Step-by-Step Guide for beginners.