Cyber Threat Intelligence
“If you know the enemy and know yourself,
you need not fear the result of a hundred
battles.”
-Sun Tzu
The cost of cyberattacks around the world has risen from $600 billion in 2018 to
$945 billion in 2020, an increase of more than 50% and more than 1% of global
GDP, according to a study by the Center for Strategic and International
Studies cited in a McAfee report.
What is cyber threat intelligence?
Cyber threat intelligence is an area of cybersecurity that focuses on the collection and analysis of
information about current and potential attacks that threaten the safety of an organization or its assets.
By implementing this tactic, businesses can take proactive steps to ensure that their systems are secure.
Through cyber threat intelligence and analysis, data breaches can be prevented altogether, saving you
the financial costs of setting any incident response plans in motion.
Cyber threat intelligence aims to give companies an in-depth understanding of the threats that pose the
greatest risk to their infrastructure and devise a plan to protect their business.
Part of the understanding that comes from cyber threat intelligence analysis is why a hacker would
attack your systems to begin with. Knowing the opposition’s motive can shed light onto what areas of
your systems could be the most vulnerable.
Types of cyber threat intelligence
There are three kinds of cyber threat intelligence: strategic, tactical and operational.
1. Strategic threat intelligence: This is a high-level assessment of potential threats, identifying who might be
interested in attacking the organization or companies in its industry and their motivations. It is presented
to executives in the form of whitepapers, reports and presentations to show them how the organization
needs to respond.
2. Tactical threat intelligence: This relates to how and where the organization may be targeted and focuses on
cybercriminals’ tactics, techniques and procedures. It is technical and is presented to IT and network
professionals, to have them put defenses in place to prevent these types of attacks.
3. Operational threat intelligence: This is information gleaned from active attacks, cyber honeypots (traps to
entice hackers to reveal their tactics) and data shared by third parties. It includes highly specific data
such as URLs, file names and hashes, domain names, and IP addresses, and should be used to block
attacks (if caught early enough), limiting damage and eliminating known threats in the network.
With enough information and forethought, you can then implement the right tools to monitor for certain
behaviors and conduct a potent incident response.
Why should you use cyber threat intelligence?
Cyber threat intelligence analysts work with the cybersecurity or IT team of a client to hash out a plan for the
client business. Once hired, the service will investigate and explain any potential threats the client business
faces and what can be done to keep those threats at bay.
Armed with that kind of information, whoever takes care of the client network can make the appropriate
adjustments.
Along with providing the client company the proper tools to stymie any cyberattacks, cyber threat
intelligence can determine if they already had a security issue. Through the use of indicators of
compromise, intelligence analysts can determine whether the systems have been hit with malware that, if
left undetected, could lead to stolen, corrupted or ransomed sensitive data.
One common type of malware is spyware, which can be installed on a system without your knowledge to
obtain internet usage data and other sensitive information. This could be credit card information,
customers’ and employees’ personal information, or other valuable data in a business setting.
Malware can become a costly problem for any business. In 2021, there were multiple attacks using a kind
of malware called ransomware. Ransomware locks systems down before demanding payment for the
user to gain access. It was used to shut down Colonial Pipeline, causing a gas shortage on the East Coast.
Ransomware attacks are particularly costly; the average ransom payment jumped from $5,000 in 2018 to
$200,000 in 2020, a 40-fold increase, according to the National Security Institute.
What to do if you uncover a cyberattack
When you discover that your organization has been attacked, time is of the essence. Take these steps immediately:
1. Mobilize your incident response team. This includes your IT and network personnel and may also include software
and external IT vendors, HR professionals if employee data was compromised, legal counsel if intellectual property was
compromised, and operations managers if ransomware halted operations.
2. Secure the systems. Depending on the type and scale of the breach, this might mean isolating or suspending the
compromised section(s) of your network temporarily, or possibly the entire network, until protections can be put in place.
3. Investigate the incident. Mobilize a team of internal technical professionals and, if needed, external experts to find out
what happened and how it happened, as well as to assess the amount of the damage.
4. Implement protections and countermeasures. This may include changing passwords, putting up or strengthening
firewalls, implementing data encryption, and removing malicious code. If an employee was complicit, the employee
should be fired and law enforcement alerted.
5. Reassess your cybersecurity measures to see where you could add to and strengthen your practices.
6. Check to see if the losses are covered under your business insurance policy, and make a claim if so.
7. Report the attack to the appropriate regulatory agency, if necessary.
8. Manage public relations if the attack compromised customer data.
CTI process

Phase 1: Intel Planning/Strategy
Description: Identify intelligence needs of organization, critical assets, and their vulnerabilities
Approaches: threat trending, vulnerability assessments, asset discovery, diamond modelling

Phase 2: Data Collection and Aggregation
Description: Identify and collect relevant data for threat analytics
Data sources: internal network data, external threat feeds, OSINT, human intelligence

Phase 3: Threat Analytics
Description: Analyze collected data to develop relevant, timely, and actionable intelligence
Approaches: malware analysis, event correlation, visualizations, machine learning

Phase 4: Intel Usage and Dissemination
Description: Mitigate threats and disseminate intelligence
Approaches: manual and automated threat responses, intelligence communication standards (e.g., STIX)
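The operational intelligence described earlier (hashes, domain names and IP addresses used to block attacks and to check for indicators of compromise) and the STIX dissemination standard named in Phase 4 meet in one routine task: an analyst receives indicators in a STIX bundle and checks local logs for them. The following Python example is added here and is not part of the presentation. It constructs a minimal STIX 2.1-style bundle inline (all indicator values are placeholders drawn from documentation ranges, not real indicators), extracts the equality comparisons from each indicator pattern, and scans constructed proxy, DNS and endpoint log lines for matches. Only simple equality patterns are handled; the STIX pattern operators beyond that are out of scope for this illustration.

```python
"""Matching STIX indicators against log lines (added example, constructed data).

A STIX 2.1-style bundle is built inline, the equality comparisons in each
indicator's pattern are pulled out, and constructed log lines are scanned for
those values. Every domain, address, hash and log line is a placeholder.
"""
import json
import re

# Constructed STIX 2.1-style bundle. Only the fields this example reads are
# meaningful; values are placeholders (RFC 5737 ranges, .example TLD).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "name": "Constructed C2 domain", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "name": "Constructed C2 addresses", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR "
                    "[ipv4-addr:value = '203.0.113.9']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "name": "Constructed dropper hash", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    ],
})

# One equality comparison inside a STIX pattern, e.g.
# [ipv4-addr:value = '203.0.113.9'] or [file:hashes.'SHA-256' = '...'].
_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\s*\]")

# (STIX object type, property) -> the observable category matched in logs.
_CATEGORY = {
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ipv4",
    ("file", "hashes.'SHA-256'"): "sha256",
}


def extract_iocs(bundle_json):
    """Return {category: {value: indicator name}} for a STIX bundle.

    Only simple equality comparisons are handled; other pattern operators
    (FOLLOWEDBY, WITHIN, ...) are skipped by this example.
    """
    iocs = {category: {} for category in set(_CATEGORY.values())}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obj_type, prop, value in _COMPARISON.findall(obj["pattern"]):
            category = _CATEGORY.get((obj_type, prop))
            if category is None:
                continue  # observable type this example does not know
            iocs[category][value.lower()] = obj["name"]
    return iocs


# Regexes that pull candidate observables out of free-form log text.
_OBSERVABLE = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def scan_logs(log_lines, iocs):
    """Return (line number, category, value, indicator name) per hit.

    A value repeated within one line (e.g. in dst= and in the URL) is
    reported once, so each tuple is one observable seen on one line.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        seen = set()
        for category, pattern in _OBSERVABLE.items():
            for candidate in pattern.findall(line):
                value = candidate.lower()
                name = iocs[category].get(value)
                if name is not None and (category, value) not in seen:
                    seen.add((category, value))
                    hits.append((number, category, value, name))
    return hits


# Constructed log lines: a proxy record, a DNS query, an EDR file event and
# two benign lines that must not match.
SAMPLE_LOGS = [
    "2024-03-02T10:14:07Z proxy src=10.0.0.15 dst=203.0.113.9 url=http://203.0.113.9/c",
    "2024-03-02T10:14:09Z dns client=10.0.0.15 query=update-check.example type=A",
    "2024-03-02T10:14:12Z edr host=ws-15 file=C:\\Users\\x\\svc.exe sha256=" + "AB" * 32,
    "2024-03-02T10:15:00Z dns client=10.0.0.22 query=www.example.org type=A",
    "2024-03-02T10:15:03Z proxy src=10.0.0.22 dst=192.0.2.1 url=http://www.example.org/",
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, extract_iocs(STIX_BUNDLE)):
        print("line %d: %s %s matches '%s'" % hit)
```

Each hit carries the indicator name, so a match can be traced back to the intelligence object it came from when the finding is reported; in practice the same dictionary of values would be loaded into a SIEM lookup or a blocklist rather than scanned with regular expressions line by line.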
Questions & Comments