The concept of CTI is as old as war. Understanding a threat actor's intentions, capabilities, objectives, resources, and thought process leads to a better-informed defender. Ultimately, the end result of intelligence could be as simple as updating a firewall block policy with a feed of known malware Command & Control (C2) infrastructure. Additionally, it could be a dossier on threat actors targeting your organizational industry vertical. Ultimately, a better-informed defender can make actionable changes in an organization's risk profile by better directing all lines of business within an organization.

Ask any IT security professional what CTI is, and you'll likely get different definitions. The definition of threat intelligence almost always varies from organization to organization. This is often due to the differing motivations within each organization for having a threat intelligence program. We're not going to wax poetic about the differing threat intelligence definitions, so instead, we'll focus on the definition as it relates to this book.

If we were to distill down what CTI is, simply put, it is data and information that is collected, processed, and analyzed in order to determine a threat actor's motives, intents, and capabilities; all with the objective of focusing on an event or trends to better inform and create an advantage for defenders. Many organizations face challenges regarding CTI functions – such as a flood of alerts generated from an automated API feed. A properly executed CTI collection and enrichment program can help assist with those challenges.

Data, information, and intelligence

When talking about CTI, it's important to differentiate between data, information, and intelligence. It's important to understand the distinct differences between data, information, and intelligence so that you can store, analyze, and determine patterns more efficiently. As an example, a URL is a piece of data that contains a domain – the registrant data for that domain is information, and the registrant being commonly associated infrastructure with the Threat Actor Group (TAG) APT29 would be considered intelligence.

Important Note

This is the first time we've used the acronym of TAG. To clarify our vernacular, a threat actor is a person or entity responsible for malicious cyber activity. A group of threat actors working in unison is called a TAG and, often, is identified directly through naming conventions such as APT29, which was referenced earlier. We'll be covering more on TAG naming conventions in Chapter 2, Threat Actors, Campaigns, and Tooling.

Data is a piece of information, such as an IP address, malware hash, or domain name. Information is vetted data, but often lacks the context that is needed for strategic action, such as an IP address with no malicious/benign categorization or contextualization. And finally, intelligence is adding a layer of analysis and context to that information and data and, therefore, making the intelligence actionable, such as a feed of malware hashes associated with cybercrime actors operating out of Europe.

To help in adding context, examples of each can be found in Table 1.1:

Table 1.1 – Table demonstrating data, information, and intelligence

The process of converting data into threat intelligence includes a combination of collection, processing, analyzing, and production, which will be explored later in the chapter.

Understanding the importance of threat intelligence and the differentiation of data, information, and intelligence is paramount to a structurally sound CTI program. Now that we've looked at those important aspects, we're going to dive into understanding the difference between the different types of intelligence: tactical, strategic, operational, and technical.

When thinking about CTI, it's easy to assume that it is one discipline. On the surface, an analyst collects data from several sources, analyzes that data, and synthesizes intelligence, which, ultimately, helps the organization take action. However, closer inspection reveals there are really four distinct types of CTI.

Tactical CTI

Tactical CTI is the data and information related to the Tactics, Techniques, and Procedures (TTPs) used by threat actors to achieve their objective. Ultimately, tactical CTI is intended to inform defenders, threat detection and response engineers, incident responders, and other technical teams throughout the organization in order to motivate an action of some sort. Unlike strategic CTI, tactical CTI is almost exclusively used by technical resources. Usually, tactical CTI is consumed directly by those responsible for defending an organization.

The most common deliverables include targeted reports, threat feeds, and API feeds of malicious observables. Many of the reports that are generated focus on the technical details pertaining to a malware family, threat group, or campaign of activity. Some examples of what might be included in tactical CTI reports include the following:

• Targeted industries
• The infection vector of the threat actor
• The infrastructure used by the attacker
• Tools and techniques employed by the threat actor

To produce tactical CTI, a combination of open source and vendor-provided intelligence and data is most often used. To create tactical threat intelligence, the producer should employ an active collection and enrichment process. Some examples of sources of tactical CTI include the following:

• Malware analysis details
• Honeypot log analysis
• Internal telemetry data
• Scan data (such as Shodan.io)

Next comes strategic CTI.

Strategic CTI

Strategic CTI is often non-technical threat landscape information that is related to risk-based intelligence and, typically, includes relevant industry vertical intelligence. Strategic CTI is most often used by senior decision-makers throughout organizations.

The most common deliverables include reports or briefings. It's common for the data sources for strategic CTI to be open source and include a wide variety of sources. Take a look at the following:

• Local and national media
• Government policy documents
• Industry reporting
• Content produced by industry organizations
• Social media activity

Let's move on to operational CTI.

Operational CTI

In an ideal world, CTI would enable preventative action to be taken before a threat actor compromises an organization. Operational CTI is intelligence unearthed about possible incoming attacks on an organization. Operational intelligence is typically technical and strategic in nature and includes information pertaining to the intent, capabilities, and timing of impending attacks. This provides insight into the sophistication of the threat actor or group, helping dictate an organization's next steps. Operational CTI helps enable defenders to block activity before the activity even takes place, but due to this, operational CTI is, most often, some of the hardest to generate.

The most common deliverable for operational CTI is spot reports with technical indicators and context extracted from other strategic intelligence. There are many sources that can generate this type of CTI, including the following:

• Intercepting the chat logs of threat actor coordination
• Social media
• Chat rooms and instant messaging rooms (such as Discord or Telegram)
• Underground forums and marketplaces
• Public and private forums and message boards

Next, let's take a look at technical CTI.

Technical CTI

Technical CTI is exactly what it sounds like – technical indicators related to an actor's tools, malware, infrastructure, and more are used to conduct their activities. Technical CTI differs from tactical CTI because technical CTI most commonly focuses on Indicators Of Compromise (IOCs), and tactical CTI relies on analyzing TTPs.

For example, say tactical threat intelligence indicates that the financially motivated criminal group FIN7 has attacked the banking industry in the United States and Europe. Technical threat intelligence would provide the specific hashes, infrastructure, and other details pertaining to the specific attack.

Ultimately, technical CTI is intended to inform defenders, threat detection and response engineers, incident responders, and other technical teams throughout the organization. The most common deliverables include the following:

• Feeds or reports including malicious hashes, infrastructure, and other file attributes
• Changes to a system infected with specific malware; for example, registry modifications
• Confirmed C2 infrastructure
• Email subject lines
• Filenames or file hashes

Sourcing technical threat intelligence comes from a litany of locations, for example, consider the following:

• Information security industry blogs and white papers
• Malware analysis
• Industry trust groups
• Threat feeds

To wrap up, in the following table, let's examine the distinct differences when comparing and contrasting each intelligence type, their respective audiences, and length of intelligence value:

Table 1.2 – A table comparing intelligence types

Within each of the CTI types, there is often a conversation about Subject Matter Expertise (SME) and relative team function. In the following section, we're going to explore the concept of SME within each CTI type.

Subject matter expertise

The concept of SME is a common conversation among threat intelligence circles. When setting up a threat intelligence program, it's important to consider the possible positives and negatives associated with dividing relative team functions among three broad SME focus areas: vulnerability and exploitation, cyber (criminal and nation-state), and brand:

Table 1.3 – Intelligence SME types

While CTI functions employing subject matter experts don't fit every team structure, it's an important consideration to take into account when constructing a team focused on CTI. In the following section, we're going to dive into the importance of CTI and its relative uses and benefits to an enterprise.

I think it can wholeheartedly be stated anywhere within this industry that CTI is important to everyone as it provides contextual information that allows for strategic decision-making. This context allows it to be used by almost any level of analyst or researcher throughout any organization. Its use is not limited to some elite subset of intelligence analysts who claims to know every move of a TAG. Key judgments can be formed from contextual intelligence at any level of employment; from a Security Operations Center (SOC) analyst implementing a firewall policy change after receiving intelligence that a URL is serving a web shell that is known to be associated with several TAGs or even a C-level executive making informed strategic decisions to improve the security posture of their organization.

However, to utilize threat intelligence, several key factors need to exist for it to be useful. First, it needs to be timely in the sense that the delivery of information is provided to a key decision-maker before a key event so that a judgment can be formed around its context. Second, the intelligence must be actionable, that is, the intelligence provided should allow for that key judgment to be realized and a decision made that allows the individual or organization to make a decision based on its delivery. Third, intelligence should be relevant. By actionable, we're referring to the ability to take any action based on the intelligence itself. Finally, intelligence must be delivered in a format that has the lowest barrier to entry for consumption by an organization. This means that any individual or organization that wishes to benefit the most from the existence of CTI must incorporate it into their processes and procedures or even develop security automations around it.

The context of the threat provided by the intelligence is where its value truly lies, as it assists any individual or organization with prioritization, which is one of the most important benefits of threat intelligence. No matter what security role you play in an organization, your role will benefit from the context that threat intelligence provides, as this will allow you to prioritize your key decision-making around the data your organization is consuming.

For example, let's consider this paradigm. Organizations that are only now beginning to look at implementing some form of threat intelligence program into their security organization often start by identifying free data feeds or online services that contain some form of security information, usually in the form of a threat data indicator or IOC. While this is a great start in the collection of data and information that could be used to create threat intelligence, without the context surrounding this information and the appropriate indoctrination by people, processes, and technologies, this approach usually leads to just more information and the encumberment of your human workforce.

With all of this extra information, the burden is just added to your analyst to decide what to review and prioritize and what to ignore. This approach can lead to operational misses, such as incidents that could have been prevented if the appropriate prioritization were placed on the information you were receiving from your threat data feed. CTI can assist in providing context around this information that you receive and give you key insights into the TAG's TTPs. This will assist in informing your decision-making and help you prioritize your actions based on the contextual intelligence provided.

Now that you're aware of the uses and benefits of CTI, let's explore how to get CTI.