Summary
Cyber Threat Intelligence (CTI) provides organizations with data and information on potential cyber threats. Those threats can include various categories of malware, exploitation of vulnerabilities, web-based attacks, Distributed Denial of Service (DDoS) attacks, social engineering attacks, and others. Open Source Threat Intelligence (OSINT) leverages publicly available data sources such as social media, news feeds, court filings and arrest records, attackers’ disclosed information on their victims, activity in illicit forums, and many others.
Cybersecurity programs can make use of CTI in several ways, including in Security Operations Centers (SOCs), to inform Cybersecurity Incident Response Teams’ (CIRT) investigations, to inform threat hunting and Red, Blue, and Purple teams’ efforts, and many others. Understanding the tactics, techniques, and procedures (TTPs) that attackers employ can provide some concrete ideas on how they can be mitigated. A tactic is the reason the attacker performs a particular action. Many security teams also use Indicators of Compromise (IOCs) to help determine if their enterprise IT environments have been compromised. Where TTPs help with protecting against, detecting, and responding to attacks, IOCs help post-compromise to determine when and how the initial compromise happened, and what the attackers did with their illicit access afterward.
The Traffic Light Protocol (TLP) has become a popular protocol for sharing CTI and other types of information. In this case, the “traffic light” analogy uses four colors: red, amber, green, and clear. The colors communicate different information-sharing boundaries, as specified by the sender.
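The chapter does not spell out what each TLP color permits, so the following added example (constructed here, not code from the book) encodes the TLP 2.0 definitions published by FIRST as a sharing-boundary check a CTI platform could run before a report is forwarded. The `Recipient` and `Report` fields and the `may_share` function are assumptions made for the example.

```python
# Constructed example: enforce TLP 2.0 sharing boundaries before forwarding a report.
from dataclasses import dataclass
from enum import Enum


class TLP(Enum):
    """TLP 2.0 labels, most to least restrictive (definitions per FIRST's TLP 2.0)."""
    RED = "TLP:RED"                    # named recipients only, no onward sharing
    AMBER_STRICT = "TLP:AMBER+STRICT"  # recipient's own organization only
    AMBER = "TLP:AMBER"                # recipient's organization and its clients
    GREEN = "TLP:GREEN"                # peers in the community, never public channels
    CLEAR = "TLP:CLEAR"                # no restrictions


@dataclass(frozen=True)
class Recipient:
    uid: str                              # identifier a sender can name (hypothetical field)
    org: str
    community: str                        # sector / sharing community
    client_of: frozenset = frozenset()    # organizations this recipient is a client of


@dataclass(frozen=True)
class Report:
    label: TLP
    source_org: str                       # the originator who chose the label
    community: str                        # originator's sharing community
    named_recipients: frozenset = frozenset()   # only meaningful for TLP:RED


def may_share(report: Report, holder: Recipient, target: Recipient,
              public_channel: bool = False) -> bool:
    """True if `holder`, who legitimately has `report`, may pass it to `target`."""
    if report.label is TLP.CLEAR:
        return True
    if public_channel:                    # every label above CLEAR forbids public channels
        return False
    if report.label is TLP.GREEN:
        return target.community == report.community
    if report.label is TLP.AMBER:
        return target.org == holder.org or holder.org in target.client_of
    if report.label is TLP.AMBER_STRICT:
        return target.org == holder.org
    # TLP:RED: only the originator distributes, and only to the recipients it named;
    # a named recipient may not pass the report on to anyone.
    return holder.org == report.source_org and target.uid in report.named_recipients
```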
This chapter provided some context to help you understand the analysis of various threats in the next three chapters: Chapter 3, Using Vulnerability Trends to Reduce Risk and Costs, Chapter 4, The Evolution of Malware, and Chapter 5, Internet-Based Threats.