The How and What on Cyber Threat Intelligence

In cyber threat intelligence, we gather information that allows us to map and even predict how threat actors will try to target assets that we are supposed to protect.

So it is important for all of us to agree on what cyber threat intelligence actually means.

The answer is this: Cyber Threat Intelligence is the practice of gathering, analyzing and disseminating information about the motivation, intentions and methods of cybercriminals.

In simple terms, we want to know as much as possible about the adversaries that might be interested in targeting the assets we are supposed to protect.

This includes indicators such as where they usually host their command-and-control (C2) infrastructure, which phishing kits they use, and how their malware operates once it is installed on a system.

Actionable Threat Intelligence

Now that we understand what cyber threat intelligence is, we need to talk about actionable threat intelligence.

You might wonder what the difference is, and the answer to that is pretty simple.

Cyber threat intelligence arrives in vast amounts of data, and it is not always clear what can be done with that data.

Actionable threat intelligence, on the other hand, equips security teams with data on which they can act immediately against (persistent) threats.

In most situations, actionable threat intelligence will hold the following:

  • Specificity – the specific IOCs that need your attention
  • Relevance – why this matters to your environment and how urgent it is to act
  • Timeliness – how fresh the information is, and whether action can still be taken
  • Contextual information – the TTPs and other details that describe the threat
  • Mitigation advice – practical steps to reduce or mitigate the risk

Actionable threat intelligence enables security teams to respond effectively to cyberattacks.

Threat Intelligence Types

We have taken a look at two types of threat intelligence already, but there are some more.

Take a look at this list, it holds 5 common types of Threat Intelligence:

  • Basic Threat Intelligence
  • Actionable (Tactical) Threat Intelligence
  • Technical Threat Intelligence
  • Operational Threat Intelligence
  • Strategic Threat Intelligence

A quick look at each of them:

Technical threat intelligence holds detailed information on malware, vulnerabilities and indicators of compromise.

Operational threat intelligence focuses on current threats and the IOCs that should be used directly in security operations centers (SOCs).

Last of all is strategic threat intelligence, which helps the C-level and other decision makers understand the threat landscape and make well-founded, "calculated" decisions.

Quality Threat Intelligence

Now there are many vendors that claim to provide quality threat intelligence feeds.

After all, if you have done all of the hard work of gathering, analyzing and disseminating intelligence on cyber attacks, there is little chance that you will fail to provide quality TI.

If you skip one of the steps, say analyzing the attack, there is a big chance that you will not be able to provide the quality TI the client needs.

Far too often we have seen threat intelligence providers that simply copied "free feeds" into "paid" commercial feeds. They deliver big chunks of data (often incorrect or outdated) without any context.

Such feeds have a high chance of producing false positives.

Remember, threat intelligence is not just sharing IP addresses; it is about bringing context to the IOCs that are presented to you.

Here at Threat Intelligence Lab (TIL), we appreciate the hard work that is done by all of those security specialists, and we see the value that these feeds/platforms give.

That is why, we have also started our ‘Threat Intelligence Feeds‘ topic.

There you can find all types of TI providers that we have checked and can actually vouch for (if implemented and used correctly).
