What is Threat Intelligence - A RF Guide
What is Threat Intelligence
In today's interconnected world, digital technologies power almost every industry. While their automation and connectivity have transformed economies and cultures, they also expose us to cyber threats. Thankfully, we have tools like threat intelligence at our disposal. Often likened to open-source intelligence (OSINT), threat intelligence equips us with the knowledge to prevent or minimize cyberattacks.
This data-driven knowledge provides crucial context: who the attackers are, their motivations and capabilities, and tell-tale signs in your systems to watch out for. Armed with this information, you can make informed decisions to bolster your security posture.
As Gartner defines it, "threat intelligence is evidence-based knowledge that provides context, mechanisms, indicators, implications, and actionable advice about existing or emerging threats to your assets. This intelligence empowers you to respond effectively to these threats and hazards."
Why Is Threat Intelligence Important?
Cybersecurity threats are evolving, but threat intelligence can help. Traditional security methods struggle with complex threats, information overload, and limited expertise. Businesses face attacks from various angles, demanding a broader understanding of risk.
Threat intelligence offers a solution:
- Automates data analysis with machine learning, reducing analyst workload.
- Integrates with existing systems for seamless information flow.
- Processes unstructured data from diverse sources.
- Connects the dots by providing context on:
  - Indicators of Compromise (IoCs): Signs of malicious activity.
  - Tactics, Techniques, and Procedures (TTPs): How attackers operate.
Actionable insights:
- Timely: Early warnings for proactive defense.
- Contextual: Understands the bigger picture.
- Usable: Clear information for decision-makers.
By leveraging threat intelligence, organizations can gain a proactive edge in today's dynamic cybersecurity landscape.

Who Can Benefit From Threat Intelligence?
Forget the mystique: threat intelligence isn't just for cybersecurity ninjas. It's a powerful tool that can benefit every function within your security team, regardless of size or budget.
The problem: Isolating threat intelligence as a separate department leaves valuable insights locked away from those who need them most.
The solution: Integrate threat intelligence seamlessly with your existing security systems. This allows everyone to benefit from:
- Reduced alert fatigue: Prioritize and filter threats automatically, freeing up security operations teams.
- Sharpened vulnerability focus: Understand which vulnerabilities deserve immediate attention through external context and insights.
- Holistic risk analysis: Gain a comprehensive understanding of the threat landscape, including attacker tactics and techniques, to inform fraud prevention, risk management, and other security processes.
Explore these use cases to see how specific roles can leverage threat intelligence for maximum impact. Don't let valuable information stay siloed – make it accessible to everyone who can put it to good use, strengthening your overall security posture.
Threat Intelligence Use Cases
A 2022 Statista report revealed that published threat intelligence and real-time alerts were widely used by organizations, highlighting its versatility and critical role for various teams. Threat intelligence goes beyond merely stopping attacks, offering valuable insights for: prioritizing incidents (triage), assessing risks, managing vulnerabilities, and making informed decisions across the organization.
Incident Response
Security analysts in charge of incident response report some of the highest levels of stress in the industry, and it’s no wonder why — the rate of cyber incidents has steadily climbed over the last two decades, and a high proportion of daily alerts turn out to be false positives. When dealing with real incidents, analysts must often spend time painstakingly sorting through data manually to assess the problem.
Threat intelligence reduces the pressure in multiple ways:
- Automatically identifying and dismissing false positives
- Enriching alerts with real-time context, like custom risk scores
- Comparing information from internal and external sources
Security Operations
Most SOC teams must deal with huge volumes of alerts generated by the networks they monitor. Triaging these alerts takes too long, and many are never investigated at all. “Alert fatigue” leads analysts to take alerts less seriously than they should. Threat intelligence solves many of these problems — helping gather information about threats more quickly and accurately, filter out false alarms, speed up triage, and simplify incident analysis. With it, analysts can stop wasting time pursuing alerts based on:
- Actions that are more likely to be innocuous rather than malicious
- Attacks that are not relevant to that enterprise
- Attacks for which defenses and controls are already in place
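The incident-response and security-operations points above (dismissing likely false positives, enriching alerts with a risk score and context, and setting aside attacks that are irrelevant to the enterprise or already covered by a control) can be expressed as a small triage policy. The following is an added example, not code from Recorded Future or from this guide; every alert, indicator, risk score, threshold and the record layout is constructed for illustration and is not any vendor's schema.

```python
"""Threat-intelligence-driven alert triage (added example, not Recorded Future code).

All alerts, indicators, scores and thresholds below are constructed for
illustration; the record layout is an assumption, not a vendor schema.
"""
from dataclasses import dataclass, field

# Constructed intelligence: indicator -> risk score (0-100), context, and the
# industries the associated campaign is known to target (empty = unknown).
INTEL = {
    "203.0.113.7": {"risk": 89, "context": "C2 address confirmed by three independent sources",
                    "targets": ["finance", "retail"]},
    "198.51.100.9": {"risk": 15, "context": "shared hosting address; mostly benign traffic",
                     "targets": []},
    "evil-login.example": {"risk": 72, "context": "phishing kit host", "targets": ["finance"]},
}

# Indicators already blocked by an existing control (constructed).
BLOCKED_BY_CONTROL = {"evil-login.example"}

# Sort order used to build the analyst queue.
PRIORITY = {"escalate": 0, "review": 1, "deprioritize": 2, "suppress": 3}


@dataclass
class Alert:
    alert_id: str
    indicator: str
    description: str


@dataclass
class Triaged:
    alert: Alert
    disposition: str
    risk: int
    reasons: list[str] = field(default_factory=list)


def triage(alert: Alert, org_industry: str, *, escalate_at: int = 60, noise_below: int = 20) -> Triaged:
    """Decide what an analyst should do with one alert, recording the reasons."""
    rec = INTEL.get(alert.indicator)
    if rec is None:
        # No enrichment available: keep it in the human queue rather than guessing.
        return Triaged(alert, "review", 0, ["no intelligence on indicator; manual review"])

    risk, reasons = rec["risk"], [rec["context"]]
    if alert.indicator in BLOCKED_BY_CONTROL:
        reasons.append("already blocked by an existing control")
        return Triaged(alert, "suppress", risk, reasons)
    if risk < noise_below:
        reasons.append(f"risk {risk} is below the noise threshold of {noise_below}")
        return Triaged(alert, "suppress", risk, reasons)
    if rec["targets"] and org_industry not in rec["targets"]:
        # Relevant campaign but not aimed at us: lower priority, not silently dropped.
        reasons.append(f"campaign targets {rec['targets']}, not {org_industry}")
        return Triaged(alert, "deprioritize", risk, reasons)
    if risk >= escalate_at:
        reasons.append(f"risk {risk} meets the escalation threshold of {escalate_at}")
        return Triaged(alert, "escalate", risk, reasons)
    reasons.append(f"risk {risk} is moderate; analyst review needed")
    return Triaged(alert, "review", risk, reasons)


def build_queue(alerts: list[Alert], org_industry: str) -> list[Triaged]:
    """Triage every alert and order the result: escalations first, highest risk first."""
    triaged = [triage(a, org_industry) for a in alerts]
    return sorted(triaged, key=lambda t: (PRIORITY[t.disposition], -t.risk))


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert("A-1", "198.51.100.9", "outbound connection"),
        Alert("A-2", "203.0.113.7", "outbound connection"),
        Alert("A-3", "evil-login.example", "DNS query"),
        Alert("A-4", "192.0.2.55", "outbound connection"),
    ]
    for t in build_queue(sample, "finance"):
        print(f"{t.alert.alert_id} {t.disposition:<12} risk={t.risk:<3} {'; '.join(t.reasons)}")
```

The design choice worth noting is that an indicator with no intelligence lands in "review" rather than being dropped, and a campaign aimed at another industry is deprioritized rather than suppressed: suppression is reserved for the two cases where the evidence is positive (noise, or a control already in place).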
Vulnerability Management
Effective vulnerability management means shifting from taking a “patch everything, all the time” approach — one that nobody can realistically ever achieve — to prioritizing vulnerabilities based on actual risk.
Although the number of vulnerabilities and threats has increased every year, research shows that most threats target the same, small proportion of vulnerabilities. Threat actors are also quicker — it now only takes fifteen days on average between a new vulnerability being announced and an exploit targeting it appearing.
This has two implications:
- You have two weeks to patch or remediate your systems against a new exploit. If you can’t patch in that timeframe, have a plan to mitigate the damage.
- If a new vulnerability is not exploited within two weeks to three months, it’s unlikely to ever be — patching it can take lower priority.
Threat intelligence helps you identify the vulnerabilities that pose an actual risk to your organization, going beyond CVE scoring by combining internal vulnerability scanning data, external data, and additional context about the TTPs of threat actors.
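The prioritization rule above (patch within the window in which an exploit typically appears, deprioritize what has gone unexploited for months, and weigh exploitation and actor targeting alongside CVE scoring and internal scan data) can be worked through on a few findings. The code below is an added example, not Recorded Future's scoring; the CVE identifiers are placeholders, and the findings, dates, weights and thresholds are constructed.

```python
"""Risk-based vulnerability prioritization (added example, not Recorded Future code).

Findings, dates, weights and thresholds are constructed for illustration; the
timing rules follow the guide (exploits appear ~15 days after disclosure; a
vulnerability not exploited within about three months is unlikely to be).
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    cve: str                    # placeholder id, constructed
    cvss: float                 # base score as reported by the scanner
    internet_facing_hosts: int  # from internal scan data
    internal_hosts: int
    disclosed: date


@dataclass
class ExternalIntel:
    exploit_observed: bool            # exploitation seen in the wild
    actors_target_our_industry: bool  # TTP context from threat actor reporting


def vuln_priority(f: Finding, intel: ExternalIntel, today: date) -> tuple[float, str, list[str]]:
    """Return (score 0-100, recommended action, reasons) for one finding."""
    if f.internet_facing_hosts + f.internal_hosts == 0:
        return 0.0, "not_present", ["not present in our environment"]

    reasons = []
    score = f.cvss * 6.0  # CVSS alone contributes at most 60 of 100
    age = (today - f.disclosed).days
    if intel.exploit_observed:
        score += 30
        reasons.append("exploitation observed in the wild")
    elif age <= 14:
        score += 10
        reasons.append(f"disclosed {age} days ago: inside the ~15-day exploit window")
    elif age > 90:
        score -= 20
        reasons.append(f"no exploitation seen in {age} days: unlikely to ever be exploited")
    if intel.actors_target_our_industry:
        score += 10
        reasons.append("actors exploiting it target our industry")
    if f.internet_facing_hosts:
        score += 15
        reasons.append(f"{f.internet_facing_hosts} internet-facing host(s) affected")

    score = max(0.0, min(100.0, score))
    if score >= 70:
        action = "patch_now"  # or mitigate, if patching inside two weeks is impossible
    elif score >= 40:
        action = "schedule"
    else:
        action = "monitor"
    return score, action, reasons


def rank(findings, intel_by_cve, today):
    """Order findings by score, highest first: (cve, score, action, reasons)."""
    rows = [(f.cve, *vuln_priority(f, intel_by_cve[f.cve], today)) for f in findings]
    return sorted(rows, key=lambda r: -r[1])


TODAY = date(2024, 6, 1)  # constructed "now"
FINDINGS = [  # constructed scanner output
    Finding("CVE-PLACEHOLDER-1", 9.8, 3, 20, date(2024, 5, 22)),
    Finding("CVE-PLACEHOLDER-2", 7.5, 0, 5, date(2024, 2, 2)),
    Finding("CVE-PLACEHOLDER-3", 9.1, 0, 0, date(2024, 5, 1)),
    Finding("CVE-PLACEHOLDER-4", 6.5, 2, 0, date(2024, 5, 27)),
]
INTEL = {  # constructed external context
    "CVE-PLACEHOLDER-1": ExternalIntel(True, True),
    "CVE-PLACEHOLDER-2": ExternalIntel(False, False),
    "CVE-PLACEHOLDER-3": ExternalIntel(True, False),
    "CVE-PLACEHOLDER-4": ExternalIntel(False, False),
}


def demo():
    return rank(FINDINGS, INTEL, TODAY)


if __name__ == "__main__":
    for cve, score, action, reasons in demo():
        print(f"{cve} {score:5.1f} {action:<12} {'; '.join(reasons)}")
```

Note that the highest-CVSS finding in the sample ends up last: the scanner never saw it on any host, so no amount of external context makes it actionable, while a medium-severity bug on internet-facing hosts inside the exploit window outranks an old, unexploited high-severity one.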
Risk Analysis
Risk modeling can be a useful way for organizations to set investment priorities. But many risk models suffer from vague, non-quantified output that is hastily compiled from partial information or unfounded assumptions, or that is difficult to act on.
Threat intelligence provides context that helps risk models make defined risk measurements and be more transparent about their assumptions, variables, and outcomes. It can help answer questions such as:
- Which threat actors are using this attack, and do they target our industry?
- How often has this specific attack been observed recently by enterprises like ours?
- Is the trend up or down?
- Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our enterprise?
- What kind of damage, technical and financial, has this attack caused in enterprises like ours?
Fraud Prevention
To keep your organization safe, it isn’t enough to only detect and respond to threats already exploiting your systems. You also need to prevent fraudulent uses of your data or brand.
Threat intelligence gathered from underground criminal communities provides a window into the motivations, methods, and tactics of threat actors, especially when this intelligence is correlated with information from the surface web, including technical feeds and indicators.
Use threat intelligence to prevent:
- Payment fraud
- Compromised data
- Typosquatting
Security Leadership
CISOs and other security leaders must manage risk by balancing limited available resources against the need to secure their organizations from ever-evolving threats. Threat intelligence can help map the threat landscape, calculate risk, and give security personnel the intelligence and context to make better, faster decisions.
Today, security leaders must:
- Assess business and technical risks, including emerging threats and “known unknowns” that might impact the business
- Identify the right strategies and technologies to mitigate the risks
- Communicate the nature of the risks to top management, and justify investments in defensive measures
Threat intelligence can be a critical resource for all these activities, providing information on general trends, such as:
- Which types of attacks are becoming more (or less) frequent
- Which types of attacks are most costly to the victims
- What new kinds of threat actors are coming forward, and the assets and enterprises they are targeting
- The security practices and technologies that have proven the most (or least) successful in stopping or mitigating these attacks
It can also enable security groups to assess whether an emerging threat is likely to affect their specific enterprise based on factors such as:
- Industry — Is the threat affecting other businesses in our vertical?
- Technology — Does the threat involve compromising software, hardware, or other technologies used in our enterprise?
- Geography — Does the threat target facilities in regions where we have operations?
- Attack method — Have methods used in the attack, including social engineering and technical methods, been used successfully against our company or similar ones?
With these types of intelligence, gathered from a broad set of external data sources, security decision makers gain a holistic view of the cyber risk landscape and the greatest risks to their enterprise.
Here are four key areas where threat intelligence helps security leaders make decisions:
- Mitigation — Threat intelligence helps security leaders prioritize the vulnerabilities and weaknesses that threat actors are most likely to target, giving context on the TTPs those threat actors use, and therefore the weaknesses they tend to exploit.
- Communication — CISOs are often challenged by the need to describe threats and justify countermeasures in terms that will motivate non-technical business leaders, such as cost, impact on customers, and new technologies. Threat intelligence provides powerful ammunition for these discussions, such as the impact of similar attacks on companies of the same size in other industries, or trends and intelligence from the dark web indicating that the enterprise is likely to be targeted.
- Supporting leaders — Threat intelligence can provide security leaders with a real-time picture of the latest threats, trends, and events, helping security leaders respond to a threat or communicate the potential impact of a new threat type to business leaders and board members in a timely and efficient manner.
- The security skills gap — CISOs must make sure the IT organization has the human resources to carry out its mission. But cybersecurity’s skills shortage means existing security staff frequently cope with unmanageable workloads. Threat intelligence automates some of the most labor-intensive tasks, rapidly collecting data and correlating context from multiple intelligence sources, prioritizing risks, and reducing unnecessary alerts. Powerful threat intelligence also helps junior personnel quickly “upskill” and perform above their experience level.
Reducing Third-Party Risk
Countless organizations are transforming the way they do business through digital processes. They’re moving data from internal networks to the cloud, and gathering more information than ever before.
Making data easier to collect, store, and analyze is certainly changing many industries for the better, but this free flow of information comes with a price. It means that to assess the risk of our own organization, we also have to consider the security of our partners, vendors, and other third parties.
Unfortunately, many of the most common third-party risk management practices employed today are lagging behind security requirements. Static assessments of risk, like financial audits and security certificate verifications, are still important, but they often lack context and aren’t always timely. There’s a need for a solution that offers real-time context on the actual threat landscape.
Threat intelligence is one way to do just that. It can provide transparency into the threat environments of the third parties you work with, providing real-time alerts on threats and changes to their risks and giving you the context you need to evaluate your relationships.
The Cyber Threat Intelligence Cycle
So, how does threat intelligence get produced? Raw data is not the same thing as intelligence — threat intelligence is the finished product that comes out of a six-part cycle of data collection, processing, and analysis. This process is a cycle because new questions and gaps in knowledge are identified during the course of developing intelligence, leading to new collection requirements being set. An effective intelligence program is iterative, becoming more refined over time.
To maximize the value of the threat intelligence you produce, it’s critical that you identify your use cases and define your objectives before doing anything else.
1. Planning and Direction
The first step to producing actionable threat intelligence is to ask the right question.
The questions that best drive the creation of actionable threat intelligence focus on a single fact, event, or activity — broad, open-ended questions should usually be avoided.
Prioritize your intelligence objectives based on factors like how closely they adhere to your organization’s core values, how big of an impact the resulting decision will have, and how time sensitive the decision is.
One important guiding factor at this stage is understanding who will consume and benefit from the finished product — will the intelligence go to a team of analysts with technical expertise who need a quick report on a new exploit, or to an executive that’s looking for a broad overview of trends to inform their security investment decisions for the next quarter?
2. Collection
The next step is to gather raw data that fulfills the requirements set in the first stage. It’s best to collect data from a wide range of sources — internal ones like network event logs and records of past incident responses, and external ones from the open web, the dark web, and technical sources.
Threat data is usually thought of as lists of IoCs, such as malicious IP addresses, domains, and file hashes, but it can also include vulnerability information, such as the personally identifiable information of customers, raw code from paste sites, and text from news sources or social media.
3. Processing
Once all the raw data has been collected, you need to sort it, organizing it with metadata tags and filtering out redundant information or false positives and negatives.
Today, even small organizations collect data on the order of millions of log events and hundreds of thousands of indicators every day. It’s too much for human analysts to process efficiently — data collection and processing have to be automated to begin making any sense of it.
Solutions like SIEMs are a good place to start because they make it relatively easy to structure data with correlation rules that can be set up for a few different use cases, but they can only take in a limited number of data types.
If you’re collecting unstructured data from many different internal and external sources, you’ll need a more robust solution. Recorded Future uses machine learning and natural language processing to parse text from millions of unstructured documents across seven different languages and classify them using language-independent ontologies and events, enabling analysts to perform powerful and intuitive searches that go beyond bare keywords and simple correlation rules.
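The processing step described above (sorting raw collection, tagging it with metadata, and filtering out redundant entries and false positives) is shown below for the simplest kind of input, indicator feeds. This is an added example and not Recorded Future's processing pipeline: the two feed texts, their source names, the separators and defanging conventions, and the allowlist of known-benign names are all constructed.

```python
"""Normalizing raw indicator feeds into a tagged, de-duplicated set
(added example, not Recorded Future code).

The two feed texts, their source names and the allowlist are constructed;
the feed formats (comma- and pipe-separated, some entries defanged) are
assumptions chosen to show the processing step, not any vendor's format.
"""
import re
from urllib.parse import urlparse

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
MD5 = re.compile(r"^[0-9a-f]{32}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")

FEED_A = """# source A (constructed): value,tag
203.0.113.7,c2
evil-login[.]example,phishing
EVIL-LOGIN.example,phishing
d41d8cd98f00b204e9800998ecf8427e,malware
"""
FEED_B = """# source B (constructed): value | tag
203.0.113.7 | scanner
hxxp://evil-login[.]example/kit.zip | phishing
example.com | suspicious
999.1.1.1 | c2
"""
# Known-benign names that show up in feeds as false positives (constructed).
ALLOWLIST = {"example.com"}


def refang(raw: str) -> str:
    """Undo common defanging so the value can be matched and compared."""
    v = raw.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        v = v.replace(old, new)
    return v


def classify(value: str) -> str:
    """Return the indicator type, or 'unknown' if the value fits no pattern."""
    if value.startswith(("http://", "https://")):
        return "url"
    if IPV4.match(value):
        return "ipv4"
    if SHA256.match(value):
        return "sha256"
    if MD5.match(value):
        return "md5"
    if DOMAIN.match(value):
        return "domain"
    return "unknown"


def parse_feed(text: str, source: str, sep: str):
    """Yield (raw_value, tag, source) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, _, tag = line.partition(sep)
        yield value.strip(), (tag.strip() or "untagged"), source


def host_of(kind: str, value: str) -> str:
    """The name to check against the allowlist: the URL host, or the value itself."""
    return (urlparse(value).hostname or "") if kind == "url" else value


def build_indicator_set(feeds, allowlist=ALLOWLIST):
    """Merge feeds into {(type, value): {"sources": set, "tags": set}} plus stats."""
    merged = {}
    stats = {"kept": 0, "duplicates": 0, "rejected": 0, "allowlisted": 0}
    for text, source, sep in feeds:
        for raw, tag, src in parse_feed(text, source, sep):
            value = refang(raw)
            kind = classify(value)
            if kind == "unknown":
                stats["rejected"] += 1     # malformed: not an indicator we can act on
                continue
            if host_of(kind, value) in allowlist:
                stats["allowlisted"] += 1  # known false positive
                continue
            key = (kind, value)
            if key in merged:
                stats["duplicates"] += 1   # same indicator again: merge metadata only
            else:
                merged[key] = {"sources": set(), "tags": set()}
            merged[key]["sources"].add(src)
            merged[key]["tags"].add(tag)
    stats["kept"] = len(merged)
    return merged, stats


FEEDS = [(FEED_A, "source-a", ","), (FEED_B, "source-b", "|")]

if __name__ == "__main__":
    indicators, stats = build_indicator_set(FEEDS)
    for (kind, value), meta in sorted(indicators.items()):
        print(f"{kind:<7} {value:<40} sources={sorted(meta['sources'])} tags={sorted(meta['tags'])}")
    print(stats)
```

The merged record keeps every source that reported an indicator, which is exactly the metadata a later scoring step needs (one source versus several), while the rejected and allowlisted counts give a quick health check on the feed itself.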
4. Analysis
The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.
Threat intelligence can take many forms depending on the initial objectives and the intended audience, but the idea is to get the data into a format that the audience will understand. This can range from simple threat lists to peer-reviewed reports.
5. Dissemination
The finished product is then distributed to its intended consumers. For threat intelligence to be actionable, it has to get to the right people at the right time.
It also needs to be tracked so that there is continuity between one intelligence cycle and the next and the learning is not lost. Use ticketing systems that integrate with your other security systems to track each step of the intelligence cycle — each time a new intelligence request comes up, tickets can be submitted, written up, reviewed, and fulfilled by multiple people across different teams, all in one place.
6. Feedback
The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered. This drives the objectives and procedures of the next intelligence cycle, again making documentation and continuity essential.
If you wish to delve deeper into how this cycle functions, we invite you to check out our post on the Cyber Threat Intelligence LifeCycle, where we explore the phases in detail and provide insights on optimizing each stage for enhanced security posture.
The 6 Phases of the Threat Intelligence Lifecycle
On your journey to security intelligence, comprehensive, real-time intelligence must be woven tightly into your security processes, third-party risk management program, and brand protection strategy. But in order to get there, how can you develop threat intelligence that truly adds value to your organization? And how can you ensure the intelligence you deliver is actionable for teams across security functions?
To answer these questions, it’s important to view threat intelligence production as a multi-step, cyclical process — not a point-in-time task.
First, the goals of the cyber threat intelligence cycle must be defined by key stakeholders. These objectives may vary widely from organization to organization depending on use cases, priorities, and risk. From there, data must be gathered from a range of sources — internal, technical, and human — to develop a complete picture of potential and actual cyber threats. Then, this data must be processed and turned into actual intelligence that is timely, clear, and actionable for everyone — whether they’re staffing a SOC, responding to security incidents, managing vulnerabilities, analyzing third-party risk, protecting your digital brand, or making high-level security decisions. This finished intelligence output then goes back to key stakeholders, who can use it to continuously improve future intelligence cycles and hone their decision-making process.
The following excerpt from “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program” has been edited and condensed for clarity. In it, we'll examine each of the six phases of the threat intelligence lifecycle, review sources of threat intelligence, and look at the roles of threat intelligence tools and human analysts.
Cyber Threat Intelligence Cycle FAQs
Why is the cyber threat intelligence cycle crucial for security teams?
The cyber threat intelligence cycle is pivotal for security teams as it provides a structured methodology to gather, analyze, and utilize threat intelligence. This cycle aids in understanding the threat landscape better, which in turn helps in preparing for and reacting to security threats efficiently. Through this cycle, actionable intelligence is generated which is instrumental in making informed decisions to bolster the organization's security posture against cyber attacks.
What are the main benefits of implementing a threat intelligence program?
Implementing a threat intelligence program empowers organizations with the capability to anticipate, prepare for, and mitigate potential security threats. This program is an integral part of the threat intelligence process, facilitating a deeper understanding of threat actors and their tactics. It thereby enables the threat intelligence team to deliver finished threat intelligence crucial for proactive defense measures. Moreover, a threat intelligence program enriches incident response strategies and fosters a culture of continuous learning and adaptation to the evolving threat landscape.
Which organizations benefit the most from the cyber threat intelligence cycle?
Organizations operating in sectors with high-value data such as finance, healthcare, and government are often prime targets for threat actors, hence they greatly benefit from the cyber threat intelligence cycle. This cycle, with its defined threat intelligence lifecycle stages, aids in intelligence collection and threat intelligence analysis, crucial for understanding and mitigating potential risks. Additionally, organizations with a significant online presence, businesses that focus heavily on uptime, or those subject to regulatory compliance also find the cyber threat intelligence cycle indispensable in navigating the complex security landscape.
What are the common challenges faced when implementing the cyber threat intelligence cycle?
The common challenges during implementation include the initial setup of a robust threat intelligence platform, ensuring continuous and relevant intelligence collection, and analyzing data accurately to generate actionable insights. The effectiveness of threat intelligence reports can be hindered by a lack of skilled personnel or inadequate resources. Furthermore, integrating the insights obtained from the threat intelligence analysis into the existing incident response procedures and ensuring a seamless flow of information can also pose significant challenges.
The Types of Threat Intelligence
As demonstrated by the intelligence lifecycle, the final product will look different depending on the initial intelligence requirements, sources of information, and intended audience. It can be helpful to break down threat intelligence into a few categories based on these criteria.
Threat intelligence is often broken down into three subcategories:
- Strategic — Broader trends typically meant for a non-technical audience
- Tactical — Outlines of the tactics, techniques, and procedures of threat actors for a more technical audience
- Operational — Technical details about specific attacks and campaigns (sometimes also called technical threat intelligence)

Tactical Threat Intelligence
Tactical threat intelligence outlines the tactics, techniques, and procedures (TTPs) of threat actors. It should help defenders understand, in specific terms, how their organization might be attacked and the best ways to defend against or mitigate those attacks. It usually includes technical context, and is used by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff.
Stakeholders and consumers of tactical threat intelligence can include:
- SOC Analysts
- IT Analysts
- Vulnerability Management Teams
- Security Architects (for integrations)
Reports produced by security vendors are often the easiest way to get tactical threat intelligence. Look for information in reports about the attack vectors, tools, and infrastructure that attackers are using, including specifics about what vulnerabilities are being targeted and what exploits attackers are leveraging, as well as what strategies and tools that they may be using to avoid or delay detection.
Tactical threat intelligence should be used to inform improvements to existing security controls and processes and speed up incident response. Because many of the questions answered by tactical intelligence are unique to your organization, and need to be answered on a short deadline — for example, “Is this critical vulnerability being exploited by threat actors targeting my industry present in my systems?” — having a threat intelligence solution that integrates data from within your own network is crucial.
Operational Threat Intelligence
Operational intelligence is knowledge about cyber attacks, events, or campaigns. It gives specialized insights that help incident response teams understand the nature, intent, and timing of specific attacks.
Stakeholders and consumers of operational threat intelligence can include:
- Security Leaders
- SOC Managers
- Threat Hunters
- Cyber Threat Intelligence Teams
- Incident Responders
Because this usually includes technical information — information like what attack vector is being used, what vulnerabilities are being exploited, or what command and control domains are being employed — this kind of intelligence is also referred to as technical threat intelligence. A common source of technical information is threat data feeds, which usually focus on a single type of indicator, like malware hashes or suspicious domains.
But if technical threat intelligence is strictly thought of as deriving from technical information like threat data feeds, then technical and operational threat intelligence are not totally synonymous — more like a Venn diagram with huge overlaps. Other sources of information on specific attacks can come from closed sources like the interception of threat group communications, either through infiltration or breaking into those channels of communication.
Consequently, there are a few barriers to gathering this kind of intelligence:
- Access — Threat groups may communicate over private and encrypted channels, or require some proof of identification. There are also language barriers with threat groups located in foreign countries.
- Noise — It can be difficult or impossible to manually gather good intelligence from high-volume sources like chat rooms and social media.
- Obfuscation — To avoid detection, threat groups might employ obfuscation tactics like using codenames.
Threat intelligence solutions that rely on machine learning processes for automated data collection on a large scale can overcome many of these issues when trying to develop effective operational threat intelligence. A solution that uses natural language processing, for example, will be able to gather information from foreign-language sources without needing human expertise to decipher it.
Strategic Threat Intelligence
Strategic threat intelligence provides a broad overview of an organization’s threat landscape. It’s intended to inform high-level decisions made by executives and other decision-makers at an organization — as such, the content is generally less technical and is presented through reports or briefings. Good strategic intelligence should provide insight into areas like the risks associated with certain lines of action, broad patterns in threat actor tactics and targets, and geopolitical events and trends.
Stakeholders and consumers of strategic intelligence can include:
- C-Suite (CISO, CIO, CSO, CTO)
- Board Members
- Senior VPs
- Intelligence Leaders (Cyber and Physical)
Common sources of information for strategic threat intelligence include:
- Policy documents from nation-states or nongovernmental organizations
- News from local and national media, industry- and subject-specific publications, or other subject-matter experts
- White papers, research reports, and other content produced by security organizations
Producing strong strategic threat intelligence starts with asking focused, specific questions to set the intelligence requirements. It also takes analysts with expertise outside of typical cybersecurity skills — in particular, a strong understanding of sociopolitical and business concepts.
Although the final product is non-technical, producing effective strategic intelligence takes deep research through massive volumes of data, often across multiple languages. That can make the initial collection and processing of data too difficult to perform manually, even for those rarefied analysts who possess the right language skills, technical background, and tradecraft. A threat intelligence solution that automates data collection and processing helps reduce this burden and allows analysts who do not have as much expertise to work more effectively.
Machine Learning for Better Threat Intelligence
Data processing takes place at a scale today that requires automation to be comprehensive. Combine data points from many different types of sources — including open, dark web, and technical sources — to form the most robust picture possible.
Recorded Future uses machine learning techniques in four ways to improve data collection and aggregation — to structure data into categories, to analyze text across multiple languages, to provide risk scores, and to generate predictive models.
1. To structure data into entities and events
Ontology has to do with how we split concepts up and how we group them together. In data science, ontologies represent categories of entities based on their names, properties, and relationships to each other, making them easier to sort into hierarchies of sets. For example, Boston, London, and Gothenburg are all distinct entities that will also fall under the broader “city” entity.
If entities represent a way to sort physically distinct concepts, then events sort concepts over time. Recorded Future events are language independent — something like “John visited Paris,” “John took a trip to Paris,” “Джон прилетел в Париж,” and “John a visité Paris” are all recognized as the same event.
Ontologies and events enable powerful searches over categories, letting analysts focus on the bigger picture rather than having to manually sort through data themselves.
2. To structure text in multiple languages through natural language processing
With natural language processing, entities and events are able to go beyond bare keywords, turning unstructured text from sources across different languages into a structured database.
The machine learning driving this process can separate advertising from primary content, classify text into categories like prose, data logs, or code, and disambiguate between entities with the same name (like “Apple” the company, and “apple” the fruit) by using contextual clues in the surrounding text.
This way, the system can parse text from millions of documents daily across seven different languages — a task that would require an impractically large and skilled team of human analysts to do. Saving time like this helps IT security teams work 32 percent more efficiently with Recorded Future.
3. To classify events and entities, helping human analysts prioritize alerts
Machine learning and statistical methodology are used to further sort entities and events by importance — for example, by assigning risk scores to malicious entities.
Risk scores are calculated through two systems: one driven by rules based on human intuition and experience, and the other driven by machine learning trained on an already vetted dataset.
Classifiers like risk scores provide both a judgment (“this event is critical”) and context explaining the score (“because multiple sources confirm that this IP address is malicious”).
Automating how risks are classified saves analysts time sorting through false positives and deciding what to prioritize, helping IT security staff who use Recorded Future spend 34 percent less time compiling reports.
4. To forecast events and entity properties through predictive models
Machine learning can also generate models that predict the future, oftentimes much more accurately than any human analysts, by drawing on the deep pools of data previously mined and categorized.
This is a particularly strong “law of large numbers” application of machine learning — as we continue to draw on more sources of data, these predictive models will become more and more accurate.
Cyber Threat Intel FAQs
What are some examples of threat intel usage?
Examples of threat intel usage include identifying emerging cyber threats to better understand the cyber threat landscape, identifying indicators of compromise (IOCs) so that security incidents can be detected and responded to promptly, and informing decision making with evidence-based assessments to enhance security practices.
How can organizations implement cyber threat intelligence?
To implement cyber threat intel, organizations should establish a threat intelligence lifecycle to organize the collection, analysis, and dissemination of threat data. Utilizing a threat intelligence vendor can aid in aggregating and analyzing data, thereby identifying attack vectors. Furthermore, training personnel on different types of threat intel, like tactical intelligence, is crucial for effectively interpreting intelligence reports and responding to threats.
How to measure the effectiveness of cyber threat intelligence?
Measuring the effectiveness of cyber threat intelligence can be achieved by monitoring the rate at which cyber threat intel aids in detecting and mitigating threats. Evaluating the accuracy and relevance of the intelligence reports in aiding timely response to incidents is also key. Additionally, assessing how well the intelligence informs decision making in managing cyber threat actors is crucial for ensuring the organization is well-protected.
What are the common challenges and solutions in cyber threat intelligence deployment?
Common challenges in cyber threat intel deployment include data overload and false positives. Solutions may involve employing artificial intelligence to filter and prioritize threat data, and enhancing collaboration between different organizational units for better threat intel utilization, which in turn improves the organization's ability to detect and respond to threats.
What are the latest trends and developments in cyber threat intelligence?
The latest trends and developments in cyber threat intel involve the integration of artificial intelligence and machine learning for automated analysis and prediction of cyber threat actors and emerging cyber threats. There's a growing emphasis on collaborative and shared threat intel platforms to better understand and mitigate evolving threats in the cyber threat landscape, which is instrumental in improving the organization's security posture.
Why is the cyber threat intelligence cycle crucial for security teams?
The cyber threat intelligence cycle is pivotal for security teams as it provides a structured methodology to gather, analyze, and utilize threat intelligence. This cycle aids in understanding the threat landscape better, which in turn helps in preparing for and reacting to security threats efficiently. Through this cycle, actionable intelligence is generated which is instrumental in making informed decisions to bolster the organization's security posture against cyber attacks.
What are the main benefits of implementing a threat intelligence program?
Implementing a threat intelligence program empowers organizations with the capability to anticipate, prepare for, and mitigate potential security threats. This program is an integral part of the threat intelligence process, facilitating a deeper understanding of threat actors and their tactics. It thereby enables the threat intelligence team to deliver finished threat intelligence crucial for proactive defense measures. Moreover, a threat intelligence program enriches incident response strategies and fosters a culture of continuous learning and adaptation to the evolving threat landscape.
Which organizations benefit the most from the cyber threat intelligence cycle?
Organizations operating in sectors with high-value data such as finance, healthcare, and government are often prime targets for threat actors, hence they greatly benefit from the cyber threat intelligence cycle. This cycle, with its defined threat intelligence lifecycle stages, aids in intelligence collection and threat intelligence analysis, crucial for understanding and mitigating potential risks. Additionally, organizations with a significant online presence, businesses that focus heavily on uptime, or those subject to regulatory compliance also find the cyber threat intelligence cycle indispensable in navigating the complex security landscape.
What are the common challenges faced when implementing the cyber threat intelligence cycle?
The common challenges during implementation include the initial setup of a robust threat intelligence platform, ensuring continuous and relevant intelligence collection, and analyzing data accurately to generate actionable insights. The effectiveness of threat intelligence reports can be hindered by a lack of skilled personnel or inadequate resources. Furthermore, integrating the insights obtained from the threat intelligence analysis into the existing incident response procedures and ensuring a seamless flow of information can also pose significant challenges.
The Cyber Kill Chain And How to Use It
Key Takeaways
- Many people believe threat intelligence is primarily about identifying attacks before they happen. In reality, it’s much more about raising your organization’s security profile against all incoming attacks.
- Different types of threat actors select targets in very different ways. As a rule, the more specific their targeting process, the harder it will be to collect threat intelligence at the pre-planning stage.
- While threat intelligence can add value at every stage of the kill chain, it’s typically in the form of malicious IP/domain/hash lists and post mortem attack analyses.
- It’s not just about incident response. In order to add maximum value, threat intelligence should be made available across your security function.
- Without context, threat intelligence quickly becomes unmanageable. Ensure you’re providing your threat analysts with the tools they need to operate effectively.
Before you start gathering threat intelligence, you must answer a simple question: “What am I trying to achieve?”
The obvious answer is “an improved cyber security profile,” but if you really want to maximize your return on investment you’ll need to be much more specific.
Cyber security is a tremendously complex operation, with many moving parts, so in order to be maximally useful your threat intelligence program must deliver intelligence that can be used to mitigate or prevent specific cyber attacks.
But cyber attacks are complex affairs in their own right. It’s not simply a case of picking a target and attacking it: the cyber attack kill chain is an established and often lengthy process, with multiple phases.
Threat Actors: An Overview
Before we look at the kill chain, it’s important to have an understanding of threat actor types.
In a previous article, we explained how threat actors can be split into four primary types. During the webinar, however, Konrad went a step further and split threat actors into six categories.

In this case, rather than arranging threat actors by levels of skill or organization, Konrad ordered them by the level of specificity typically involved in their target selection.
On the left-hand side of the image above you’ll see criminals that are all about mass targeting. A low-level criminal actor, for instance, will tend to choose targets almost at random, using mass attack vectors to spread their net as wide as they possibly can.
Even as we move closer to the middle of the scale to consider hacktivists and criminal hackers, targeting is usually based purely on industry or organization type, for example any healthcare organization, or any financial institution.
At the other end of the scale, a disgruntled employee is interested in causing damage to one specific organization. Foreign nations and competitors may cast their net a little wider, but they’re still interested in a very specific set of targets.
So why order threat actors by their target selection, rather than by the level of sophistication normally observed in their attacks? Well, when it comes to gathering intelligence, the way in which threat actors select targets has a huge bearing on the quality and quantity of threat intelligence typically available.
Threat actors on the left of the scale tend to do their targeting right out in the open. Low-level criminals, for example, often discuss their targets through dark web forums, IRC, and even Twitter. In the same vein, hacktivists routinely announce their intended targets through public channels. As a result, collecting actionable threat intelligence is very achievable.
Threat actors on the right of this scale, however, are far more secretive. Disgruntled employees are a prime example of a threat that is hard to identify through external threat intelligence (although monitoring network activity may be effective), as they invariably act alone. Foreign nations and competitors, meanwhile, have their own internal means of communication, making interception functionally impossible.
Of course, that’s not to say threat intelligence is entirely ineffective at identifying threats from these actors. More than one insider has been caught attempting to sell stolen data through dark web markets, and, if you have the expertise, there are ways to predict nation-state attacks with surprising accuracy.
As a rule, though, the more specific a threat actor’s targeting becomes, the harder it will be to gather valuable intelligence on their activity.
The Cyber Attack Kill Chain
The term 'Cyber Kill Chain', a concept and framework in cybersecurity developed by Lockheed Martin, describes the stages of a cyber attack. This model, which has its origins in military terminology, aids security teams in comprehending and countering cyber threats. It delineates the progression of steps an attacker undertakes, from reconnaissance to the command and control phase, to infiltrate a network and access sensitive data.
According to Lockheed Martin Corporation, in their white paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”:
“Through this model, defenders can develop resilient mitigations against intruders and intelligently prioritize investments in new technology or processes.”
Understanding each phase of a cyber attack is critical. This includes recognizing the deployment of malicious code and the execution of brute force attacks. Such knowledge enables security teams to enhance their security controls, vital in defending against both internal and external attacks. This comprehensive approach encompasses protecting against insider threats and ensuring the integrity of perimeter security. Additionally, integrating insights from the Diamond Model of Intrusion Analysis can further refine this understanding, offering another layer of analysis to complement the Cyber Kill Chain framework.
The Cyber Kill Chain framework is more than just a theoretical construct; it's a practical tool for intrusion prevention and a cornerstone of preventing security breaches. Whether the goal is building protective controls around each phase or recognizing the signs of an attack progressing through the chain, this methodology equips professionals with the knowledge to thwart cyber attacks. For organizations, it represents a proactive measure against ever-present and evolving cyber threats, supporting both internal and external attack prevention strategies.

When they consider threat intelligence, most people think about uncovering threat actors’ plans, and foiling incoming attacks before they start. But while that is a highly valuable function of threat intelligence, it’s far from being the only application.
Among other things, threat intelligence offers:
- Information on the latest vulnerabilities
- Threat actor tactics, techniques, and procedures (TTPs)
- Lists of malicious IPs, domains, and hashes
- Indicators of compromise (IOCs)
- Past attack forensics
- Evidence of leaked information
In short, threat intelligence is useful not simply for thwarting individual attacks, but for improving your organization’s security profile against all future attacks.
7 Phases of The Cyber Kill Chain Model
For now, though, let’s assume you are looking to identify and block specific incoming attacks. For a cyber attack to be successful, it will typically need to go through seven discrete stages, and at each of these stages there are opportunities to gather actionable threat intelligence.
1. Target Selection
Before anything else can happen, threat actors must select a target. Naturally, the organization they choose to attack will reflect their motive.
Cyber criminals and criminal hackers, for instance, are almost always financially motivated, and historically have targeted everything from banks and online payment companies to small businesses and sports clubs. At the other end of the scale, state actors will have a very specific set of targets based on the content of their nation’s five-year plan.
As already mentioned, many hackers, particularly low-level cyber criminals, pick their targets in public or semi-public forums. Hacktivists, similarly, tend to announce their targets publicly as part of their agenda.
But whether or not threat actors discuss their targets openly, threat intelligence plays a vital role at this stage of the cyber attack kill chain. As already mentioned, there will be times when you’re able to identify and thwart an incoming attack before it happens, but in all honesty that’s not the primary benefit of threat intelligence.
Instead, threat intelligence can help you understand which attackers are most likely to target your organization, enabling you to prepare your defenses in advance. As a small organization with high employee satisfaction, for instance, you’re unlikely to be targeted by nation states, insiders, competitors, or hacktivists, but very likely to be targeted by common cyber criminals and hackers.
No matter how large your organization, there is always going to be a limit to the resources that can be allocated to security. Understanding the types of threat actors most likely to target your organization is a crucial first step in allocating your security budget.
2. Target Research
During the second stage of the cyber attack kill chain, threat actors attempt to learn as much as possible about their intended target. And as Konrad explained during the webinar, for the most part this process happens in private.
Of course, with some lower-level threat actors, some research may be conducted through dark web forums and IRC channels, and in those instances threat intelligence may provide a valuable early warning. Most of the time, however, threat intelligence will have little to offer during this stage of a cyber attack.
3. Attack Plans
Once a target has been selected and researched, threat actors will select an attack vector. Unsurprisingly, this tends not to be something that happens in the open, making the chances of using threat intelligence to catch an incoming attack at this stage exceedingly minimal.
But, once again, threat intelligence isn’t really about detecting specific attacks. One of its most valuable functions, in fact, is in learning about current threat actor TTPs.
Once you know which threat actors are most likely to target your organization, the next logical step is to use threat intelligence to identify who, when, and how they typically attack. Most threat actors have preferred attack vectors, such as spear phishing or browser attacks, and knowing this can be a huge help when planning defenses and allocating security resources.
Another hugely valuable product of threat intelligence comes in the form of post-mortem analysis of past attacks, which can help your analysts understand exactly how threat actors have conducted successful attacks against similar organizations. For example, threat intelligence can help you understand precisely how the latest malware variants function, making the task of tightening your technical controls much more achievable.
4. Gaining a Foothold
Of course, once all the planning is done, threat actors have a job to do: compromise your network.
To do this, they’ll generally use an initial attack to gain a foothold inside your network. This could, for example, be a phishing attack that tricks a user into downloading malware, or giving up their credentials.
Of all the stages of the cyber attack kill chain, this is perhaps the area in which the most valuable intelligence is available. A powerful threat intelligence capability will provide you with a constantly updating set of IPs, domains, and hashes that are associated with malicious activity, as well as the latest post-mortem analysis of each discrete attack vector.
With all that intelligence at your fingertips, tightening your technical controls to thwart the vast majority of incoming attacks is very achievable, particularly if your analysts have access to a tool that can help them quickly triage potential threats. Even better, if an attack does bypass your technical controls, your incident response team will be armed with everything they need (IOCs, etc.) to identify compromised assets before serious harm is done.
5. Reach Objectives
It’s important to understand that tricking a user into downloading malware doesn’t automatically grant a threat actor access to your network. At this stage in the kill chain, assuming their attack is successful, the threat actor achieves a minor compromise of your network, perhaps by taking control of a terminal or user account.
This stage of the kill chain is largely reliant on your technical controls, which should already have been tightened based on past attack forensics and other related intelligence. If you haven’t been able to identify and block the attack at stage four, though, you’ll need to focus on network activity to spot the attack before it goes any further.
Once again, using threat intelligence to identify malicious activity will add tremendously to your chances of quickly separating false positives from real threats, but only if you employ a tool that can take the brunt of the work out of analysts’ hands.
6. Command and Control (C2)
Many cyber attacks, particularly those that rely on malware, depend on a process called “command and control.” The malicious payload, once it has gained a foothold within the target network, sends communications back to a server owned (or compromised) by the threat actor.
The reason for this is simple: While malware is designed to exploit specific vulnerabilities to compromise a target, it usually isn’t pre-programmed to act independently once the infection has taken place. Instead, threat actors make use of C2 servers to remotely control their infection and achieve their end goal.
Once again, threat intelligence has a role to play in blocking these communications. New servers are constantly being identified as malicious, so if you have an effective threat intelligence capability and routinely monitor network activity there’s a strong chance you’ll be able to block an attack if it gets to this stage.
7. Actions on Objectives
Once a threat actor has the access they need, it’s time for them to do the deed they came for. Depending on the type of actor, this could be anything from stealing funds, to destroying data, to committing espionage.
Realistically, if an attack gets to this stage, it’s going to be difficult to prevent it. With that said, post-mortem analysis of past attacks can help you to identify anomalous behavior, which alongside honeypots and darknets may be enough for your incident response team to contain the threat before too much damage is done.
Equally, if data or sensitive assets are stolen, threat intelligence can often provide an early warning system by alerting you when they turn up for sale on dark web markets. There have been many such cases where organizations have successfully worked with law enforcement to prevent these sales, which can drastically limit the damage caused by a successful attack.

Real-life Use cases for the Cyber Kill Chain Model
A comprehensive study conducted by Glorin Sebastian from the Georgia Institute of Technology, utilizing the Lockheed Martin Cyber Kill Chain model, revealed critical insights into several high-profile data breaches. This research meticulously traced the stages of these breaches, from reconnaissance to the final actions on objectives, offering a detailed understanding of how each attack unfolded and the key vulnerabilities exploited. The analysis covered the following breaches:
- Equifax Breach (May 13 - July 30, 2017): This breach, caused by delayed patching of a known vulnerability in Apache Struts, led to the compromise of personal data of millions.
- Target Breach (November 2013): A supply chain attack that began with a phishing email to a vendor, leading to the theft of credit card information from over 110 million customers.
- Yahoo Breach (Late 2014): Stemming from a spear-phishing attack on an employee, this breach compromised at least 500 million user accounts, making it one of the largest breaches in history.
- Sands Casino Attack (February 2014): A politically motivated attack by nation-state actors, exploiting a vulnerability in a test version of the casino’s website.
- Atlanta & Not Petya Case (March 22, 2018): This ransomware attack, using the SamSam virus, significantly disrupted the city of Atlanta's IT infrastructure.
Sebastian's research uses these breaches to demonstrate the practical application of the Cyber Kill Chain model in cybersecurity. Each case highlights different aspects of cyber threats and the importance of comprehensive security strategies across various stages of an attack.
What Are Threat Intelligence Feeds?
Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks.
Feeds are usually made up of simple indicators or artifacts, and individual feeds usually focus on a single area of interest. For example, a feed might present a stream of information on:
- Suspicious domains
- Lists of known malware hashes
- IP addresses associated with malicious activity
With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example.
Open Source Threat Intelligence Feeds (OSINT)
These feeds aggregate publicly available data from blogs, forums, and other open sources. They are usually free but can require a significant amount of time and expertise to sift through and identify relevant information.
Commercial (Paid) Threat Intelligence Feeds
These are provided by commercial vendors and often come with a subscription fee. They offer curated and often real-time intelligence, and usually provide a higher level of detail compared to open source feeds.
Industry-Specific Threat Intelligence Feeds
These feeds focus on threats relevant to specific industries. They can be either open source or paid, and are valuable for organizations looking for insights on threats pertinent to their particular sector. Some examples include Google Safe Browsing or VirusTotal.
Government and Non-Governmental Organization (NGO) Threat Intelligence Feeds
Governments and NGOs sometimes provide threat intelligence feeds to help organizations within their jurisdiction or sector stay informed about relevant cyber threats. These feeds can be either freely available or provided at a cost, and might also include sharing platforms for mutual exchange of threat intelligence among different entities. Examples include the Department of Homeland Security’s Automated Indicator Sharing program, or the FBI InfraGard project.
While all four of these types of threat intelligence feeds offer valuable data, relying solely on feeds can lead to a narrow view of the threat landscape. The crucial step lies in meticulously analyzing, enriching, and integrating this data within a broader cybersecurity framework, transitioning it from mere information to actionable insights for robust threat detection and response. TechTarget highlights the value of threat intel feeds by stating: “Properly integrating threat intelligence feeds helps to rapidly detect and identify nascent attack techniques”.
5 Benefits of Cyber Threat Intelligence Feeds
- Informed Decision-Making: Make empowered cybersecurity decisions with the enriched data provided by threat intelligence feeds, aiding in the identification and mitigation of potential risks.
- Efficiency & Resource Allocation: Automate routine data collection and analysis tasks through threat intelligence feeds, allowing IT staff to focus on higher-priority activities, and ensuring optimum resource allocation.
- Enhanced Incident Response: Utilize the contextual insights from threat intelligence feeds to prioritize and respond to incidents more effectively, improving the overall incident response workflow.
- Proactive Security Measures: Leverage the intelligence provided to bolster defenses and prepare for specific threats, enhancing the organization's proactive security measures and readiness against potential cyber attacks.
- Improved Speed: Access real-time threat insights through threat feeds, enabling swift response to emerging threats, and maintaining a step ahead of adversaries in the fast-evolving cybersecurity landscape.
Making Cyber Threat Intelligence Feeds Actionable
For feeds and threat information to be actionable, they generally need to carry useful content, be enriched with supporting information, and be easily integrated into security platforms so that the external information they provide can be correlated with your internal telemetry, allowing you to identify potential attacks.
Once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If analysts determine that a new security control is needed (like a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.
Without more comprehensive solutions, each alert will still need to be manually triaged. But the tools that consolidate and combine the right feeds can free up a huge amount of analyst time to focus on producing more complex threat intelligence. And some threat intelligence solutions can automatically resolve more routine alerts.
Threat Data: Evaluating Threat Feed Analytics
Because feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of whoever’s consuming them, rather than reduce it. So selecting the right threat feeds and correlating the information properly means setting intelligence goals first and then prioritizing threat information based on those goals.
Assess your organization’s capabilities and goals by asking questions like:
- What does our network infrastructure look like?
- What risks are unique to our industry?
- What is our current security posture, including our budget and resources available to devote to producing and applying threat intelligence?
With that framework in mind, assess the feeds and information you may want to use according to these criteria:
- Data Source: Cyber threat intelligence feeds get their data from sources like customer telemetry, scanning and crawling open sources (a practice known as Open Source Intelligence, or OSINT), honeypots or deception operations, malware processing, and human-produced intelligence. Not all of these sources may be relevant — prioritizing threat intelligence feeds with information that is credible and gives you insight into threats that matter to you is critical.
- Percentage of Unique Data: Some paid feeds are just collections of data coming from free feeds, meaning you’re just paying for curation.
- Periodicity of Data: How long is the data relevant? Is it related to specific, immediate activity, or more strategic intelligence on long-term trends?
- Transparency of Sources: Knowing where the data is coming from will help you evaluate its relevance and usefulness.
- Return on Investment: Calculating the ROI of a particular feed will usually involve tracking the correlation rate, which is the percentage of alerts that correspond with your internal telemetry in a given week, month, or quarter.
Beyond this, you could go a step further and track the effectiveness of any new security controls created as a result of each feed. For instance, a new security control resulting in more malicious connection attempts being blocked reflects positively on the feed that informed it.
All of this assumes that you have a tracking process in place. Most threat intelligence and SIEM platforms include these types of monitoring functions, particularly if they have access to your network telemetry, so if you have the option, this is certainly the easiest way to go — manual tracking is possible but cumbersome.
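As an added example (not Recorded Future's code or any product's), the following Python script ties together the correlation workflow described under "Making Cyber Threat Intelligence Feeds Actionable", the evaluation criteria above (percentage of unique data, correlation rate), and the "judgment plus context" idea from the machine learning section: constructed feeds and constructed telemetry are correlated into alerts whose rule-based score rises with the number of independent feeds confirming an indicator, and each feed then receives a unique-data share and a correlation rate. All feed names, indicator values (documentation address ranges and reserved domain names) and log events are constructed, not real indicators.

```python
"""Added example: correlate threat-feed indicators with internal telemetry,
emit alerts that carry a judgment plus the evidence behind it, and compute
per-feed evaluation metrics. Not vendor code; all data below is constructed."""
from collections import defaultdict

# Constructed sample feeds: feed name -> list of (indicator_type, value).
# Values use RFC 5737 documentation ranges and reserved names, not real IoCs.
FEEDS = {
    "free_feed_a": [
        ("ip", "203.0.113.7"),
        ("ip", "198.51.100.23"),
        ("domain", "update-check.example"),
    ],
    "free_feed_b": [
        ("ip", "203.0.113.7"),            # also listed by free_feed_a
        ("domain", "cdn-assets.invalid"),
        ("sha256", "a" * 64),             # constructed placeholder hash
    ],
    "paid_feed_c": [                      # repackages the free feeds only
        ("ip", "203.0.113.7"),
        ("ip", "198.51.100.23"),
        ("domain", "update-check.example"),
    ],
}

# Constructed internal telemetry: one dict per event (firewall, DNS, EDR).
TELEMETRY = [
    {"source": "firewall", "host": "ws-042", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"source": "dns", "host": "ws-042", "query": "update-check.example"},
    {"source": "firewall", "host": "srv-db-01", "dst_ip": "192.0.2.55", "dst_port": 443},
    {"source": "edr", "host": "ws-017", "sha256": "b" * 64},
]

# Which telemetry field each indicator type is compared against.
TELEMETRY_FIELDS = {"ip": "dst_ip", "domain": "query", "sha256": "sha256"}


def index_feeds(feeds):
    """Map (indicator_type, value) -> set of feed names that list it."""
    index = defaultdict(set)
    for name, entries in feeds.items():
        for ind_type, value in entries:
            index[(ind_type, value)].add(name)
    return index


def correlate(feeds, telemetry):
    """Return one alert per telemetry event that matches a feed indicator.

    The score is rule-based: a base of 40, plus 20 per independent feed that
    confirms the indicator, capped at 100. The context string states why, so
    an analyst sees both the judgment and the evidence behind it."""
    index = index_feeds(feeds)
    alerts = []
    for event in telemetry:
        for ind_type, field in TELEMETRY_FIELDS.items():
            value = event.get(field)
            if value is None:
                continue
            sources = index.get((ind_type, value))
            if not sources:
                continue
            confirming = sorted(sources)
            alerts.append({
                "host": event["host"],
                "indicator": f"{ind_type}:{value}",
                "score": min(100, 40 + 20 * len(confirming)),
                "feeds": confirming,
                "context": f"{len(confirming)} feed(s) list this {ind_type}: "
                           + ", ".join(confirming),
            })
    return alerts


def feed_metrics(feeds, alerts):
    """Per feed: share of indicators listed by no other feed (unique data),
    and correlation rate, taken here as the share of the feed's indicators
    that were actually observed in internal telemetry for the period."""
    index = index_feeds(feeds)
    matched = {a["indicator"] for a in alerts}
    metrics = {}
    for name, entries in feeds.items():
        unique = sum(1 for entry in entries if index[entry] == {name})
        hits = sum(1 for t, v in entries if f"{t}:{v}" in matched)
        metrics[name] = {
            "unique_pct": round(100 * unique / len(entries)),
            "correlation_pct": round(100 * hits / len(entries)),
        }
    return metrics


if __name__ == "__main__":
    found = correlate(FEEDS, TELEMETRY)
    for alert in found:
        print(f"{alert['host']}: {alert['indicator']} score={alert['score']} "
              f"({alert['context']})")
    for feed, m in feed_metrics(FEEDS, found).items():
        print(f"{feed}: unique={m['unique_pct']}% correlation={m['correlation_pct']}%")
```

On the constructed data, paid_feed_c scores 0% unique data, which is exactly the "paying for curation" situation the criteria above warn about.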
Contextual Threat Intelligence for Security Teams
When they first appeared, threat intelligence feeds constituted a huge leap forward, enabling security professionals to manage higher levels of relevant information than ever before. As the cyber threat intelligence cycle evolved, it became apparent that the abundance of free feeds in particular became “noisy” and filled with errors and false positives. These issues, coupled with the sheer volume of data available, started to pose problems.
Instead of viewing dozens of feeds separately, using a threat intelligence platform not only combines them all but also curates them and compares them against your internal telemetry, generating customized alerts for your incident response and threat intelligence team.
The most powerful intelligence platforms, like the Recorded Future Intelligence Cloud, automatically curate intelligence feeds, sifting through data to identify and prioritize threat intelligence for your organization to action.
Threat Intelligence Feed FAQ
What is an example of a Threat Intelligence Feed?
An example of a threat intelligence feed is the URLhaus project, which is an Open Source Threat Intelligence feed (OSINT) that collects, tracks, and shares malware URLs, aiding security teams in identifying malicious websites. This is one of many threat intelligence feeds available that help in staying updated on the cybersecurity threats landscape.
How do you create a Threat Feed?
Creating a threat feed involves several steps. Initially, it's essential to collect data from various sources like logs, network traffic, and external intelligence sources. Security tools can then be employed to analyze and filter this data, identifying relevant threat intelligence data. This data is then formatted into threat intelligence feeds formats which can be integrated into threat intelligence platforms, aiding in threat hunting and analysis.
What is an Intelligence Feed? Is it different from a Threat Intelligence Feed?
An Intelligence Feed is a broader term that encompasses various types of data feeds, not limited to cybersecurity. On the other hand, a Threat Intelligence Feed is a subset of intelligence feeds, specifically focused on providing data about cybersecurity threats, such as malware signatures, malicious IP addresses, and activities of threat actors. It helps security analysts and other cybersecurity professionals in identifying and mitigating potential threats.
What’s the difference between Threat Feeds vs. Threat Intel Feeds?
The terms "Threat Feeds" and "Threat Intel Feeds" are often used interchangeably. However, they can be nuanced; Threat Feeds might refer to raw data about emerging threats, while Threat Intel Feeds imply a level of analysis or context has been added to the raw data to provide actionable intelligence. This actionable intelligence is crucial for security teams to devise actual threat strategies. Threat reports generated from Threat Intel Feeds are more refined and provide insights that aid in understanding the behavior and tactics of threat actors.
Open Source Intelligence Feeds vs. Paid Intelligence Feeds: What’s the Difference?
OSINT (Open Source Intelligence) Feeds and Paid Intelligence Feeds differ in source and information range. OSINT feeds are free, community-managed, and often focus on distinct threats like malware URLs. Some notable examples of open source intelligence feeds could be URLhaus or the Spamhaus Project. On the flip side, Paid Intelligence Feeds may use open-source data but also access closed sources or aggregate various feeds for wider insights. Though they provide more data, they could overwhelm staff, risking overlooked threats. Regardless of the feed type, it's essential for the IT team to decipher the data to act on critical insights effectively.
What is a Resource Threat Feed?
A resource threat feed is a type of data feed that focuses on providing information regarding the resources that are threatened by cyber adversaries. It encompasses details about the cyber threat landscape that could impact the security infrastructure of an organization. These feeds collect data on potential vulnerabilities, ongoing attacks, and emerging threats. The information can be presented in various threat intelligence feed formats like Structured Threat Information Expression (STIX). Resource threat feeds play a crucial role in enabling security operations teams to understand the threats to their resources and take appropriate measures to safeguard them.
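The collect, filter, and format steps from the "How do you create a Threat Feed?" answer above, producing output in the STIX layout mentioned here. This is an added example, not code from the guide or any vendor; it uses only the Python standard library, and the observations, allow-list and confidence cut-off are constructed assumptions.

```python
"""Raw observations -> relevance filter -> STIX 2.1 indicator bundle.
Added example; OBSERVATIONS, ALLOWLIST and MIN_CONFIDENCE are constructed."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

MIN_CONFIDENCE = 60            # constructed threshold for the filter step
ALLOWLIST = {"corp.example"}   # constructed: our own domains are never indicators

def obs(kind, value, source, confidence, first_seen):
    # One raw observation as a collector might emit it (kind = STIX SCO type)
    return dict(type=kind, value=value, source=source,
                confidence=confidence, first_seen=first_seen)

# Constructed raw data: three real findings and three that must be filtered out
OBSERVATIONS = [
    obs("url", "http://198.51.100.7/loader.php", "honeypot", 90, "2024-03-04T10:15:00Z"),
    obs("domain-name", "c2.example", "sandbox", 80, "2024-03-04T11:00:00Z"),
    obs("url", "http://203.0.113.9/it's", "proxy", 70, "2024-03-05T08:00:00Z"),
    obs("ipv4-addr", "10.0.0.5", "proxy", 95, "2024-03-05T08:30:00Z"),          # private
    obs("url", "http://files.corp.example/x", "proxy", 85, "2024-03-05T09:00:00Z"),  # ours
    obs("domain-name", "maybe.example", "osint", 40, "2024-03-05T09:30:00Z"),    # weak
]

def stix_pattern(kind, value):
    """STIX pattern comparison; string literals escape backslash and quote."""
    lit = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"[{kind}:value = '{lit}']"

def is_relevant(o):
    """Filter step: drop weak sightings, private addresses and our own hosts."""
    if o["confidence"] < MIN_CONFIDENCE:
        return False
    if o["type"] == "ipv4-addr" and ipaddress.ip_address(o["value"]).is_private:
        return False
    host = urlparse(o["value"]).hostname or "" if o["type"] == "url" else o["value"]
    return not any(host == a or host.endswith("." + a) for a in ALLOWLIST)

def to_indicator(o, now):
    # Format step: the required STIX 2.1 Indicator properties plus confidence
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": f"{o['source']}: {o['value']}",
            "indicator_types": ["malicious-activity"],
            "pattern": stix_pattern(o["type"], o["value"]), "pattern_type": "stix",
            "valid_from": o["first_seen"], "confidence": o["confidence"]}

def build_feed(observations, now=None):
    """One STIX bundle holding an indicator per relevant observation."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [to_indicator(o, now) for o in observations if is_relevant(o)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    print(json.dumps(build_feed(OBSERVATIONS), indent=2))
```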
What is the Best Threat Intelligence Feed?
Determining the "best" threat intelligence feed largely depends on the specific needs and requirements of an individual or organization. The cyber threat intelligence field is vast, with multiple data feeds available, each catering to different aspects like strategic threat intelligence, infrastructure security, or government agency-focused intelligence.
Some feeds might offer broad analysis and insights, while others could be specialized in certain areas like Artificial Intelligence-driven analysis or industry-specific threats. Government agencies might have different preferences compared to private sector entities. The Infrastructure Security Agency, for example, may require a different set of data compared to a tech startup. Therefore, the best threat intelligence feed would be one that aligns well with the user's needs, providing relevant, actionable intelligence that aids in fortifying the security infrastructure against cyber threats.
The Diamond Model of Intrusion
The "Diamond Model of Intrusion Analysis" was initially introduced by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in a technical report for the U.S. Department of Defense in 2013. In their own words: “The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim”.
This model emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims. The main axiom of this model states, “For every intrusion event, there exists an adversary taking a step toward an intended goal by using a capability over infrastructure against a victim to produce a result.” This means that an intrusion event is defined as how the attacker demonstrates and uses certain capabilities and techniques over infrastructure against a target.

Adversary
Understanding the adversary is pivotal in decoding the threat landscape in the model of intrusion analysis. It dives into the who and why behind cyber attacks, illuminating the motivations and entities involved. This understanding enables security teams to better predict and prepare for cyber threats. The following points elaborate on this aspect:
- Origin: What is the geographical or organizational origin of the attack organizations?
- Identity: Who are the individuals or activity groups behind the attacks?
- Sponsorship: Are there any entities sponsoring or endorsing the attackers?
- Motivation: What drives the attackers to initiate the attack?
- Timeline: What is the timeline of the attackers' activities, including planning and execution?
Infrastructure
Unveiling the infrastructure employed by attackers exposes the technical backbone of malicious operations. This encompasses the compromised systems, command and control servers, and data management tactics, acting as the logical communication structures for the operations. The details are as follows:
- Compromised Systems: Identify the computers or networks that have been compromised.
- Command & Control (C2) Domains: What domain names are being used for command and control?
- C2 Server Locations: Where are the command and control servers situated?
- C2 Server Types: What types of servers are employed for command and control?
- C2 Mechanism and Structure: Detail the structure and mechanism of the command and control setup.
- Data Management and Control: How is the incoming data being managed and controlled?
- Data Leakage Paths: Identify the paths through which data leakage occurs.
Capability
Evaluating the capability of attackers provides insight into their skill set and sophistication. This assessment is crucial for security analysts to develop proactive countermeasures against potential threats. The specifics are highlighted below:
- Reconnaissance Skills: What capabilities do the attackers possess to conduct reconnaissance?
- Attack Delivery: How proficient are the attackers in delivering their attacks?
- Exploit and Vulnerability Utilization: How adept are they at exploiting vulnerabilities?
- Malware and Backdoor Deployment: What skills do they have in deploying remote-controlled malware and backdoors?
- Tool Development: How capable are they in developing and refining their tools for attack?
Target
Identifying the target underscores the attackers' ultimate objective. It covers the geographical, industrial, individual, and data spheres in the crosshairs of malicious activities. Knowledge management and threat data gathered here can be shared via threat intelligence exchange protocols to bridge intelligence gaps. The following elements shed light on this aspect:
- Target Geography: What specific countries or regions are targeted?
- Industry Sector: Are there particular industry sectors in the crosshairs?
- Individual Targets: Are certain individuals or profiles being specifically targeted?
- Data Targeting: What types of data are the attackers after?
Across these facets, the Diamond Model intersects with other planning frameworks like the linear Cyber Kill Chain Model to extend a multidimensional view. By integrating meta features and contextual indicators into the analysis, security professionals can establish clear linkages between the different components of a cyber attack, from initial reconnaissance to eventual data exfiltration.
The process also entails devising mitigation strategies based on the analysis of activity threads and diamond events, which in turn refines attack surface management. Central to the model are its centered approaches (adversary-, capability-, infrastructure-, and victim-centered analysis), which enhance incident response through better detection mechanisms and threat information sharing. This comprehensive approach not only addresses immediate threats but also cultivates a culture of continuous improvement and adaptation in the face of an evolving cyber threat landscape.
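Diamond events as data, with two of the analytic moves described above: ordering one victim's events into an activity thread along the kill chain, and pivoting on shared infrastructure to link unattributed events to a known adversary. This is an added example, not code from the original report or from the guide; every event, actor name and indicator in it is constructed.

```python
"""Diamond Model events, activity threads and an infrastructure pivot.
Added example; GroupAlpha, the victims and all indicators are constructed."""
from collections import defaultdict
from dataclasses import dataclass, replace

# Kill-chain phases, used as the meta-feature that orders a thread
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command-and-control", "actions-on-objectives"]

@dataclass(frozen=True)
class DiamondEvent:
    adversary: str       # core feature; "unknown" until attributed
    capability: str      # core feature: malware family, technique, tool
    infrastructure: str  # core feature: C2 domain, IP, delivery host
    victim: str          # core feature
    timestamp: str       # meta-feature (ISO 8601, so it sorts lexically)
    phase: str           # meta-feature: kill-chain phase

EVENTS = [
    DiamondEvent("GroupAlpha", "spearphish-pdf", "198.51.100.7", "law-firm-1", "2024-03-01T09:00Z", "delivery"),
    DiamondEvent("GroupAlpha", "android-rat", "c2.example", "law-firm-1", "2024-03-01T10:00Z", "command-and-control"),
    DiamondEvent("unknown", "credential-phish", "203.0.113.9", "ngo-2", "2024-02-28T08:00Z", "delivery"),
    DiamondEvent("unknown", "android-rat", "c2.example", "ngo-2", "2024-03-02T12:00Z", "command-and-control"),
    DiamondEvent("unknown", "android-rat", "c2.example", "journalist-3", "2024-03-03T12:00Z", "command-and-control"),
]

def activity_thread(events, victim):
    """One victim's events in order: by time, then by kill-chain phase."""
    return sorted((e for e in events if e.victim == victim),
                  key=lambda e: (e.timestamp, PHASES.index(e.phase)))

def pivot_infrastructure(events):
    """Infrastructure nodes used against more than one victim; these are the
    edges along which separate threads get grouped into one activity group."""
    victims = defaultdict(set)
    for e in events:
        victims[e.infrastructure].add(e.victim)
    return {node: v for node, v in victims.items() if len(v) > 1}

def attribute(events):
    """Carry a known adversary onto unattributed events that reuse its
    infrastructure. Capability overlap alone is deliberately not used: a shared
    malware family is weaker evidence than a shared C2 node."""
    known = {e.infrastructure: e.adversary for e in events if e.adversary != "unknown"}
    return [replace(e, adversary=known[e.infrastructure])
            if e.adversary == "unknown" and e.infrastructure in known else e
            for e in events]

if __name__ == "__main__":
    for e in attribute(EVENTS):
        print(e.adversary, e.victim, e.phase, e.infrastructure)
```

The ngo-2 delivery event stays unattributed because nothing on its diamond touches GroupAlpha's known nodes; the attribution it would need is an analyst judgement, not an automatic pivot.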
Exploring Real-World Applications of the Diamond Model of Intrusion Analysis
Analyzing FIN8's Attack on Financial Institutions: A prime example of the Diamond Model in action is its application in unraveling the strategies of the FIN8 hacking group. Investigations uncovered that FIN8 leveraged PowerShell scripts as their attack infrastructure, deploying a sophisticated "Sardonic Backdoor" as their primary capability. This targeted attack on financial institutions highlights a critical 'diamond event' in the model, fitting neatly into the Execution/Persistence phase of a cyberattack's lifecycle.
Dissecting LAPSUS$ Ransomware by Meghan Jacquot and Kate Esprit: In a significant case, cybersecurity analysts Meghan Jacquot and Kate Esprit utilized the Diamond Model to decode the operations of the LAPSUS$ ransomware and hacking group. They identified key components of LAPSUS$'s strategy: using open-source hacking tools, Telegram, and underground forums as their infrastructure; skills in social engineering, DDoS attacks, and credential theft among their capabilities; with victims predominantly in telecommunications, software, technology, and gaming industries.
Carnegie Mellon University's Honeynet Project: The study “Using Honeynets and the Diamond Model for ICS Threat Analysis” by John Kotheimer, Kyle O’Meara, and Deana Shick at Carnegie Mellon University offers another insightful application. Their focus was on how adversaries interact with honeynets in industrial control systems. By applying the Diamond Model, they successfully mapped these interactions, providing a comprehensive view of the attack strategies used in these specialized environments.
These examples underscore the versatility and efficacy of the Diamond Model in providing a structured approach to analyzing and understanding diverse cyber threats, a crucial tool in the arsenal of today's cybersecurity professionals.
Why does it matter for security teams?
Understanding the Diamond Model of Intrusion Analysis is crucial for security teams as it provides an analytical framework to dissect cybersecurity incidents. By delving into the adversary's infrastructure and understanding the general class of attackers, including malicious insiders, it offers a cognitive model that enriches the analytical workflow. The model's core features provide a lens to scrutinize various aspects of cyber threats, enabling a more strategic mitigation approach.
It also identifies specific elements like e-mail addresses used in attacks, shedding light on the technology enabling these threats. This analytical process is a valuable tool for developing a tailored mitigation strategy, transitioning teams from reactive measures to a more proactive stance in combating cyber threats. Hence, the Diamond Model becomes an integral part of the security protocol, providing a structured method to analyze and respond to threats in a more informed manner.
By looking at a threat actor Intelligence Card™ in Recorded Future, we can see that this entity qualifies as the adversary component of the Diamond Model quite nicely. For example, the Dark Caracal Intelligence Card™ (below) shows us information about this adversary, including name, any nation-state affiliations, and analytical notes added by the Insikt Group.

The Diamond Model links each adversary to the capabilities and techniques that are distinctive to that group. In Recorded Future, the Methods context directly translates to the Capabilities edge of that model. As shown below, it’s obvious that this adversary uses distinct malware and attack vectors as part of its capabilities and TTPs (tactics, techniques, and procedures). We can study additional capabilities by clicking the Timeline link below the Methods list to get a temporal visualization of the capabilities leveraged.

Adversaries also operate within an infrastructure to conduct their intrusions. This infrastructure can be composed of IP addresses, domains, botnets, and technologies in general. In our example, we can see that Dark Caracal is associated with a combination of indicators. As a starting point, these entities represent possible infrastructure and should be immediately correlated with internal network data to qualify intrusion investigations. A scenario would be seeing compromised Android devices connected to the corporate network communicating with command-and-control (C2) servers. The Technology, IP Address, Domain, Product, and Email Address sections of the Context in the Dark Caracal Intelligence Card™ can be used to describe part of that infrastructure, as shown below.

Finally, we can attribute the victims component of the Diamond Model using a combination of the Target list and any associated Operations. Threat actors who are affiliated with nation states often have an objective that is different from those of non-nation-state actors. The main differentiator here is that nation-state threat actors display advanced persistence and are not directly motivated by financial gain — rather, they conduct their operations over a long period of time to extract intelligence in support of larger objectives. Therefore, any targets and operations should be looked at more closely to determine who the victim ultimately is. In our example, we see that several targets and one operation are listed in the Methods, Targets, and Operations section of the Intelligence Card™.

Although some of the targets include technologies and products, a close examination of the operation “Operation Manul” reveals that journalists, lawyers, activists, and government institutions were targeted. Therefore, it makes sense that the threat actor targeted physical devices and products as a means to compromise those victims.
