Published in Nerd For Tech
Threat Intelligence

A new weapon against cyber attacks

Intelligence is the collection and processing of data and information about a competing entity and its agents, which an organization or group needs for its security purposes.

Let’s start from the beginning…
Organizations use many domains of intelligence, depending on their needs.

  • Threat Intelligence is defined as:
    The process of collecting, detecting, evaluating and analyzing the threats and malicious events that are harmful to an organization.
  • Threat intelligence has become one of the more important functions of mature security organizations.
  • You have probably heard the term threat intelligence many times. Threat intelligence can reduce the time you spend investigating security events. Maybe you read a report about state-sponsored attacks and want to know how to protect your enterprise.
  • CTI is not only about producing reports, PDFs or hands-on research for the IR team. In the real world, CTI helps secure cyberspace in many ways. For example, IOCs (Indicators of Compromise) help the security team identify malicious activity, and the SOC (Security Operations Center) uses them when detecting, analyzing and responding to cybersecurity incidents, and many more…

Threat intelligence helps with:

  • Identifying types of attacks
  • Defining, guiding and prioritizing operational requirements
  • Understanding threat actor capability, tactics, techniques and procedures
  • Deploying detection systems
  • Developing defense strategies

Common threat categories it covers include:

  • Insider threat
  • Data breaches
  • Identity theft
  • Information leakage
  • Advanced Persistent Threats (APTs)

Intelligence Life Cycle

1) Planning & Direction
Identify the scope and the areas on which you are going to perform intelligence.

2) Collection
Data is collected from multiple sources, including HUMINT, OSINT, imagery, electronic sources, intercepted signals and publicly available sources.

3) Processing & Exploitation
After data is gathered, it must be processed into a comprehensible form. That can include translating it from a foreign language, decrypting it, or sorting data.

4) Analysis & Production
Evaluate and analyze the processed data and produce the final intelligence product. The products of this stage are assessments and reports that summarize the data for decision makers.

5) Dissemination & Integration
These reports and assessments are delivered to clients, law enforcement agencies (LEA) or customers.

The Cyber Kill Chain

  • The Cyber Kill Chain, developed by Lockheed Martin, identifies the steps a threat actor has to follow in order to achieve their objective.
  • There are seven steps:

1. Reconnaissance: Getting to know the victim using non-invasive techniques.

2. Weaponization: Generating the malicious payload that is going to be delivered.

3. Delivery: Delivering the weaponized artifact.

4. Exploitation: Achieving code execution on the victim’s system through the exploitation of a vulnerability.

5. Installation: Installing the final malware piece.

6. Command and Control (C2): Establishing a channel to communicate with the malware on the victim’s system.

7. Actions on objectives: With full access and communication, the attacker achieves their goal.

MITRE ATT&CK Framework

  • A useful framework for expressing and documenting tactics and techniques. It is supported by MITRE and contributed to by many in the community, and it focuses on tactics and techniques that have been observed in the real world.
  • The MITRE ATT&CK™ Framework is a descriptive model used to label and study the activities that a threat actor is capable of carrying out in order to get a foothold and operate inside an enterprise environment, a cloud environment, smartphones, or even industrial control systems.
  • The magic behind the ATT&CK™ Framework is that it provides a common taxonomy for the cybersecurity community to describe the adversary’s behavior. It works as a common language that both offensive and defensive researchers can use to better understand each other and to better communicate with people not specialized in the field.
  • On top of that, you not only can use it as you see fit, but you can also build on top of it, creating your own set of tactics, techniques, and procedures (TTPs).
  • 12 tactics group the different sets of techniques. Each tactic represents a tactical goal, that is, the reason why the threat actor is showing a specific behavior. Each tactic is composed of a set of techniques and sub-techniques that describe specific threat actor behaviors.
  • The procedure is the specific way in which a threat actor implements a specific technique or sub-technique. One procedure can be expanded into multiple techniques and sub-techniques.

Daily operations and responsibilities depend on the goal of each organization. Threat intelligence can help in many areas of the information security program; therefore, the role’s duties could be slightly different. Nevertheless, I can speak according to my experience and what I perceive to be the most common approach to solving a problem by implementing threat intelligence.

Threat intelligence can be split into three primary categories.

  • Tactical
  • Strategic
  • Operational


Tactical threat intelligence focuses on day-to-day technical operations. An excellent example would be guiding security analysts on the threats they come across daily. To achieve that, a threat intelligence analyst should provide context and relevant indicators. This enables the security analysts to concentrate on the threats that matter and resolve issues faster and more efficiently. As discussed above, intelligence is nothing more than:

  1. Information
    • E.g. about a threat.
  2. Context
    • E.g. the organization’s environment and its exposure to the threat.
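The "information plus context" idea above, as an added example that is not part of the original post: a constructed IOC feed carries the context the post talks about (Cyber Kill Chain step, ATT&CK tactic, confidence), constructed log lines are matched against it, and the hits are prioritized so analysts see the most advanced activity first. Hostnames, timestamps, the domain, the address and the hash are all placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str        # the observable: domain, IPv4 address or SHA-256 hash
    kill_chain: str   # Cyber Kill Chain step the observable is associated with
    tactic: str       # ATT&CK tactic name for the behaviour behind it
    confidence: int   # analyst-assigned confidence, 0-100

# Constructed feed for the example: placeholder values, not real indicators.
FEED = [
    Indicator("invoice-update.example", "Delivery", "Initial Access", 90),
    Indicator("203.0.113.42", "Command and Control (C2)", "Command and Control", 80),
    Indicator("a" * 64, "Installation", "Persistence", 60),
]

# Kill chain steps in order; a later step means the intruder has progressed further.
STAGE_RANK = {"Reconnaissance": 1, "Weaponization": 2, "Delivery": 3, "Exploitation": 4,
              "Installation": 5, "Command and Control (C2)": 6, "Actions on objectives": 7}

# Constructed proxy, EDR and firewall log lines (hypothetical hosts and timestamps).
LOGS = [
    "2024-05-01T10:02:11Z proxy host=ws-17 dst=invoice-update.example action=allow",
    "2024-05-01T10:04:53Z edr host=ws-17 file_sha256=" + "a" * 64 + " event=create",
    "2024-05-01T10:05:30Z fw host=ws-17 dst_ip=203.0.113.42 dport=443 action=allow",
    "2024-05-01T10:06:00Z proxy host=ws-03 dst=intranet.example action=allow",
]

def match_line(line, feed=FEED):
    """Return feed entries whose value appears as a whole token (no substring hits)."""
    tokens = set(re.split(r"[\s=,;]+", line.strip()))
    return [ind for ind in feed if ind.value in tokens]

def enrich(logs, feed=FEED):
    """Attach kill-chain step, tactic and a priority score to every IOC hit, highest first."""
    hits = []
    for line in logs:
        host = re.search(r"\bhost=(\S+)", line)
        for ind in match_line(line, feed):
            hits.append({"host": host.group(1) if host else "unknown",
                         "indicator": ind.value, "kill_chain": ind.kill_chain,
                         "tactic": ind.tactic, "priority": STAGE_RANK[ind.kill_chain] * ind.confidence})
    return sorted(hits, key=lambda h: h["priority"], reverse=True)

def stages_per_host(hits):
    """Map each host to the kill-chain steps seen on it, most advanced first."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["kill_chain"])
    return {host: sorted(s, key=STAGE_RANK.get, reverse=True) for host, s in seen.items()}
```

Three different kill-chain steps on one host (ws-17) is the kind of context that tells an analyst this is a progressing intrusion rather than three unrelated alerts.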


Strategic threat intelligence focuses on bringing the intelligence to the eyes of senior-level officials who are tasked with making decisions. For this reason, the ability to communicate risk becomes essential.

  • For example, as a threat intelligence analyst, you are required to translate any technical information to your organization’s leaders in the form of a finished intelligence product. Examples of this could include visual presentations, written reports or one-to-one meetings. The delivery and the product should be professional and concise. Topics may include threat analyses, trends or ongoing risk to the business.

It is important to highlight that strategic threat intelligence work is the most crucial piece. That being the case, all members of the threat intelligence team should contribute, cross-check and analyze the final product before any communication takes place.


Operational threat intelligence focuses on understanding the adversary by looking into their Tactics, Techniques and Procedures (TTPs). The primary source of the information we need is internal incidents. The main focus here is to understand the adversary’s intent, capability and motive behind attacks, and to prioritize the threats that could impact the organization you are trying to protect.

  • For example, a threat intelligence analyst would analyze internal intrusion attempts to understand the threats the organization is facing. The objective is to provide related information to multiple teams, including incident response, threat hunting and vulnerability management.

Operational threat intelligence analysts must understand technical language and day-to-day tactical operations, and must also be able to communicate risks to decision-makers. This function of a threat intelligence program bridges the gap between tactical operations and higher-level strategic duties.

Key Point: Being able to explain the scale of cyber threat intelligence and who you would be potentially providing intelligence to is a great way to show you understand the role of intelligence within a business environment.

Practical steps an organization can take:

  • Implement an incident response toolkit
  • Carry out VAPT (vulnerability assessment and penetration testing)
  • Develop a cyber breach response plan
  • Require third-party vendors to comply with your security requirements
  • Limit access to your most valuable data
  • Internal audits
  • Security awareness

Thanks for reading … 😊😊
