Types of Cyber Threat Intelligence and the Best Tools for It

Image of a woman holding a magnifying glass enlarging her right eye.
Types of cyber threat intelligence have everything to do with where you want to find threat actors and how.
Source: Mohammad Metri via Unsplash.com

In the first part of our cyber threat intelligence (CTI) guide, I touched upon what CTI is, how to use it, and why a business needs it for cybersecurity. Now, the focus turns to the types of threat intelligence gathering.

The types of cyber threat intelligence depend on the company’s approach. For instance, you could opt for a very complex approach, while another company would choose to keep it simple.

Thankfully, some highly efficient tools would make all these approaches easier. These tools would also reduce the cost of training and labor that would otherwise be necessary.

In the next part, I’ll go through all the cyber threat intelligence approaches. I’ll then touch upon the best tools you might want to use for your business for CTI. 

Threat Intelligence Types

Depending on the level of data any intelligence gathering should protect, CTI has 4 types. Ideally, a full CTI team would cover all these types and provide a full list of cybersecurity solutions for all perceivable threats. 

That said, you mostly wouldn’t need all these positions—nor would you be able to have them, in the first place. Thus, any smaller company should focus on rational threats to its data and daily functioning. Let’s start with an overview table before discovering the 4 types of CTI.

Columns: Type, Use, Points of Use, Cost

Tactical CTI
Malware analysis
External data collection
Behavioral threats indication

Technical CTI
Network analysis
Employee behavior analysis
Side-channel attack protection
Compromise Indicators
Email servers
Web pages
Low to medium cost

Operational CTI
Adversary analysis
Target prioritization
Law enforcement
SOC Analysts
Vulnerability management
Training officers
Medium to high-cost

Strategic CTI
Trend analysis
Cybersecurity strategy composition
Executive decisions
Cybersecurity experts
Financial experts
Compliance experts

An overview of the features of each type of cyber threat intelligence.

1. Tactical Threat Intelligence

When you hear that something is the lowest tier, you might think it doesn’t require a lot of experience and expertise. However, any CTI type requires either senior or at least medium-level cybersecurity specialists.

The benefit of tactical threat intelligence is that almost all the extensive research and testing has already been done. Namely, it’s only important to know existing threats and have their solutions ready. This reduces all the system improvements from research and development to simple updates.

That said, you’ll still need to explore the risks identified and the best options for defense. In most cases, it’ll be a general layer of security for the entire company, one more for the employees, and one for sensitive business or customer data.

Thankfully, some tools cover more than one of these points. It’ll also be up to the security manager to update the resources and prepare all the training materials to keep the company up to the current cybersecurity standard.

2. Technical Threat Intelligence

Technical threat intelligence mostly focuses on issues like side-channel attacks and physical intrusions to the system. This isn’t the whole scope for this type, though. It also extends to modems, networks, and any other point of entry to the system.

The main benefit here is you’ll face no unknowns concerning what you should protect. You’ll need to install each point of entry for the company and set it to work. 

Regretfully, it’ll also require someone with both hardware and software expertise in cybersecurity, which is relatively rare. Most companies will need to find two people who can work closely together.

For technical threats, you can also use a variety of LAN guards, modem protection, and server protection. This will help in arranging security and improving the strategy.

3. Operational Threat Intelligence

Operational cyber threat intelligence, or OCTI, is the first step of advanced threat intelligence. This type of intelligence relies on what you can draw from the company resources aside from the information you can get from others.

This approach’s main benefit is that it’s proactive and focuses as much on threat-hunting as it does on defense. It’s also the job of the Security Operations Center (SOC) analyst to find out what’s looming over your company, analyze it, and, if possible, destroy it.

If not, you should at least build specific defenses to effectively secure the system from the discovered risks. You should do anything possible to secure the effective operations of the company at all times.

When it comes to OCTI, you won’t find a tool to assist directly. In most cases, it’s best to have good tracking, data collection, and data management on the protected system. From that point, expertise would also inform you on what to do against persistent threats.

4. Strategic Threat Intelligence

Lastly, there is strategic threat intelligence, or SCTI. This type includes the creation and implementation of the cybersecurity strategy presented.

The main benefit of SCTI is that it provides a good vantage point to know where your company is cybersecurity-wise. A good strategy will also allow you to predict future attack risks and the budget required.

Primarily, the executives need to know which of the company’s data is essential and which is necessary for compliance. Next, it’s important to know the budget, the cost of cybersecurity, and the cost of an implementation plan.

Competence, finance, and experience are key for this type of intelligence. Step one is knowing the company well. You must then have a good idea about the industry the company works in, the threats others have faced, and where new threats might arise.

Additionally, have a plan for disaster recovery and secondary options for regular operations. The SCTI should discover how to attack and withdraw from cyber-attacks with minimal damage.

Before I go through the tools for threat intelligence, I’ll discuss actionable threat intelligence and how to use it with your company.

Image of a green light on a crosswalk signal.
Actionable components are the information you can act upon, and the same is the case with cyber threats.
Source: Nakamura Taichi via Unsplash.com

Key Components for Actionable Threat Intelligence

While it sounds very technical, actionable threat intelligence is simply information you can act upon. In theory, you can separate it into 4 categories:

1. Persistent Threats

Persistent threats are well-known and fairly proliferated. Issues like phishing (including spear phishing), malware attacks, and email scams are something every company should expect, regardless of the size. New threats are always on the rise, but most companies won’t be the first attacked by a specific threat.

You can stop these known threats with good anti-malware software. Additionally, you must ensure adequate training for anyone handling any type of sensitive data. In most cases, following the legal compliance requirements will also be enough.

Threat Category — Direct
Persistent threats are frequently categorized as “direct” and have known actors, attack vectors, and results. Any CTI operation should use the best practices for them.

2. Overt Threats

Overt threats are different and troubling for many companies, but you should expect them at some point. These threats will appear on forums, hacking pages, or social media. Here, a malicious entity will point out your company as a possible target.

Alternatively, they might point out a tool or service you might use as their goal. In that case, prepare both your defenses and your alternatives. You should also inform peers using the same tools and law enforcement. 

In addition, overt cyber attacks might indicate that parts of the system have already been compromised. You should then change and update all passwords, access codes, and security protocols.

Threat Category — Veiled
You’ll often find overt threats called “veiled” threats, as the harm might be implied instead of explicit and already attempted. Any CTI here should determine the tools the threat actor might use and prepare the system to defend against them.

3. Covert Threats

Covert threats are a bit more concerning than overt ones. The enemy you can’t see is always more difficult to manage than the one in the open. That said, it’s possible to deduce these threats and offer cybersecurity solutions for them.

A well-resourced CTI can infiltrate forums and groups where the discussions and planning of these attacks happen. Today, you’ll find this mostly on Telegram groups. That said, even without these capabilities, you can predict those threats.

It’s easy to know what the goals of most types of cybercrime are: mainly, illicit financial gain. Ransomware and identity theft are also common goals. Thus, any part of the company concerning this data should be behind some type of sandbox security feature.

Threat Category — Indirect
You’ll find covert threats also being called “indirect”. That’s because they might not focus on your business specifically, but rather, in a broader sense. Good communication with others in the industry and cooperation in terms of cybersecurity solutions will always help protect against these attempts.

4. Potential Threats

When it comes to cybersecurity, you can never be too paranoid. In most cases, it’s beneficial to think about possible dangers before they ever come to be. Cybercriminals might not yet have considered these potential threats, but they might become known by your sources.

You can also use sandboxing here to test some of the more external features of your system for faults.

For other entry points, you’ll also find drills for the employees (like through email spoofing), attempts for side-channel attacks, and all other attack vectors your cybersecurity experts can think of.

It’s always better to find out the flaws in your cybersecurity yourself than to have any malicious entity point it out by hurting your business. You can then know if you need any tools to assist your CTI and which ones would work best.

Threat Category — Conditional
Actionable components for potential threats often correlate with so-called “conditional threats”. Here, the attack might not even happen, and the actor might not be capable of it. That said, indulging in the what-if threat scenarios will benefit you sooner or later.

This brings us down to the tools. I will cite 3 that have been proven to work well. They’ll all be a bit different, and it’s up to you to determine the best choice in your case.

Picture of a close-up of a blue eye.
CTI relies on the human eye to make the final decision, but that doesn’t mean that you shouldn’t use tools to help the process.
Source: Amanda Dalbjörn via Unsplash.com

3 Best Tools for Cyber Threat Intelligence

CTI tools differ from regular cybersecurity tools that both businesses and individuals might use. Primarily, their job is to assist a cybersecurity analyst in collecting, analyzing, and compiling intelligence gathered by the company or others.

These tools can show lists of persistent threats and everything known about them. Additionally, they’ll show feeds and trends from different sources and proposed solutions that have been proven to work.

The 3 mentioned are the best choices for mid-range or emerging companies. 

Intelligence quality | Spread of sources | Threat Actor Tracking | Information updates | Sharing capabilities
Table of matched feature ratings for CTI tools.

1. LanGuard Vulnerability Scanning

Screenshot of GFI LanGuard user interface.
GFI LanGuard is easy to use and has a wide range of sources it collects threat actor information from.
Source: Gfisoftware

On the surface alone, LanGuard from GFI is a clean and easy-to-use software tool. The user interface is clean, and its learning curve is very accommodating, even for juniors.

Right off the bat, you’ll see threat research, reporting, and missing updates. This will be enough to get your system up to speed before you can get a hold of the more advanced features like patch management and network supervision.

Due to this wide range of capabilities and high-quality information, LanGuard is one of the best tools for cybersecurity intelligence for both small CTI teams and individual cybersecurity managers.

The downside here is the limited sharing within the program. That said, it’s always possible, albeit annoying, to save reports, audits, and threat tracking. It’s also easy to share it through more private and discreet means if you want to check your system against others.

2. SOCRadar’s ThreatFusion Cyber Threat Intelligence

Image of SOCRadar's ThreatFusion promotional panel.
ThreatFusion has an excellent hold on finding threat actors, but with slightly fewer updates than some would like.
Source: Socradar

ThreatFusion requires slightly more engagement and has a marginally worse learning curve than LanGuard. That said, it still offers top-notch results for persistent and possible threats to any company.

The tool’s main focus is vulnerability intelligence, showing what threat actors target and use. You can also track if any changes occur to the known threat actors in case of advanced persistent threats.

Additionally, using ThreatFusion, you can quickly go through lists of known frauds and other threats focused on your employees. These would be integral for any cybersecurity strategy, and ThreatFusion has the easiest way of managing it.

The one problem, at least compared to the other two options, is the breadth of the sources and the frequency of updates, both of which are lower. The gap isn’t large enough to be a problem, but it is visible in comparison.

3. Anomali ThreatStream 

Screenshot of the Anomali ThreatStream user interface.
ThreatStream is very colorful and easy to navigate, but the learning curve becomes a bit steep for advanced features.
Source: Anomali

ThreatStream by Anomali doesn’t have as good of a UI as the other two options mentioned above. That said, for tools as important as this one, this shouldn’t ever be a deal breaker. What matters is that it works well.

The quality of the presented data is excellent and covers a multitude of source streams frequently updated by the program. Additionally, you can easily determine which attacks are important for your business.

Aside from testing and reviewing threats, ThreatStream also allows for limited control over different points of entry like your Firewall, IPS, SOAR, EDR, and SIEM. Thus, you can check and turn off any point of ingress to the system that you find to be compromised.

The downside is that it takes a little time to get used to the tool and set it up according to your needs. Once you’re set up and up to speed, though, you rarely miss checking any threats.

Final Thoughts

The different types of threat intelligence can be classified as tiers. That said, even the simplest tier, tactical CTI, requires deep familiarity with cybersecurity, at least in the industry where you implement it.

Further down the line, you’ll find the technical, operational, and strategic types of cyber threat intelligence. Each of these expands the scope of the approach and provides more security in exchange for more time, resources, and information.

The goal of each type is to find threat actors and figure out actionable intelligence on how to answer those threats. These threats can range from persistent, which are common in the industry, to those which are potential, and only in your branch.

Thankfully, some tools will help any company implement cyber threat intelligence more easily. These assist in monitoring all the different aspects of CTI and adjusting them to your company’s specific needs.

Hopefully, with the examples provided, any business owner would realize which types benefit their business. While there might be a learning curve to this approach, as the saying goes: “Knowing is half the battle.”

Hopefully, the contents of this article and Part 1 should give you a clearer picture of what CTI is and how you can use it. If you’ve got more questions, please check the FAQ and Resources sections below.


FAQ

Which companies need strategic cyber threat intelligence?

Many consider strategic CTI the most advanced since it involves intertwining all other types. It also includes producing a foolproof plan to defend your system from unknown threats. In most cases, it would require a change management approach. That said, if the top brass is already familiar with cybersecurity, it’ll only require putting that know-how to good use.

How do the 4 categories of CTI correlate with actionable intelligence?

The top feature of cyber threat intelligence is that everything connects with everything else. In return, this allows clear vulnerability and risk management. Generally, tactical, technical, operational, and strategic threat intelligence will protect from matching threats. These threats are persistent, overt, covert, and potential if we follow the same order.

What are the most common threat actors?

Separate from the common network security threats, the threat actors are different malicious entities behind these threats. In most cases, they’re individual cybercriminals. That said, they can also be cybercrime groups, syndicates, or even foreign government actors sometimes.

How much does cyber threat intelligence cost?

Depending on the cybersecurity potential and requirements of the company, CTI costs start with being integrated into the current cybersecurity budget with a bit more planning. They can then reach thousands in tools and hardware for elaborate operations, and potentially much more in labor if you want top cybersecurity talent.

Are cyber threats the same as cyber threat actors?

“Cyber threat actors” is an umbrella term for all the malicious entities that aim to harm your company, either on purpose or as a byproduct of their regular operations. Cyber threats are the products of these actors. Known cyber threat actors also produce new cyber threats regularly.


Resources

TechGenix: Article on Securing IoT Devices

Discover the ways to secure IoT devices the right way.

TechGenix: Article on Data Center Security

Educate yourself on data center security and its best practices.

TechGenix: Article on Backups and Ransomware Attacks

Read more about protection against ransomware attacks on your backups.

TechGenix: Article on the Use of CIEM for Businesses

Find out what the benefits of CIEM are for a multi-cloud enterprise.

TechGenix: Article on Secure Access Service Edge

Learn more about Secure Access Service Edge (SASE) and its benefits.
