Cyber Threat Intelligence: A Must-Have or Nice-To-Have?
What it is
Cyber threat intelligence has staked its claim as one of the most prominent proactive cybersecurity
measures because it helps organizations predict where and when threats will strike.
Threat intelligence, also known as cyber threat intelligence (CTI), is information gathered from
various sources about current or potential attacks against an organization. This information is
analyzed, refined and organized, and then used to minimize and mitigate cybersecurity risks, thus
fortifying the defense posture of an organization.
The main purpose of threat intelligence is to show organizations the various risks they face from
external threats, such as zero-day threats and advanced persistent threats (APTs)
What it entails
CTI may include the latest updates on the most prolific ransomware gangs, their innovations and
which sectors and countries are most targeted. It gives in depth information on various threat
actors, highlighting their Tactics, Techniques, and Procedures (TTPs), motives and intent. One
source of CTI is dark web monitoring. Through this, adversaries seeking to buy compromised
credentials from specific companies can be identified, as well as data leaks and password dumps.
CTI may also include Take Down services that scan search engines and domain databases to
automatically detect and report fake websites or anyone trying to impersonate brands. It may also
include Executive Monitoring, which entails monitoring Social media accounts mimicking
An investment in CTI should noticeably help the organization identify and lower security risk. In
order to get the most out of CTI, an Intelligence Analyst should read that information and
understand it, digest it, interpret it, and draw useful insights out of it. They should figure out where
it should be integrated, what are the best responses to alerts that come out of the investigation and
generate reports for decision making and strategy.
It is imperative that before anything, intelligence requirements based on agreed upon risk- based
priorities be established. Identifying the Intelligence Requirements for the organization means
identifying the policy and security issues in which cyber threat intelligence is expected to
contribute. Intelligence requirements can be classified into:
Intelligence Requirements (IRs) – Requirements for the general threat environment.
Priority Intelligence Requirements (PIRs) – Those that are most critical to be answered for
the organization, PIRs are more detailed and operationally focused also aligned to IRs.
Specific Intelligence Requirements (SIRs) – These are operational, tactical plus technical
and focus on particular facts, entities, or activities.
The value of CTI
Network defenders have opportunities to defeat the attack sequence at every stage of an attack
campaign. However, in order to do this, they need some kind of cyber threat intelligence capability
dedicated to tracking adversary behavior across the intrusion kill chain and deploying detection
and prevention controls.
The MITRE Attack Framework is an incredibly useful tool in helping companies design defenses.
However, it is too hectic to consider all threat actors and implement every possible defense in the
framework. Additionally, there are excessively many vulnerabilities in networks and systems to
patch all of them in the timeliest manner. There are also too many business impacts associated
CTI can help prioritize what is going to be patched first, highlighting critical vulnerabilities that
adversaries seek to exploit. Relatedly, CTI enables prioritization with regard to which Threat Actor
will most likely target that industry or specific company and allows them to zero in on where to
focus first. CTI, therefore, offers targeted intelligence, around which companies can design their
The current state of CTI can be deemed solid, as it provides a lot of information about threat actors.
However, as valuable as it is, it is not without its’ shortcomings. There is a plethora of information
on indicators whether it be domains, IPs or hashes. However, it is still hard for people to get value
out of these indicators. It is recommended that companies buy CTI tools that are most easy to
operationalize, preferably the ones that they can plug and play into their existing technology.
Another challenge that hinders the effectiveness of CTI is the latency that is part of the threat
intelligence production. Hash feeds get to consumers excessively slowly to be useful and so end
up being of no value. Sometimes this time goes up to years and in most cases, years is far too long
for it to be effective at all.
The lack of adequate information about how common a threat is. also presents a challenge. Ideally,
CTI needs to be specific and tailored to a particular consumer as a target. There might be a lot of
information out there about threat actors that are not interested in a company’s particular vertical
or industry. CTI should give consumers an idea of how rare something is or how important
something is. Suffice to say, Threat Intelligence should look like intelligence instead of a list of
strings. There is value in data look-ups but what is being missed is the opportunity to transform
that data into unique insights and into intelligence.
In the argument as to whether CTI is a must-have or nice-to-have, the challenge of CTI having
diminishing returns rears its ugly head. At the onset of companies using CTI, there is a flurry of
events as many threats are unveiled. Consequently, companies clean up their act, rendering the
subsequent CTI information less valuable.
How can we get the most out of CTI?
Currently, CTI tools are used to get more information about potential threats. A security system
will usually flag something as potentially suspicious, which means something is already happening
and CTI is being used to investigate how suspicious it is – whether that is an IP address or a specific
domain. An analyst or team of analysts then responds to this information, which not only makes
the process human intensive but reactive as well.
This begs the question, “how can CTI provide a more proactive than reactive approach to cyber
security?” A more proactive approach would be to take the human user out of the loop by building
a machine-to-machine connection. An example of this would be incorporating an End Point sensor
that sees that suspicious IP, issues an API call to a CTI service gets back a risk score, and then
based on that score, automates an action. Technically, this is still reactive but the reactive timeline
is collapsed from minutes or days, down to milliseconds.
Another proactive way to use CTI is by using it to see how your organization looks from the
internet; how it looks to an adversary. CTI can be used to see an organization’s vulnerabilities
from the vantage point of the adversary, and further prioritize and close those gaps. This is
especially useful in the case of internet visible assets that the organization might not be aware of. An
example of this could be a subdomain that was created to test out new software and good security
measures were not implemented. These present real risks that are not visible when you take a
‘what’s on my network view”
In a nutshell, the best use of CTI is to use it to close the gap between your defensive posture and
the adversaries’ offensive posture and get ahead of them. Agility is important as the Offense
typically moves faster. They usually have many things they can target at a fairly low expense and
at a high speed. The defense then has to match their time advantage as close as possible to counter
Regarding the extent of the necessity of CTI, it boils down not to what information companies
receive, but what they are able to glean from it and do with it.
Article by Lorna Asiimwe
Lorna is an experienced System Administrator with a passion for Cybersecurity. She has over eight years experience in System Administration, managing and maintaining complex IT systems as well as End User Training. This experience has equipped her with a deep understanding of network security, threat detection and risk management. LinkedIn: Lorna Asiimwe Twitter:@LornaAsiimwe