HomeCybersecurity Lifehacks
What is Cyber Threat Intelligence
HomeCybersecurity Lifehacks
What is Cyber Threat Intelligence

Editor’s Note: This is an edited version of an article originally posted in October 2023. It has been updated with some new information about ANY.RUN’s threat intelligence products.

Cyber Threat Intelligence (CTI) — often referred to as “Threat Intelligence” or “Threat Intel” — is the practice of gathering and analyzing data to identify, understand, and counter existing and potential threats.  

Threat intelligence portals help security teams learn about new threats to stay ahead 

In cybersecurity, threat intelligence serves a similar function to reconnaissance in military operations. It provides insights into the specific threats facing your organization, the TTPs attackers are likely to employ, and the IOCs that can help in detection. 

The intelligence can be either: 

  • Strategic, looking at long-term trends and emerging threats. 
  • Operational, concerned with TTPs and effective defense strategies. 
  • Or tactical, focusing on immediate IOCs like IP addresses or file hashes. 

What makes threat intelligence a crucial aspect of your cybersecurity?

The malware threat landscape is highly dynamic, with some estimates indicating that a new malware variant is released every minute.

ANY.RUN’s Threat Intelligence homepage shows recent attacks and emerging threats 

Beyond keeping up with these rapid changes, your organization may also face targeted threats from APT groups. These actors typically deploy custom attacks tailored specifically to exploit vulnerabilities in your organization. 

Learn how ANY.RUN can help take your threat intelligence
to the next level 

Contact us

Even if you have strong SOC, DFIR and CSIRT teams, a purely reactive approach isn’t enough. You need current, context-rich intelligence from external sources to drive effective responses. Threat intelligence provides:

  • Proactive defense: Integrating IOCs such as hashes and IP addresses from threat feeds allows you to update SIEM, firewall, and EDR rules. This enables early detection and automated blocking of known threats before they penetrate the network. 
  • Faster incident response: During a breach, aligning indicators of intrusion with TTPs, and linking those TTPs to an attacker or threat profile, is crucial. This approach allows the CSIRT team to quickly understand the attacker’s tactics and pinpoint vulnerable systems, facilitating faster containment and remediation. 
  • Better strategic planning: CTI gives CISOs and Intel analysts critical data on threats tailored to your organization, both emerging and persistent. This data helps shape a security strategy focused on the most likely threats you’ll encounter. 

Threat intelligence provides context for likely threats

Simply tracking most common malware types or families isn’t enough for effective threat intelligence, because this approach lacks the specific insights needed to understand the risks your organization actually faces. 

Instead, effective threat intelligence strategies focus on gathering detailed, targeted data. They aim to answer key questions like: 

  1. Who is likely to target my organization? 
  1. What malware and TTPs will they probably use? 
  1. What parts of our network are most at risk? 
  1. What IOCs can help us detect an attack? 
  1. How can we fortify our defenses against these particular threats? 

Tools, people, and information comprising threat intelligence 

Threat intelligence impacts every team, tool, and process in your organization’s cybersecurity framework. This data often comes from multiple sources, such as OSINT, commercial threat feeds, and internal logs and historical data. Here are some ways how different teams use it: 

Data source  Team  Benefit  Type 
Threat feeds SOC  Expand automated threat coverage and detection  Tactical 
TI Lookup SOC  Related events and IOCs   Technical, Tactical 
Contextual IOC databases  CSIRT  More accurate and speedy threat identification  Tactical 
Forensic Data  CSIRT  Faster and more accurate incident response  Operational 
Detailed threat reports  Executive  Better risk assessment  Strategic 

Tactical vs Strategic vs Operational threat intelligence 

Threat intelligence data can be further categorized into three groups: tactical, strategic, and operational. 

Tactical threat intelligence focuses on immediate threats and technical indicators. It provides actionable data like IP addresses, hashes, and URLs that security teams can use for immediate defense measures. Mainly geared toward SOC analysts and incident responders, it helps in quick detection and mitigation of attacks.

Tactical data: artifacts related to a malicious IP address in ANY.RUN TI Lookup

Operational threat intelligence sits between tactical and strategic, focusing on the “how” behind attacks. It offers context around TTPs used by attackers. Useful for threat hunters and mid-level security managers, it helps in understanding the motivation, capabilities, and methods of potential threats, allowing for more informed defense strategies. 

Integrate ANY.RUN’s threat intelligence solutions in your company 

Contact us

Strategic threat intelligence is concerned with long-term security planning and risk assessment. It provides insights into broader threat landscapes, like emerging attack vectors or geopolitical factors that may influence threats. Strategic TI usually involves CISOs and high-level decision-makers and shapes the overall security strategy of a company.

ANY.RUN TI feeds provide technical threat intelligence

Technical Threat Intelligence: what is it? There is a fourth type of threat intelligence – technical. It refers to machine-readable IT data, such as indicators of recent threats, that is delivered to the SIEM and TIP system through threat intelligence feeds. 

6 steps of the threat intelligence lifecycle 

Like incident response, threat intelligence is a complex process. To keep the initiative focused, it follows a cyclical approach that involves setting objectives, taking specific actions, and then reviewing and iterating. 

The most common framework outlines 6 steps to create a continuous loop for improving your security posture: 

  1. Requirements: In this phase, the threat intelligence team lays out a roadmap for a specific intelligence operation. They outline required actions and set measurable objectives, such as creating a report about the TTPs of a new adversary. 
  2. Collection. Security analysts and engineers pool data from pre-determined sources like threat feeds, dark web forums, or internal logs. A successful criterion could be acquiring relevant IOCs within a set timeframe.
  3. Processing. Data scientists and engineers work to structure raw data. The aim is to transform it into machine-readable formats like STIX or human-readable formats like spreadsheets and diagrams. The focus is on filtering out false positives efficiently and compiling a dataset suitable for analysis.
  4. Analysis. Malware analysts examine the processed data, utilizing analytics platforms, sandboxing, and lookup services. They correlate events and map IOCs to TTPs. The goal is to add context. Potentially disjointed lists of indicators are transformed into cohesive description of attack patterns.
  5. Dissemination. Incident response and SOC teams receive the finalized intelligence. They use the information to update security systems like IDS, IPS, and firewalls.
  6. Feedback. Post-action reviews usually involve all teams. Feedback is used to adjust future intelligence requirements and operations. 

Threat Intelligence and ANY.RUN 

If you’re already using ANY.RUN or part of our community, you know we specialize in cloud-based interactive sandboxing. With over 16,000 daily submissions, mostly new malware strains, our sandbox community is on track to accumulate over 50,000,000 unique IOCs quarterly in 2024. 

Find threats by file content with YARA Search

We’re leveraging this rich dataset to help organizations improve their proactive security using our Threat Intelligence products: 

If you’re interested in ANY.RUN’s Threat Intelligence solutions, don’t hesitate to contact our sales team. They can provide pricing details and answer any questions you have about the product. 

Contact sales → 

Jack Zalesskiy
Technology writer at ANY.RUN at ANY.RUN | + posts

Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.

jack-zalesskiy
Jack Zalesskiy
Technology writer at ANY.RUN
Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.

What do you think about this post?

4 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments