What Is Cyber Threat Intelligence?

  • Cyber threat intelligence
  • The intelligence cycle
  • Defining your intelligence requirements
  • The collection process
  • Processing and exploitation
  • Bias and analysis

Cyber threat intelligence

Strategic level

Operational level

Tactical level

Figure 1 - CTI team center role

The intelligence cycle

Figure 2 - DIKW pyramid
Figure 3 - The intelligence cycle

Planning and targeting

Preparation and collection

Processing and exploitation

Analysis and production

Dissemination and integration

Evaluation and feedback

Figure 4 - The Core Functions of Intelligence (JDP 2–00) (3rd Edition)

Defining your intelligence requirements

The collection process

Figure 5 - Simple CMF example

Indicators of compromise

Understanding malware

  • Worm: An autonomous program capable of replicating and propagating itself through the network.
  • Trojan: A program that appears to serve a designated purpose, but also has a hidden malicious capability to bypass security mechanisms, thus abusing the authorization that’s been given to it.
  • Rootkit: A set of software tools with administrator privileges, designed to hide the presence of other tools and hide their activities.
  • Ransomware: A computer program designed to deny access to a system or its information until a ransom has been paid.
  • Keylogger: Software or hardware that records keyboard events without the user’s knowledge.
  • Adware: Malware that offers user-specific advertising.
  • Spyware: Software that has been installed onto a system without the knowledge of the owner or the user, with the intention of gathering information about him/her and monitoring his/her activity.
  • Scareware: Malware that tricks computer users into visiting compromised websites.
  • Backdoor: The method by which someone can obtain administrator user access in a computer system, a network, or a software application.
  • Wiper: Malware that erases the hard drive of the computer it infects.
  • Exploit kit: A package that’s used to manage a collection of exploits that could use malware as a payload. When a victim visits a compromised website, it evaluates the vulnerabilities in the victim’s system in order to exploit certain vulnerabilities.

Using public sources for collection — OSINT


Malware analysis and sandboxing

Processing and exploitation

The Cyber Kill Chain®

Figure 6 - Lockheed’s Martin Cyber Kill Chain®

The Diamond Model

Figure 7 - The Diamond Model

MITRE ATT&CK™ Framework

Figure 8 - The Enterprise Matrix

Bias and analysis




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



We help developers build better software | Email customercare@packtpub.com for support | Twitter support 9-5 Mon-Fri