Frequently Asked Questions

According to Gartner, "threat intelligence is evidence-based knowledge, including context, mechanism, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard".

EC Council's definition is very similar, "threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing or emerging threats targeting the organization that helps mitigate risks".

The purpose of cyber threat intelligence is to help institutions and organizations understand the risks of cyber-attacks and cyber threats, which range from zero-day attacks and crypto viruses to APTs (Advanced Persistent Threats), botnets, and exploits. These threats are reported through intelligence activities after review by CTI analysts, who provide specific protection methods to support an active defense in your organization.

Skilled, well-funded, well-organized, and highly sophisticated cyber attackers use techniques that defeat security strategies relying on technology alone. In order to develop a defense strategy against attackers, organizations need to know how they operate, how they are organized, and which techniques they use.

Cyber threat intelligence allows companies to identify the dynamics and consequences of risks, to improve security plans and structures, and to reduce their exposure to attack in order to minimize damage and defend their network.

CTI can identify and analyze cyber threats against your business, and therefore it can help you to:

  • Focus on actionable alarms; legacy threat intelligence solutions provided only feeds and Indicators of Compromise (IOCs), which were not actionable, while organizations increasingly need the latest intelligence about the threats aimed at them. With real-time intelligence on threat actors, botnets, and malware, together with data from the dark web and the deep web, organizations can detect, for example, phishing domains targeting their customers.
  • Collect, Verify, and Prioritize External Threats; CTI does the hard work for your business with enriched intelligence that allows you to apply smarter defense and improvement processes.
  • Detect Forgotten Assets and Monitor the Attack Surface in Real Time; CTI can uncover blind spots by continuously following the changing attack surface.
  • Prevent Data Loss; by using CTI, cyber threats can be detected and security breaches that would disclose confidential information can be prevented.

Different kinds of threat knowledge and analytical approaches are useful at different levels of a business. The four categories of cyber threat intelligence serve different objectives:

  • Strategic Cyber Threat Intelligence; it uses comprehensive pattern and emerging-risk analysis to provide an outline of the implications of future cyber-attacks.
  • Operational Cyber Threat Intelligence; it is mainly used to make resource management decisions regarding actual and potential risks, and covers the history, resources, affiliations, and motives of threat actors.
  • Tactical Cyber Threat Intelligence; its main target is a technically trained audience, and it gives them more specific details on threat actors’ tactics, techniques, and procedures (TTPs).
  • Technical Cyber Threat Intelligence; it focuses on the technical details that indicate a cyber-security threat, such as phishing email lines or malicious URLs.

Information                               Intelligence
Unfiltered and raw data                   Processed and sorted data
Not evaluated                             Evaluated by Threat Intelligence Analysts
Too much aggregated data                  Only useful data
Not actionable                            Actionable
Disconnected, incomplete, irrelevant      Connected, complete, and relevant

The terms cyber threat intelligence and cyber intelligence are usually used interchangeably, but in theory they have different contexts.

CTI is the collection and disclosure of threats that may harm business elements and security at any level of institutions and organizations. It is a type of intelligence that enables early measures to be taken: data collected from electronic media is enriched and analyzed through a process that reveals the attackers' goals, methods, or types of attack.

CTI provides information on malicious actors, their tools, their infrastructure, and their methods for:

  • Identifying types of attacks,
  • Defining, guiding, and prioritizing operational requirements,
  • Understanding threat actor capability, tactics, techniques, and procedures,
  • Deploying detection systems,
  • Developing defense strategies.

Cyber intelligence (CI) is the mechanism of translating the data obtained from the attackers' networks into an operative report through "standard intelligence approaches."

As the definitions show, CTI focuses on information about cyber threats, while CI focuses on useful intelligence gathered from the Internet.

The attack surface is the set of points or vectors through which an attacker can enter the environment; in effect, it is a list of all the possible ways an attacker can get into a device or network and extract data. In other words, the attack surface can be described as the collection of different points where unauthorized users could infiltrate an IT environment. There are a number of points from which attackers could attempt to penetrate the environment, such as access to the network, access from a remote location, or access via a network connection.

The attack surface can be categorized into four groups, and every attack surface belongs to at least one of them.

The attack surface refers to any asset, such as domain infrastructure, website services, cloud technologies, etc., that is open to the Internet and can be exploited by an attacker. It can be described as an organization's network interface, its network infrastructure, and its resources. The attack surface includes:

  • Known Assets: assets that are registered and managed by the company, such as websites, servers, etc.
  • Unknown Assets: domains that were opened for marketing purposes and never closed, forgotten by the security team, or sensitive data that the development team left behind in repositories.
  • Impersonating Assets: malicious infrastructure, such as fake domains and malicious social media accounts, that appears to belong to the company but was created by attackers.
  • 3rd Party Assets: the attack surface is not limited to the company's own assets. Third-party JavaScript on the company's websites, or the hosting servers on which its assets are located, are part of the attack surface within the ecosystem in which the company exchanges data.

Good attack surface management products monitor all systems around the clock for newly discovered security vulnerabilities. Real-time visibility is critical to detecting the impact of an attack on the attack surface formed by the range of networks, software, protocols, and services that an enterprise runs online. Given the number and complexity of network and software protocols and services in an online business, it can be difficult to identify which parts of your attack surface are the source of breaches and intrusions. Identifying these risks is a dynamic and highly complex task that spans several areas, such as network infrastructure, network security, data security, and network management.

Digital Risk Protection eliminates risks arising from digital transformation to defend the company's data, brand, and attack surface from unauthorized disclosure, providing an accurate view of threats across the surface, deep, and dark web.

In order to manage the attack surface, it is necessary to first identify all assets open to the Internet. The digital footprint is important because companies have many assets that they do not know about or have forgotten, as well as assets they know and manage. For instance, some promotional pages opened for marketing purposes may never have been shut down, or the security team may never have been notified of them. Any asset that is forgotten or not configured against security threats could be harmful to the company, because attackers prefer to attack companies through their unmanaged assets.

An indicator of compromise is a way to classify possible forensic information that may lead to the identification and validation of suspected intrusions in remote or local networks.

Some of the most common IOCs are:

  • Unusual Geographical Anomalies
  • Unusual Activities by Privileged User Accounts
  • Unusual Network Traffic
  • Suspicious Registry Changes
  • High Volume Read in Database
  • Unusual Log-in Patterns
  • HTML Response Sizes
  • Large Numbers of Requests for the Same File
  • Indicators of Distributed Denial of Service (DDoS) Attacks
  • Unusual DNS Requests
  • Unusual System Patching
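
As an added example that is not part of the original FAQ, the following Python checks two of the indicator types listed above, unusual geographical anomalies and unusual log-in patterns, over a constructed authentication log (the log lines, user names, thresholds, and function names are all assumptions made for the example):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, user, source country, result.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice TR success
2024-03-01T09:40:05Z bob TR success
2024-03-01T10:15:00Z alice TR success
2024-03-01T10:31:42Z alice BR success
2024-03-02T03:12:09Z bob TR failure
2024-03-02T03:12:15Z bob TR failure
2024-03-02T03:12:20Z bob TR failure
2024-03-02T03:13:01Z bob TR success
"""

def parse_log(text):
    """Parse each line into a (datetime, user, country, result) tuple, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country, result))
    return sorted(events)

def find_anomalies(events, travel_window=timedelta(hours=2),
                   burst_window=timedelta(minutes=5), burst_failures=3,
                   night_hours=range(0, 6)):
    """Return (user, indicator_type, detail) findings for two of the IOC types above."""
    findings = []
    last_success = {}             # user -> (datetime, country) of the last successful login
    failures = defaultdict(list)  # user -> timestamps of failures inside burst_window
    for ts, user, country, result in events:
        # Forget failures older than the burst window before counting them.
        failures[user] = [t for t in failures[user] if ts - t <= burst_window]
        if result == "failure":
            failures[user].append(ts)
            continue
        # Geographical anomaly: successful logins from two countries closer together
        # in time than any plausible journey between them (impossible travel).
        if user in last_success:
            prev_ts, prev_country = last_success[user]
            if prev_country != country and ts - prev_ts <= travel_window:
                findings.append((user, "geo_anomaly",
                                 f"{prev_country}->{country} within {ts - prev_ts}"))
        last_success[user] = (ts, country)
        # Unusual login pattern: a night-time success right after a burst of failures,
        # the trace a password-guessing attempt leaves in the log.
        if ts.hour in night_hours and len(failures[user]) >= burst_failures:
            findings.append((user, "login_pattern",
                             f"success at {ts:%H:%M} after {len(failures[user])} failures"))
    return findings
```

In the sample, alice's two logins from different countries 16 minutes apart and bob's night-time success after three failures are the two findings; the thresholds are the knobs an analyst tunes per environment.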

YARA is a tool intended (but not limited) to help malware researchers identify and classify their samples. It has become one of the important tools frequently used for analysis and research in the field of cybersecurity. With YARA, you can create rules that describe malware families based on textual or binary patterns.

Simply put, TTPs describe the behavior of threat actors. A tactic is the highest-level description of that behavior; techniques give a more detailed description of behavior in the context of a tactic; and procedures are lower-level, highly detailed descriptions of how a technique is carried out in practice.

STIX is a standardized language developed by MITRE for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.

At a high level, the STIX language consists of 9 key constructs and the relationships between them:

  • Observables describe what has been or might be seen in cyberspace
  • Indicators describe patterns for what might be seen and what they mean if they are
  • Incidents describe instances of specific adversary actions
  • Adversary Tactics, Techniques, and Procedures describe attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, and other methods used by the adversary
  • Exploit Targets describe vulnerabilities, weaknesses, or configurations that might be exploited
  • Courses of Action describe response actions that may be taken in response to an attack or as a preventative measure
  • Campaigns describe sets of incidents and/or TTPs with a shared intent
  • Threat Actors describe the identification and/or characterization of the adversary
  • Reports collect related STIX content and give them shared context

TAXII is an application protocol for exchanging CTI over HTTPS. TAXII defines two primary services to support a variety of common sharing models:

  • Collection: A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers: TAXII Clients and Servers exchange information in a request-response model.
  • Channel: Maintained by a TAXII Server, a Channel allows producers to push data to many consumers and consumers to receive data from many producers: TAXII Clients exchange information with other TAXII Clients in a publish-subscribe model.

MISP is a free and open-source threat intelligence platform, together with open standards for threat information, for gathering, sharing, storing, and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information.

A threat actor is an individual or organization responsible for an incident or activity that affects or has a potential effect on the safety or security of another entity.

Threat actors can be categorized into six groups:

  • Cyber Criminals
  • Competitors
  • Terrorists/Extremists
  • Hacktivists
  • State-Sponsored Attackers
  • Trusted Insiders

An APT is a sophisticated, long-term malicious attack that plays the long game, spying on the target infrastructure for months or years before successfully breaking through the network.

APT groups are typically threat actors who receive guidance and support from nation-states for objectives that traditionally include data theft, intelligence gathering, disruption, and destruction. APT attacks target governments and organizations that handle high-value information or intelligence, including sensitive information such as military operations, security files, and advanced military technology documents. These groups differ from other cybercriminals in that they tend to adapt to defenses and can maintain their presence in a system for months or even years.

The Pyramid of Pain represents the different types of attack indicators that an analyst must look out for to detect an attacker's activities, and it is useful for incident response and threat hunting.

The types of indicators are placed in a pyramid from bottom to top:

  1. Hash Values
  2. IP Addresses
  3. Domain Names
  4. Network Artifacts
  5. Host Artifacts
  6. Tools
  7. Tactics, Techniques, and Procedures (TTPs)

Founded in 1958, MITRE is a non-profit company whose mission is to solve problems for a safer world. MITRE ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a curated knowledge base that organizes and categorizes the tactics, techniques, and procedures (TTPs) used by threat actors in the digital world, helping organizations identify gaps in their cyber defenses.

PRE-ATT&CK and ATT&CK show a variety of basic differences:

  • ATT&CK is closely tied to a particular technology environment (e.g., Microsoft Windows, Linux, or a network environment) and thus offers extensive technical information on adversary behavior and defender mitigations for each technique. PRE-ATT&CK is agnostic to these variations because the adversary carries out pre-compromise preparation activities under any of these conditions.
  • ATT&CK mitigations can be very concrete and precise. PRE-ATT&CK mitigations are still in progress and will include mitigations based on technology and policy; in many cases these mitigations will not be as effective or thorough, given the inability to fully capture all adversary actions, data, and resources.

TLP is a set of designations used to ensure that sensitive information is distributed to the appropriate audience. It uses four colors to indicate the sharing boundaries that recipients are expected to respect.

TLP: RED = Not for disclosure, restricted to participants only.
TLP: AMBER = Limited disclosure, restricted to participants’ organizations.
TLP: GREEN = Limited disclosure, restricted to the community.
TLP: WHITE = Disclosure is not limited.
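
As an added example (not the FAQ's own or any vendor's code) serving both the STIX constructs listed earlier and the TLP designations above, the following Python builds a small STIX bundle containing an Indicator, a Malware object, and the Relationship between them, attaches a TLP marking to each, and filters the bundle before sharing according to the recipient's TLP level. It assumes STIX 2.1 JSON (the current version, which represents TLP as marking-definition objects) rather than the STIX 1 constructs listed above; the object names, the domain pattern, the generated ids, and the rule that unmarked objects count as TLP:WHITE are constructed for the example.

```python
import uuid
from datetime import datetime, timezone

TLP_ORDER = ["white", "green", "amber", "red"]   # least to most restrictive

def now_iso():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def stix_object(obj_type, **props):
    """Build a STIX 2.1 object with the common required properties (constructed ids)."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": now_iso(), "modified": now_iso()}
    obj.update(props)
    return obj

def tlp_marking(colour):
    """A TLP marking-definition; STIX 2.1 marking-definitions carry no 'modified'."""
    m = stix_object("marking-definition", definition_type="tlp", definition={"tlp": colour})
    del m["modified"]
    return m

def build_bundle():
    """Indicator 'indicates' Malware; indicator shareable at TLP:GREEN, malware at TLP:AMBER."""
    green, amber = tlp_marking("green"), tlp_marking("amber")
    malware = stix_object("malware", name="ExampleLoader", is_family=True,
                          object_marking_refs=[amber["id"]])
    indicator = stix_object("indicator", name="ExampleLoader C2 domain", pattern_type="stix",
                            pattern="[domain-name:value = 'c2.example.invalid']",
                            valid_from=now_iso(), object_marking_refs=[green["id"]])
    rel = stix_object("relationship", relationship_type="indicates", source_ref=indicator["id"],
                      target_ref=malware["id"], object_marking_refs=[green["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [green, amber, malware, indicator, rel]}

def share_with(bundle, recipient_tlp):
    """Keep objects the recipient's TLP allows, dropping relationships left with a missing end."""
    tlp_of = {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
              if o["type"] == "marking-definition"}
    limit = TLP_ORDER.index(recipient_tlp)
    kept = []
    for o in bundle["objects"]:
        levels = [TLP_ORDER.index(tlp_of[m]) for m in o.get("object_marking_refs", [])]
        # Policy assumed here: an object with no marking is treated as TLP:WHITE.
        if o["type"] == "marking-definition" or max(levels, default=0) <= limit:
            kept.append(o)
    ids = {o["id"] for o in kept}
    kept = [o for o in kept if o["type"] != "relationship"
            or (o["source_ref"] in ids and o["target_ref"] in ids)]
    return {"type": "bundle", "id": bundle["id"], "objects": kept}
```

A TLP:GREEN recipient receives the indicator but not the amber-marked malware description, and the relationship pointing at the withheld object is dropped with it, so the shared bundle never references content the recipient was not given.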

IT-ISAC is a non-profit organization that provides a key resource for collecting cyber threat information and exchanging it between the private and public sectors across the infrastructure. IT-ISAC is the ultimate source of knowledge on protection concerns in the IT sector.

SOCRadar combines attack surface management, digital risk protection, and threat intelligence capabilities to support SOC teams.

SOCRadar’s ThreatFusion provides actionable insights into future cybersecurity threats with a big-data-powered threat investigation module that assists in searching for deeper context and in real-time threat investigation and analysis. SOC teams, threat intelligence analysts, and incident response teams can integrate SOCRadar with SIEM and SOAR platforms to leverage threat feeds such as IOCs, malicious IP addresses, DDoS attackers, and APT groups, and so improve their security posture.

SOCRadar's RiskPrime builds on industry-leading instant phishing domain identification, internet-wide scanning, and compromised credential detection technologies by aggregating and correlating massive numbers of data points into actionable intelligence alerts. SOCRadar continuously discovers your public-facing digital assets to eliminate blind spots and shadow IT risks, and alerts SOC teams with fast and targeted intelligence.

SOCRadar’s AttackMapper provides insight and visibility into these assets, discovering and monitoring everything related to your organization on the Internet to bring the enormous scale of your attack surface into focus. Through SOCRadar’s advanced internet-wide monitoring algorithms, AttackMapper gives SOC teams direct visibility into all internet-facing technological assets in use, as well as assets attributed to IP, DNS, domain, and cryptographic infrastructure.