“Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers” Notes

“Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers” by Aaron Roberts

The Cybersecurity Wild West

Free, open-source Threat Intelligence Platforms (TIPs): Malware Information Sharing Platform (MISP), OpenCTI.

Cyber Threat Intelligence — What Does It Even Mean?

The Intelligence Cycle

  1. Planning and Direction
  2. Collection
  3. Processing and Exploitation
  4. Analysis
  5. Dissemination
  6. Feedback

Structured Intelligence — What Does It Even Mean?

OpenIOC has been superseded by ATT&CK because industry has moved away from pure IOC detection and mitigation.

Determining What Your Business Needs

Data types required by different customers

  • SOC: reporting, IOCs, TTPs, Courses of Action (CoA)
  • Threat hunting: IOCs, TTPs, Yara rules, detection signatures
  • CISO: Reporting
  • Threat and vulnerability management: reporting, CVEs, CoAs
  • Executives: reporting
  • Broader security team: reporting
  • Fraud: reporting, indicators
  • Product owners: reporting, CVEs, CoAs
  • Wider staff: awareness reporting

Tactical intelligence

  • Focused on strengths and vulnerabilities of organization’s network defense and adversary TTPs.
  • About short-term, daily moments. Content can be highly technical, often involves sharing IOCs.
  • Reporting often contains details about malware, what it does, and indicators and TTPs to look for.

Operational intelligence

  • Next step up from tactical intelligence.
  • Reports are usually long-form and include detailed breakdowns of particular threats (specific malware, campaigns, threat actors, incidents, etc.); more detailed than tactical reports.
  • Goal of report is to give a more detailed and rounded view of a specific threat to enable the organization to respond appropriately and swiftly.

Strategic intelligence

  • Designed to take a broader, more holistic view of overall landscape and trends and provide contextualized intelligence. Usually aimed at more senior leaders.
  • Reports can cover wide variety of topics, but usually broad threats (phishing, ransomware), industry sectors (finance, telecommunications, etc.), geopolitical events. Point is to provide overview of subject, why it matters to organization, high-level potential impact.

Most popular open source free TIPs

  • Malware Information Sharing Platform (MISP)
  • OpenCTI
  • ThreatConnect Open
  • Anomali STAXX

How Do I Implement This? (Regardless of Budget)

Threat analysis tools

  • VirusTotal
  • Any.run
  • Hybrid Analysis
  • Joe Sandbox

Reasons for CTI

  • Requests for information (RFIs): about particular malware, threat, actor, etc.
  • Incident response (IR): study IOCs or TTPs to give team intel to understand and remediate immediate risk
  • Proactive research: info on business priorities

Things to Consider When Implementing CTI

Most people in CTI call themselves analysts.

Traits of good intel analysts

  • Curiosity
  • Critical Thinking
  • Self-Awareness: awareness of your conscious and unconscious biases
  • Analysis
  • Data Validation: consider source reliability, info accuracy
  • Inductive/Deductive Reasoning
  • 5WH (Who, What, Where, When, Why, How)
  • Structured Analytical Techniques: pattern analysis (emerging trends, common characteristics, etc.), network/link analysis (visualization of common data points such as people, infrastructure, IOCs, etc.), analysis of competing hypotheses (ACH), red teaming
  • Information Security Fundamentals: at minimum, comfortability with core cybersecurity concepts; malware analysis and threat hunting are hugely beneficial

The Importance of OSINT

Free threat feeds are a useful starting point, but probably aren’t enough to provide the best protection.

OSINT platforms (all with free or community versions)

  • VirusTotal
  • Any.run
  • Hybrid Analysis
  • URLScan
  • Joe Sandbox

OSINT environment

  • Dedicated hardware or VM
  • Burner device if accessing dark web, underground forums
  • VPN or 4G/5G connection
  • Sockpuppets/aliases

Sockpuppet creation & use

  • Create account using phone, to look more legit. Don’t use a VM, VPN, or Tor.
  • Use uniquely generated/edited profile pictures.
  • Use account as a normal person would (browse, like, comment, search, etc.).

I Already Pay for Vendor X — Should I Bother with CTI?

Commercial TIPs: EclecticIQ, Anomali, ThreatConnect.


Author’s top takeaway: adopt a formalized intel requirements process to ensure you’re providing info business needs.

CTI next steps

  • Identify where to get value from existing tools, and find vendors to meet additional needs.
  • Ensure org adopts standardization; use ATT&CK mappings in reports and provide mitigation and prevention advice.
  • Consider using STIX/TAXII when sharing threat data to promote standardization.
  • Use OSINT as much as possible, in addition to commercial and closed sources.

Useful Resources

Concepts CTI analysts must understand

  • Intelligence cycle
  • Intelligence requirements
  • Intelligence writing
  • Ways of classifying intelligence (confidentiality, source evaluation, etc.)
  • Structured analytical techniques (analysis of competing hypotheses, cone of plausibility, contrarian/imaginative techniques, etc.)
  • Conscious/unconscious bias
  • CTI-specific concepts (diamond model, ATT&CK, STIX/TAXII)
  • Collection and analysis specifics (infrastructure pivoting, link analysis, OSINT tooling)
  • Yara rules, other basic hunting methods (adversary use of DNS, domain registrations, metadata)
  • Using different infrastructure (virtual machines, cloud service providers, third-party tools, etc.)

Online resources

  • otx.alienvault.com: Community-driven threat information, available as a feed
  • threatcrowd.org: search engine for threat data; has a Maltego Transform
  • threatintelligenceplatform.com: TIP providing threat information on a given threat (domain/IP/hash etc.)
  • exchange.xforce.ibmcloud.com: threat intel reporting, IOC feed, sharing platform
  • threatminer.org: search engine for threat data; has a Maltego Transform
  • hybrid-analysis.com: malware analysis service
  • whatsmyname.app: searches ~285 resources for a matching username
  • boardreader.com: aggregates data from several social sites and forums
  • social-searcher.com: social media search engine



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store