What is cyber threat intelligence?

Cyber threat intelligence is evidence-based information about an existing or emerging threat to an organisation.

Cyber threat intelligence is created from the collection and analysis of data pulled from multiple sources, including open source, deep and dark web and finished intelligence sources.

The insights delivered must be unbiased and reliable so decision-makers can make timely decisions, to reduce risk.

“Cyber threat intelligence is evidence-based knowledge (such as context, mechanisms, indicators, implications, and actionable advice) about an existing or emerging threat that can be used to inform an organisation’s decisions and response to it.” Gartner

The intelligence cycle

The intelligence cycle is a process used by intelligence teams to prioritise and respond to the top risks to their organisation.

It starts with identifying priority intelligence requirements (PIRs), automating the selection, collection, and aggregation of multiple sources of data, analysing the data, and creating reports which can be disseminated across the organisation.

This allows for the identification of intelligence gaps and the creation of new collection requirements based on continual feedback, restarting the cycle.

Types of cyber threat intelligence

There are typically four types of cyber threat intelligence.

Tactical intelligence: Tactical intelligence identifies the tactics, techniques, and procedures (TTPs) of malicious actors. It helps security teams understand the capabilities and goals of the attackers alongside the attack vectors. This enables organisations to detect and respond to cyberattacks to mitigate risks.
Operational intelligence: Operational intelligence focuses on current and near-term threats. By investigating threat actors’ techniques, behaviours, motivations, and timings of an attack, it helps inform security teams day-to-day operations, including incident response and threat hunting.
Technical intelligence: Exploring the evidence of an attack provides security teams with the ability to understand the specific technical details of a threat. This type of intelligence analyses threats including malware, indicators of compromise (IOCs), IP addresses, phishing email content and malicious webpages.
Strategic intelligence: Strategic intelligence provides a long-term view of the threat landscape. It enables organisations to understand the financial and reputational impact of cyber threats to their business. It is used to inform strategic decision making, resource allocation and when organisations need to strengthen their security posture.

Types and sources of cyber threat intelligence

Types. Cyber threat intelligence data can be structured or unstructured. Structured data is organised and formatted. Examples include names, dates, addresses, credit card numbers or bank account numbers. It is easy to manipulate, search and sort.

Unstructured data includes written content on news sites and blogs, messaging platforms, social media posts or audiofiles, images and videos. It has no particular format and is not organised into a defined structure. It can’t be easily entered into a database and is difficult to process and analyse at scale.

Sources. The sources of cyber threat intelligence are both broad and varied.

The majority of cyber intelligence is gathered from open or publicly available sources that can be accessed and used by anyone. Open-source intelligence (OSINT) includes information available on the internet, in news, articles, blogs and social media posts, as well as data that is collected and shared by people or organisations.

Examples of open-source cyber intelligence include:

Malware mentions involving third-party vendors, as well as malware threat campaigns and their tactics, techniques and procedures
Lists of publicly disclosed Common Vulnerabilities and Exposures (CVEs)
Finished intelligence feeds, reports and bulletins and analyst research
Physical security developments like protests and conflicts that can impact cybersecurity
News, blogs and social media posts that expose zero-day threats and other breaking cybersecurity news

The deep web and dark web can also be sources of cyber threat intelligence.

Monitoring these communications can provide intelligence about new and emerging threats as well as potential vulnerabilities that organisations may need to address, the types of data that have been compromised, the tactics, techniques, and procedures (TTPs) being used by these groups and the organisations that have been targeted.

Why organisations need cyber threat intelligence

Cyber threats are rising in volume and complexity. Organisations need to be able to detect, understand and prioritise relevant cyber threats and vulnerabilities, accurately and in a timely manner.

Threat intelligence helps organisations identify ransomware, data breaches and phishing attacks that target executives, allows asset and ATP monitoring and minimises supply chain risk.

Effective real-time threat intelligence provides the context of an attack so security teams can understand the background and relevance to their organisation. It can then be used to prioritise risks and take the appropriate action to protect the organisation, in advance.

How organisations monitor cyber threats using cyber threat intelligence

Manual analysis

Many organisations use manual processes to select, collect and aggregate cyber data intelligence.

This can include searching for information using search-engines, like Google, social media platforms like Twitter, LinkedIn, and Reddit. It also involves subscribing to threat intelligence feeds and newsletters.

This requires time-consuming, labour intensive validation, de-duping and standardising of data, that can result in biased, inaccurate data that cannot be relied on for accurate decision-making.

Threat intelligence platforms

Threat intelligence teams often use cyber threat intelligence platforms. These can select, collect and aggregate data from multiple sources, to deliver context and analysis. This helps organisations better understand the motivations, tactics, and capabilities of threat actors and make confident decisions to defend and respond to cyber threats quickly and effectively.

Silobreaker streamlines the intelligence cycle. Security teams can analyse and process complex data, create relevant reports and communicate to multiple stakeholders in a single workflow. This means security teams can track the development of incidents in real-time, seamlessly pivot between data sets, use cases, locations, and entity profiles. This approach delivers substantial efficiency gains when meeting priority intelligence requirements (PIRs), to reduce risk and response times, providing decision-makers with actionable intelligence faster.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_1737047_9	1 minute	Set by Google to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

What is cyber threat intelligence?

The intelligence cycle

Types of cyber threat intelligence

Types and sources of cyber threat intelligence

Why organisations need cyber threat intelligence

How organisations monitor cyber threats using cyber threat intelligence

Threat intelligence platforms

FAQs

Get started today

Product

Log in

Resources

Partners

Company

Contact

Cookie	Duration	Description
_clck	1 year	No description
_clsk	1 day	No description
AnalyticsSyncHistory	1 month	No description
CLID	1 year	No description
li_gc	5 months 27 days	No description
SM	session	No description available.