Cyber Threat Intelligence is Just Information Collection, Right?

Before we jump into the business of the day, here is the cybersecurity news you might have missed this week:


  • Major US pipeline shut down due to cyberattack. The latest victim of a cyberattack is Colonial Pipeline, which was forced to shut down operations after a ransomware attack. In a statement, the company, which delivers about 45% of the fuel used along the Eastern Seaboard, noted that the attack has caused a delivery issue, not a gasoline production issue, and will not have much impact on prices.

  • Big tech and the US government team up to tackle ransomware. The Institute for Security and Technology is setting up a task force to aggressively tackle and respond to ransomware attacks. The task force includes the FBI, Cisco, Microsoft, Amazon Web Services, the Department of Homeland Security, and the UK's National Crime Agency.

  • Crypto stealer Panda distributed via Discord. The new villain in town is Panda, a crypto-stealer that siphons off unsuspecting users' cryptocurrency and other sensitive information, spread via spam emails. Panda is reported to disguise itself as a business quote request to cajole users into opening the malware-laden Excel files we previously reported on. In a world where crypto is quickly becoming the cornerstone of many people's get-rich-quick dreams, the irony is uncanny.


And now to the topic of the day.

Cyber Threat Intelligence is Just Information Collection, Right?


You must admit, digitalization in just about every industry has made operations smoother and more efficient. The proliferation of digital technology has revolutionized and strengthened the economic landscape for most businesses and corporations today, much as the Industrial Revolution did in its day.


But those are just the perks. The process came bearing challenges in the form of cyberattacks and data breaches, and today these challenges are increasingly persistent. Over 4,000 ransomware attacks occur around the world every day. One study projects that this year a ransomware attack will occur every 11 seconds, incurring total losses estimated at $20 billion.


Cybersecurity, data protection, and privacy remain a challenge today, perhaps more than ever. According to one survey, 22% of organizations worldwide rank cybersecurity as a top concern, so private-sector players are just as motivated to tackle these threats effectively as national governments are.


A comprehensive Cyber Threat Intelligence (CTI) program is the difference between seeing a highly damaging Advanced Persistent Threat (APT) attack coming from a mile away and stopping it, and welcoming it with open arms. However, some view CTI as purely a process of gathering and collating information about threat actors in cyberspace; the truth is more complicated.


Information is more or less unfiltered data gathered from several (sometimes unverifiable) sources, and it may be misleading. Intelligence, on the other hand, is drawn from reliable sources, sorted, and fact-checked by experts before it becomes useful.


It may be obvious, but military agencies will always prioritize and act on intel from a verifiable source rather than acting on the hearsay and rumors that make their way into the control room. The risk is drastically reduced, and the course of action much clearer, once information has been processed into intelligence.


Cyber Threat Intelligence is more than just collecting information about a threat. It is a holistic product combining evidence-based knowledge, indicators, impacts, and pre-emptive measures for new and existing threats particular to an organization, its industry, or even a country. It also includes an understanding of the tactics, techniques, and procedures (TTPs) of bad actors and even the motivation behind an attack.


Processes Involved in the Cyber Threat Intelligence Lifecycle


There are a few distinct phases involved in collecting and actioning Cyber Threat Intelligence:


  • Planning and Direction. This is perhaps the most critical phase of the entire Cyber Threat Intelligence lifecycle. In this phase, you set out the goals, objectives, and intelligence requirements (or essential elements of information) for your CTI team. Determine the value the intelligence is expected to deliver, for example quicker attack detection and response, strategic risk mitigation, or more efficient cybersecurity spending. Decide how it aligns with your organizational objectives (for example, expanding into a new geographic region) and how impactful it will be once implemented.

  • Collection. Here, you implement a strategy that determines what data is collected to satisfy the requirements set in the previous phase. The best CTI programs and tools combine internal data from your own infrastructure and the records of past and current incidents with external sources, including non-public ones such as the dark web.

  • Processing. At this point you have a lot of raw, unfiltered data from several sources (information, if you will), often too disjointed for a human analyst to work through efficiently. Time to start turning it into clear, organized intelligence. Luckily, you don't have to reinvent the wheel: there is no shortage of sophisticated CTI platforms on the market, from our very own AEGIS™, which uses AI and machine-learning algorithms to filter millions of data points into structured views for analysts to act on, to tools from Recorded Future and ThreatConnect.

  • Analysis. Here, you evaluate the processed information, identify potential cybersecurity concerns and risks, and notify relevant teams within your organization for prompt assessment and adequate response.

  • Dissemination. After thorough analysis, the finalized intelligence products are delivered to your key stakeholders through briefings and intelligence reports. These products should align with stakeholders' expectations and subject matter expertise, so it is important to tailor both the language and the perspective accordingly.

  • Feedback. The final phase of the process is to gather feedback from stakeholders and fine-tune the deliverables accordingly. It is key that CTI is acted upon, so ease of interpretation and clear prioritization must always be areas of focus.
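
To make the information-versus-intelligence distinction concrete, here is a small added example of what the Processing and Analysis phases actually do to raw feed data. It is illustrative code written for this post, not code from the original article, from AEGIS™ or from any vendor. Every feed record, source name, reliability value and log line in it is constructed for the example, and the source-reliability table and the noisy-OR confidence formula are assumptions standing in for whatever your own Planning phase decides.

```python
"""
Constructed walk-through of the Processing and Analysis phases: raw feed
entries (information) are normalised, de-duplicated, scored by source
reliability and corroboration, then matched against internal telemetry
to produce prioritised findings (intelligence). Every feed, source name,
reliability value and log line below is made up for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical source reliability (0.0-1.0), fixed during Planning and
# Direction. Sources not in the table get a low default.
SOURCE_RELIABILITY = {"vendor-feed": 0.9, "isac-share": 0.8, "forum-paste": 0.3}
DEFAULT_RELIABILITY = 0.2

# Constructed raw records. Note the duplicates hidden by defanging, mixed
# case, a URL where a domain was expected, and an RFC 1918 address.
RAW_FEED = [
    {"source": "vendor-feed", "type": "ip", "value": "203.0.113.7", "tag": "ransomware-c2"},
    {"source": "isac-share", "type": "ip", "value": "203[.]0[.]113[.]7", "tag": "ransomware-c2"},
    {"source": "forum-paste", "type": "domain", "value": "Update-Invoice[.]example", "tag": "panda-stealer"},
    {"source": "forum-paste", "type": "ip", "value": "10.0.0.5", "tag": "c2"},
    {"source": "vendor-feed", "type": "domain", "value": "hxxp://update-invoice.example/q.xlsm", "tag": "panda-stealer"},
    {"source": "random-blog", "type": "ip", "value": "198.51.100.23", "tag": "scanner"},
]

# Constructed internal telemetry (DNS and proxy log lines). The last line
# is a near-miss that naive substring matching would wrongly flag.
TELEMETRY = [
    "2021-05-10T09:14:02Z dns client=10.1.2.33 query=update-invoice.example",
    "2021-05-10T09:14:03Z proxy client=10.1.2.33 dst=203.0.113.7:443 bytes=8810",
    "2021-05-10T09:20:11Z proxy client=10.1.2.40 dst=203.0.113.70:443 bytes=1203",
]

# Only RFC 1918, loopback and link-local ranges are treated as noise here;
# the documentation ranges (203.0.113.0/24 etc.) stand in for public IPs.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def refang(value: str) -> str:
    """Undo common defanging and strip scheme/path so equal IOCs compare equal."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    v = re.sub(r"^https?://", "", v)  # drop scheme
    return v.split("/")[0]            # keep the host only


def is_routable_ip(value: str) -> bool:
    """False for anything that is not an IP or sits in a non-routable range."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def process(feed):
    """Processing: normalise values, drop junk, merge duplicates across sources."""
    merged = defaultdict(lambda: {"sources": set(), "tags": set()})
    for rec in feed:
        value = refang(rec["value"])
        if rec["type"] == "ip" and not is_routable_ip(value):
            continue
        merged[(rec["type"], value)]["sources"].add(rec["source"])
        merged[(rec["type"], value)]["tags"].add(rec["tag"])
    return dict(merged)


def score(sources) -> float:
    """Noisy-OR of source reliabilities; assumes the sources are independent."""
    miss = 1.0
    for s in sources:
        miss *= 1.0 - SOURCE_RELIABILITY.get(s, DEFAULT_RELIABILITY)
    return round(1.0 - miss, 2)


def seen_in(value: str, line: str) -> bool:
    """Whole-token match, so 203.0.113.7 does not hit on 203.0.113.70."""
    pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
    return re.search(pattern, line.lower()) is not None


def analyse(merged, telemetry, min_confidence=0.5):
    """Analysis: keep confident indicators, rank those seen internally first."""
    findings = []
    for (itype, value), info in merged.items():
        conf = score(info["sources"])
        if conf < min_confidence:
            continue
        hits = sum(seen_in(value, line) for line in telemetry)
        findings.append({"type": itype, "value": value, "confidence": conf,
                         "sources": sorted(info["sources"]),
                         "tags": sorted(info["tags"]), "internal_hits": hits})
    findings.sort(key=lambda f: (-f["internal_hits"], -f["confidence"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(process(RAW_FEED), TELEMETRY):
        print(finding)
```

Six raw records collapse to three indicators, the private address is discarded, and only the two that clear the confidence bar and were actually observed in the constructed telemetry come out the other end, ranked for the analyst. Two caveats a practitioner should carry into a real pipeline: the noisy-OR formula treats every source as independent evidence, but feeds routinely re-share one another's indicators, so the same IOC on three aggregators may be a single original observation; and the whole-token match in `seen_in` matters, because a plain substring check would have flagged the unrelated 203.0.113.70 connection.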


A final point to remember: these days, cybersecurity is a holistic business-risk issue, not an IT problem. It directly affects customer loyalty, reputation, the stability of your supply chains, and ultimately the organization's bottom line. Making sure this is understood across the corporate hierarchy and across functions will go a long way towards ensuring the survival of the business in today's highly competitive environment.


Don't forget to subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!
