Introduction to Cyber Threat Intelligence



The digital transformation that

is being experienced in
companies around the world, se translates into a large number of advantages for them in relation to increased productivity, andThe company’s business is also a generalized and constant threat to the environment. in the area of information security and corporate assets. In general, organizations maintain reactive and reactive approaches traditional defenses that with the advancement of technology thatedan obsolete y,



surmountables by the attackers. Any organization, regardless of its sector or activity, is exposed to a number of threats such as denial of service, data breaches, cyber espionage, botnets, different types of malware, phishing or even insiders for unethical purposes. All of this translates into challenges and opportunities that can be key to business continuity and asset security, as can be seen in the following table. growing trend investment and awareness in cybersecurity.

In order to prevent the potential consequential impact of an information security attack, cyberthreat intelligence

cyber threat intelligence


Threat Intelligence (CTI) allows to know in detail the outer part of the security perimeter of the organizations, allowing them to get ahead of to potential attacks and improving asset security. A possible definition about the intelligence of cyberthreats to The methodology is proactive in nature and allows for an in-depth understanding of the different threats, including their main characteristics such as their capabilitiesavailable resources, motivation and objectives. This type of intelligence is based on the intelligence methodology, which is defined as follows The process of transforming data and information into knowledge for decision making.nes. Both methodologies rigorously comply with the intelligence cycle, understood as a circular sequence through which information and data are obtained and converted ton in the knowledgeThe aim is to ensure that the knowledge or information produced by theThe information provided is timely, accurate, actionable and relevant. The phases are divided into fourThe first of these consists of the AddressThe following table shows the requirements of the The following phases are planned and organized accordingly. During la phase of Obtaining
information is acquired from the different possible sources, in order to continue with the phase of






of intelligence
This is divided into four phases: evaluation of the information, analysis of the information, integration and interpretation of the knowledge produced. The
The last phase focuses on

The knowledge base for decision making, which must be specific to each situation as will be defined below.

To better understand the benefits of applying the intelligence methodology, we will cyberthreats to the business environment, is specified some of the actions that are part of the cycle and the results that can be obtained. During the first phase determine the specific needs of each organization, always depending on the sector or activity it performs, historical attack history, etc. to the organization or companies or specific needs. In the collection phase, different sources are used, such as the collection of feedsmonitoring in Internet, either in indexed or non-indexed sites, such as deep o dark use of information repositories of governmental or international organizations.nals, suppliers or specific sources of knowledge. Once the necessary information has been obtained, the various teams analyze the data through relevance assessments. and reliability of the samecorrelation analysis, correlation analysiss e identification of valuable informationamong others. Through this analysis, knowledge of the attack methodology and the processes and tools that are used in the attack is extracted. can useto be held during the next subphasethe production area, the production area, to gain knowledge of the specific of threats through the generation of scenariosmodeling and profiling of the various stakeholders and the attack tree or frequent patterns used in the attacks studied. Finally, the dissemination phaseThe project consists of the delivery of intelligence reports, executive summaries and presentations to decision-makers.and continuous monitoring for news and changes. This step may seem irrelevantng the decision making process, but it can make a difference in the decision making processThe appropriateness of the message for each interlocutor, as well as the content of the message is crucial. R
e remember that we are looking for the knowledge or


information produced to be timely, accurate, actionable and relevant.


and there will always be different professional profiles among decision makers and therefore different reports and content for them.

The fact of having to adapt the message, as well as the content of the message, is based on the different typologies on the different types of Cyber Threat Intelligence and the people and and functions and functions that compose them:

  • StrategicIt consists of crucial information for people whose background is not technical whose background is not technical such as information or impact economico, historical attacks or trends and relevant information that may affect business decisions. The target audience is usually the board of directors or senior decision makers at a higher level.
  • TacticsIncludes information about how the attackers perform their maneuvers, including tactics, techniques and procedures (TTP). Adds value to compression tThe main targets are those responsible for the attack chain and the threat actors, and are primarily aimed at those responsible for systems or infrastructure. systems or infrastructure.
  • Technique: It is based on specific information such as the type of malware used. It is usually aimed at research managers or Security Operations Center (SOC) analysts.
  • OperationalOperational: This type of intelligence is useful in the detection and mitigation of possible attacks for operational security personnel. possible attacks for the operational security personnel, since it gathers the necessary measures or actions to be taken in case of a possible attack to the organization.

In conc



the application of


threat intelligence methodology

threat intelligence
provides resources and capabilities to cope with potential attacks against the organization and its information assets, preventing and avoiding important impacts economicand, of course, reputational. In addition, it makes it possible to abandon the traditional focus on internal perimeter security for the knowledge of what is outside the perimeter. perimeterwhich ise results in a change in the security attitude, specifically shifting the focus from reactive to reactive. proactive and seeking to respond to what we know that we know, what we know that we don’t know, what we don’t know that we know, and what we don’t know that we don’t know.

Carlos Javier García García