Cyber Threat Intelligence (CTI) refers to all the processes, tools and data used to collect, analyse and share information on cyber threats. The aim is to answer the following questions in order to anticipate malicious actions and strengthen the defence of information systems:
- Identifying threat actors
- Recognising attack techniques
- Anticipating exploited vulnerabilities and malicious campaigns
- Strengthening prevention, detection and response measures
- Strategic and operational decision-making support in cybersecurity
| THE CHARACTERISTICS OF CYBER THREAT INTELLIGENCE | EXPLANATIONS |
|---|---|
| Types of information | Tactical: information on tactics, techniques and procedures (TTPs). Operational: details of specific current or past events. Strategic: high-level analysis of threats, their motivations and objectives. Technical details: raw data and indicators that can be used directly with tools. |
| Sources of CTI | OSINT. Commercial sources: threat intelligence providers. Community sharing: ISACs, open-source projects, exchanges between CERTs. Internal sources: logs, past incidents, malware or network analyses. |
| CTI tools and platforms | MITRE ATT&CK: database of TTPs used by attackers. MISP: threat intelligence sharing platform. STIX/TAXII: standard formats for exchanging information. Monitoring tools: VirusTotal, Shodan, ThreatConnect... |
"To compete with the great powers, particularly the United States and China, the EU Member States have every interest in pooling their skills in cybersecurity and in strengthening their cooperation. This text is part of this dynamic by including the strengthening of ENISA's prerogatives, the promotion of large-scale certification schemes and the consolidation of synergies between Member States."
- Planning: what needs, what threats?
- Information gathering (tools, monitoring, sources)
- Processing the data collected
- Analysis process: correlation, sorting, contextualisation
- Distribution: sharing with the right people or tools
- Feedback: assessing relevance and continuous improvement
To be relevant, threat intelligence must be contextualised, shared and used effectively within the organisation. Likewise, the handling of that data must not involve confidential or personal data.
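As an added illustration of the processing, analysis and distribution steps of the cycle above (example code written for this page, not part of the original), the script below filters a STIX 2.1 indicator bundle (the exchange format listed in the table) by confidence, correlates the surviving indicators with internal log lines, and formats the hits for distribution. The bundle, its ids and the log lines are constructed sample data, not a real feed.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a feed pulled during the
# information-gathering step (sample data and made-up ids, not a real feed).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0d9c3b2e-1c7a-4e6f-9a0b-111111111111", "objects": [
    {"type": "indicator", "id": "indicator--0d9c3b2e-1c7a-4e6f-9a0b-222222222222", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2024-01-01T00:00:00Z", "confidence": 80,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}]},
    {"type": "indicator", "id": "indicator--0d9c3b2e-1c7a-4e6f-9a0b-333333333333", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update.example.invalid']", "valid_from": "2024-01-01T00:00:00Z", "confidence": 30},
    {"type": "malware", "id": "malware--0d9c3b2e-1c7a-4e6f-9a0b-444444444444", "name": "SampleLoader"},
]})

# Constructed internal firewall/proxy lines (the "internal sources" row of the table).
LOG_LINES = [
    "2024-03-02T10:15:01Z fw allow src=10.0.0.12 dst=198.51.100.7 dport=443",
    "2024-03-02T10:16:44Z proxy client=10.0.0.33 host=update.example.invalid",
    "2024-03-02T10:17:09Z fw allow src=10.0.0.12 dst=203.0.113.9 dport=80",
]

# Only single-comparison STIX patterns on these two observable types are evaluated here.
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")  # whole-token matching avoids 198.51.100.7 hitting 198.51.100.77

def process(bundle_json, min_confidence=50):
    """Processing: keep indicators we can evaluate, drop low-confidence ones, dedupe by value."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = PATTERN_RE.fullmatch(obj["pattern"])
        if not match or obj.get("confidence", 0) < min_confidence:
            continue
        phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])]
        iocs[match.group(2)] = {"type": match.group(1), "phases": phases, "id": obj["id"]}
    return iocs

def analyse(iocs, log_lines):
    """Analysis: correlate indicators with internal logs and attach their ATT&CK phase as context."""
    hits = []
    for line in log_lines:
        for value in sorted(set(TOKEN_RE.findall(line)) & set(iocs)):
            hits.append({"value": value, **iocs[value], "log": line})
    return hits

def report(hits):
    """Distribution: one line per hit, ready to hand to the SOC or a ticketing tool."""
    return [f"[{','.join(h['phases']) or 'unclassified'}] {h['type']} {h['value']} seen in: {h['log']}" for h in hits]
```

Lowering `min_confidence` lets the low-confidence domain indicator through as well, which is the kind of threshold the feedback step of the cycle is meant to tune.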