Working Document
A Quote from the Author/s
Digital Signature
Table of Contents
[TBA]
Intended Audience
Building a Cyber Threat Intelligence (CTI) program requires collaboration across multiple teams. The following roles can benefit from and contribute to this model:
Leadership & Key Decision-Makers
* CTI Directors & Team Leaders – Individual roles or part of larger teams (e.g., Cyber Defense Centers).
* Cybersecurity Executives & Senior Leaders
* Chief Information Security Officer (CISO) – Responsible for an organization's information and data security.
* Chief Information Officer (CIO) – Oversees information technology and computer systems.
* Security Operations Center (SOC) Manager/Director – Leads teams monitoring and analyzing security posture.
Intelligence & Security Practitioners
* Threat Intelligence Analyst – Gathers, processes, analyzes, and disseminates threat intelligence.
* Incident Response (IR) Manager/Specialist – Leads or responds to security incidents.
* CTI Team Lead/Manager – Manages a cyber threat intelligence team.
* Cybersecurity Manager – Oversees security strategy and implementation.
* Security Architect – Designs and implements security infrastructure.
* Network Security Engineer – Implements and manages network security.
Risk, Compliance & Business Resilience
* Risk and Compliance Manager – Manages risks and ensures regulatory compliance.
* Business Continuity Manager – Develops plans to sustain business operations during disruptions.
IT & Infrastructure Leaders
* IT Director – Oversees IT infrastructure and operations.
Cybersecurity Stakeholders
* SOC Analysts, Incident Responders, and Cybersecurity Researchers
By integrating insights from these cross-functional roles, organizations can strengthen their CTI maturity, enhance threat detection, and improve resilience against evolving cyber threats.
Purpose of the E-Guide
One of the biggest challenges in cybersecurity is operationalizing threat intelligence. In today’s rapidly evolving threat landscape, businesses struggle to identify and act on relevant intelligence. This guide provides practical strategies to help security teams:
* Filter through overwhelming alerts to prioritize risks effectively.
* Enhance immediate protection through actionable intelligence.
* Integrate threat intelligence into broader security operations, creating an end-to-end defense strategy.
Introduction
Defense without intelligence is like having four eyes yet knowing nothing about your enemy: who they are, how they will strike, or when. The result? Your digital identity, assets, data, stakeholders, customers, and entire network can suffer devastating blows from cyber threats or disruptions. Having no context on what hit you leaves response efforts ill-informed and ineffective, leading to exhausted resources, overworked teams, and significant losses.
This agony can result in long-lasting impacts, all of which could have been avoided with the right insights into your unique threat landscape. By staying a step ahead of cyber adversaries, businesses can confidently say, 'I see you, and I'll outwit you.'
Combined with precision, intelligence becomes a robust counter-strategy against modern threats. However, in today's ever-shifting landscape, keeping up is increasingly challenging. Mapping risks and aligning real-world threats with the theoretical models outlined in frameworks often feels like chasing a moving target.
Moreover, organizations with a mature security function that source threat intelligence from multiple points often find the data fragmented, multi-modal, and non-contextualized. Operationalizing threat intelligence remains an ongoing challenge. Depending on their maturity, some organizations struggle to extract meaningful, contextual insights from the data they receive, while others struggle to understand why they need threat intelligence in the first place.
This e-guide is designed to be an all-in-one source on CTI—its relevance and how you can make intelligence actionable to stay ahead of cyber challenges specific to your region, industry, and business.
The guide will be useful for newly formed teams that have yet to establish their processes and structure. It may also prove valuable for existing threat intelligence team leaders, offering new insights or a different perspective on CTI. At Group-IB, we have often reorganized the CTI process and teams; it is always an evolving journey. So, keep developing your own team and processes; there is always room for improvement.
What is CTI and its components?
Cyber Threat Intelligence (CTI) is the process of systematically collecting, processing, analyzing, and disseminating information about cybersecurity threats, vulnerabilities, and adversaries. It involves gathering multi-source data, transforming it into meaningful information, and delivering it in a way that can be used to detect, respond to, and combat cyber threats proactively.
CTI converts threat information into evidence-based intelligence that uncovers adversaries' intents, motives, and capabilities. This is essential for effective defense against all types of threats. By defining threat models and prioritizing threats, CTI helps organizations make informed investments in cybersecurity.
Building Components of CTI:
* Data are raw pieces of information that carry no context on their own, such as IP addresses or domain names. Data that has been collected, processed, and analyzed becomes information.
* Context is the set of circumstances and/or conditions surrounding a particular cybersecurity risk that may affect an organization's security posture.
* Intelligence is the result of collecting, processing, and analyzing data against the task at hand, allowing us to draw conclusions and make further decisions.
CTI is critical to building an organization’s risk profile and implementing security measures specifically tailored to address the organization's unique threats and vulnerabilities.
CTI Feeds & Data
Feeds are usually used to automate the integration of data sources with the solutions already deployed on the organization's network. A feed is a source of structured, often real-time data about cybersecurity threats, vulnerabilities, indicators of compromise (IoCs), and other relevant information.
CTI feeds usually consist of the following (type of data, what the feed contains, and the common formats it is delivered in):
IoC (Indicators of Compromise)
* Feed: domain names, malicious URLs, IP addresses, malware hashes, malicious emails
* Common formats: csv, json, txt, STIX/TAXII, OpenIOC
Malware signatures
* Feed: Suricata/Snort rules, YARA rules
* Common formats: YARA, Suricata, Snort, Sigma
TTPs (Tactics, Techniques and Procedures)
* Feed: MITRE ATT&CK heatmap
* Common formats: json
Reports
* Feed: reports in text and pictures; can also include OSINT data such as cybersecurity news
* Common formats: pdf, json (text, pictures)
Vulnerabilities
* Feed: CVE, CVSS, Impact Subscore, Exploitability Subscore, Temporal score, PoCs
* Common formats: json
Compromises
* Feed: compromised accounts, compromised PII, compromised credit card data, public breaches
* Common formats: raw data, json, Cronos, databases, csv
Dark web
* Feed: messages, threads
* Common formats: raw data, images
These feeds can be used for detection, blocking, attribution, and IoC database enrichment. For example, some feeds can be integrated with an XDR/EDR solution to enrich detections and add attribution for visibility; compromised card data can be fed into transaction and/or session anti-fraud systems, and so on. Between the TI source and the detection solution there may also be intermediate layers such as a TIP, SOAR, or SIEM.
For Group-IB Threat Intelligence feeds, you can check available API endpoints here.
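The table above lists feeds in several formats, and the paragraph after it describes pushing them into detection tooling. The following added example (written for this guide; it is not Group-IB code and does not use the Group-IB API) shows the mechanics behind that: three small feeds in CSV, JSON and STIX 2.1 form are parsed into one normalised, de-duplicated indicator set, and constructed proxy/EDR log lines are enriched against it. The feed contents, log lines, field names and the JSON feed layout are constructed for the example, and the STIX parser deliberately handles only single-comparison patterns, skipping anything it cannot interpret rather than guessing.

```python
"""Normalise IoCs from CSV, JSON and STIX 2.1 feeds, then enrich log lines with them.

Added example for this guide, not Group-IB code. Feed contents, log lines and
field names are constructed; the JSON feed layout and the subset of STIX
patterns handled (one equality comparison per indicator) are assumptions.
"""
import csv
import io
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    """One normalised indicator; frozen so it can be a dict key for de-duplication."""
    ioc_type: str   # ipv4 | domain | url | sha256
    value: str


def normalise(ioc_type: str, value: str) -> str:
    """Canonical form so the same indicator from different feeds compares equal."""
    value = value.strip()
    if ioc_type == "domain":
        value = value.lower().rstrip(".")   # case and trailing dot are not significant
    elif ioc_type == "sha256":
        value = value.lower()
    return value


# --- Constructed sample feeds (not real indicators) --------------------------
CSV_FEED = """type,value,source
ipv4,203.0.113.45,feed-a
domain,Update-Check.example.,feed-a
sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,feed-a
"""
JSON_FEED = json.dumps({"indicators": [
    {"kind": "url", "indicator": "http://update-check.example/dl/setup.exe"},
    {"kind": "ipv4", "indicator": "203.0.113.45"},
]})
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "indicator", "id": "indicator--1", "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-check.example']"},
    {"type": "indicator", "id": "indicator--2", "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
    {"type": "indicator", "id": "indicator--3", "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.45' OR ipv4-addr:value = '203.0.113.46']"},
    {"type": "malware", "id": "malware--1", "spec_version": "2.1", "name": "Loader", "is_family": True},
]})


# --- Parsers: each returns a list of Ioc -------------------------------------
def parse_csv_feed(text: str) -> list:
    return [Ioc(row["type"], normalise(row["type"], row["value"]))
            for row in csv.DictReader(io.StringIO(text))]


def parse_json_feed(text: str) -> list:
    return [Ioc(item["kind"], normalise(item["kind"], item["indicator"]))
            for item in json.loads(text)["indicators"]]


# STIX object paths we understand, mapped to our IoC types.
STIX_PATHS = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain",
              "url:value": "url", "file:hashes.'SHA-256'": "sha256"}
# Exactly one "[path = 'value']" comparison; composite patterns (AND/OR) do not match.
SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[A-Za-z0-9_:.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")


def parse_stix_bundle(text: str) -> list:
    out = []
    for obj in json.loads(text)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # malware, relationship etc. objects carry no matchable value
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m or m["path"] not in STIX_PATHS:
            continue  # composite or unsupported pattern: skip rather than guess
        ioc_type = STIX_PATHS[m["path"]]
        out.append(Ioc(ioc_type, normalise(ioc_type, m["value"])))
    return out


def build_index(feeds: dict) -> dict:
    """Merge all feeds into one de-duplicated index: IoC -> names of feeds listing it."""
    index = {}
    for name, iocs in feeds.items():
        for ioc in iocs:
            index.setdefault(ioc, set()).add(name)
    return index


FEEDS = {"csv": parse_csv_feed(CSV_FEED), "json": parse_json_feed(JSON_FEED),
         "stix": parse_stix_bundle(STIX_BUNDLE)}

# --- Enrichment of key=value log lines (constructed proxy/EDR samples) --------
LOG_FIELD_TYPES = {"src": "ipv4", "dst": "ipv4", "host": "domain", "url": "url", "sha256": "sha256"}
LOG_LINES = [
    "2025-03-01T10:02:11Z proxy src=10.0.0.8 dst=203.0.113.45 host=update-check.example "
    "url=http://update-check.example/dl/setup.exe",
    "2025-03-01T10:02:12Z edr host=ws-12.corp.example proc=setup.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2025-03-01T10:03:00Z proxy src=10.0.0.9 dst=198.51.100.7 host=intranet.corp.example",
]


def enrich(line: str, index: dict) -> list:
    """Return every (IoC, feeds) pair whose value appears in a typed field of the line."""
    hits = []
    for token in line.split():
        key, sep, raw = token.partition("=")
        if not sep or key not in LOG_FIELD_TYPES:
            continue
        ioc_type = LOG_FIELD_TYPES[key]
        ioc = Ioc(ioc_type, normalise(ioc_type, raw))
        if ioc in index:
            hits.append((ioc, sorted(index[ioc])))
    return hits


if __name__ == "__main__":
    index = build_index(FEEDS)
    for line in LOG_LINES:
        for ioc, feeds in enrich(line, index):
            print(f"{ioc.ioc_type}={ioc.value} (feeds: {', '.join(feeds)}) <- {line[:60]}")
```

Two details matter in practice: the index records which feeds contributed each indicator (three feeds produce only four distinct IoCs once normalised), which is what later lets you weigh overlapping sources, and the STIX parser refuses composite patterns instead of silently taking the first operand, because a half-parsed pattern produces a confidently wrong indicator.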
Levels of Data
Three levels of intelligence serve different teams and tasks: strategic, operational, and tactical. They range from the high-level, long-horizon view (strategic) to highly detailed, short-lived data (tactical), and each level involves different goals, tasks, and results.
Specific examples in the case of Group-IB Threat Intelligence:
Strategic Intelligence (Level 1)
* Analyst reports, auto-generated reports in a profile
* Threat Landscape
* Dashboard widget “Trends”
* Dashboard “My company”
Operational Intelligence (Level 2)
* Threats & Malware sections, including TA profiles, malware profiles, TTPs, kill chain of attacks
* Open threats
* DLS feeds and phishing kits
* Graph and malware detonation tools
* Dark Web / Instant Messengers
Tactical Intelligence (Level 3)
* IoC:
* Malware database - CNCs & hashes
* All suspicious IP sections
* Attacks/Phishing
* Attacks/DDoS
* Attacks/Deface
* Threat Actors - CNCs, email addresses, hashes
* Malware configurations files
* Malware Suricata rules
* Malware Yara rules
* Vulnerabilities feed
* Used legitimate tools by Threat Actors
* Procedures filtered by MITRE ATT&CK in Threats
* Compromises & leaks feed
CTI Data Flows
Threat Intelligence can be represented as a central object among the security processes, each of which either receives data from it or supplements it with new data.
For example:
* Log Management - Enrichment of logs
* Monitoring - New IOCs, reports, attribution
* Incident Response - IoC contextualization, threat reports, TTPs
* Vulnerability Management - Vulnerabilities, scoring, impact, exploit
* Threat Hunting - Threat contextualization, threat reports, TTPs
* Fraud Protection - Fraud schemes, compromised cards, etc.
The exact dataflows are presented in the diagram below:
Overall, the data flow between CTI and other cybersecurity processes enables organizations to build a more resilient defense against cyber threats by leveraging timely, relevant, and actionable intelligence to detect, respond to, and mitigate security incidents effectively.
Specialists collect, process, and store data in various formats throughout the cycle. These data formats can be stored in centralized storage (e.g., TI Platform), parallelized across different systems, or processed manually by analysts.
Types of Threat Actors, Common Tactics and Techniques (TTs)
Threat actors may be individuals or organized groups that act maliciously to compromise the security of target businesses, governments, and other institutions. They can be financially or politically motivated and come from outside your organization (prolific threat actors behind multiple attacks, or competitors conducting espionage to learn your trade secrets) or from within it (insider threats).
Understanding the types of threat actors and their intrinsic motivations could help businesses understand the types of groups prominent in their local landscape, their level of sophistication, and their ultimate goal.
Types of Threat Actors
Each type is described below with its motivation, resources, and recent associated attacks.
Nation-state threat actors
* Description: Usually linked to a government, these threat actors use cyberattacks targeting other governments, businesses, or entities. Their objectives often include damaging critical infrastructure, waging war, gaining illicit access to classified data or intelligence, and pursuing other goals of national significance.
* Motivation: Multiple motivations behind their advanced persistent threats (APTs).
* Resources: Massive resources supported by governments or specific departments; highly sophisticated attacks.
* Recent associated attacks: Midnight Blizzard attack on Microsoft (January 2024): Microsoft detected a nation-state attack on its corporate systems by a group dubbed "Midnight Blizzard" and activated its response process to investigate and mitigate the malicious activity. UK Government cybersecurity concerns (January 2025): the UK's National Audit Office reported significant vulnerabilities in critical government IT systems, highlighting the severe and advancing threat of cyber-attacks from nation-state actors.
Unskilled, less-experienced attackers
* Description: Often referred to as "noob" threat actors, they typically rely on the tools, expertise, and infrastructure of skilled cybercriminals for their attacks. They may use pre-existing scripts without the knowledge to modify or adapt them, making their attacks less sophisticated but still potentially harmful.
* Motivation: Financial gain, data theft, thrill-seeking, and personal reasons.
* Resources: Lacking resources or expertise, they rely on open-source tools or scripts and often use the services of other, more skilled threat groups. Their attacks do not rank high on sophistication.
* Recent associated attacks: Exploitation of a WinRAR vulnerability by Head Mare (September 2024): the hacktivist group Head Mare exploited a vulnerability in WinRAR (CVE-2023-38831) to target organizations in Russia and Belarus, demonstrating how less-experienced attackers can leverage existing, already-public vulnerabilities.
Insider threats
* Description: Insider threats can be premeditated or unintentional and are caused by individuals within an organization, such as employees, contractors, or business partners, who harm the organization's assets, systems, or reputation.
* Motivation: Sheer negligence, inadequate cyber hygiene, or intent. Deliberate insiders may be driven by financial incentives, sabotage, or coercion by external parties.
* Resources: Their own authorized access as employees, contractors, or partners.
* Recent associated attacks: British Library cyber-attack (2024): the British Library experienced a cyber-attack, underscoring the risks associated with insider threats and the need for robust internal security measures.
Hacktivists
* Description: Hacktivists operate under various goals, often driven by a political or social agenda. Their activities typically aim to generate attention through website defacement, DDoS attacks, confidential data leaks, phishing, and more.
* Motivation: Unauthorized access, financial or ideological incentive, or simply disruption.
* Resources: Low-cost tools, botnets, or support from like-minded individuals.
* Recent associated attacks: KillNet's DDoS attacks on U.S. airports (November 2022): the pro-Russian hacktivist group KillNet claimed responsibility for large-scale distributed denial-of-service (DDoS) attacks against the websites of several major U.S. airports, rendering them inaccessible.
Organized crime
* Description: Organized crime groups are professional cohorts focused on financial gain. They operate like businesses, investing in advanced tools, recruiting skilled personnel, and offering cybercrime-as-a-service (leaked data, phishing toolkits, ransomware-as-a-service) to less skilled or less motivated cybercriminals.
* Motivation: Financial gain is their primary driver.
* Resources: Significant resources, including custom malware, exploit kits, and money laundering networks.
* Recent associated attacks: LockBit ransomware attack on Indonesia's National Data Center (2024): the LockBit ransomware group targeted Indonesia's National Data Center, disrupting immigration and licensing systems.
Shadow IT
* Description: The term shadow IT refers to any IT asset, whether physical hardware, cloud instances, or software and services, that is unmanaged by and unknown to the IT and InfoSec teams responsible for IT infrastructure security within an organization.
* Motivation: Arises from employees seeking to circumvent official processes for convenience.
* Resources: Unsanctioned apps, cloud storage, or hardware that bypass security controls.
* Recent associated attacks: Unmanaged device exploitation by hacktivists (2024): hacktivist groups shifted from distributed denial-of-service (DDoS) attacks to exploiting unmanaged devices within organizations, highlighting the dangers of shadow IT.
MITRE ATT&CK® & Group-IB Threat Intelligence
The MITRE ATT&CK® framework has become the industry standard for describing attack tactics and techniques. Group-IB Threat Intelligence, including its MITRE Matrix view, lets you explore highly contextualized details about threat actors, combining curated information from our threat intelligence data, manual research, and investigations.
Any event or activity reporting is assigned to a threat actor, either cybercriminal or nation-state. We do this because every attack has a threat actor behind it, with distinct behaviors, preferred methods, and known infrastructure.
Campaign Lifecycle & Attacker Timeline
Group-IB Threat Intelligence MITRE Matrix
A cybercriminal campaign typically progresses through these stages:
* Reconnaissance – It is the phase where threat actors collect intelligence about their targets, including their network, exploitable vulnerabilities, coworkers, and more.
* Resource Development – Attackers acquire or build infrastructure such as malware, compromised accounts, command-and-control servers, or phishing kits before launching an attack.
* Initial Access – Threat actors infiltrate systems through phishing techniques, use of exploits, or leaked/stolen credentials to get into systems.
* Execution – The attacker uses scripts, vulnerabilities, or malware execution to run malicious code on a compromised system.
* Persistence – Actors maintain access to the network across reboots, credential changes, and remediation attempts through backdoors, scheduled tasks, registry modifications, or rogue accounts.
* Privilege Escalation – Attackers elevate their privileges to gain administrative control by exploiting vulnerabilities or misconfigurations.
* Defense Evasion – Security is bypassed through encryption, obfuscation, or disabling endpoint protection.
* Credential Access – Attackers illicitly access login credentials via keylogging, credential dumping, phishing, or brute-force attacks.
* Discovery – Mapping out the victim's network, identifying sensitive data, security configurations, and high-value systems.
* Lateral Movement – Attackers move from the initial foothold to other hosts in the network to reach high-value systems and data.
* Payload Deployment – Ransomware, trojans, or backdoors are activated.
* Data Exfiltration & Impact – Adversaries steal data, post it on the dark web or underground forums, or use it for extortion.
Group-IB Threat Intelligence & MITRE Matrix
Explaining Threat Scenarios in a Multi-Stepped Phased Attack Sequence
Understanding Campaigns and Tooling with Group-IB’s Research into Threat Actors
1. Ransomware Operations – Financially Motivated Extortion
Threat Actor/Group: Qilin Ransomware, BlackCat (ALPHV), LockBit
Attack Lifecycle:
* Initial Access:
* Phishing emails, RDP brute-force attacks, or exploitation of vulnerabilities (e.g., unpatched VPN appliances).
* Some groups purchase access from Initial Access Brokers (IABs).
* Execution & Persistence:
* Deployment of Remote Access Trojans (RATs) or fileless malware for covert access.
* Use of PowerShell scripts or LOLBins (Living-off-the-Land Binaries) for stealthy execution.
* Lateral Movement & Privilege Escalation:
* Mimikatz is used to dump credentials, and Cobalt Strike beacons provide command and control for post-exploitation activity.
* Attackers disable endpoint security and move laterally by abusing Active Directory.
* Data Exfiltration:
* Sensitive data is stolen via cloud sync abuse, FTP, or TOR-based exfiltration.
* Threat actors use double extortion tactics, threatening to leak data if the ransom isn’t paid.
* Payload Deployment & Impact:
* Ransomware encrypts files across the network, blocking access to company information.
* Victims are coerced into ransom payments for data recovery or decryption.
Research Links:
https://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/
https://www.group-ib.com/blog/qilin-revisited/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
2. APT Espionage Campaigns – State-Sponsored Cyber Operations
Threat Actor/Group: APT41, Dark Pink APT
Attack Lifecycle:
* Reconnaissance:
* Attackers leverage social media profiling, job sites, and OSINT to gather intelligence.
* Watering hole attacks compromise high-traffic websites.
* Initial Access:
* Spear-phishing emails containing trojanized ISO files or weaponized documents.
* Exploitation of zero-day vulnerabilities or supply chain attacks.
* Execution & Persistence:
* Deployment of custom malware like Ctealer to extract browser credentials.
* Establishing long-term persistence via scheduled tasks or registry modifications.
* Command & Control (C2):
* Use of encrypted Telegram bots or DNS tunneling for covert data transfer.
* Cloud storage services provide attackers cover by blending in with normal traffic.
* Impact:
* Espionage, intellectual property theft, and long-term surveillance on high-profile companies.
* Operations can last months or years, providing intelligence for future attacks.
Research Links:
https://www.group-ib.com/media-center/press-releases/dark-pink-apt/
https://www.group-ib.com/blog/dark-pink-episode-2/
https://thesecmaster.com/blog/double-dragon-apt41
3. Banking Malware & Financial Fraud – Targeting Financial Institutions
Threat Actor/Group: Silence Group, IcedID, Dridex
Attack Lifecycle:
* Initial Access:
* Phishing campaigns mimic financial authorities, banks, or payment providers.
* Malvertising spreads banking trojans via compromised ad networks.
* Malware Deployment:
* Silence.Downloader or IcedID trojans are delivered via malicious email attachments.
* Man-in-the-browser (MitB) attacks intercept and modify banking transactions.
* Credential Theft & Lateral Movement:
* Login credentials are harvested using keyloggers or session hijacking.
* Attackers move laterally within banking networks to manipulate financial systems.
* Exfiltration & Fraud:
* Stolen credentials are sold on dark web markets or used in account takeover fraud.
* Fraudulent transactions are laundered through money mule networks.
* Covering Tracks:
* Attackers use DNS tunneling and encryption to disguise malicious traffic.
* Some banking malware includes self-destruct mechanisms to evade forensic analysis.
Research Links:
* The Silence Group: https://securelist.com/the-silence/83009/
* Silence Attacks Report: https://www.group-ib.com/media-center/press-releases/silence-attacks/
* MITRE ATT&CK: G0091: https://attack.mitre.org/groups/G0091/
* IcedID & Malvertising: https://gridinsoft.com/blogs/gozi-iceid-malvertising/
4. Infostealer Malware & Identity Theft
Threat Actor/Group: RedLine Stealer, Raccoon Stealer, Vidar
Attack Lifecycle:
* Initial Access:
* Malvertising and fake software downloads deliver info stealers.
* Compromised websites inject malware into legitimate downloads.
* Credential Theft & Data Collection:
* Infostealers extract:
* Browser-stored passwords
* Session cookies
* Cryptocurrency wallets
* Saved credit cards
* Exfiltration & Monetization:
* Stolen data is sold in bulk on dark web markets.
* Attackers use stolen credentials for account takeovers (ATOs) and identity fraud.
* Persistence & Evasion:
* Some variants use anti-VM strategies to evade sandbox detection.
* Infostealers frequently receive updates and rebranding to bypass security measures.
Research Links (references for the banking malware scenario in section 3):
https://securelist.com/the-silence/83009/
https://www.group-ib.com/media-center/press-releases/silence-attacks/
https://attack.mitre.org/groups/G0091/
https://gridinsoft.com/blogs/gozi-iceid-malvertising/
Discover the latest adversary tactics in the forecasts and recommendations section of Group-IB’s Hi-Tech Crime Trends Report 2025!
For in-depth insights into different malware behaviors, including infostealers, Group-IB provides a free Malware Reports tool. This resource gives you access to over 2 million detailed malware reports featuring comprehensive behavioral analysis, process trees, indicators of compromise, and network activity dumps.
CTI Lifecycle: Gather, Action on, and Use Intel to Maximize Protection
An effective, continuous, and security-strengthening use of threat intelligence (TI) relies on having a well-defined cycle with clear points for collection, ingestion, and analysis. This iterative cycle ensures incremental improvements in information gathered, analyzed, and disseminated.
The end of one cycle serves as the starting point for the next, enhancing the capability to detect and mitigate risks. This process is essential for strengthening the overall security function. To stay ahead of modern threats, Security Operations Centers (SOCs) must:
* Leverage security intelligence continuously.
* Analyze vast volumes of data.
* Focus on information relevant to their industry, geography, and unique attack patterns.
Outdated methods, such as manually updating SIEM watchlists with adversary IP addresses, are no longer sufficient. Organizations must adopt real-time threat intelligence processes that provide:
* Comprehensive insights into all facets of an attack, including tactics, tools, and global campaigns.
* Proactive detection and response to sophisticated and adaptive threats.
Stages of CTI Lifecycle
1. Planning
The success of a CTI program depends on its ability to bring value to stakeholders by supporting decision-makers in protecting the organization. To maximize stakeholder value:
* Build capabilities that enhance their activities.
* Ensure the program aligns with organizational objectives and security goals.
2. Intelligence Gathering
Once objectives (e.g., the network components that need protection) are defined, the focus shifts to sourcing information. Effective gathering involves:
* Pulling raw data from multiple sources (commercial, government, OSINT, industry groups, dark web, vulnerability databases), not just purchased threat feeds, to build a comprehensive view of potential threats.
* Answering key questions about each data source and its relevance to specific risks.
* Enriching the data and identifying the contextual parameters that make it actionable: validating sources, ensuring the intelligence is current and relevant to your industry and organization, and attaching clear guidance on how to tackle the identified threats.
3. Intelligence Processing
Collating data from various sources requires normalization (commonality) of formats and languages to support effective analysis. This step ensures consistency and prepares the data for detailed intelligence evaluation.
4. Intelligence Analysis and Grading
Receiving information is only the first step; the challenge is determining its reliability and accuracy. Any organization can ingest threat data feeds into its network, but analyzing all of that data is hard: without a grading scheme, analysts cannot tell what to prioritize and end up making poor decisions.
Key aspects include:
* Grading information:
* Source reliability and information credibility are rated separately, as in the Admiralty (NATO) system: reliability on a six-point letter scale from A (completely reliable) to F (cannot be judged), based on the source's track record and collection method, and credibility on a six-point numeric scale from 1 (confirmed by independent sources) to 6 (cannot be judged).
* The two grades combine into a code such as B2 (usually reliable source, probably true). An F6 item cannot be graded at all and must not be treated as confirmed simply because it was received.
* Additional Evaluation Factors:
* Contextualization and reconfirmation of details.
* Validity checks and critical judgment.
* Continuous reassessment to refine and improve confidence in intelligence.
This step also ensures the collected information aligns with the goals outlined in the planning phase. Systematic re-evaluation allows the grading to evolve, improving overall reliability.
5. Sharing Intelligence
This step converts the analyzed data into actionable intelligence and integrates it into the organization's security infrastructure so stakeholders can act on it. Tailoring the format and content to their strategic, operational, and tactical needs ensures maximum impact.
6. Feedback & Optimizations
This is the phase where the entire cycle is reviewed, and continuous refinements are made to optimize the cycle, improve the quality and relevance of the data to maximize results and adapt to emerging threats and shifting organizational priorities.
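The analysis, grading and sharing stages above describe rating each report, re-evaluating as new evidence arrives, and tailoring the output to the consumer. The following added example (written for this guide; not Group-IB code) carries that through for a handful of constructed indicator reports. The A-F reliability and 1-6 credibility codes are the standard Admiralty system; the numeric weights assigned to them, the noisy-OR rule for combining independent reports, the 30-day age limit and the block/alert/log thresholds are assumptions chosen for illustration.

```python
"""Admiralty-style grading of indicator reports and a tactical dissemination decision.

Added example for this guide, not Group-IB code. A-F / 1-6 codes are the
standard Admiralty system; the weights, combination rule, age limit,
thresholds and sample reports are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Source reliability: A completely reliable ... E unreliable, F cannot be judged.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": None}
# Information credibility: 1 confirmed by other sources ... 5 improbable, 6 cannot be judged.
CREDIBILITY = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: None}


@dataclass(frozen=True)
class Report:
    indicator: str
    source: str
    reliability: str   # Admiralty letter A-F
    credibility: int   # Admiralty digit 1-6
    seen: datetime     # when the source reported it


def report_score(r: Report):
    """Weight of one report, or None if either axis is 'cannot be judged' (F or 6)."""
    rel, cred = RELIABILITY[r.reliability], CREDIBILITY[r.credibility]
    if rel is None or cred is None:
        return None
    return rel * cred


def combined_confidence(reports, now, max_age=timedelta(days=30)) -> float:
    """Noisy-OR over usable reports: P(true) = 1 - prod(1 - score_i).

    Stale reports (older than max_age) and ungradable ones are ignored, so an
    indicator backed only by an old A1 or a fresh F6 scores 0 rather than
    inheriting a rating nobody can stand behind today.
    """
    p_all_wrong, counted = 1.0, 0
    for r in reports:
        score = report_score(r)
        if score is None or now - r.seen > max_age:
            continue
        p_all_wrong *= 1.0 - score
        counted += 1
    return 1.0 - p_all_wrong if counted else 0.0


def decide(confidence: float) -> str:
    """Tactical output: what the SOC/EDR should do with the indicator."""
    if confidence >= 0.8:
        return "block"
    if confidence >= 0.5:
        return "alert"
    return "log"


def grade_indicators(reports, now) -> dict:
    """Group reports per indicator and return {indicator: (confidence, action)}."""
    by_indicator = {}
    for r in reports:
        by_indicator.setdefault(r.indicator, []).append(r)
    graded = {}
    for indicator, rs in by_indicator.items():
        conf = combined_confidence(rs, now)
        graded[indicator] = (round(conf, 4), decide(conf))
    return graded


NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample reports (indicator values are documentation ranges, not real IoCs).
REPORTS = [
    Report("203.0.113.45", "commercial-feed", "B", 2, NOW - timedelta(days=2)),
    Report("203.0.113.45", "forum-post", "C", 3, NOW - timedelta(days=5)),
    Report("203.0.113.45", "anon-tip", "F", 6, NOW - timedelta(days=1)),     # ungradable
    Report("203.0.113.45", "old-report", "A", 1, NOW - timedelta(days=90)),  # stale
    Report("update-check.example", "forum-post", "C", 4, NOW - timedelta(days=3)),
]

# Re-evaluation: a sighting in your own telemetry is first-hand and confirmed (A1).
CONFIRMATION = Report("203.0.113.45", "internal-edr", "A", 1, NOW)


if __name__ == "__main__":
    for indicator, (conf, action) in grade_indicators(REPORTS, NOW).items():
        print(f"{indicator:24} confidence={conf:.2f} -> {action}")
    print("after internal confirmation:",
          grade_indicators(REPORTS + [CONFIRMATION], NOW)["203.0.113.45"])
```

Two reports (B2 and C3) on the same address reach about 0.77 and are worth an alert but not an automatic block; the F6 tip and the 90-day-old A1 contribute nothing. Once the SOC sees the address in its own EDR telemetry, the confirmation lifts the grade to 1.0 and the action to block, which is the reassessment loop the text describes.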
Indicators of Compromise (IoCs) and the Pyramid of Pain in Threat Detection
Learn what IoCs are and how to use the Pyramid of Pain for effective threat detection.
Indicators of Compromise (IoCs) are artifacts that provide evidence of a potential intrusion in your environment. They can be found on workstations, servers, and mobile devices, or in API and network logs, and often point to unusual user behavior, unauthorized changes in access, the presence of malware, or the exploitation of a vulnerability.
IoCs play an important role in building and operationalizing the Pyramid of Pain. By correlating IoCs with attacker Tactics, Techniques, and Procedures (TTPs), security teams can understand the maturity of their defenses and build capabilities to target higher levels of the pyramid for better threat detection. This approach forces attackers to expend more resources and effort, making their operations significantly more difficult.
Enhanced Pyramid of Pain
The Pyramid of Pain by David Bianco is a CTI concept that arranges the attacker attributes observed during an intrusion into a hierarchy. Each layer represents how much effort it costs the adversary to change that attribute once defenders detect it: hash values at the bottom are trivial to replace, IP addresses and domains are cheap, network and host artifacts cost more, and tools and TTPs at the top require reworking the operation itself. By focusing on the layers at the top of the pyramid, organizations disrupt and deter cybercriminals more effectively while making attacks more costly and difficult to carry out. As part of our consulting and training services, we have taken inspiration from Bianco and developed the Group-IB Enhanced Pyramid of Pain:
Building CTI Maturity: Moving Up the Pyramid
Advancing up the Pyramid of Pain increases the cost for attackers, ultimately causing their campaigns to fail. While threat actors can swiftly change hashes, IP addresses, and domains, disrupting their tools and their tactics, techniques, and procedures (TTPs) forces them to overhaul significant portions of their operations. To achieve this, cybersecurity teams must develop capabilities to identify, research, and block attackers based on operational and strategic intelligence. When executed effectively, this compels adversaries to rebuild their processes, tooling, and infrastructure, significantly hampering their ability to launch attacks.
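To make the cost argument concrete, the following added example (written for this guide; not Group-IB code) runs five detections, one per pyramid level from hash values up to TTPs, over two constructed runs of the same intrusion: the original, and a repeat after the operator makes only the cheap changes (recompiled binaries, renamed files, a new C2 address). The process events, hashes, IP addresses and file names are constructed; the rules are simplified stand-ins for what a SIEM or EDR would evaluate, with the TTP rule expressing "Office application spawns PowerShell with an encoded command" (ATT&CK T1059.001 launched from a T1566.001 attachment).

```python
"""Detections at different Pyramid of Pain levels against two runs of one intrusion.

Added example for this guide, not Group-IB code. Events, hashes, IPs and file
names are constructed; the rules are simplified stand-ins for SIEM/EDR logic.
"""
import ntpath


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


# Indicators extracted from the first run (bottom of the pyramid: trivial to change).
KNOWN_HASHES = {
    "5d41402abc4b2a76b9719d911017c592aa0ad0c3bd3c5e8f1e1a9c6c7e3b2f10",  # constructed
    "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069",  # constructed
}
KNOWN_C2_IPS = {"203.0.113.45"}
KNOWN_TOOL_NAMES = {"mimikatz.exe", "beacon.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def rule_hash(e):           # Level 1: hash values
    return e["sha256"] in KNOWN_HASHES


def rule_ip(e):             # Level 2: IP addresses
    return e.get("dst_ip") in KNOWN_C2_IPS


def rule_tool_name(e):      # Tools, weak form: recognised only by file name
    return basename(e["image"]) in KNOWN_TOOL_NAMES


def rule_tool_artifact(e):  # Tools, strong form: the tool's own command syntax
    return "sekurlsa::" in e["cmdline"].lower()


def rule_ttp(e):            # TTPs: the behaviour, independent of any sample or host
    cmd = e["cmdline"].lower()
    return (basename(e["parent_image"]) in OFFICE_APPS
            and basename(e["image"]) == "powershell.exe"
            and any(flag in cmd for flag in ("-enc ", "-encodedcommand ")))


RULES = {"hash": rule_hash, "ip": rule_ip, "tool_name": rule_tool_name,
         "tool_artifact": rule_tool_artifact, "ttp": rule_ttp}


def run_rules(events) -> dict:
    """Which rules fired on at least one event of the run."""
    return {name: any(rule(e) for e in events) for name, rule in RULES.items()}


def event(image, parent, cmdline, sha256, dst_ip=None) -> dict:
    return {"image": image, "parent_image": parent, "cmdline": cmdline,
            "sha256": sha256, "dst_ip": dst_ip}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"

# First run: the one the indicators above were extracted from.
RUN_1 = [
    event(PS, OFFICE_DIR + r"\WINWORD.EXE",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
          "placeholder-legit-powershell-hash"),
    event(r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe", PS,
          "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit",
          "5d41402abc4b2a76b9719d911017c592aa0ad0c3bd3c5e8f1e1a9c6c7e3b2f10"),
    event(r"C:\Users\bob\AppData\Local\Temp\beacon.exe", PS, "beacon.exe",
          "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069",
          dst_ip="203.0.113.45"),
]

# Second run by the same operator after the cheap changes: recompiled binaries
# (new hashes), renamed files, new C2 address. The procedure itself is unchanged.
RUN_2 = [
    event(PS, OFFICE_DIR + r"\EXCEL.EXE",
          "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
          "placeholder-legit-powershell-hash"),
    event(r"C:\Users\bob\AppData\Local\Temp\mk.exe", PS,
          "mk.exe privilege::debug sekurlsa::logonpasswords exit",
          "placeholder-new-hash-1"),
    event(r"C:\Users\bob\AppData\Local\Temp\update.exe", PS, "update.exe",
          "placeholder-new-hash-2", dst_ip="198.51.100.23"),
]


def surviving_rules(run_before, run_after) -> list:
    """Rules that fired on the first run and still fire after the adversary's changes."""
    before, after = run_rules(run_before), run_rules(run_after)
    return sorted(name for name in before if before[name] and after[name])


if __name__ == "__main__":
    print("run 1:", run_rules(RUN_1))
    print("run 2:", run_rules(RUN_2))
    print("still detecting after cheap changes:", surviving_rules(RUN_1, RUN_2))
```

All five rules catch the first run. After the operator's cheap changes only the tool-artifact rule (the `sekurlsa::` module syntax survives a rename) and the TTP rule (the Office-to-encoded-PowerShell chain survives a recompile, a rename and a new C2) still fire, which is the point of the pyramid: the indicators at the bottom are what the adversary can replace in minutes, and the behavioural rule is what forces them to change how they work.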
Building and Enriching Raw Intelligence
At this stage, the Cyber Threat Intelligence (CTI) team transitions from merely consuming intelligence to becoming a collector and creator of raw intelligence. The team lays the groundwork for uncovering larger campaigns and long-term trends by systematically documenting observations from internal investigations and analysis.
A structured knowledge management process becomes essential, ensuring that insights from past incidents contribute to improved detection and response strategies. To support this effort, the team must focus on:
* Collecting, storing, processing, and disseminating intelligence systematically.
* Implementing a Threat Intelligence Platform (TIP) to centralize and manage intelligence workflows.
While analytic capabilities will develop, the initial focus remains on correlating multiple data sources rather than producing intelligence products for external dissemination. This stage also involves leveraging threat intelligence partnerships for data from underground forums rather than engaging in direct collection. The latter is avoided due to the significant time investment, OPSEC risks, and infrastructure requirements to conduct safe and effective intelligence gathering.
Forming a CTI Cross-Functional Team and Positioning It in the Security Stack
How to structure and position the team to maximize effectiveness
A Cyber Threat Intelligence (CTI) team is a specialized group within an organization focused on identifying, analyzing, and mitigating cyber threats and, sometimes, fraud. They collect and interpret data about potential and existing cyber threats and help the organization use this intelligence to protect digital assets. The CTI team is critical in improving the security posture by providing actionable insights and strategic guidance on emerging threats to ensure proactive defenses are in place.
Furthermore, the CTI team will begin providing critical input to risk management and business processes—arguably its highest-value function at this stage. By integrating with the risk management (RM) framework, the CTI team helps drive strategic decision-making, enhance corporate security, and mitigate risks at the leadership level. This alignment ensures that threat intelligence is not just a technical function but a key contributor to the company's growth, maturity, and long-term resilience.
To support this evolution, the CTI team must establish clear internal structures, including:
* Documented analytical processes to ensure consistency and efficiency.
* Defined request channels for teams seeking intelligence support.
* Centralized access to reports and findings to streamline information sharing.
The CTI team strengthens its organizational role by formalizing these processes, ensuring intelligence-driven decision-making is embedded at all levels.
Key functions of the CTI team and the related Group-IB TI sections and tools:
Data Collection
The CTI team collects data from various sources, including internal logs, external threat feeds, enterprise and open-source intelligence, and dark web monitoring.
Group-IB TI sections and tools: Threats; Compromises; Suspicious IPs; Attacks.
Analysis
Analysts analyze the collected data to identify potential threats, vulnerabilities, and patterns of malicious activity. This analysis helps to understand the threat landscape and generate new TI.
Group-IB TI sections and tools: Graph; Hunting Rules Detections; Threats/Analyst reports; Global search across the whole portal; Malware/Detonation.
Vulnerability Intelligence
The team assesses software and system vulnerabilities to understand their potential impact on the organization's security.
Group-IB TI sections and tools: Malware/Vulnerabilities; Threats/Open Threats.
Reporting
They create intelligence reports, often in a standardized format, and disseminate them to relevant stakeholders within the organization.
Group-IB TI sections and tools: Dashboard; Reports generation.
Security Awareness
The CTI team may contribute to security awareness programs, educating employees about current threats and safe cybersecurity practices.
Group-IB TI sections and tools: Reports generation; Threats/Analyst reports; Explanation guides.
Threat Feed Management
For organizations that use threat intelligence feeds, the CTI team manages the acquisition, monitoring, and integration of these feeds.
Group-IB TI sections and tools: Integrations; API endpoints; TI Data Export Utility.
Policy and Strategy Development
They contribute to the development of security policies, procedures, and long-term cybersecurity strategies based on threat intelligence.
Group-IB TI sections and tools: Threat Landscape; Hunting Rules Detections.
Information Sharing
CTI teams may participate in external information-sharing groups or collaborate with other organizations to share and receive threat intelligence.
Group-IB TI sections and tools: Integrations; API endpoints; TI Data Export Utility; TI Python library.
As a starting point, there are two main roles inside the CTI team:
* CTI Team Lead
* CTI Analyst
In many organizations, there is no dedicated team. However, these roles can be distributed within the SOC Team, Information Security department, Red team, etc. As the team grows, more roles can be introduced, such as dedicated Malware Reverse Engineers, Vulnerability Researchers, Dark Web Analysts, and many more specific roles focused on the specific domain of Threat Intelligence.
Writing Intelligence Reports and Sharing Intelligence [FREE TEMPLATE DOWNLOAD]
Get to grips with writing reports and sharing actionable intelligence within your organization and the community.
Threat intelligence gathering, integration, analysis, and dissemination are performed to achieve the desired security outcomes. Effective reporting is crucial to record and establish the achievement of these outcomes enterprise-wide.
These reports contain key information and context that keep employees informed about the latest threats targeting their industry and security gap management while helping stakeholders make better security investments and decisions.
Threat intelligence reporting targets different stakeholders, requiring different formats to effectively share intelligence internally (within the organization) or externally (within the community). Reporting should be standardized by frequency, format, and key metrics.
Here's the basic template for your reporting needs. You can adapt it based on stakeholders, organizational information requirements, current program maturity, etc.
Section 2: Practical Application of CTI and Group-IB TI Platform
Attackers aren't blatantly obvious with their tactics; they maneuver carefully to reach their goals without getting caught. Discovering, understanding, and combating these moves is the road to risk management, and it starts with gathering the right intelligence. The sources that give you strong cues about the adversary's habits: are they trusted and reliable?
A steady feed of information on possible attack sources is paramount to an organization’s security. Therefore, operational threat intelligence (TI) requires strategic planning and careful collaboration, all of which require a robust TI platform as the bedrock.
TI Platform or Vendor: What’s the Right Choice for Your Business?
Threat Intelligence (TI) platforms combine external threat data with internal data to contextualize and prioritize alerts for security teams. These platforms support threat identification and response while offering various features, integrations, and flexible deployment options, such as on-premise or cloud-based infrastructure.
In contrast, Threat Intelligence vendors provide contextualized or processed threat intelligence that helps organizations prioritize and respond to threats. Vendors like Group-IB deliver high-fidelity intelligence aggregated from multiple sources, including proprietary research across the clear, deep, and dark web. This intelligence is delivered as alerts, feeds of Indicators of Compromise (IOCs), or detailed reports, making it easy to use and implement. Vendors also offer technical support to help evaluate threats in their appropriate context.
Group-IB TI features include IOC prioritization, threat scoring, integration with open-source intelligence and dark web feeds, TTP-based threat analysis, attribution and threat actor profiling, real-time visibility, and automated threat feeds.
CTI Practical Use Cases
Real-time Monitoring and Visibility: Constant monitoring of the attack surface and network-wide visibility into the risks emerging across an organization's environments helps businesses uncover potential threats before they cause harm, supporting a proactive defense.
Data from diverse sources, such as dark web marketplaces, underground forums, and closed communities, gives companies a view of whether and how their vulnerabilities are being exploited. Stolen personally identifiable information (PII), intellectual property (IP), digital assets, and credentials are routinely traded in these venues, which makes this visibility crucial.
Situational Awareness & Context: A business's region, geopolitics, and industries must be analyzed to understand its threat landscape. Threat intelligence derived from this analysis helps create threat profiles by identifying trends, patterns, and potential IoCs or TTPs. This enhanced situational awareness is crucial for anticipating potential attack vectors and enables proactive defense.
Proactive Defenses: Understanding the most relevant threat actors and threats to your business and industry allows for active, proactive defense. By examining the timeline of different campaigns by a threat actor, the TTPs they use, and changes in their capabilities—then mapping this against the MITRE ATT&CK framework—organizations gain threat profiles they can defend against. These insights can then be provided to the blue or red team for simulation, emulation, or further security testing.
Improved security posture: By regularly collecting and analyzing data on potential threats, businesses can improve their security posture and better protect themselves from cyber-attacks. This may involve identifying and mitigating vulnerabilities, improving incident response processes, and implementing stronger security controls.
Simulation, Emulation, and Other Offensive Operations: CTI can build and improve how you detect, respond, and recover from cyber threats by helping you replicate attackers' behavior and their methods.
Copying the exact TTPs, with the added visibility into the low-level data that emulation requires, produces a realistic picture of the adversary and an extra layer of evaluation of your own defenses.
Both simulation and emulation are essential to red teaming, vulnerability assessment, and other intrusive activities that test how resilient you are in the face of cyber threats.
Threat Response and Its Three Stages: CTI helps teams detect and prevent threats before a breach occurs when integrated early into an intelligence program. It enables:
1. Prevention: Identifying and mitigating threats before they materialize.
2. Early Detection and Response: Detecting and responding before a threat causes material impact, which requires CTI visibility and swift action against the threat actor.
3. Incident Response: During active incidents, Cyber Threat Intelligence (CTI) helps teams understand the scope and nature of the attack, including the TTPs (Tactics, Techniques, and Procedures) used. It also aids response efforts to effectively contain and neutralize the threat.
Threat Hunting: Threat Intelligence serves as a foundation for Threat Hunting by providing context on known threats while enabling proactive discovery of unknown threats. CTI helps react to incidents or address “known known” (well-understood and documented) threats in the wild, but what about the “unknown unknowns” (completely new and undiscovered threats)? This is where threat hunting proves indispensable.
Analysts actively search for undocumented threats by looking for anomalies—such as misused permissions, configuration errors, data leaks, or emerging attack patterns that evade traditional alerts. Their expertise in adversary tactics and deep understanding of the environment allows them to spot subtle signs of compromise that automated tools might overlook.
Threat hunters don’t just search for risks on the surface of internal infrastructure—they go deeper to uncover hidden attacker infrastructure, map out the kill chain, and connect the dots for effective attack correlation and attribution.
Risk Assessment: Each organization has an asset inventory, and each asset's security priority needs to be scored on how critical the information or asset is. Organizations continually assess their networks, data, and communication devices for risk so that threats are averted proactively. By identifying and evaluating the risks to each asset (software, hardware, data, digital assets), we can prioritize security measures and assess the impact of a violated security property. This helps organizations avoid hasty or uninformed security decisions. TI enhances risk assessment by providing real-time insight into threats, so organizations make data-driven decisions instead of relying on generic risk models.
Post-Incident Analysis: Cyber Threat Intelligence (CTI) enhances a business’s defense by learning from past incidents. This process improves detection and response strategies, prevents similar attacks, and strengthens overall security posture.
Intelligence gathered after an incident becomes a critical layer of defense against potential future attack vectors. It also helps determine whether the threat has fully subsided or is lingering. The insights from the incident response, including new Indicators of Compromise (IOCs), target information, and TTPs, are integrated into security systems. This integration bolsters defenses by securing systems against similar or evolving threats.
Prioritization of Resources: The sheer volume of information when ingesting CTI can lead to analysis paralysis. Aggregating data helps teams identify the most relevant TTPs. With intelligence-informed security decisions, businesses can focus resources on threats most relevant to them rather than investing in a one-size-fits-all approach to intelligence.
CTI reduces the cost and impact of cyber risks by preempting attacks or providing a complete understanding of an attack’s scope. This enables organizations to minimize implications and implement defensive measures promptly.
How do you choose the right tools and technologies for your specific needs?
Building a CTI function starts with selecting tools that align with your requirements. Instead of choosing a vendor that claims to provide intelligence from all sources, focus on one that delivers relevant, continuously updated intelligence.
Any threat intelligence vendor you select should have access to many or all of the following sources:
* Forums, Threat Feeds, and Paste Sites
* Dark Web and Telegram
* News, Mainstream, and Alternative Social Media
* Blogs and Code Repositories
* Technical Data – Network telemetry, passive DNS, netflow, endpoint data, etc.
* Foreign Language Sources
* Vendor-Created Finished Intelligence
Key Business Considerations
Define Your Goals and Objectives
The first step in setting up a CTI function is to define its overall objectives and identify the benefits it will provide to the department. These objectives should include both technical and non-technical goals and address:
* Key deliverables – What outputs will the CTI function produce?
* Intelligence collection – What types of information will be gathered?
* Threat actor focus – Which adversary groups will be prioritized?
* Integration with MSPs – How will intelligence fit within managed security services?
These objectives help the department prioritize threats effectively, track CTI maturity, and measure success.
Business Impact of Threats
While departmental assets are often assessed broadly regarding business impact, a mature CTI function must be structured around key business units. This ensures critical assets are evaluated individually, with specific threat actors and attack scenarios considered.
Key Tool Considerations
A well-equipped CTI function requires tools with the following capabilities:
* IOC Ingestion – Seamless integration of indicators of compromise (IOCs) to enhance detection and response.
* Visualized Intelligence – Uncovering hidden links between criminal activities and infrastructure.
* Actionable, Relevant, and Timely Intelligence – Enabling faster threat identification and mitigation.
* Scalability – Intelligence that adapts to changing network architectures and emerging threats.
* Defined Scope and Intelligence Focus – Tailored insights that align with your organization’s risk profile.
* Automated Analysis and Real-Time Insights – Supporting intelligence-driven security decisions.
* Integration with Existing Security Infrastructure – Ensuring smooth interoperability across your cybersecurity ecosystem.
* Threat Actor Profiling – Mapped to MITRE ATT&CK, cyber kill chain models, and attacker TTPs for deeper analysis and security improvements.
* Clear Communication of Threat Intelligence – Ensuring efficient collaboration and response across internal and external teams.
By incorporating these elements, organizations can develop a proactive, intelligence-driven cybersecurity strategy that effectively mitigates threats.
Collecting Threat Intelligence and Gaining Insights Relevant to Your Business
The threat landscape is a combination of relevant threats and threat actors (based on industry, region, and partners), which is then divided into TTPs (Tactics, Techniques, and Procedures), the tools used by the threat actors (such as malware and living-off-the-land tools), IOCs, intent and motivation, and contact details for the threat actors (such as crypto wallet addresses, usernames on forums, and email addresses), as well as the vulnerabilities used in their intrusions.
The Threat Landscape is specific to the platform (Windows, Linux, Android, etc.) and infrastructure type (Enterprise/ICS/Mobile, in line with the terminology of MITRE ATT&CK).
You can build a Threat Landscape Techniques Heat Map by combining all tactics, techniques, and procedures relevant to your company. This allows the different SOC teams (such as Incident Monitoring, SOC Architecture and Engineering, and SOC Management) to make informed, prioritized decisions on detection and mitigation strategies.
Make sure your investigation covers the techniques, CVEs, and threat actors relevant to your industry, mapping them across MITRE ATT&CK to strengthen your prevention and detection controls. With numerous techniques and sub-techniques evolving and heat maps continuously updating, staying aligned with the latest intelligence is critical.
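Building the heat map described above, as an added example that is not Group-IB code: three constructed actor profiles (the names, sectors, relevance weights and technique lists are illustrative, not attributions) are aggregated into per-technique scores, ranked against SOC-reported detection coverage so that gaps rather than popularity drive the work, and exported as an ATT&CK Navigator layer. The coverage values and the Navigator version strings in the layer are assumptions; adjust them to your own data and the Navigator instance you load into.

```python
"""ATT&CK technique heat map from threat-actor profiles, with gap-based ranking.

Added example (not Group-IB code). Actor profiles and coverage values are
constructed; technique IDs are real ATT&CK Enterprise IDs used illustratively.
"""
import json
from collections import Counter, defaultdict

# Constructed threat landscape: relevance 3 = targets our sector and region,
# 2 = targets our sector or region, 1 = opportunistic / commodity.
ACTOR_PROFILES = [
    {"name": "ACTOR-A", "sectors": ["finance"], "regions": ["EU"], "relevance": 3,
     "techniques": ["T1566.001", "T1059.001", "T1078", "T1021.001", "T1486"]},
    {"name": "ACTOR-B", "sectors": ["finance", "retail"], "regions": ["APAC"], "relevance": 2,
     "techniques": ["T1566.001", "T1059.001", "T1003.001", "T1105"]},
    {"name": "ACTOR-C", "sectors": ["any"], "regions": ["any"], "relevance": 1,
     "techniques": ["T1059.001", "T1047", "T1105", "T1105"]},  # duplicate on purpose
]

# Constructed detection coverage reported by SOC engineering:
# 0 = no detection, 1 = partial, 2 = good.
COVERAGE = {"T1566.001": 1, "T1059.001": 2, "T1078": 0, "T1021.001": 0,
            "T1486": 1, "T1003.001": 2, "T1105": 0, "T1047": 0}


def heat_map(profiles):
    """Score each technique by the summed relevance of the actors that use it.

    Returns {technique_id: {"score": int, "actors": [sorted actor names]}}.
    """
    score, actors = Counter(), defaultdict(list)
    for p in profiles:
        for t in set(p["techniques"]):  # set(): an actor counts once per technique
            score[t] += p["relevance"]
            actors[t].append(p["name"])
    return {t: {"score": s, "actors": sorted(actors[t])} for t, s in score.items()}


def prioritize(heat, coverage):
    """Rank techniques by exposure = heat * (1 + coverage gap).

    gap is 2 when nothing detects the technique and 0 when coverage is good,
    so a hot but well-covered technique drops below a cooler, uncovered one.
    Ties are broken by technique ID for a stable, reviewable order.
    """
    rows = []
    for t, h in heat.items():
        gap = 2 - coverage.get(t, 0)  # unknown coverage is treated as none
        rows.append({"technique": t, "heat": h["score"], "gap": gap,
                     "exposure": h["score"] * (1 + gap)})
    return sorted(rows, key=lambda r: (-r["exposure"], r["technique"]))


def navigator_layer(heat, name="Threat landscape heat map"):
    """Serialize the heat map as an ATT&CK Navigator layer (JSON).

    Version strings are assumptions; match them to the Navigator you use.
    """
    layer = {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Technique score = summed relevance of actors using it",
        "techniques": [
            {"techniqueID": t, "score": h["score"], "enabled": True,
             "comment": "Used by: " + ", ".join(h["actors"])}
            for t, h in sorted(heat.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(h["score"] for h in heat.values())},
    }
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    heat = heat_map(ACTOR_PROFILES)
    for row in prioritize(heat, COVERAGE)[:4]:
        print(row)
    print(navigator_layer(heat))
```

The ranking puts T1566.001 first (hot and only partially covered) and then the three uncovered techniques tied at exposure 9, while T1059.001, the most widely used technique in the sample, drops to fifth because it is already well detected; that is the decision the heat map should make visible to SOC engineering.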
Build Threat Profiles for Your Business (Attached Template)
Once intelligence is collected, analyzed, and contextualized, threat profiling refines it further by identifying the key threat actors, motivations, and attack scenarios relevant to the organization. As discussed in previous sections, the attack kill chain then provides the framework for tying together the assets (properly categorized, with their attributes noted), the threat actors, and their actions.
IOCs
* Mention the related IOCs
Detection & Response Recommendations
* Specific guidance for security teams.
Historical References
* Past Campaigns: [If the attack is linked to previous incidents]
* Similar Threat Actors: [Other groups using similar techniques]
Because threat profiles spell out how attacks are launched and which defenses mitigate the risk, risk management and incident response teams can analyze and contextualize related threats and estimate the future probability of being affected by such attacks.
Automating the collection and correlation of threat data to detect suspicious patterns in network activity leads to prompt and real-time detection. Additionally, automation helps predefine response actions based on threat profiles to enable swift containment and mitigation.
Operationalizing Threat Intelligence in Security Workflows
Automating Threat Intelligence
How successful a CTI program is depends on the continuous gathering of updated technical and non-technical insights for detecting and preventing attacks. While defensive infrastructure regularly ingests base-level indicators such as IP addresses, domains, and hash values, the volume at which this needs to be constantly ingested and updated makes manual processing impossible. Moreover, raw threat data like this lacks context unless enriched with details about threat profiles.
Without this context, security teams struggle to prioritize threats effectively. Automation therefore plays an important role: it creates a constant stream of tactical and operational intelligence (the baseline indicators that can be handled automatically) and frees the security team from manually triaging and managing those indicators. The team can then focus on strategic intelligence (TTP-level and above), geopolitical and situational awareness, and threat hunting and pivoting, all of which inform corporate security decisions for better knowledge and risk management.
Cyber Threat Intelligence (CTI) Ingestion, Operational, and Optimization Workflow
Technical execution of intelligence integration into security operations.
1. Threat Intelligence Collection
* Sources: OSINT feeds, mainstream media and sites, ISACs, dark web monitoring, Group-IB Research customer signals, commercial CTI providers, and malware sandboxes.
* Automation: API ingestion, STIX/TAXII connectors, web scraping.
2. Threat Intelligence Processing & Enrichment
* Providing enriched data with normalized outputs, allowing contextualization.
* Data Parsing: Convert raw feeds into structured formats (JSON, STIX, CSV).
* Enrichment: Enriching IOCs, risk scoring, WHOIS lookups, VirusTotal, MITRE ATT&CK mapping.
* Logs are ingested and normalized, duplicates are removed, feeds are correlated, and alerts are created for suspicious events.
3. Data Routing to Security Tools
* SIEM (Security Information and Event Management):
* Ingest IOCs for log correlation and real-time alerting.
* Generate detection rules based on intelligence.
* SOAR (Security Orchestration, Automation, and Response):
* Automate incident response workflows.
* Create security tickets for analyst review.
* XDR (Extended Detection and Response):
* Correlate IOCs with endpoint/network telemetry.
* Automate blocking of malicious entities (IPs, domains, hashes).
4. Automated Threat Response
There is a growing library of remedial actions, such as escalating an incident, disabling actions, quarantining systems, and marking an incident as benign.
* SOAR (Security Orchestration, Automation, and Response):
* Trigger playbooks for automated containment (firewall rules, EDR quarantines).
* Integrate with ticketing systems for incident tracking and analyst oversight.
* Endpoint & Network Enforcement:
* Push threat intelligence updates to firewalls, EDR, and email security tools.
* Automate remediation actions such as isolating infected hosts.
* Threat Hunting & Incident Validation:
* Automate threat hunts based on newly ingested intelligence.
* Use behavioral analytics to detect lateral movement and persistence.
Implement automated incident response workflows, such as triggering playbooks for containment and integrating with ticketing systems for incident tracking.
5. Feedback & Intelligence Management
* Threat Intelligence Sharing: Update ISACs, MSSPs, and partner organizations.
* Adaptive Models: Leverage ML for anomaly detection and evolving threats.
* Enhancing Detection Rules & Signatures:
* Optimize detection mechanisms using insights from SOC and incident response teams to improve coverage.
* Implement a feedback-driven rule refinement process to update detection logic continuously.
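The ingestion-to-routing path in steps 1 to 4 above, as an added example that is not Group-IB's code or API: a STIX 2.1 bundle (constructed here, with made-up IDs, domain and hash) is parsed, the same domain reported by two feeds is merged into one IOC, each IOC is scored from source confidence, age and type, a hash above the threshold goes to an EDR blocklist, and network IOCs become a SIEM lookup that is run over a few constructed proxy log lines. The type weights, the 180-day decay, the 70 blocking threshold and the fixed "now" are assumptions chosen for illustration; standard library only.

```python
"""Normalize a STIX 2.1 bundle into scored IOCs and correlate them with logs.

Added example, not Group-IB code: the bundle, the proxy log, the type weights,
the decay window and the blocking threshold are all constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle: a domain indicator seen by two feeds (a1, a2, one
# with different letter case), a file-hash indicator (b1), one attack-pattern
# and the "indicates" relationships tying indicators to it. IDs are made up.
BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0001", "objects": [
    {"type": "indicator", "id": "indicator--a1", "confidence": 80,
     "valid_from": "2025-01-10T00:00:00Z",
     "pattern": "[domain-name:value = 'update.cdn-invalid.example']"},
    {"type": "indicator", "id": "indicator--a2", "confidence": 60,
     "valid_from": "2024-11-01T00:00:00Z",
     "pattern": "[domain-name:value = 'UPDATE.cdn-invalid.example']"},
    {"type": "indicator", "id": "indicator--b1", "confidence": 90,
     "valid_from": "2025-01-12T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "indicates",
     "source_ref": "indicator--a1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "indicates",
     "source_ref": "indicator--b1", "target_ref": "attack-pattern--t1"},
]})

# Constructed proxy log: timestamp, client, destination host, action.
PROXY_LOG = """2025-01-14T09:12:01Z 10.0.4.21 update.cdn-invalid.example ALLOWED
2025-01-14T09:12:07Z 10.0.4.21 www.example.org ALLOWED
2025-01-14T09:13:44Z 10.0.7.9 UPDATE.CDN-INVALID.EXAMPLE ALLOWED"""

NOW = datetime(2025, 1, 14, tzinfo=timezone.utc)  # fixed so scores are reproducible

# One simple comparison, e.g. [domain-name:value = 'x']; compound AND/OR patterns are skipped.
_COMPARISON = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'\s*\]")
_PATH_TO_TYPE = {"domain-name:value": "domain", "ipv4-addr:value": "ipv4", "url:value": "url",
                 "file:hashes.'SHA-256'": "sha256", "file:hashes.'MD5'": "md5"}
# Constructed weights: hashes are precise, domains churn, IPs churn fastest.
_TYPE_WEIGHT = {"sha256": 1.0, "md5": 0.9, "url": 0.8, "domain": 0.7, "ipv4": 0.5}


def parse_bundle(bundle_json):
    """Return {(ioc_type, value): {confidence, valid_from, techniques}}, deduplicated."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects}
    techniques_of = defaultdict(set)  # indicator id -> ATT&CK IDs reached via 'indicates'
    for o in objects:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            for ref in by_id.get(o["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    techniques_of[o["source_ref"]].add(ref["external_id"])
    iocs = {}
    for o in objects:
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        m = _COMPARISON.fullmatch(o["pattern"].strip())
        if not m or m.group(1) not in _PATH_TO_TYPE:
            continue  # unsupported pattern: leave it for an analyst rather than guess
        key = (_PATH_TO_TYPE[m.group(1)], m.group(2).lower())  # case-fold to merge duplicates
        rec = iocs.setdefault(key, {"confidence": 0, "valid_from": "", "techniques": set()})
        rec["confidence"] = max(rec["confidence"], o.get("confidence", 50))
        rec["valid_from"] = max(rec["valid_from"], o["valid_from"])  # keep newest sighting
        rec["techniques"] |= techniques_of[o["id"]]
    return iocs


def risk_score(ioc_type, rec, now=NOW):
    """0-100: source confidence, weighted by IOC type, decayed linearly over 180 days."""
    seen = datetime.fromisoformat(rec["valid_from"].replace("Z", "+00:00"))
    decay = max(0.2, 1 - max((now - seen).days, 0) / 180)
    return round(rec["confidence"] * _TYPE_WEIGHT[ioc_type] * decay)


def route(iocs, now=NOW):
    """Hashes scoring >= 70 go to an EDR blocklist; network IOCs become a SIEM lookup."""
    blocklist, lookup = set(), {}
    for (t, v), rec in iocs.items():
        score = risk_score(t, rec, now)
        if t in ("sha256", "md5") and score >= 70:
            blocklist.add(v)
        elif t in ("domain", "ipv4", "url"):
            lookup[v] = (score, sorted(rec["techniques"]))
    return blocklist, lookup


def correlate(log_text, lookup):
    """One alert per proxy log line whose destination host is in the lookup."""
    alerts = []
    for line in log_text.splitlines():
        ts, client, host, _action = line.split()
        if host.lower() in lookup:
            score, techniques = lookup[host.lower()]
            alerts.append({"ts": ts, "client": client, "host": host.lower(),
                           "score": score, "techniques": techniques})
    return alerts


def run_demo():
    """Full pipeline on the constructed data; returns (blocklist, lookup, alerts)."""
    blocklist, lookup = route(parse_bundle(BUNDLE))
    return blocklist, lookup, correlate(PROXY_LOG, lookup)
```

Two details matter operationally: the second feed's lower-confidence, older copy of the domain does not lower the merged score (the merge keeps the highest confidence and newest sighting), and the log correlation case-folds hostnames, since the third log line would otherwise be missed. The alert carries the ATT&CK technique attached via the STIX relationship, which is the context a SOC analyst needs to decide what to do next.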
Optimizing CTI and integrating it effectively into your cyber defense program is essential. The next step is validation: testing your EDR systems to assess whether your prevention and detection controls effectively stop the defined threats.
* Update threat profiles as TTPs evolve.
* Track new vulnerabilities (CVEs), techniques, and adversary behavior to adapt detection controls.
* Regularly review and adjust intelligence requirements to align with the changing business and threat landscape.
We know the importance of feedback and optimization in the CTI lifecycle. Feedback should follow an agile model: continuous, actionable, and operationally integrated, influencing detection rules, intelligence sources, and the overall intelligence strategy.
Let's expand on specific methods for gathering feedback from stakeholders and using it to improve the CTI program:
* Post-Incident Reviews – Conduct structured debriefing sessions after security incidents to analyze the effectiveness of threat intelligence in detection, response, and mitigation.
* Cyber Intelligence simulations – Utilize breach-and-attack simulations, red team engagements, and tabletop exercises to validate intelligence effectiveness in real-world attack scenarios.
* Automated Feedback Collection – Integrate ticketing systems and security platforms (e.g., SIEM, SOAR) to collect structured feedback on intelligence quality and operational impact.
* Threat Hunting Correlation Analysis – Perform retrospective threat-hunting exercises to determine whether intelligence inputs have improved proactive detection capabilities.
* Penetration Testing Reports – Analyze findings from CTI-informed penetration testing to identify gaps in intelligence coverage and detection effectiveness.
* Dedicated Communication Channels—Use Slack channels, forums, or internal threat intelligence portals to facilitate real-time feedback sharing between CTI teams and intelligence consumers.
Solution Brief
https://www.youtube.com/watch?v=rO1Seh1uIYM
Is the context and visibility that we’re able to offer to our clients
Cohesion between data, analysts, and integration development to gain persistent coverage and retaliation against cyber threats
* Label: “Automated Collection & Human Intelligence”
* Subcategories:
* Automated Data Ingestion (API integrations, web crawlers, malware sandboxes)
* Human Analysis Layer (CTI analysts verifying and contextualizing intelligence)
* Unique Data Publication (Threat actor profiling, attribution insights)
Enhance the “Analysis & Refinement” Branch:
* Add: “Network Graph Analysis”
* Visualizing relationships between threat actors, infrastructure, and campaigns
* Correlating data to detect patterns and anomalies
* Enhancing contextual intelligence
Modify “Operationalization” to Include Visualization Tools:
* Subcategories:
* Threat Correlation & Mapping (Graph-based intelligence linking IOCs, TTPs)
* Platform Integration (Integrating Group-IB Threat Intelligence with SOC tools)
* Real-time risk scoring and analysis of indicator severity
* Finding hidden layers of connections between threat actors and TTPs
* Response prioritization and vulnerability management