Nearly everything in the world is connected to the Internet. Intellectual property, healthcare information, classified government programs, corporate data, and sensitive personal information are stored digitally. The advantages are boundless.  The ability to send cures for disease, complete transnational agreements, and even communicate sensitive signals across the planet has transformed our way of life. 


However, it has also opened up new opportunities for malicious actors. Highly sophisticated groups like Anonymous can perform malicious acts from anywhere, with impunity. Those with enough technical prowess and hostile intent can take advantage of technical vulnerabilities to access, disrupt, and/or destroy key company and personal data. 


Before the digital age, walls, locked doors, and other physical security measures were sufficient for protection. Now it is encryption, firewalls, antivirus software, and a laundry list of ever-changing digital tactics. Adversaries in the digital world can work at much larger scales, leveraging bots and malware that do not die and do not sleep. It is becoming increasingly difficult to ensure our digital security. One solution to mitigate this risk is to employ Cyber Threat Intelligence (CTI). CTI provides the adversarial visibility necessary to keep on top of your company's cyber risk.




  1. What is CTI?

  2. How serious is the Risk?

  3. Types of Cyber Threats.

  4. How CTI works

  5. How can AI assist in cyber threat intelligence?




1. What is CTI?

Cyber Threat Intelligence (CTI) is analyzed (or finished) information about an adversary's hostile intent, capability, and opportunity. More than just a data feed, it is an understanding of the full capability of a particular piece of malware, the vulnerabilities it exploits, and the extent of the damage it poses. It is an understanding of the humans behind the attacks. Good CTI shops build extensive profiles of bad actors and threat groups and monitor their actions for pattern variations and signs of activity. Each threat is assessed as to its intent, capability, and opportunity. CTI helps make sense of information so that an organization understands exactly what is a threat and how to prevent that threat from successfully carrying out a cyber attack.




2. How serious is the risk?

Cyber threats pose a multitude of risks to companies that fall into three partially interconnected categories: reputational, financial, and legal risk.


Cyber threats can undermine a company's or organization's reputation through a variety of potentially overlapping factors. For example, the disclosure of valuable or sensitive information quickly damages the reputation of a company, often resulting in a scandal that outweighs the damage of the cyber attack itself. Cyber attacks have the potential to shake customer confidence in the company's ability to safeguard information.


The cost of cyber attacks is estimated to be more than $1 trillion per year. Those costs are incurred either directly, through loss of capital or intellectual property, or indirectly, through reimbursement of customers affected by data breaches, not to mention loss of future revenue.


Finally, failing to anticipate or mitigate the damage done by cyber threats can lead to legal action being taken against the company. The most salient example is the General Data Protection Regulation (GDPR) and related data privacy laws, which formalize corporate responsibility and place a focus on proactive "appropriate technical and organizational measures." Non-compliance, that is, failing to take appropriate action before and after a cyber attack, results in very high fines.




3. Types of cyber threats

Cyber threats typically fall into at least one of seven categories: Cyber Terrorists, State-Sponsored Actors, Cybercriminals, Hacktivists, Insiders, Script Kiddies, and Internal Users.


Cyber Terrorists are ideologically driven. Whether DDoSing, vandalizing webpages, or disrupting critical services, victims are typically seen as enemies of their cause.


State-Sponsored Actors are funded, ordered, or otherwise sponsored by a nation state to further the interests of that nation. This typically takes the form of espionage and intellectual property theft, but can also include illegally acquiring money to fund the nation and its goals. Victims are both businesses and government-associated organizations.


Cybercriminals seek financial gain and, therefore, typically target wealthy businesses and/or businesses with valuable data. However, they are also frequently opportunistic in their attacks and will target smaller fish in the sea if those are determined to be sufficiently vulnerable. They can work in isolation or as part of organized crime groups.


Hacktivists focus on raising awareness of their cause by exposing secrets and/or disrupting services that they believe are evil or harmful. Their targets largely depend on their cause and can range from governments to businesses to individuals.


Insiders originate from within a business or government entity and are often personally motivated to retaliate against their employer or see themselves as a whistleblower. There is no limit to the type of target for this kind of threat.


Script Kiddies are low-level and relatively inexperienced hackers who largely rely on already developed tools to penetrate systems with identified vulnerabilities. Their goal is to gain skills and knowledge and to bolster their reputation by inflicting as much damage as possible. Their targets are typically systems that are easy to penetrate through well-known vulnerabilities, since the penetration itself is the end goal.


Finally, the last threat type is Internal Users making non-malicious errors. The lack of a goal does not make their errors any less damaging, unfortunately, especially if the individual has high-level permissions and access to the system. These errors can affect any organization.




4. How CTI works

Determining the cyber threats to a company relies on information from both external and internal sources. Without good knowledge of the company's network and its assets, the business operations and goals, the cyber infrastructure, and the active threat actors, it is difficult to identify what is a threat. Therefore, understanding threats depends on collaboration between internal analysts and external intelligence professionals. Internal analyst teams should perform their own Intrusion Analysis and ingest external intelligence from threat data feeds.


Intrusion Analysis is the primary collection source of CTI and is an analysis of the characteristics of either a successful or a failed cyber intrusion. Every intrusion is an opportunity to gain understanding of the Tactics, Techniques, and Procedures (TTPs) used by an adversary, and understanding the TTPs of threats is often the most effective way to defend against intrusions. There are many ways to perform intrusion analysis; the most common method, however, combines the Diamond Model of Intrusion Analysis with the Cyber Kill Chain.


The Cyber Kill Chain is a deterministic process that describes seven successive stages of a typical cyber intrusion: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions-on-objectives. Not every intrusion follows this model perfectly; however, it creates a framework for understanding the foundations of an intrusion.


The Diamond Model of Intrusion Analysis is an approach that characterizes the events of a network intrusion in terms of four elements: adversary, capability/TTP, victim, and infrastructure. As the model's creators explain, "in its simplest form, the model describes that an adversary deploys a capability over some infrastructure against a victim." In intrusion analysis, one Diamond Model can be applied to each stage of the Cyber Kill Chain, giving seven Diamond Models across the entire intrusion. Each piece of data from each stage of the Cyber Kill Chain is mapped to one of the vertices of the Diamond Model. When the two models are applied together, the characteristics of the threat behind the intrusion are more easily revealed, and future intrusions can be better mitigated.
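The mapping described above, one Diamond Model per Cyber Kill Chain phase, as an added example that is not code from the original article. The observation records are constructed sample data (TEST-NET addresses and example.com names); the two reports it produces, phases with no observations and infrastructure values reused across phases, are the gaps and pivots an analyst looks for.

```python
"""Map intrusion observations onto one Diamond Model per Cyber Kill Chain phase."""
from collections import defaultdict

KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "actions-on-objectives")
VERTICES = ("adversary", "capability", "infrastructure", "victim")

# Constructed observations for illustration: (kill chain phase, diamond vertex, value)
OBSERVATIONS = [
    ("reconnaissance", "infrastructure", "203.0.113.7"),         # scanner source
    ("reconnaissance", "victim", "www.example.com"),
    ("delivery", "capability", "phishing email with macro document"),
    ("delivery", "infrastructure", "mail.example.net"),
    ("delivery", "victim", "finance@example.com"),
    ("exploitation", "capability", "VBA macro dropper"),
    ("installation", "capability", "persistence via scheduled task"),
    ("command and control", "infrastructure", "203.0.113.7"),    # same host as recon
    ("command and control", "victim", "finance-ws01"),
]

def build_diamonds(observations):
    """Return {phase: {vertex: set(values)}} with every phase and vertex present."""
    diamonds = {p: {v: set() for v in VERTICES} for p in KILL_CHAIN}
    for phase, vertex, value in observations:
        if phase not in diamonds or vertex not in VERTICES:
            raise ValueError(f"unknown phase/vertex: {phase!r}/{vertex!r}")
        diamonds[phase][vertex].add(value)
    return diamonds

def coverage_gaps(diamonds):
    """Phases with no observations at all: where the analyst still lacks visibility."""
    return [p for p in KILL_CHAIN if not any(diamonds[p][v] for v in VERTICES)]

def pivots(diamonds, vertex="infrastructure"):
    """Values on one vertex seen in more than one phase. Reuse links those phases
    together and is a cue that they belong to the same adversary."""
    seen = defaultdict(set)
    for phase in KILL_CHAIN:
        for value in diamonds[phase][vertex]:
            seen[value].add(phase)
    return {value: sorted(phases, key=KILL_CHAIN.index)
            for value, phases in seen.items() if len(phases) > 1}

if __name__ == "__main__":
    d = build_diamonds(OBSERVATIONS)
    print("phases with no data:", coverage_gaps(d))
    print("reused infrastructure:", pivots(d))
```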

Threat Data Feeds provide tactical-level information about potential threat opportunities, capabilities, or individuals with hostile intent. For example, at the opportunity level this may include information about new vulnerabilities in the company's network. Indicators of compromise (IOCs) may be provided for new malware and can be used to understand the capabilities of rising threats. Social media or dark web hacker forum data may reveal a threat actor who has talked about your brand with hostile intent. Each piece of information on its own is not full CTI; however, when combined and analyzed, it can greatly assist an analyst.




5. How can AI assist in cyber threat intelligence?

In CTI, Artificial Intelligence (AI) helps to answer the question "how do I make sense of all this information?" In an age of big data, we are often confronted with far too much data to make sense of what is really important. Hidden in a crowd of harmless data, salient information can easily walk right in front of our eyes without our knowing it. AI, however, can quickly and carefully process all of the data, revealing salient information that was previously unrecognized. CTI analysts can then take the processed data, analyze it properly, and produce true intelligence. CTI will always be a human activity, but CTI analysts need AI to help in the process. Without it they get lost in oceans of data that alone can never be processed in time to take action.


There are four areas to highlight where AI can assist CTI: external threats, internal anomalies, attribution, and forensics.  




External threats

Many threat actors are very active in online communities. By integrating and organizing data from text-based sources like social media, deep web public records, and peer-to-peer domains, a threat actor's intent, capabilities, and opportunity may be revealed. With AI, it is now possible to understand sentiment and analyze patterns of behavior and intent across petabytes of unstructured data, including files, emails, video, and network logs, from a single platform. Artificial intelligence enables more valuable exploration and indexing of large unstructured text-based data sources like these while enriching the analysis. With such analysis, CTI analysts can quickly recognize key indicators that an individual may be a threat.




Internal anomalies

Similar to external threats, the ability to detect unusual patterns in large data sets can be applied to internal data. AI can integrate, organize, and analyze any structured or unstructured data within your enterprise to find the real anomalies that pose actual risks.




Attribution

Attribution of a threat is important for considering legal options and provides a means to understand and ultimately deter the criminal from attacking again. AI can capture and corroborate personally identifiable information (PII) used to profile criminals and link associates across external and enterprise data sets to provide detailed target intelligence.




Forensics

When multinationals are breached, the scene of the crime often consists of evidence that is scattered around the globe. Critical evidence is discovered among disparate forms, including emails, leaked files, IP logs, Internet browser history, and other unstructured data sets where no clear pattern exists. Acquisition and organization are important for the integrity of the investigation. AI can help examiners integrate, tag, log, and analyze information in real time, thus enhancing live acquisition and evaluation in accordance with the relevant ISO/IEC standards.