Cyber Threat Intelligence (CTI) – Part 1

Oct 25, 2017 | 5 mins
Cyberattacks, Cybercrime, Data and Information Security

Providing clarity to organizations’ cybersecurity programs.


In today’s dynamic threat environment, CISOs and their security programs often find themselves triaging a breach after the attack, analyzing digital artifacts as they try to piece together an event that happened in the past. Hopefully, the information they glean from the files, logs, and recovered data is enough to remediate any discovered security gaps and to provide intelligence on possible future events. Unfortunately, as many CISOs know, this can be a daunting effort. The adversaries businesses face today are nimbler and more adept at making changes to side-step attempts to stop them. It’s this untenable situation that drives organizations and CISOs to use strategic services, such as cyber threat intelligence (CTI), to provide context about the adversaries they face and the techniques, tools and processes used against them.

To use CTI as a strategic asset, CISOs and their organizations must first understand what it is, and then know where it can be acquired and why it’s important. The answers to these questions provide insight into why CTI is a valuable service and how organizations can use this tool efficiently to mature their security program’s management of today’s threats.

What is cyber threat intelligence?

This question may seem basic, but I have found many businesses don’t truly understand CTI or its value. CTI is a collection or grouping of information gathered from sources that are both human and electronic, and both internal and external to the organization. This information is typically processed through some type of evaluation to verify its validity, and it is used to provide context about the conditions necessary for a threat to exploit a vulnerability and about whether the threat is actively being used by threat actors. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.” For those new to CTI, this means that for threat intelligence to apply to your organization, i.e. to have “context”, there need to be deficiencies.

Examples of deficiencies are issues such as immature security controls, unpatched or misconfigured hardware/software assets, or undocumented business processes. These deficiencies are essentially vulnerabilities that can be targeted for exploitation. I am sure many of you know that every organization and its networks have deficiencies. However, it is the CISO’s responsibility to understand these concerns, have visibility into the risk they place on the company, and prioritize what needs to be remediated first, using strategic services such as CTI.

Where can CTI be acquired?

For an organization’s security program to use CTI, it first needs to decide which sources to use for its threat information. As mentioned, the CISO has access to multiple sources of threat intelligence; these sources are categorized as follows:

Internal threat intelligence

Information that is already within the organization. It is information that an organization’s security and operations teams have from previous experiences with vulnerabilities, malware incidents and data breaches. This information, if properly documented, can provide the business with meaningful content on how its enterprise networks were compromised and whether any recurring methodologies worked against the deployed security program. For most organizations, this information will probably be collected in some type of log management system or SIEM platform. If this information on incidents can be collected and used to properly document a history of attack paths, malware, vulnerabilities, etc., it can provide invaluable insight into security gaps that can be remediated. Alternatively, it can help the company identify business processes or legacy issues that need to be addressed to prevent further compromises.

External threat intelligence

Besides internal sources, organizations will typically subscribe to multiple external CTI data sources. Some of these sources are digital data feeds incorporated as a module or service directly into endpoint security solutions or deployed assets like firewalls and security gateways. Other sources will be in a report format, available through email or a CTI portal. This information provides the CISO with in-depth analysis of the threat actors, and their tactics, techniques and procedures (TTPs), that are currently targeting business operations. Some of these external threat intelligence feeds may be specific to the organization’s industry. One example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for collaboration on critical security threats that is used by the financial services sector. As a member of such a collaborative forum, a CISO could get alerts on current security issues, access to current threat white papers, and peers who can speak about best practices to remediate identified concerns. Another external CTI source is provided by law enforcement or government organizations. Some businesses may operate in industry verticals that are designated as critical. With this designation, CISOs can request access to threat intelligence feeds and security services not normally available to public companies. (See DHS Enhanced Cybersecurity Services (ECS) for more information.)

Now that you know what CTI is and where it can be acquired, stay tuned for my next piece where I will outline use cases for why CTI is important.


As Chief Information Security Officer (CISO), Gary Hayslip guides Webroot’s information security program, providing enterprise risk management. He is responsible for the development and implementation of all information security strategies, including the company’s security standards, procedures, and internal controls. Gary also contributes to product strategy, helping to guide the efficacy of Webroot’s security solutions portfolio.

As CISO, his mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs” focused on enabling CISOs to expand their expertise and scope of knowledge.

Gary’s previous information security roles include CISO, Deputy Director of IT and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty) and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks, and consolidated legacy network infrastructure into converged virtualized data centers.

Gary is involved in the cybersecurity and technology start-up communities in San Diego, where he is the co-chairman for Cybertech, the parent organization that houses the cyber incubator Cyberhive and the Internet of Things (IoT) incubator iHive. He also serves as a member of the EvoNexus Selection Committee, where he is instrumental in reviewing and mentoring cybersecurity and IoT startups. Gary is an active member of the professional organizations ISSA, ISACA and OWASP, and is on the Board of Directors for InfraGard. Gary holds numerous professional certifications, including CISSP, CISA and CRISC, and holds a Bachelor of Science in Information Systems Management and a Master’s degree in Business Administration. Gary has more than 28 years of experience in information security, enterprise risk management and data privacy.

The opinions expressed in this blog are those of Gary Hayslip and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
