Key Sources of Threat Intelligence Data
Effective Cyber Threat Intelligence (CTI) relies on gathering data from a diverse range of sources. The quality, timeliness, and relevance of this data directly determine the value of the intelligence produced. As the discussion of the different types of CTI showed, each type may draw on different primary sources. Here we look at the most important sources that feed the CTI ecosystem.
Common Sources of Threat Intelligence
CTI analysts tap into a variety of internal and external data sources to build a comprehensive picture of the threat landscape:
- Open Source Intelligence (OSINT): Publicly available information from sources like news articles, security blogs, public vulnerability databases (e.g., CVE), academic research, social media, and government reports. OSINT is a foundational element of CTI due to its accessibility and broad coverage.
- Dark Web and Underground Forums: Monitoring the dark web, including hidden forums and marketplaces, can reveal information about new malware, zero-day exploits, compromised data for sale, and threat actor discussions. This requires specialized tools and techniques due to the nature of these platforms.
- Commercial Threat Feeds: Subscription-based services provided by cybersecurity vendors that offer curated lists of indicators of compromise (IoCs), threat actor profiles, vulnerability information, and malware analysis reports. These feeds are often integrated directly into security tools.
- Open Source Threat Feeds: Community-driven and publicly accessible feeds of IoCs (e.g., blocklists of malicious IPs or domains). While valuable, they may require more vetting than commercial feeds.
- Internal Security Data and Telemetry: Information gathered from an organization's own security infrastructure, such as logs from firewalls, intrusion detection/prevention systems (IDS/IPS), Security Information and Event Management (SIEM) systems, endpoint detection and response (EDR) tools, and antivirus software. This internal data is crucial for contextualizing external threats.
- Information Sharing and Analysis Centers (ISACs) and Communities: Industry-specific or regional groups that facilitate the sharing of threat information among member organizations. ISACs provide a trusted environment for collaboration and dissemination of relevant intelligence.
- Human Intelligence (HUMINT): Information gathered from human sources, such as industry contacts, law enforcement liaisons, or even undercover operations (though the latter is less common for corporate CTI). It can provide unique insights not available through technical means.
- Technical Intelligence (TECHINT): Derived from the analysis of malicious software, attack tools, and adversary infrastructure. This includes malware reverse engineering, sandbox analysis, and forensic examination of compromised systems.
The effective use of these diverse sources is a key component of the CTI lifecycle. Once data is collected, it needs to be processed and subjected to rigorous analysis and interpretation to become actionable intelligence.
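As an added example (not part of the original page), the following Python sketch shows two of the points above in working code: the vetting an open-source IoC feed needs before it is trusted, and how internal firewall telemetry gives a matched indicator the context an analyst needs. The feed contents, the log lines, their key=value layout and the short list of non-routable ranges are all constructed for the example.

```python
import ipaddress
import re

# Ranges that are never valid external indicators (short list for the example; a
# production pipeline would use the full IANA special-purpose registry).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample feed, not a real blocklist: a comment line, a duplicate,
# an internal address and a junk entry, all of which vetting must handle.
RAW_FEED = """# blocklist v1 (constructed sample)
198.51.100.23
203.0.113.7
203.0.113.7     ; duplicate
10.0.0.5        ; internal address, must be dropped
not-an-ip
"""

# Constructed firewall log lines (syslog-like key=value layout, not a real device).
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z fw1 action=ALLOW src=192.168.1.10 dst=203.0.113.7 dport=443",
    "2024-05-01T10:01:09Z fw1 action=DENY src=198.51.100.23 dst=192.168.1.10 dport=22",
    "2024-05-01T10:02:14Z fw1 action=ALLOW src=192.168.1.10 dst=10.0.0.5 dport=445",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def vet_feed(raw: str) -> set[str]:
    """Parse a raw feed into a de-duplicated set of routable IPv4 indicators."""
    indicators = set()
    for line in raw.splitlines():
        token = line.split(";")[0].split("#")[0].strip()  # strip inline comments
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue  # blank line or junk entry, not an address
        if any(addr in net for net in NON_ROUTABLE):
            continue  # internal/reserved: matching it would flag normal LAN traffic
        indicators.add(str(addr))
    return indicators


def correlate(logs: list[str], indicators: set[str]) -> list[dict]:
    """Hits for log lines whose src or dst is a vetted indicator, annotated with direction and verdict."""
    hits = []
    for f in (m.groupdict() for m in map(LOG_RE.search, logs) if m):
        side = "dst" if f["dst"] in indicators else "src" if f["src"] in indicators else None
        if side:  # an ALLOWed outbound hit outranks a DENIED inbound probe when triaging
            hits.append({"ioc": f[side], "direction": "outbound" if side == "dst" else "inbound",
                         "action": f["action"], "dport": int(f["dport"]), "ts": f["ts"]})
    return hits
```

Feeding the unvetted feed straight into `correlate` would also flag the internal 10.0.0.5 connection, which is exactly the false positive the vetting step exists to prevent.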