Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is information about an adversary, such as their TTPs (Tactics, Techniques, and Procedures), and is commonly used by defenders to build detection measures. The red cell can leverage CTI from an offensive perspective to drive adversary emulation.

CTI can be consumed (acted upon) by collecting IOCs (Indicators of Compromise) and TTPs, which are commonly distributed and maintained by ISACs (Information Sharing and Analysis Centers). Intelligence platforms and frameworks also aid in the consumption of CTI, primarily by placing all observed activity on an overarching timeline.

Note: The term ISAC is often used loosely in the threat intelligence landscape to refer to any threat intelligence sharing platform. Strictly, an ISAC is a sector-specific member organization that collects and distributes intelligence; the platform is the tool it distributes through.

Traditionally, defenders use threat intelligence to provide context to the ever-changing threat landscape and to quantify findings. IOCs are the traces left by adversaries, such as domains, IPs, files (or their hashes), strings, etc. The blue team can utilize these IOCs to build detections and analyze behavior. From a red team perspective, you can think of threat intelligence as the red team's analysis of the blue team's ability to properly leverage CTI for detections.
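To make the consumption step concrete, the following is an added example (not code from the original note or from any ISAC or TI platform) of the simplest form of IOC-based detection: a small constructed indicator feed, in the defanged form many shared feeds use (`[.]` and `hxxp`), is refanged and normalized, then matched against constructed DNS, proxy, and EDR log lines. All indicators, hosts, hashes, and log lines are invented for the example; the field names (`query=`, `url=`, `sha256=`) are an assumed key=value log format, not any vendor's schema.

```python
import re
from urllib.parse import urlsplit

# Constructed sample IOC feed (invented values, defanged the way shared
# intel often arrives so it cannot be clicked or resolved by accident).
SAMPLE_IOC_FEED = [
    {"type": "domain", "value": "update-check[.]example"},
    {"type": "ipv4",   "value": "203.0.113[.]45"},
    {"type": "url",    "value": "hxxp://update-check[.]example/stage2.bin"},
    # SHA-256 of the empty file, used here only as a stand-in hash value.
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]

# Constructed log lines in an assumed key=value format: DNS resolver,
# web proxy, and EDR file-creation events from a single workstation.
SAMPLE_LOGS = [
    "2024-05-01T10:01:02Z dns client=10.0.0.12 query=update-check.example type=A",
    "2024-05-01T10:01:03Z proxy client=10.0.0.12 url=http://update-check.example/stage2.bin status=200",
    "2024-05-01T10:01:09Z edr host=ws-12 event=file_create path=C:\\Users\\u\\stage2.bin "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-05-01T10:02:00Z dns client=10.0.0.13 query=www.example.org type=A",
    "2024-05-01T10:03:00Z proxy client=10.0.0.14 url=https://203.0.113.45/beacon status=404",
]


def refang(value: str) -> str:
    """Undo common defanging so a feed indicator matches what raw logs contain."""
    v = value.strip()
    for bracketed in ("[.]", "(.)", "{.}"):
        v = v.replace(bracketed, ".")
    if v.lower().startswith("hxxp"):
        v = "http" + v[4:]
    return v


def normalize(ioc_type: str, value: str) -> str:
    """Refang and lower-case so comparisons are exact-match string lookups."""
    return refang(value).lower()


def load_iocs(feed):
    """Index the feed as {ioc_type: set(normalized_value)} for O(1) lookups."""
    index = {}
    for entry in feed:
        index.setdefault(entry["type"], set()).add(normalize(entry["type"], entry["value"]))
    return index


def match_log_line(line: str, index) -> list:
    """Return (ioc_type, value) hits for one line.

    A URL is checked as a whole and by its host, so a feed that only carries
    a domain or IP still fires on proxy traffic to a new path on that host.
    """
    hits = []
    for field, raw in re.findall(r"(\w+)=(\S+)", line):
        val = raw.lower()
        if field == "query" and val in index.get("domain", ()):
            hits.append(("domain", val))
        elif field == "url":
            if val in index.get("url", ()):
                hits.append(("url", val))
            host = (urlsplit(val).hostname or "").lower()
            if host in index.get("domain", ()):
                hits.append(("domain", host))
            if host in index.get("ipv4", ()):
                hits.append(("ipv4", host))
        elif field == "sha256" and val in index.get("sha256", ()):
            hits.append(("sha256", val))
    return hits


def scan(logs, feed):
    """Return [(line, hits)] for every log line that matched at least one IOC."""
    index = load_iocs(feed)
    results = []
    for line in logs:
        hits = match_log_line(line, index)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS, SAMPLE_IOC_FEED):
        print(hits, "<-", line)
```

The design point for a red team reading this is the gap it exposes: every match above is an exact string lookup, so an emulated adversary that rotates a domain, re-packs a payload (new hash), or moves to a host not yet in the feed produces no hit. That is precisely why the page distinguishes atomic IOCs from TTPs, which describe behavior rather than a value the adversary controls.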
