
CTI (Cyber Threat Intelligence) 🟢 Tool

Cyber Threat Intelligence (CTI), or renseignement sur les cybermenaces in French, is the systematic process of collecting, analysing and interpreting data about cyber threats.

Its aim is to give organisations actionable information with which to anticipate, prevent and respond to cyber attacks.

 


🔑 Key principles

 

  1. Contextual knowledge:
    • CTI turns raw data (e.g. logs, suspicious IP addresses) into contextualised information: who the attacker is, what their motives are, which methods they use.
    • Example: knowing that an APT (Advanced Persistent Threat) group is targeting banks with ransomware justifies tightening access controls.
  2. Proactive:
    • It aims to anticipate attacks rather than react after a compromise.
    • Example: using indicators of compromise (IoCs) to block malware before it infects the network.
  3. Adapted to your needs:
    • There are several levels of CTI:
      • Strategic, for decision-makers (e.g. global trends in cyber threats).
      • Operational, for SOC teams (e.g. attackers' TTPs: tactics, techniques and procedures).
      • Tactical, i.e. technical indicators (e.g. malware signatures, malicious IP addresses).

🎯 What is Cyber Threat Intelligence used for?

 

  1. Preventing attacks:
    • Identify the weaknesses cybercriminals exploit (e.g. data leaks, zero-day vulnerabilities).
    • Example: when Log4Shell (CVE-2021-44228) was disclosed in December 2021, CTI teams warned of its active exploitation, enabling companies to patch their systems in time.
  2. Improving incident response:
    • Speed up the detection and neutralisation of threats (e.g. playbooks built on the TTPs of groups such as LAPSUS$ or LockBit).
  3. Optimising security investments:
    • Direct spending towards the relevant tools (e.g. buying an EDR if the attacks target endpoints).
  4. Regulatory compliance:
    • Meet requirements such as the GDPR or NIS 2, which expect organisations to monitor threats actively.

CTI life cycle

 

  1. Planning: define the requirements (e.g. protecting customer data).
  2. Collection: open sources (OSINT), the dark web, partnerships (ISACs), internal sensors.
  3. Analysis: cross-reference the data using frameworks and platforms such as MITRE ATT&CK or MISP.
  4. Dissemination: reports tailored to each audience (e.g. a dashboard for the CISO, technical alerts for analysts).
  5. Feedback: assess the impact of the measures taken.
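The "Proactive" principle above (blocking malware from its IoCs) and the collection and analysis steps of the cycle meet in one routine job: consume a feed, run its indicators over your own logs, and tag each hit with the ATT&CK phase the feed attached to it. The following is an added example, not code from this page, from MISP, from OTX or from any vendor. The STIX 2.1 bundle, the SHA-256 value and the proxy/EDR log lines are constructed for illustration, and the log schema (key=value fields named src, dst, domain and sha256) is an assumption.

```python
"""Consume a threat-intelligence feed and run its IoCs over local logs.

Added example, not code from the glossary page or from any vendor. The
STIX 2.1 bundle, the hash and the log lines are all constructed here for
illustration; no real feed, IP address or file is involved.
"""
import json
import re

# Constructed placeholder hash reused in both the feed and the EDR log below.
FAKE_SHA256 = "0123456789abcdef" * 4

# Constructed STIX 2.1 bundle in the shape a MISP or OTX export would deliver.
# The last indicator uses a compound pattern on purpose: the simple matcher
# below must refuse it rather than silently match half of it.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "command-and-control"}]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + FAKE_SHA256 + "']",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "execution"}]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Constructed phishing domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-portal.example']",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "initial-access"}]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "Constructed compound pattern", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.8'] AND [network-traffic:dst_port = 4444]"},
    ],
})

# Constructed proxy and EDR log lines: timestamp, source, then key=value fields.
LOG_LINES = f"""\
2024-05-02T10:14:03Z proxy src=10.1.2.3 dst=198.51.100.8 domain=intranet.corp.example action=allow
2024-05-02T10:14:09Z proxy src=10.1.2.3 dst=203.0.113.45 domain=update-portal.example action=allow
2024-05-02T10:15:41Z edr host=WS-0231 user=jdoe file=invoice.exe sha256={FAKE_SHA256}
2024-05-02T10:16:00Z proxy src=10.1.2.9 dst=192.0.2.77 domain=www.example.org action=allow
"""

# Only single-comparison STIX patterns are handled; anything else is skipped.
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'\]$")

# Which log fields each observable type is compared against (assumed log schema).
FIELD_MAP = {
    ("ipv4-addr", "value"): ("src", "dst"),
    ("domain-name", "value"): ("domain",),
    ("file", "hashes.'SHA-256'"): ("sha256",),
}


def attack_phase(indicator):
    """Return the MITRE ATT&CK kill-chain phase attached to an indicator, if any."""
    for phase in indicator.get("kill_chain_phases", []):
        if phase.get("kill_chain_name") == "mitre-attack":
            return phase.get("phase_name")
    return None


def load_indicators(bundle_json):
    """Extract (log fields, value, indicator) triples from a STIX bundle.

    Compound patterns (AND/OR/FOLLOWEDBY) need a real STIX pattern engine,
    so they are dropped here instead of being partially matched.
    """
    triples = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = PATTERN_RE.match(obj["pattern"])
        if not match:
            continue
        fields = FIELD_MAP.get((match["obj"], match["prop"]))
        if fields:
            triples.append((fields, match["val"].lower(), obj))
    return triples


def parse_log_line(line):
    """Turn '<ts> <source> k=v k=v ...' into a dict."""
    parts = line.split()
    record = {"ts": parts[0], "source": parts[1]}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        record[key] = value
    return record


def match_logs(bundle_json, log_text):
    """Return one hit per (log line, indicator) pair whose field equals the IoC value."""
    indicators = load_indicators(bundle_json)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_log_line(line)
        for fields, value, indicator in indicators:
            for field in fields:
                if record.get(field, "").lower() == value:
                    hits.append({"ts": record["ts"], "field": field, "value": value,
                                 "indicator": indicator["name"],
                                 "phase": attack_phase(indicator)})
    return hits


if __name__ == "__main__":
    for hit in match_logs(STIX_BUNDLE, LOG_LINES):
        print(f"{hit['ts']} {hit['field']}={hit['value']} -> {hit['indicator']} ({hit['phase']})")
```

Run as-is, it reports three hits: the C2 address and the phishing domain on the second proxy line, and the dropper hash on the EDR line. The first proxy line is deliberately not reported even though it contains 198.51.100.8: that address only appears inside a compound pattern, and a matcher that does not understand STIX's AND/OR semantics must refuse such patterns rather than block on half of one. Exact-match IoCs are the tactical level of the page's taxonomy; the kill-chain phase carried on each hit is the bridge to the operational level (which ATT&CK tactic the activity belongs to).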

👉 Examples

 

  • Threat to the health sector:
    • In 2024, attackers exploited vulnerabilities in medical software to exfiltrate patient files. CTI was used to identify the IoCs and block the attacks.
  • Financial phishing:
    • Fraudulent e-mails imitating banks were detected by analysing sending patterns and spoofed domains.
  • SolarWinds attack (2020):
    • Companies with robust CTI programmes were able to detect suspicious activity linked to this sophisticated supply-chain attack quickly, limiting the damage and preventing the attackers from moving laterally through their networks.
  • WannaCry attack (2017):
    • Organisations using CTI received early warning that the vulnerability was being exploited and applied the necessary patches before the attack, avoiding significant financial and operational disruption.
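The financial-phishing example above says the fraudulent e-mails were caught by analysing sending patterns and spoofed domains. The following is an added example, not code from this page or from any vendor, showing what such a check can look like: it parses a few constructed e-mail headers, folds the cheap domain-spoofing tricks (case, accented letters, digit-for-letter swaps, "rn" for "m"), compares the sender's registrable domain against an assumed list of protected brand domains, and flags a Reply-To that diverts replies to another domain. The brand domains, the messages, the homoglyph map, the 0.85 similarity threshold and the two-label "registrable domain" rule are all assumptions made for the example.

```python
"""Triage inbound e-mail for senders impersonating a bank's domain.

Added example, not code from the glossary page. The brand domains, the
messages, the homoglyph map and the similarity threshold are all
constructed or assumed for illustration.
"""
import difflib
import email
import email.utils
import unicodedata

# Constructed allow-list of the brand domains being protected.
BRAND_DOMAINS = ["examplebank.com", "example-bank.fr"]

# Small, constructed table of digit-for-letter swaps seen in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Assumed threshold; tune it against your own mail volume.
LOOKALIKE_THRESHOLD = 0.85

# Constructed raw headers (header block only, body omitted).
SAMPLE_MESSAGES = [
    "From: Example Bank <alerts@examplebank.com>\nSubject: Your statement is ready\n\n",
    "From: Security <security@examp1ebank.com>\nSubject: Urgent: verify your account\n\n",
    "From: Support <support@examplebank-secure.com>\nReply-To: collect@webmail.example\n"
    "Subject: Card blocked\n\n",
    "From: Newsletter <news@example.org>\nSubject: Weekly digest\n\n",
]


def registrable(domain):
    """Last two labels of a host name. Assumes no multi-label public suffix
    (co.uk etc.); a real deployment would consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def normalise(domain):
    """Fold the cheap tricks: case, accented Latin letters (NFKD), the 'rn'
    for 'm' swap and digit look-alikes. Cyrillic or Greek confusables need a
    dedicated confusables table and are not covered here."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.replace("rn", "m").translate(HOMOGLYPHS)


def similarity(a, b):
    """Ratio in [0, 1] between the normalised forms of two domains."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def sender_domains(raw_message):
    """Return (From domain, Reply-To domain or None) from a raw RFC 5322 header block."""
    msg = email.message_from_string(raw_message)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    reply_addr = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2] or None
    return from_dom, reply_dom


def classify(from_domain, reply_to_domain=None):
    """Label a sender as legitimate, lookalike (homoglyph or fuzzy) or unrelated,
    and flag a Reply-To that sends replies to a different domain."""
    reg = registrable(from_domain)
    if reg in BRAND_DOMAINS:
        verdict = "legitimate"
    else:
        best = max(BRAND_DOMAINS, key=lambda brand: similarity(reg, brand))
        brand_token = best.split(".")[0].replace("-", "")
        if normalise(reg) == normalise(best):
            verdict = f"homoglyph lookalike of {best}"
        elif (similarity(reg, best) >= LOOKALIKE_THRESHOLD
              or brand_token in normalise(reg).replace("-", "")):
            verdict = f"lookalike of {best}"
        else:
            verdict = "unrelated"
    if reply_to_domain and registrable(reply_to_domain) != reg:
        verdict += "; reply-to mismatch"
    return verdict


def triage(raw_messages):
    """Classify every message; returns [(From domain, verdict), ...]."""
    results = []
    for raw in raw_messages:
        from_dom, reply_dom = sender_domains(raw)
        results.append((from_dom, classify(from_dom, reply_dom)))
    return results


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{domain:28} {verdict}")
```

Two of the four constructed messages are flagged as lookalikes and one of those also for its diverted Reply-To; the genuine bank address and the unrelated newsletter pass. In production this sits beside, not instead of, SPF/DKIM/DMARC results: a perfectly aligned lookalike domain with valid DMARC is still a lookalike, which is exactly the case authentication alone cannot catch.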


CTI tools and sources

 

Type                    Examples                                      Use
Open sources            VirusTotal, AlienVault OTX                    Collecting IoCs (malicious files, IP addresses)
Commercial platforms    Recorded Future, ThreatConnect                Predictive analysis and detailed reports
Collaboration           MISP (Malware Information Sharing Platform)   Sharing information between organisations

 

 


📊 Key figures

 

  • According to IBM (2023), companies using CTI reduced their average incident response time, and the associated costs, by 65 %.
  • The CTI market is expected to reach $25.4 billion by 2028 (source: Grand View Research).

 


Challenges

 

  • Information overload: sorting the relevant data out of millions of alerts.
  • Real-time updates: threats evolve rapidly (e.g. generative AI tools such as ChatGPT being used to produce malware).