Cyber threat intelligence
Cyber threat intelligence (CTI) is a part of cybersecurity that focuses on collecting, analyzing, and sharing information about potential or existing cyber threats.[1][2] It gives organizations the information needed to predict, prevent, and respond to cyberattacks, enabling them to understand attackers’ behavior, tactics, and the vulnerabilities they exploit.[3][4][5]
Sources of cyber threat intelligence include open-source data, social media, operational and technical intelligence, device log files, forensic analysis, internet traffic, as well as data from the dark web and deep web.
Modern CTI programs differ from the mere collection of raw security data in that they combine technical monitoring, external intelligence sources, and analytical methods to produce specific, actionable assessments of the cyber threats facing particular organizations or business sectors.[6][7]
Analytical interpretation gives context to attackers' actions, capabilities, and intentions, helping organizations set priorities and allocate security resources effectively. When decisions are based on intelligence and analysis, organizations can act proactively rather than only reacting to security incidents, reducing the likelihood that an attack succeeds.[8] This approach has grown in importance in recent years: IBM's 2022 X-Force Threat Intelligence Index reports that exploiting vulnerabilities was the most common way companies were breached, accounting for 47% of the attacks it analysed.[9]
The COVID-19 pandemic and the rise of remote work have also increased exposure to threats, leaving corporate data more accessible to attackers. Faced with growing threats on the one hand and increasing analytical demands on the other, many companies have in recent years outsourced their threat analytics to a managed security service provider (MSSP).[10]
Cyber threat analytics has also become an important component of modern Security Operations Centers (SOCs), where threat intelligence data is used to enrich alerts, identify malicious infrastructure, and support incident response and threat hunting activities.[11]
Types
There are three categorical levels of cyber threat intelligence: tactical, operational, and strategic.[4][12][13][14][15] Each serves a distinct audience and purpose in building a comprehensive threat assessment.
- Tactical: The most technical level, focused on immediate detection and response. Tactical intelligence consists of specific indicators of compromise (IOCs): IP addresses, domain names, file hashes, malware signatures, and similar artifacts. Security operations teams use these indicators to identify and block threats in real time through SIEM rules, firewall policies, and endpoint detection systems.[4][12][16][13][15]
- Operational: Focused on understanding adversary behavior and campaigns. Operational intelligence analyzes who the threat actors are, their tactics, techniques, and procedures (TTPs), infrastructure patterns, motivations, and ongoing campaigns. This level helps security teams anticipate how attacks unfold, recognize adversary tradecraft, and understand the broader context behind specific incidents. Sources include incident response findings, malware analysis, threat actor profiling, security vendor reporting, and intelligence from industry sharing groups and government advisories.[4][12][13][15]
- Strategic: Tailored for non-technical audiences, particularly executives and board members. Strategic intelligence addresses high-level business risk: which threat actors target the organization's sector, geopolitical factors affecting the threat landscape, long-term trends, and the potential business impact of cyber threats. Delivered through reports, briefings, and risk assessments, it helps leadership prioritize security investments and understand how cyber risk aligns with organizational objectives.[4][12][13][15]
Technical threat intelligence focuses on machine-readable indicators of compromise (IoCs): malicious IP addresses, domain names, file hashes, and command-and-control (C2) servers or infrastructure. This enables automated detection and response. While the conventional distinction is between strategic, operational, and tactical intelligence, some large organizations define technical threat intelligence as a separate, fourth category that is essential for Security Operations Centers (SOCs).[17]
Some threat analytics platforms also distinguish between indicator-based analytics and behavior-based analytics. Indicator-based analytics focuses on specific technical artifacts: malicious IP addresses, file hashes, etc. Behavior-based analytics analyzes attackers’ tactics and techniques to detect threats that may change their infrastructure or indicators over time.[11][18]
Sources of cyber threat intelligence
Information about cybersecurity threats can be obtained from various sources: internal telemetry from security tools, network log data, endpoint system data, malware analysis, dedicated threat intelligence feeds from cybersecurity vendors, open-source intelligence (OSINT), dark web monitoring, and analytical reports from government agencies or private security firms. To obtain effective analytical insights, it is necessary to combine data from internal security tools with external technical and strategic reports to gain a more comprehensive view of the threat landscape.[19][20]
Process - intelligence cycle
The development of cyber threat intelligence follows a circular, continuous process known as the intelligence cycle, composed of five phases,[12][21][16][13] which intelligence teams carry out to deliver to leadership relevant and timely intelligence that reduces danger and uncertainty.[16]
The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination.[12][21][16][13]
In planning and direction, the consumer of the intelligence product requests intelligence on a specific topic or objective. Once the requirement is set, the second phase, collection, begins: the raw information needed to produce the finished intelligence product is gathered. Since information is not yet intelligence, it must be transformed, and therefore passes through the processing and analysis phases. In processing (the pre-analytical phase), the raw information is filtered and prepared for analysis through techniques such as decryption, language translation and data reduction; in the analysis phase, the organized information is turned into intelligence. Finally, in the dissemination phase, the finished threat intelligence is delivered to its various consumers.[21][13]
The intelligence cycle model in the field of cyber threat analysis is based on traditional intelligence methods used by military and government intelligence agencies, where structured analysis is employed to transform raw data into the insights needed for decision-making.[22]
Key requirements for threat intelligence
There are three key elements needed for information or data to qualify as threat intelligence:[13]
- Evidence-based: To be useful, threat intelligence must be gathered through proper evidence-gathering methods.[23] For example, analyzing malware can help generate threat intelligence.
- Utility: Threat intelligence should positively impact a security incident by providing useful information. It must offer clear context and data about specific behaviors and methods.[24]
- Actionable: For information to be considered threat intelligence, it must lead to action. This is what distinguishes intelligence from mere data.[25]
Cybersecurity researchers also highlight other factors for good threat intelligence, such as accuracy, completeness, timeliness, compatibility, and relevance to the environment where it will be used.[26]
Benefits of cyber threat intelligence
Cyber threat intelligence provides a number of benefits, which include:
- Gives organizations, agencies or other entities, the ability to develop a proactive and robust cybersecurity posture and to bolster overall risk management and cybersecurity policies and responses.[27]
- Drives momentum toward a proactive cybersecurity posture that is predictive, not simply reactive after a cyber attack.[8]
- It provides context and insights about active attacks and potential threats to aid decision making.[12]
- It helps prevent data breaches from exposing sensitive information, reducing data loss.[15]
- Reduces costs. Since data breaches are costly, reducing the risk of data breaches helps save money.[15]
- It provides organizations with guidance on implementing security measures to prevent future attacks.[15]
- Enables sharing of knowledge, skills and experiences among the cybersecurity community and system stakeholders.[15]
- It helps to more easily and better identify risks and threats, as well as delivery mechanisms, indicators of compromise across the infrastructure, and potential specific actors and motivators.[28]
- Helps detect attacks before and during each stage of an attack.[28]
- Provides indicators of actions taken during each stage of the attack.[28]
- Communicates threat surfaces, attack vectors and malicious activities directed to both information technology and operational technology platforms.
- Serves as a fact-based repository of data on successful and failed cyberattacks.
- Provides indicators for computer emergency response teams and incident response groups.
Threat analytics helps improve threat detection mechanisms by identifying attackers’ methods and behavioral patterns that are not yet detected by automated security monitoring systems.[11]
Threat intelligence platforms
Organizations often deploy specialized software known as threat intelligence platforms (TIPs) to aggregate, analyze, and distribute threat intelligence data.
These platforms typically integrate multiple intelligence sources, correlate indicators, and distribute intelligence to security tools such as SIEM systems, EDR, and incident response platforms.[29][30]
Threat intelligence platforms gather data from both internal and external sources, including security system telemetry, open-source intelligence feeds, malware repositories, vulnerability databases, and reports from security vendors. By aggregating and correlating indicators of compromise (IoCs) like malicious IP addresses, domain names, file hashes, and command-and-control infrastructure, these platforms help security professionals better understand threat contexts and identify the most significant threats.[31][32]
Threat intelligence platforms are commonly integrated with other cybersecurity systems. Integrations with tools such as security information and event management (SIEM) systems, endpoint detection and response (EDR) solutions, and incident response platforms enable automated alert enrichment and faster investigation of security incidents.[18][33]
Threat intelligence platforms also support threat hunting and incident response by organizing indicators and intelligence reports within searchable repositories, allowing analysts to correlate events and identify patterns associated with specific campaigns or threat actors.[34]
Some threat intelligence platforms use automated data pipelines and machine learning techniques to process large volumes of threat data and generate analytical insights for proactive cybersecurity strategies.[35][36]
Structured threat intelligence
Modern CTI programs rely on standardized, machine-readable formats so that intelligence can be exchanged automatically between organizations and security tools and processed without manual re-entry.
STIX (Structured Threat Information Expression), maintained by OASIS, is a standardized language for representing cyber threat information in a machine-readable format (JSON in STIX 2.x), allowing analysts to describe threat actors, campaigns, malware, vulnerabilities, and indicators within a structured data model.
TAXII (Trusted Automated Exchange of Intelligence Information), also an OASIS standard, is an HTTPS-based protocol for the automated exchange of threat intelligence, typically used to transmit STIX content between servers and clients.[37]
The Traffic Light Protocol (TLP), maintained by FIRST, is widely used in threat intelligence exchange to signal how far recipients may redistribute a piece of information within trusted communities; TLP 2.0 defines the labels TLP:RED, TLP:AMBER, TLP:AMBER+STRICT, TLP:GREEN and TLP:CLEAR, from most to least restrictive.[38]
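The following Python script is an added, worked example (not part of the article, and not code from OASIS, FIRST or any vendor). It parses a small STIX 2.1 bundle, evaluates a deliberately restricted subset of STIX patterning (single equality comparisons joined by OR) against a handful of observables, and decides which indicators may be redistributed to a given audience from their TLP marking. The bundle, its identifiers and indicator values (taken from documentation-reserved address ranges), the observables and the audience-to-TLP mapping are all constructed for illustration; a production pipeline would use a full STIX pattern engine and the TLP 2.0 definitions published by FIRST.

```python
"""STIX 2.1 indicator matching with TLP-gated sharing (illustrative, constructed data)."""
import json
import re

# Constructed sample bundle: ids, timestamps and values are made up;
# 203.0.113.0/24 and *.invalid are reserved for documentation.
TLP_AMBER = "marking-definition--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
TLP_GREEN = "marking-definition--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
T0 = "2024-01-01T00:00:00.000Z"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": TLP_AMBER, "created": T0,
         "definition_type": "tlp", "name": "TLP:AMBER", "definition": {"tlp": "amber"}},
        {"type": "marking-definition", "spec_version": "2.1", "id": TLP_GREEN, "created": T0,
         "definition_type": "tlp", "name": "TLP:GREEN", "definition": {"tlp": "green"}},
        {"type": "indicator", "spec_version": "2.1", "created": T0, "modified": T0, "valid_from": T0,
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "name": "C2 server (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "object_marking_refs": [TLP_AMBER]},
        {"type": "indicator", "spec_version": "2.1", "created": T0, "modified": T0, "valid_from": T0,
         "id": "indicator--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
         "name": "Dropper hash or staging domain (constructed)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "'] "
                    "OR [domain-name:value = 'updates.example.invalid']",
         "object_marking_refs": [TLP_GREEN]},
    ],
})

# Constructed observables, shaped like STIX cyber-observable objects.
SAMPLE_OBSERVABLES = [
    {"type": "ipv4-addr", "value": "198.51.100.7"},
    {"type": "ipv4-addr", "value": "203.0.113.45"},
    {"type": "domain-name", "value": "updates.example.invalid"},
    {"type": "file", "name": "setup.exe", "hashes": {"SHA-256": "deadbeef" * 8}},
]

# Only "[type:path = 'value']" comparisons joined by OR are supported; anything else
# (AND, NOT, MATCHES, FOLLOWEDBY, qualifiers) raises rather than half-matching.
COMPARISON = re.compile(r"\[\s*([\w-]+):([^\s=\]]+)\s*=\s*'([^']*)'\s*\]")
# TLP 2.0 labels, least to most restrictive (TLP 1.0 "white" is mapped to "clear");
# AUDIENCE_MAX is an assumed policy for this example: the most restrictive label each may receive.
TLP_ORDER = ["clear", "green", "amber", "amber+strict", "red"]
AUDIENCE_MAX = {"public": "clear", "community": "green", "clients": "amber",
                "organization": "amber+strict", "named-recipients": "red"}

def parse_pattern(pattern):
    """Split a restricted STIX pattern into (object_type, property_path, value) tuples."""
    out = []
    for part in re.split(r"\s+OR\s+", pattern.strip()):
        m = COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported pattern fragment: {part}")
        obj_type, path, value = m.groups()
        out.append((obj_type, path.replace("'", ""), value))  # hashes.'SHA-256' -> hashes.SHA-256
    return out

def resolve(obj, path):
    """Walk a dotted property path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def match_indicator(indicator, observable):
    """Return the (property_path, value) that matched, or None."""
    for obj_type, path, value in parse_pattern(indicator["pattern"]):
        if observable.get("type") == obj_type and resolve(observable, path) == value:
            return path, value
    return None

def load_bundle(text):
    """Return (indicators, {marking_id: tlp_level}) from a STIX 2.1 bundle."""
    bundle = json.loads(text)
    indicators, markings = [], {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "marking-definition" and obj.get("definition_type") == "tlp":
            level = obj["definition"]["tlp"].lower()
            markings[obj["id"]] = "clear" if level == "white" else level
        elif obj.get("type") == "indicator" and obj.get("pattern_type", "stix") == "stix":
            indicators.append(obj)
    return indicators, markings

def tlp_of(indicator, markings):
    """Most restrictive TLP label on the object; unmarked objects fail closed to red."""
    levels = [markings[r] for r in indicator.get("object_marking_refs", []) if r in markings]
    return max(levels, key=TLP_ORDER.index) if levels else "red"

def scan(bundle_text, observables):
    """Match every observable against every indicator, keeping the TLP label with each hit."""
    indicators, markings = load_bundle(bundle_text)
    return [{"indicator": ind["name"], "observable": obs["type"], "matched": hit[1],
             "tlp": tlp_of(ind, markings)}
            for obs in observables for ind in indicators if (hit := match_indicator(ind, obs))]

def exportable(bundle_text, audience):
    """Names of indicators whose TLP label permits sharing with the given audience."""
    indicators, markings = load_bundle(bundle_text)
    limit = TLP_ORDER.index(AUDIENCE_MAX[audience])
    return [i["name"] for i in indicators if TLP_ORDER.index(tlp_of(i, markings)) <= limit]
```

Two design points are deliberate: an indicator with no recognised marking is treated as TLP:RED, so a feed that forgets to mark an object fails closed rather than leaking, and the pattern parser refuses anything it does not understand instead of silently matching a fragment, which is the safer failure for a detection rule.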
Analytical frameworks
Analysts use structured analytical models to understand the behavior of attackers and implement defensive measures.[39]
The Cyber Kill Chain model, developed by Lockheed Martin, describes the stages of a cyberattack as a linear progression: reconnaissance, weaponization (preparation of attack tools), delivery, exploitation of vulnerabilities, installation, command and control, and actions on objectives. This framework helps defenders identify at which stage an attack can be disrupted.[40]
The Diamond Model of Intrusion Analysis examines the relationships between four core features of any intrusion event: the adversary, their capabilities (tools and techniques), the infrastructure they use (domains, IP addresses, email addresses), and the victim. Using these relationships across multiple events, analysts can pivot between incidents, identify patterns, and attribute activity to specific threat actors or campaigns.[41]
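As an added example (not from the Diamond Model paper or the article), the Python below treats each intrusion event as a Diamond Model tuple and pivots across events on shared capability or infrastructure, then carries a known adversary label across the resulting cluster. The events, group name and addresses are constructed; the `commodity` set is a hypothetical list of values (shared hosting, public resolvers, commodity tooling) that must be excluded from pivoting, because a value many unrelated actors use links everything to everything.

```python
"""Diamond Model pivoting over constructed intrusion events (illustrative example)."""
from collections import defaultdict

# Constructed Diamond Model events (adversary, capability, infrastructure, victim).
# Addresses are from documentation ranges; nothing here describes a real intrusion.
EVENTS = [
    {"id": "E1", "adversary": None, "capability": "loader-x",
     "infrastructure": "203.0.113.10", "victim": "bank-a"},
    {"id": "E2", "adversary": None, "capability": "loader-x",
     "infrastructure": "198.51.100.5", "victim": "bank-b"},
    {"id": "E3", "adversary": None, "capability": "rat-y",
     "infrastructure": "198.51.100.5", "victim": "insurer-c"},
    {"id": "E4", "adversary": None, "capability": "rat-z",
     "infrastructure": "192.0.2.77", "victim": "retailer-d"},
    {"id": "E5", "adversary": "GROUP-ALPHA (constructed)", "capability": "rat-y",
     "infrastructure": "203.0.113.99", "victim": "bank-e"},
]

def cluster_events(events, pivot_on=("capability", "infrastructure"), commodity=frozenset()):
    """Union-find over events that share a pivot value.

    Values in `commodity` (shared hosting, public resolvers, commodity tooling) are
    excluded: a value used by many unrelated actors would link everything to everything.
    Returns (clusters of event ids, sorted; list of (a, b, feature, value) pivot links)."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_value = defaultdict(list)
    for e in events:
        for feature in pivot_on:
            value = e.get(feature)
            if value and value not in commodity:
                by_value[(feature, value)].append(e["id"])
    links = []
    for (feature, value), ids in by_value.items():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
            links.append((ids[0], other, feature, value))
    clusters = defaultdict(list)
    for e in events:
        clusters[find(e["id"])].append(e["id"])
    return sorted(clusters.values()), links

def label_clusters(events, clusters):
    """One activity-group label per cluster.

    A cluster with no named adversary stays unattributed; one with conflicting names
    is flagged rather than merged, since that is where a false flag or bad pivot shows."""
    by_id = {e["id"]: e for e in events}
    labels, unattributed = {}, 0
    for members in clusters:
        names = sorted({by_id[m]["adversary"] for m in members if by_id[m]["adversary"]})
        if len(names) == 1:
            label = names[0]
        elif not names:
            unattributed += 1
            label = f"UNATTRIBUTED-{unattributed}"
        else:
            label = "CONFLICT: " + ", ".join(names)
        labels[label] = members
    return labels

if __name__ == "__main__":
    clusters, links = cluster_events(EVENTS)
    for a, b, feature, value in links:
        print(f"{a} <-> {b} via shared {feature} {value}")
    print(label_clusters(EVENTS, clusters))
```

With the sample data, E1 and E2 share a loader, E2 and E3 share a server, and E3 and E5 share a RAT, so the label on E5 propagates to all four; declaring the shared server commodity infrastructure breaks the chain in two, which is exactly the judgement an analyst has to make before trusting a pivot.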
The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. Its Enterprise matrix organizes attacker behavior into 14 tactics (the "why" of an action: initial access, persistence, privilege escalation, defense evasion, and so on) and hundreds of techniques and sub-techniques (the "how": the specific methods used to achieve each tactic). Unlike the linear Cyber Kill Chain, ATT&CK provides a matrix of adversary behaviors that can occur in any order or simultaneously. Security teams use ATT&CK to map threat intelligence to defensive controls, assess detection coverage gaps, conduct red team exercises, and build detections aligned with observed adversary tradecraft. It has become a de facto standard for describing and sharing operational threat intelligence.
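The script below is an added example (not the article's or MITRE's code) of mapping threat intelligence to defensive controls with ATT&CK: it rolls reported sub-techniques up to their parent technique, counts how many reports mention each, checks them against a detection inventory, and lists gaps per tactic. The technique table is a hand-typed excerpt of ATT&CK Enterprise, and the two reports and four detection rules are constructed; a real assessment would load the full knowledge base from the STIX bundle MITRE publishes and take rule-to-technique mappings from the detection repository.

```python
"""ATT&CK coverage-gap check over constructed reports and detections (illustrative)."""
from collections import Counter, defaultdict

# Hand-typed excerpt of ATT&CK Enterprise (technique id -> name, tactics). In practice,
# load the full knowledge base from the STIX bundle MITRE publishes instead.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence", "privilege-escalation",
                                 "defense-evasion"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1071": ("Application Layer Protocol", ["command-and-control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed intelligence reports: the techniques each attributes to a campaign.
# Sub-technique ids (T1566.001) roll up to their parent technique.
REPORTS = {
    "vendor-report-A (constructed)": ["T1566.001", "T1059.001", "T1053", "T1078", "T1486"],
    "isac-advisory-B (constructed)": ["T1566", "T1003", "T1021", "T1071", "T1041", "T1486"],
}

# Constructed detection inventory. `validated` means the rule has fired against an
# emulated instance of the technique, not merely that it is deployed.
DETECTIONS = [
    {"rule": "phishing-attachment-macro", "techniques": ["T1566.001"], "validated": True},
    {"rule": "powershell-encoded-command", "techniques": ["T1059.001"], "validated": True},
    {"rule": "lsass-handle-access", "techniques": ["T1003.001"], "validated": False},
    {"rule": "mass-file-rename", "techniques": ["T1486"], "validated": True},
]

def parent(technique_id):
    """T1566.001 -> T1566."""
    return technique_id.split(".")[0]

def observed(reports):
    """How many reports mention each parent technique; used to rank gaps."""
    counts = Counter()
    for techniques in reports.values():
        counts.update({parent(t) for t in techniques})
    return counts

def coverage(reports, detections, require_validated=True):
    """Split observed techniques into covered / unvalidated / gaps, overall and per tactic."""
    counts = observed(reports)
    detected, unvalidated = set(), set()
    for rule in detections:
        bucket = detected if rule["validated"] or not require_validated else unvalidated
        bucket.update(parent(t) for t in rule["techniques"])
    unvalidated -= detected  # a technique with one validated rule counts as covered
    by_tactic = defaultdict(lambda: {"covered": [], "gaps": []})
    for t in sorted(counts):
        # Techniques missing from the excerpt still show up, under "unknown-tactic".
        for tactic in TECHNIQUES.get(t, (t, ["unknown-tactic"]))[1]:
            by_tactic[tactic]["covered" if t in detected else "gaps"].append(t)
    return {
        "covered": sorted(t for t in counts if t in detected),
        "unvalidated": sorted(t for t in counts if t in unvalidated),
        # Gaps ranked by how many reports mention them, then by id.
        "gaps": sorted((t for t in counts if t not in detected), key=lambda t: (-counts[t], t)),
        "mentions": dict(counts),
        "by_tactic": dict(by_tactic),
    }

if __name__ == "__main__":
    result = coverage(REPORTS, DETECTIONS)
    for tactic, cell in result["by_tactic"].items():
        print(f"{tactic:22} covered={cell['covered']} gaps={cell['gaps']}")
    print("priority gaps:", [(t, TECHNIQUES.get(t, (t,))[0]) for t in result["gaps"]])
```

Treating an unvalidated rule as a gap rather than as coverage is deliberate: a rule that has never fired against an emulated technique is an untested assumption, and the per-tactic view makes clear that one missing technique (here Valid Accounts) can leave several tactics uncovered at once.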
Automation of threat intelligence analysis
The increasing volume and velocity of cyber threat data have led organizations to automate significant parts of the threat intelligence lifecycle, including data collection, processing, correlation, and distribution.[36] Automated threat intelligence systems typically ingest data from multiple sources, and then process and correlate this information to identify patterns of malicious activity.[31]
Machine-readable standards and transport protocols (STIX and TAXII) are an important component of automated CTI systems.[42]
Integration between threat intelligence platforms and security operations center (SOC) systems enables automated prioritization of alerts and enrichment of security events using intelligence indicators.[43]
A drawback of automated analytics is that it can generate false positives or rely on low-quality indicators, so analysts still have to verify results and provide contextual interpretation. For this reason, many organizations adopt a hybrid model in which automated systems perform large-scale data processing while human analysts focus on interpretation, attribution, and strategic assessment of cyber threats.
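As an added example (not from the article or any vendor product), the Python below shows the kind of gating a hybrid pipeline applies before an indicator match is allowed to page an analyst, and also illustrates the tactical use of indicators and the SIEM enrichment described earlier in the article. It parses a few constructed firewall and DNS log lines, looks up destination addresses and queried domains in a constructed indicator feed, and derives a verdict from indicator confidence, age and an allowlist of shared infrastructure: high-confidence fresh matches alert automatically, mid-confidence ones go to an analyst review queue, and stale or allowlisted indicators are suppressed. The feed, allowlist, log lines, thresholds and the fixed clock are all assumptions for this example.

```python
"""Indicator-match gating for automated alert enrichment (illustrative, constructed data)."""
import re
from datetime import datetime, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed indicator feed: `confidence` is the provider's 0-100 score and
# `last_seen` the last date the indicator was observed active. Addresses are
# from documentation ranges; nothing here is a real IoC.
FEED = [
    {"value": "203.0.113.45", "confidence": 90, "last_seen": "2024-02-27", "source": "vendor-feed",
     "context": {"actor": "GROUP-ALPHA (constructed)", "role": "c2"}},
    {"value": "198.51.100.22", "confidence": 60, "last_seen": "2024-02-20", "source": "osint-list",
     "context": {"role": "scanner"}},
    {"value": "192.0.2.8", "confidence": 95, "last_seen": "2023-09-01", "source": "vendor-feed",
     "context": {"role": "c2"}},  # stale: last seen six months ago
    {"value": "cdn.example.invalid", "confidence": 85, "last_seen": "2024-02-28", "source": "osint-list",
     "context": {"role": "payload-host"}},  # shared infrastructure, also used legitimately
]
# Shared infrastructure that legitimate traffic also touches: matches are a known
# false-positive source and are suppressed rather than sent to the SOC.
ALLOWLIST = {"cdn.example.invalid"}

# Constructed firewall and DNS log lines in a key=value style.
SAMPLE_LOG = """\
2024-03-01T09:58:00Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow
2024-03-01T09:59:10Z fw src=10.0.0.9 dst=198.51.100.22 dport=22 action=deny
2024-03-01T10:00:02Z fw src=10.0.0.5 dst=192.0.2.8 dport=8080 action=allow
2024-03-01T10:00:45Z dns client=10.0.0.7 query=cdn.example.invalid rcode=NOERROR
2024-03-01T10:01:30Z fw src=10.0.0.5 dst=198.51.100.200 dport=443 action=allow""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """'<ts> <sensor> k=v k=v ...' -> dict; malformed lines return None."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "sensor": parts[1]}
    event.update(KV.findall(parts[2]))
    return event

def enrich(event, feed=FEED, allowlist=ALLOWLIST, now=NOW,
           max_age_days=90, auto_threshold=80, review_threshold=50):
    """Attach indicator context and a verdict to one event.

    Verdicts: auto:alert (fresh, high confidence), review:analyst (fresh, mid
    confidence), suppress:stale, suppress:allowlisted, log-only, clean."""
    index = {i["value"]: i for i in feed}
    hits = [(f, index[event[f]]) for f in ("dst", "query") if event.get(f) in index]
    if not hits:
        return {"verdict": "clean", "event": event}
    field, ind = max(hits, key=lambda h: h[1]["confidence"])
    last_seen = datetime.strptime(ind["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    age_days = (now - last_seen).days
    if ind["value"] in allowlist:
        verdict = "suppress:allowlisted"
    elif age_days > max_age_days:
        verdict = "suppress:stale"
    elif ind["confidence"] >= auto_threshold:
        verdict = "auto:alert"
    elif ind["confidence"] >= review_threshold:
        verdict = "review:analyst"  # hybrid model: a human decides, the machine only queues
    else:
        verdict = "log-only"
    return {"verdict": verdict, "event": event, "matched_field": field,
            "indicator": ind["value"], "confidence": ind["confidence"], "age_days": age_days,
            "source": ind["source"], "context": ind["context"]}

def triage(lines, **kwargs):
    """Enrich every parseable line; verdicts come back in input order."""
    results = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            results.append(enrich(event, **kwargs))
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["verdict"], r["event"].get("dst") or r["event"].get("query"), r.get("context", ""))
```

The ordering of the checks matters: the allowlist and the age check run before confidence is consulted, so a high-confidence indicator that is six months old or that points at shared infrastructure never reaches the alert path, which is where most indicator-driven false positives come from.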
Attribution
Attribution is the process of identifying who conducted a cyber attack: the individual actors, organized groups, or nation-state sponsors behind an intrusion.[44] In threat intelligence, attribution helps organizations understand adversary intent, prioritize defenses, anticipate future targeting, and inform strategic decisions. It also supports law enforcement investigations and policy responses.
Attribution relies on multiple evidence types: technical indicators (infrastructure, malware code), behavioral analysis (tactics, techniques, and operational tradecraft), linguistic artifacts, targeting patterns (victim selection and geopolitical alignment), and intelligence from human sources or signals intelligence.[45][46]
However, attribution is inherently difficult and often remains probabilistic rather than definitive. Attackers routinely employ obfuscation techniques: using proxy infrastructure, VPNs, compromised intermediary systems, and stolen or leased tools. Advanced threat actors deliberately plant false flags by mimicking the TTPs, language, or infrastructure patterns of other groups to misdirect attribution efforts.[47]
As a result, different threat intelligence vendors take varying approaches to attribution. Some explicitly attribute threat groups to specific nation-states or sponsoring organizations based on their analysis and confidence thresholds. Others intentionally avoid geopolitical attribution, instead documenting only observable, indisputable facts, such as language artifacts in malware, shared infrastructure, or technical capabilities, and tracking adversary clusters by neutral designators. Attribution assessments are typically expressed with varying levels of confidence (low, medium, high) rather than certainty, and erroneous conclusions can have diplomatic, legal, or strategic consequences.[48][49][50][51]
CTI sharing
In 2015, U.S. legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. The act required the U.S. federal government to facilitate and promote four CTI objectives:[52]
- Sharing of "classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments";
- Sharing of "unclassified indicators with the public";
- Sharing of "information with entities under cybersecurity threats to prevent or mitigate adverse effects";
- Sharing of "cybersecurity best practices with attention to the challenges faced by small businesses."
In 2016, the U.S. National Institute of Standards and Technology (NIST) issued NIST SP 800-150, Guide to Cyber Threat Information Sharing, which set out the case for sharing cyber threat information as well as a framework for implementing it.[53]
In addition to the United States, the exchange of real-time information on cyber threats is coordinated through international and industry organizations, such as Information Sharing and Analysis Centers (ISACs), which facilitate cooperation among companies in critical infrastructure sectors, including finance, energy, and transport.[54]
See also
- Cyber Intelligence Sharing and Protection Act
- Denial-of-service attack
- Indicator of compromise
- Malware
- Malware analysis
- Ransomware
- Threat Intelligence Platform
- Zero-day (computing)
References
- ^ Schlette, Daniel; Böhm, Fabian; Caselli, Marco; Pernul, Günther (2020). "Measuring and visualizing cyber threat intelligence quality". International Journal of Information Security. 20 (1): 21–38. doi:10.1007/s10207-020-00490-y. ISSN 1615-5262.
- ^ Kant, Neelima (2024). "Cyber Threat Intelligence (CTI): An Analysis on the Use of Artificial Intelligence and Machine Learning to Identify Cyber Hazards". Cyber Security and Digital Forensics. Lecture Notes in Networks and Systems. Vol. 36. pp. 449–462. doi:10.1007/978-981-99-9811-1_36. ISBN 978-981-99-9810-4.
- ^ Dalziel, Henry (2014). How to Define and Build an Effective Cyber Threat Intelligence Capability. Syngress. ISBN 9780128027301.
- ^ a b c d e Bank of England (2016). CBEST Intelligence-Led Testing: Understanding Cyber Threat Intelligence Operations (PDF) (Report). Bank of England.
- ^ Saeed, Saqib (2023). "A Systematic Literature Review on Cyber Threat Intelligence for Organizational Cybersecurity Resilience". Sensors. 23 (16): 7273. Bibcode:2023Senso..23.7273S. doi:10.3390/s23167273. PMC 10459806. PMID 37631808.
- ^ Johnson, Christopher; Badger, Mark; Waltermire, David; Snyder, Julie; Skorupka, Clem (October 2016). "Guide to Cyber Threat Information Sharing NIST SP 800-150".
- ^ "What Is Cyber Threat Intelligence and How Is It Used?" (PDF). CREST. 2024.
- ^ a b CyberProof Inc. (n.d.). Managed Threat Intelligence. CyberProof. Retrieved on April 03, 2023 from https://www.cyberproof.com/cyber-101/managed-threat-intelligence/
- ^ IBM (2022-02-23). "IBM Security X-Force Threat Intelligence Index". www.ibm.com. Retrieved 2022-05-29.
- ^ "MSSP - What is a Managed Security Service Provider?". Check Point Software. Retrieved 2022-05-29.
- ^ a b c "Get Started - Threat Intelligence". attack.mitre.org. Retrieved 2026-03-20.
- ^ a b c d e f g "What is Cyber Threat Intelligence used for and how is it used?". blog.softtek.com. 2 September 2021. Retrieved 2023-04-12.
- ^ a b c d e f g h Gerard, Johansen (2020). Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats (2nd ed.). Packt Publishing Ltd.
- ^ Trifonov, Roumen; Nakov, Ognyan; Mladenov, Valeri (2018). "Artificial Intelligence in Cyber Threats Intelligence". 2018 International Conference on Intelligent and Innovative Computing Applications (ICONIC). IEEE. pp. 1–4. doi:10.1109/ICONIC.2018.8601235. ISBN 978-1-5386-6477-3. S2CID 57755206.
- ^ a b c d e f g h Kaspersky. (n.d.). What is threat intelligence? Definition and explanation. Retrieved on April 03, 2023 from https://www.kaspersky.com/resource-center/definitions/threat-intelligence
- ^ a b c d Kime, Brian (March 29, 2016). "Threat Intelligence: Planning and Direction". SANS Institute.
- ^ Borges, Esteban (2018-03-10). "What is Technical Threat Intelligence?". Recorded Future.
- ^ a b "What a threat-intelligence platform is for". Kaspersky official blog. 2022-08-30. Retrieved 2026-03-21.
- ^ "What is Cyber Threat Intelligence?". CrowdStrike.com. Retrieved 2026-03-21.
- ^ Johnson, Christopher; Badger, Mark; Waltermire, David; Snyder, Julie; Skorupka, Clem (2016-10-04). Guide to Cyber Threat Information Sharing (Report). National Institute of Standards and Technology.
- ^ a b c Phythian, Mark (2013). Understanding the Intelligence Cycle (PDF) (1st ed.). Routledge. pp. 17–23.
- ^ Jeffery, Euan; Malsagov, Uwais; Tijssen, Niels; Zeisig, Andreas; Hoffmans, Charlotte C. A.; Treur, Jan; Roelofsma, Peter H. M. P. (2025). Silhavy, Radek; Silhavy, Petr (eds.). "Computational Analysis of the Effectiveness of the Intelligence Cycle for Organizational Cyber Risk Management". Artificial Intelligence and System Engineering. Cham: Springer Nature Switzerland: 180–201. doi:10.1007/978-3-031-96759-7_12. ISBN 978-3-031-96759-7.
- ^ Nguyen, Quoc Phong; Lim, Kar Wai; Divakaran, Dinil Mon; Low, Kian Hsiang; Chan, Mun Choon (June 2019). "GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection". 2019 IEEE Conference on Communications and Network Security (CNS). IEEE. pp. 91–99. arXiv:1903.06661. doi:10.1109/cns.2019.8802833. ISBN 978-1-5386-7117-7.
- ^ Marino, Daniel L.; Wickramasinghe, Chathurika S.; Manic, Milos (October 2018). "An Adversarial Approach for Explainable AI in Intrusion Detection Systems". IECON 2018 - 44th Annual Conference of the IEEE Industrial Electronics Society. IEEE. pp. 3237–3243. arXiv:1811.11705. doi:10.1109/iecon.2018.8591457. ISBN 978-1-5090-6684-1.
- ^ Leite, Cristoffer; den Hartog, Jerry; Ricardo dos Santos, Daniel; Costante, Elisa (2022), Reiser, Hans P.; Kyas, Marcel (eds.), "Actionable Cyber Threat Intelligence for Automated Incident Response", Secure IT Systems, vol. 13700, Cham: Springer International Publishing, pp. 368–385, doi:10.1007/978-3-031-22295-5_20, ISBN 978-3-031-22294-8, retrieved 2024-11-11
- ^ Zibak, Adam; Sauerwein, Clemens; Simpson, Andrew C. (2022-03-10). "Threat Intelligence Quality Dimensions for Research and Practice". Digital Threats. 3 (4): 44:1–44:22. doi:10.1145/3484202.
- ^ Berndt, Anzel; Ophoff, Jacques (2020). "Exploring the Value of a Cyber Threat Intelligence Function in an Organization". In Drevin, Lynette; Von Solms, Suné; Theocharidou, Marianthi (eds.). Information Security Education. Information Security in Action. IFIP Advances in Information and Communication Technology. Vol. 579. Cham: Springer International Publishing. pp. 96–109. doi:10.1007/978-3-030-59291-2_7. ISBN 978-3-030-59291-2. S2CID 221766741.
- ^ a b c Shackleford, D. (2015). Who's Using Cyberthreat Intelligence and How?. SANS Institute. https://cdn-cybersecurity.att.com/docs/SANS-Cyber-Threat-Intelligence-Survey-2015.pdf
- ^ "What is a threat intelligence platform (TIP)? | Microsoft Security". www.microsoft.com. Retrieved 2026-03-21.
- ^ "What is a Threat Intelligence Platform (TIP)? I Anomali". www.anomali.com. Retrieved 2026-03-21.
- ^ a b Balasubramanian, Prasasthy; Nazari, Sadaf; Kholgh, Danial Khosh; Mahmoodi, Alireza; Seby, Justin; Kostakos, Panos (2025-03-01). "A cognitive platform for collecting cyber threat intelligence and real-time detection using cloud computing". Decision Analytics Journal. 14: 100545. doi:10.1016/j.dajour.2025.100545. ISSN 2772-6622.
- ^ Chen, Sheng-Shan; Hwang, Ren-Hung; Ali, Asad; Lin, Ying-Dar; Wei, Yu-Chih; Pai, Tun-Wen (2024-09-01). "Improving quality of indicators of compromise using STIX graphs". Computers & Security. 144: 103972. doi:10.1016/j.cose.2024.103972. ISSN 0167-4048.
- ^ Mavroeidis, Vasileios; Jøsang, Audun (2021-03-28). "Data-Driven Threat Hunting Using Sysmon". arXiv.org. Retrieved 2026-03-21.
- ^ Shaw, Adrian (May 2024). "A NEXT-GENERATION CYBER THREAT INTELLIGENCE PLATFORM". doi:10.13140/RG.2.2.20223.68003.
- ^ Balasubramanian, Prasasthy; Nazari, Sadaf; Kholgh, Danial Khosh; Mahmoodi, Alireza; Seby, Justin; Kostakos, Panos (2024-02-15). "TSTEM: A Cognitive Platform for Collecting Cyber Threat Intelligence in the Wild". arXiv.org. Retrieved 2026-03-21.
- ^ a b Santos, Pedro; Abreu, Rafael; Reis, Manuel J. C. S.; Serôdio, Carlos; Branco, Frederico (9 July 2025). "A Systematic Review of Cyber Threat Intelligence: The Effectiveness of Technologies, Strategies, and Collaborations in Combating Modern Threats". Mdpi. doi:10.3390/s25144272.
- ^ "What is STIX/TAXII?". www.cloudflare.com. Retrieved 2026-03-21.
- ^ "Traffic Light Protocol (TLP)". FIRST — Forum of Incident Response and Security Teams. Retrieved 2026-03-21.
- ^ "MITRE ATT&CK®". attack.mitre.org. Retrieved 2026-03-21.
- ^ "Cyber Kill Chain®". Lockheed Martin. Retrieved 2026-03-21.
- ^ Caltagirone, Sergio; Pendergast, Andrew; Betz, Christopher. "The Diamond Model of Intrusion Analysis" (PDF). apps.dtic.mil. Archived from the original (PDF) on 2025-02-02. Retrieved 2026-03-21.
- ^ Qamar, Sara; Anwar, Zahid; Rahman, Mohammad Ashiqur; Al-Shaer, Ehab; Chu, Bei-Tseng (2017-06-01). "Data-driven analytics for cyber-threat intelligence and information sharing". Computers & Security. 67: 35–58. doi:10.1016/j.cose.2017.02.005. ISSN 0167-4048.
- ^ "Role of Automation in SOC Operations: Benefits & Limitations" (PDF). International Journal on Science and Technology. ISSN 2229-7677.
- ^ Leite, Cristoffer; Den Hartog, Jerry; dos Santos, Daniel Ricardo (2024-07-30). "Using DNS Patterns for Automated Cyber Threat Attribution". Proceedings of the 19th International Conference on Availability, Reliability and Security. ACM. pp. 1–11. doi:10.1145/3664476.3670870. ISBN 979-8-4007-1718-5.
- ^ "A Comprehensive Survey of Advanced Persistent Threat Attribution: Taxonomy, Methods, Challenges and Open Research Problems". arxiv.org. Retrieved 2026-03-20.
- ^ Joy, Anooja; Chandane, Madhav; Nagare, Yash; Kazi. "Threat Intelligence Extraction Framework (TIEF) for TTP Extraction". MDPI.
- ^ Skopik, Florian; Pahi, Timea (2020-03-20). "Under false flag: using technical artifacts for cyber attack attribution". Cybersecurity. 3 (1): 8. doi:10.1186/s42400-020-00048-4. ISSN 2523-3246.
- ^ Leite, Cristoffer; Den Hartog, Jerry; Dos Santos, Daniel R.; Costante, Elisa (2023-12-15). "Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents". 2023 IEEE International Conference on Big Data (BigData). IEEE. pp. 2999–3008. doi:10.1109/BigData59044.2023.10386324. ISBN 979-8-3503-2445-7.
- ^ Navarro, Julio; Legrand, Véronique; Lagraa, Sofiane; François, Jérôme; Lahmadi, Abdelkader; De Santis, Giulia; Festor, Olivier; Lammari, Nadira; Hamdi, Fayçal (2018), Imine, Abdessamad; Fernandez, José M.; Marion, Jean-Yves; Logrippo, Luigi (eds.), "HuMa: A Multi-layer Framework for Threat Analysis in a Heterogeneous Log Environment", Foundations and Practice of Security, vol. 10723, Cham: Springer International Publishing, pp. 144–159, doi:10.1007/978-3-319-75650-9_10, ISBN 978-3-319-75649-3, retrieved 2024-11-11
- ^ Landauer, Max; Wurzenberger, Markus; Skopik, Florian; Settanni, Giuseppe; Filzmoser, Peter (2018-11-01). "Dynamic log file analysis: An unsupervised cluster evolution approach for anomaly detection". Computers & Security. 79: 94–116. doi:10.1016/j.cose.2018.08.009. hdl:20.500.12708/6096. ISSN 0167-4048.
- ^ Levi Gundert, How to Identify Threat Actor TTPs
- ^ Burr, Richard (2015-10-28). "S.754 - 114th Congress (2015-2016): To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". www.congress.gov. Retrieved 2021-06-09.
- ^ Johnson, C.S.; Badger, M.L.; Waltermire, D.A.; Snyder, J.; Skorupka, C. (4 October 2016). "Guide to Cyber Threat Information Sharing". National Institute of Standards and Technology. doi:10.6028/nist.sp.800-150. Retrieved 3 December 2023.
- ^ "Information Sharing and Analysis Centers (ISACs) | ENISA". www.enisa.europa.eu. 2022-09-09. Retrieved 2026-03-20.
Further reading
- Boris Giannetto - Pierluigi Paganini (2020). Mastering Communication in Cyber Intelligence Activities: A Concise User Guide. Cyber Defense Magazine.
- Anca Dinicu, "Nicolae Bălcescu" Land Forces Academy, Sibiu, Romania, Cyber Threats to National Security. Specific Features and Actors Involved - Bulletin Ştiinţific No 2(38)/2014
- Zero Day: Nuclear Cyber Sabotage, BBC Four - the Documentary thriller about warfare in a world without rules - the world of cyberwar. It tells the story of Stuxnet, self-replicating computer malware, known as a 'worm' for its ability to burrow from computer
- What is threat intelligence? - Blog post providing context and adding to the discussion of defining threat intelligence.
- Threat hunting explained - Short article explaining cyber threat intelligence.
- Cyber Threat Intelligence - What is Cyber Threat Intelligence? - Definitive guide for beginners.