Why Cyber Threat Intelligence Needs to Include Custom Threat Analysis

5 minute read

Cyber Threat Intelligence Defined

Cyber threat intelligence, commonly referred to as CTI, is a term that is both ill-defined and often overused. Some consider CTI to consist of aggregator feeds of domains, IPs, and file hashes. Others see it as reports describing a series of observed malicious activity that took place online. And often, it serves as a catch-all for questions or tasks that other internal teams may have that they don’t have the time or inclination to answer. Depending on who you ask, cyber threat intelligence is one or more of these things. This however, does not accurately define what intelligence is and its value to the organization. 

The Core Layers of Threat Intelligence Services

At its core, intelligence must be of value to the end consumer. In order to achieve that goal, it must be actionable, timely, and relevant. Data feeds are often timely, but because they are predicated on volume, they are rarely actionable or relevant. Summary reports are rarely timely or particularly actionable, as they are focused on demonstrating derivative works from other types of investigations such as incident responses. A team answering random, ad hoc requests at the whim of other groups will almost always fail to be relevant as the inbound requests are often ill defined and lack proper context. 

Cyber Threat Intelligence is an Ecosystem

A true cyber threat intelligence solution is founded on a well defined ecosystem. There should be many capabilities that map to specific stakeholders and provide value from tactical blocking and remediating to strategic analysis informing the senior most decision makers in a company. A successful intelligence program consists of multiple solutions that layer on top of each other to create a complete collection and analysis stack.

Data, Data, Data

The foundation of the cyber threat intelligence ecosystem is, and always will be, data. No intelligence program can survive without data. 

No intelligence program can survive without data

However, what matters most here is the ability to task a collection apparatus to ensure that the data you are ingesting is timely and relevant. A good program will be able to stay abreast of the major changes in the threat landscape and have trusted and vetted data sources to provide valuable information to hunt and prevention teams. But at the end of the day, tactical cyber threat intelligence should be a machine-to-machine connection. If the program stops at the data layer, even if it is a well curated collection system, you don’t have an intelligence program, but rather a collection management system. 

Tactical Change Tracking

The next core layer of cyber threat intelligence is tactical change tracking. This layer answers the important question: what is new today that I didn’t see yesterday? What was here last month that seems to be gone this month? Understanding the evolution of the threat landscape, the capabilities, and industry risk profiles, allows a good intelligence team to start to create real insight. Unfortunately to do this, and do it well, requires not only a good collection system, but also strong tactical analysts who follow trends and have a natural inclination to be an inch wide and a mile deep. It is only with staffing focused on the tiny, tactical changes that reports around deltas can begin to be worked. 

The Importance of Custom Threat Analysis

Once you have a collection program in place, human analysis is critical. Having tactical analysts that obsess over every change to a piece of malware, an underground forum, or protocol implementation for command and control, can give you key insights that necessitate a great CTI program. This is where your custom intelligence analysts sit. Knowing that emotet just suffered a major disruption to its infrastructure and arrests of key personnel were carried out, or that Trickbot was the subject of USCC operations is not enough to understand how it will materially impact your company in the short, medium and long term. Nor will it provide your key decision makers with the context, insight, and wisdom to make decisions faster and better than your competitors. If your intelligence program does not include a cadre of top tier strategic analysts, you are missing the core of what an Intelligence program is. You are missing the Actionable part that differentiates information and intelligence.

How Custom Threat Analysis Improves Cyber Threat Intelligence

Custom threat analysis takes the changes that the industry notes, the deluge of data that comes in from your collection sources, and brings it all together to determine the “so what”. Threat analysts take the information that all decision makers are drowning in and turn it into a comprehensible brief that explains why the event is currently relevant to that stakeholder and what decisions it enables. The most important word here is custom. This analysis is specific, tailored to your organization and the threats it faces. Without this, your CTI program is underperforming.

Why Businesses Need Custom Threat Analysis

Custom threat analysis as part of a larger cyber threat intelligence strategy, if done right, is akin to your executives having their own version of the Presidential Daily Brief. With the right tasking, the strategic analysts will be able to provide superior insight into the problems of the day, the trends of the last few months, and most importantly accurate sign posts for decision makers to understand how a situation is developing. This empowers decision makers to make proactive decisions and chart a better course. 


Whether your organization has a robust internal team of threat analysts, is looking to source those capabilities externally, or is just tipping their toes in the world of cyber threat intelligence, it’s important to understand the core functions within a CTI program in order to be successful at any scale. Learn more about ZeroFox’s threat intelligence services, including custom threat analysis here

See ZeroFox in action