Cyber Threat Intelligence: what it is and how does it work?

 Cyber Threat Intelligence – It is the information about the Cyber threats a company may be exposed to used to understand the threats that have hit, want to hit, or are about to target the corporate perimeter.

This information is used to prepare for, prevent and identify possible Cyber attacks that seek to breach and acquire sensitive corporate data (or alternatively, simply be disruptive).


Start your CTI Trial 


Cyber Threat Intelligence helps companies to gain valuable knowledge about the direct threats, to build effective defense mechanisms (Cyber Resillience) and to mitigate risks that could damage profits and reputation.

Targeted attacks require a targeted defense. Cyber Threat Intelligence has the ability to defend more proactively.


Cyber Threat Intelligence: in detail

Cyber Threat Intelligence represents how Intelligence has been deployed in Cyber Security. In order to outline possible cyber threats from a technical point of view, it includes the collection and analysis of information related to specific operational contexts.

Swascan’s Cyber Threat Intelligence service aims to identify any publicly available information in OSINT and CLOSINT, related to a specific target.

The term OSINT  stands for Open Source Intelligence. It refers to the process of gathering information by consulting public domain sources, also known as “open sources”.

Doing OSINT means describing information that is available and open to the public. This is done through a process of searching, selecting, sifting and reporting. Also, it refers to a specific target.

The most important step in the OSINT process is to “screen” relevant and reliable sources through different types of public domain sources.

Therefore, OSINT differs from the standard information research because it applies an information management process with the aim of gathering a specific knowledge in a given field/context.

Instead, the term CLOSINT refers to Close Source Intelligence, i.e. the process of gathering information through the consultation of “closed sources”, not accessible to the public or “restricted” areas.


Cyber Threat Intelligence: the scope of the analysis

The Cyber Threat Intelligence activity is performed through a process of searching, identifying, and selecting publicly available information in OSINT/CLOSINT in terms of:

  • Target
  • Digital Assets
  • IP
  • Email and information related to the employees of a company

The goal is to provide “actionable intelligence”, i.e., analyzed, contextualized, timely, accurate, relevant and predictive information. Moreover, the service determines any exposure to Cyber Security risks.

Actionable Intelligence

Actionable Intelligence


Start your CTI Trial 


Cyber Threat Intelligence: the Perimeter

Swascan’s Cyber Threat Intelligence perimeter relates to:

  • Advanced Intelligence: Includes eCrime Intelligence and Domain Monitoring;
  • Network Intelligence – Infected Host;
  • Network Intelligence – Vulnerable Host;
  • eCrime/Dark Web Intelligence: Aggregated Forum Communications and Threat Actor Library;
  • Malware Intelligence: Active Malware Sandbox and Library of Binaries;
  • Risk Intelligence
    • Compromised Credit Card Feed;
    • Anti-Money Laundering Feed
    • Account Take-over Defense.
    • ….
  • Compromised Credential;
  • Honeypot Intelligence;
  • Financial Fraud Intelligence.

The Cyber Threat Intelligence (CTI) service allows to search, monitor, and analyze subjects of interest (SOI) across multiple sources, including:

  • Dark Web communities e marketplaces (TOR-based);
  • Underground communities e marketplaces (Internet-based);
  • Social media networks as Facebook, Twitter, Linkedin, etc.;
  • Instant messaging as Viber, Telegram, QQ, WeChat, etc.;
  • Internet Relay Chat (IRC);
  • Integrated Intelligence Repositories (IOCs, TTPs, Security Incidents).


Start your CTI Trial 


Cyber Threat Intelligence: The analysis

The activity involves the collection and analysis of information relating to a number of critical macro areas.

Data Breach

The first pool of data taken into consideration comes from Data Breach.

The service analysis the raw data collected during the exfiltrations that hit the organization and third parties. Of course, compromised emails are also included.

Depending on the situation it is possible to provide:

  • Used Passwords
  • Password Hash
  • Record without password, but of which there is a trace in the Deep and Dark Web

Statistics show that between 60% and 80% of users use the same password – or similar ones – on the company’s system (Active Directory authentication, E-mail box, VPN access, Remote Web access, Intranet, etc).

The risk is that an external agent (Criminal Hacker) acquires the compromised credentials and attempts to gain unauthorized access to the company’s digital assets.

A second scenario is the one of Social Networks, i.e., the compromised credentials of company employees and contractors on platforms such as Linkedin, Facebook, Twitter, etc. In this context, Criminal Hackers can access the affected Social Network as an employee or contractor of the company.  Thus, they send malware to other colleagues, employees or collaborators of the target company.

The goal is to perpetrate targeted attacks on the digital assets and communications – email and/or social networks – of the company.

Network Hygiene

“Network Hygiene” refers to the presence of malicious or suspicious activities within the Client’s digital perimeter. Depending on the type of evidence found, the keyword is associated to the “IP Reputation“. This indicates the reputation of certain IP addresses known worldwide to the different cyber security communities and antivirus organizations. The consequence is carrying out illegal activities or indirectly facilitating the above mentioned activities (due to configuration and/or implementation errors) with all the legal consequences (civil and criminal) of the case.

Depending on the different gaps in Network Hygiene, there can be multiple consequences:

  • abuse of web forms for information requests, with consequent fraudulent use of the Client’s systems for sending spam emails
  • use of badly configured systems for DNS redirects and interception of all data traffic;
  • abuse of badly configured systems for “bridge attacks” (launchpad), with consequent civil and, above all, penal responsibilities;

Dark Web

Historically, the Dark Web was one of the most hidden places on the net, where there were only the pioneers of underground criminal hacking. Today, imitating the success of online retail, the Dark web has equipped itself with one of the keys to the success of its legal counterpart, warranties. These eCommerce businesses operate on platforms that allow you to review “products,” leave a rating, and obtain purchase warranties. Then, users can easily navigate on an intuitive and responsive interface.

Here, cryptocurrencies dominate thanks to their features that allow great anonymity and low traceability.

In terms of number of ads, among the top-ranked goods are countless hacking tools, but also illegally obtained packages of sensitive data.

This is why the analysis of instances on the Dark Web is crucial. The tool tracks cyber criminals on cyber crime forums, who have mentioned the company (domains, IP addresses, brands or Executives names).

Severity and impact should be assessed based on what the analysis and data grab on the Dark Web has revealed.

Botnet Activity

A botnet is a collection of devices connected to the network that have been compromised by a threat actor.

They help those (from the individual up to the organized group of criminal hackers) who intend to launch cyber attacks to violate systems or cause damages.

Their most frequent use is in DDoS (Distributed Denial of Service) attacks. Here, they exploit the overall computational power of infected machines. The goal is to send huge volumes of spam, to steal credentials on a large scale and to spy on people and organizations.

Criminal hackers build their botnets by infecting network-connected devices with malware. They control them using a C&C (Command and Control) server.

What makes this attack method even more dangerous is that, once a single device is compromised, all devices on the same Network are exposed to the risk of infection.

A well done botnet attack can certainly be devastating. An example is the botnet Mirai that, in 2016, hit and effectively “shut down” giants like CNN and Netflix. In that case, Mirai relied on numerous IoT devices, particularly security cameras, but it is not excluded that it could use far more common corporate assets.

Precisely, this last aspect is one of the biggest factors for why these techniques has increased. In fact, it allows the attacker to use the victim’s hardware and electricity to mine cryptocurrencies, such as Bitcoin or Ethereum.

As if that wasn’t enough, the “bot hardener” (the botnet operator) can use its botnet to instruct it. The purpose is to steal credentials (e-banking, corporate intranet, civil and criminal legal liabilities, information theft, industrial espionage, etc.).

Miscellaneuos Risks

Several subcategories fall into this category of digital risk: Ip Reputation (see below), Passive DNS, etc. The impacts vary depending on the type of information that is present outside the Client’s business perimeter.

IP Reputation

The “reputation” of a public IP address can be likened to its “network history”. This indicates the history of malicious actions that have been carried out, or have transited, or have had as final destination the IP address. Civil and criminal legal responsibilities, theft of information, industrial espionage, etc.

Passive DNS

It is a type of medium-high level attack, through which configuration changes are made to the Client’s DNS. It is an interception and/or redirection of Internet traffic.

Brand Names

It indicates the presence of the Client’s brand in the Dark Web. It can be an indicator of fraud in progress or already committed.


It indicates the presence of instances relating to the Executives names, communicated by the Client on the Dark Web or in other databases. Depending on the type of instance, it can represent different types of impact.

Threat Intelligence

Swascan’s Cyber Threat Intelligence and Domain Threat Intelligence services are the answer to preventative security.

Check your Cyber Risk exposure!


Start your CTI Trial 


Cyber Risk Indicators - Cyber Security in the Italian economic industries
Ransomware Double Extortion 2021: Victim profiling

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.