Skip to content

Cyber threat intelligence

Note that the term cyber is arguably misused in the context of "Cyber Threat Intelligence" 1 and should be considered more as an equivalent for "Digital Threat Intelligence" or "Internet Threat Intelligence".

Terminology

Indicator

Cyber Threat Indicator: A set of cyber observables combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. 2

TTP

TTP, in the context of cyber threat intelligence, is short for Tactics, Techniques and Procedures also sometimes referred to as Tools, Techniques, Procedures.

TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it in increasing levels of detail. 3

Note that the abbreviation TTP is highly ambiguous, e.g. in another context it can mean Trusted Third Party.

Standards

  • CAPEC
  • IDMEF
  • IODEF
  • OpenIOC
  • Oval
  • Stix/Cybox/MAEC
  • Veris
  • Yara

OpenIOC

Cons:

  • Highly Mandiant product centric standard, though seems to have digressed a bit from this since version 1.1

Feeds (or equivalent)

CAPEC

IODEF

OpenIOC

Stix/Cybox/MAEC

Tools