Overview
What is Threat Intelligence?
Threat intelligence, also known as cyber threat intelligence (CTI), is actionable information about current and emerging cyber threats that helps organizations understand and prepare for potential attacks. Unlike general security information, threat intelligence is carefully analyzed, contextualized, and prioritized data that enables security teams to make informed decisions about their defensive strategies.
At its core, threat intelligence answers four critical questions:
- What threats exist that could impact the organization?
- Who is behind these threats (threat actors)?
- Why are they targeting the organization (motivations)?
- How are they conducting their attacks (methods and techniques)?
The Value of Threat Intelligence
In today's cybersecurity landscape, organizations face an overwhelming volume of security alerts and potential threats. Threat intelligence transforms this flood of data into actionable insights by:
- Proactive defense: Enabling organizations to anticipate and prepare for threats before they materialize, rather than simply reacting to incidents after they occur.
- Risk prioritization: Helping security teams focus their efforts on the most relevant and high-impact threats to their specific environment.
- Faster incident response: Providing contextual information that accelerates investigation and response times during security incidents.
- Strategic decision making: Supporting executive-level decisions about security investments, risk management, and resource allocation.
Threat Intelligence Settings in CYBERQUEST
CYBERQUEST provides a comprehensive interface for managing threat intelligence sources, enabling security teams to tailor and oversee threat detection capabilities. This centralized management environment allows organizations to integrate multiple threat intelligence feeds and maintain detailed control over their security posture.
To access the Threat Intelligence settings, go to Settings in the main menu, select Application Settings, then click on Threat Intelligence in the sub-menu. This dedicated section provides a unified view of all configured threat intelligence sources, allowing administrators to monitor, configure, and maintain their organization's threat detection capabilities.
New threat intelligence sources can be added by clicking the button, which opens the configuration window for defining a new threat intelligence feed. This interface supports multiple threat intelligence formats to accommodate various sources and requirements.

CYBERQUEST supports several distinct types of threat intelligence sources, each serving specific security purposes:
- Classic Threat Intelligence IP List - A simple yet effective format consisting of IP addresses listed one per line. This source type is ideal for organizations that maintain their own lists of known malicious IPs or want to integrate IP-based threat feeds from external sources. Common use cases include blocking traffic from known attacker IPs or monitoring connections to suspicious network endpoints.
- CYBERQUEST Threat Intelligence (CQ TI) - CYBERQUEST's proprietary threat intelligence feed combines external threat data with contextual information gathered from your organization's IT infrastructure, providing highly relevant and actionable intelligence. This approach ensures that threat intelligence is not only comprehensive but also specifically tailored to your environment.
- TOR Exit Nodes - A specialized list of exit nodes from the TOR (The Onion Router) network. While TOR provides legitimate privacy services, its anonymity features can be exploited by threat actors to conceal their activities. Monitoring traffic from TOR exit nodes helps organizations identify potentially suspicious connections that may warrant additional scrutiny. This source type is particularly valuable for organizations with strict compliance requirements or those in highly regulated industries.
- IOC IP (Indicators of Compromise - IP) - A focused list of IP addresses specifically flagged as Indicators of Compromise. These IPs are associated with known malicious infrastructure, including botnet command and control servers, malware distribution points, and attacker infrastructure. This source type enables precise blocking and detection of traffic to and from known threat actors' infrastructure.
- IOC Domain (Indicators of Compromise - Domain) - A collection of domain names associated with malicious activities or security threats. This includes domains used for phishing campaigns, malware distribution, and command-and-control (C2) communications. Monitoring and blocking access to these domains helps prevent users from inadvertently accessing malicious websites and protects against common attack vectors.
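The following is an added, stand-alone example (not CYBERQUEST code) of what a feed of the "one IP address per line" and "IOC domain" kinds above looks like in use: the feed lines are validated and normalized, and constructed firewall and DNS log lines are then matched against them. Blank lines and `#` comments in the feed, parent-domain matching (a query for a subdomain hits the listed domain), and the log formats are all assumptions of this example, not documented CYBERQUEST behaviour; the IPs and domains are constructed samples.

```python
"""Added example, not CYBERQUEST code: load a classic one-IP-per-line feed and
an IOC domain list, then match constructed log events against them."""
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample feeds. Support for blank lines and '#' comments is an
# assumption of this example; the page only specifies one IP per line.
CLASSIC_IP_FEED = """\
# known scanner IPs (constructed sample, not a real feed)
203.0.113.10
198.51.100.7
not-an-ip
203.0.113.10
"""

IOC_DOMAIN_FEED = """\
bad-update.example
c2.example.net
"""


def parse_ip_feed(text: str) -> Tuple[Set[str], List[str]]:
    """Return (valid IPs, rejected lines). Invalid entries are reported rather
    than silently dropped, so a malformed or truncated feed is noticed."""
    valid, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # ip_address() validates and normalizes (e.g. compressed IPv6 forms)
            valid.add(str(ipaddress.ip_address(line)))
        except ValueError:
            rejected.append(f"line {lineno}: {line!r}")
    return valid, rejected


def parse_domain_feed(text: str) -> Set[str]:
    """Lower-case and strip trailing dots so matching is case/format insensitive."""
    out = set()
    for raw in text.splitlines():
        line = raw.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            out.add(line)
    return out


def domain_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Match the host itself or any parent domain (sub.c2.example.net hits
    c2.example.net). Parent matching is this example's choice (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed log lines (assumed formats): firewall connections and DNS queries.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z fw src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "2024-01-01T10:00:01Z fw src=10.0.0.6 dst=93.184.216.34 dport=443 action=allow",
    "2024-01-01T10:00:02Z dns client=10.0.0.7 query=Update.C2.example.net.",
    "2024-01-01T10:00:03Z dns client=10.0.0.8 query=www.example.org",
]

FW_RE = re.compile(r"src=(\S+) dst=(\S+)")
DNS_RE = re.compile(r"query=(\S+)")


def scan_logs(lines: Iterable[str], bad_ips: Set[str], bad_domains: Set[str]) -> List[dict]:
    """Return one hit per matched indicator, keeping the originating log line."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m:
            for role, ip in zip(("src", "dst"), m.groups()):
                if ip in bad_ips:
                    hits.append({"type": "ioc_ip", "role": role, "value": ip, "log": line})
        m = DNS_RE.search(line)
        if m:
            matched = domain_matches(m.group(1), bad_domains)
            if matched:
                hits.append({"type": "ioc_domain", "value": matched, "log": line})
    return hits


def run() -> Tuple[List[dict], List[str]]:
    ips, rejected = parse_ip_feed(CLASSIC_IP_FEED)
    domains = parse_domain_feed(IOC_DOMAIN_FEED)
    return scan_logs(SAMPLE_LOGS, ips, domains), rejected


if __name__ == "__main__":
    hits, rejected = run()
    for r in rejected:
        print("rejected feed entry:", r)
    for h in hits:
        print(h)
```

Rejected feed lines are surfaced rather than dropped on purpose: a feed that silently shrinks because of a formatting change is a detection gap that nobody notices until an incident.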
Managing Threat Intelligence Sources
Each threat intelligence source in the management interface provides several management options:
- Edit: Modify the configuration parameters of an existing threat intelligence source, including updating the source data or changing processing settings.
- Delete: Remove a threat intelligence source entirely from the system, ceasing its contribution to threat detection.
- Activate/Deactivate: Enable or disable a threat intelligence source without removing it, allowing for temporary suspension during maintenance or troubleshooting.
- Run Threat Intelligence: Manually execute the selected threat intelligence source. This step is required to trigger data ingestion and ensure the source becomes active and operational.
These management capabilities ensure that security teams can maintain their threat intelligence infrastructure with precision, enabling rapid response to changing threat landscapes while maintaining operational efficiency.