Cyber Threat Intelligence and how it is leveraged inside Cyberkit4SME – Part 1
18th May, 2023
Author Giampaolo Darelli
What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is a body of knowledge about threats, both existing and emerging: the mechanisms attackers use, the indicators they leave behind, and the context around them. It is used to build preventive strategies, to plan intervention tactics, and to drive monitoring systems.
More broadly, any piece of information qualifies as CTI if it can be correlated with other information in a way that lets an organization improve its security in a tangible way.
For data to count as CTI, it must be:
- Relevant
- Operational
- Contextualized
- Shared
As noted above, one defining characteristic of CTI is that it can be represented and shared; over the years, platforms have been built for this purpose, and standards have been developed for both the data formats and the exchange protocols.
Threat Intelligence Platform and intelligence sources
CTI data is usually obtained from so-called intelligence feeds, which are simply sources of intelligence delivered in a form that can be consumed by tools or analysts.
Intelligence sources fall into the following macro-categories:
- OSINT (Open Source Intelligence): sources open to everyone, such as social networks like Twitter, where security researchers share the results of their analyses, or more structured sites that collect and publish CTI data (AlienVault, PhishTank, abuse.ch, etc.)
- CLOSINT (Closed Source Intelligence): sources accessible only for a fee or to authorized personnel.
To aggregate, correlate, analyze, consume, and share the data coming from these feeds, dedicated software solutions called Threat Intelligence Platforms (TIPs) are used.
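The core job a TIP performs on feed data is the correlation mentioned above: take raw indicators, discard what is malformed or no longer relevant, and match what remains against the organization's own telemetry, attaching the feed's context to every hit. The script below is an added example written for this post, not code from the Cyberkit4SME project or from OpenCTI. The feed is a constructed CSV whose column layout is an assumption for this example (it is not the format of abuse.ch, AlienVault or any other real feed), the log lines are constructed, and the 90-day age cut-off is a simple stand-in for the "relevant" criterion.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed indicator feed. The column layout is an assumption made for
# this example, not the format of any real intelligence feed.
FEED_CSV = """first_seen,type,indicator,threat,confidence,source
2023-05-10T08:00:00Z,ip,203.0.113.45,c2-server,80,feed-a
2023-05-12T14:30:00Z,domain,login-update.example,phishing,70,feed-b
2023-05-13T09:15:00Z,sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,malware-dropper,90,feed-a
2022-01-01T00:00:00Z,ip,198.51.100.7,scanner,50,feed-c
2023-05-14T00:00:00Z,ip,999.1.2.3,broken-entry,10,feed-c
"""

# Constructed proxy / DNS / EDR style log lines, not real telemetry.
LOG_LINES = [
    "2023-05-15T10:02:11Z proxy user=alice dst=203.0.113.45:443 action=allow",
    "2023-05-15T10:05:43Z dns client=10.0.0.12 query=login-update.example type=A",
    "2023-05-15T10:06:02Z edr host=ws-07 event=process_create sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2023-05-15T10:07:30Z proxy user=bob dst=198.51.100.7:80 action=allow",
    "2023-05-15T10:08:00Z proxy user=bob dst=93.184.216.34:443 action=allow",
]

# Fixed "current time" so the age filter behaves deterministically (assumption).
NOW = datetime(2023, 5, 15, tzinfo=timezone.utc)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def normalize(ioc_type, value):
    """Validate and canonicalise one indicator; return None if it is malformed."""
    value = value.strip().lower()
    if ioc_type == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if ioc_type == "sha256":
        return value if SHA256_RE.fullmatch(value) else None
    if ioc_type == "domain":
        return value if DOMAIN_RE.fullmatch(value) else None
    return None


def parse_feed(text, now, max_age_days=90):
    """Load the CSV feed into {indicator: context}, dropping malformed and stale rows.
    Dropping indicators first seen more than max_age_days ago is a crude
    relevance filter: an old scanner IP is rarely still actionable."""
    cutoff = now - timedelta(days=max_age_days)
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        value = normalize(row["type"], row["indicator"])
        if value is None:
            continue
        first_seen = datetime.fromisoformat(row["first_seen"].replace("Z", "+00:00"))
        if first_seen < cutoff:
            continue
        indicators[value] = {
            "type": row["type"],
            "threat": row["threat"],
            "confidence": int(row["confidence"]),
            "source": row["source"],
            "first_seen": first_seen,
        }
    return indicators


def extract_observables(line):
    """Pull candidate IPs, SHA-256 hashes and domains out of one raw log line."""
    found = set()
    for candidate in IPV4_RE.findall(line):
        ip = normalize("ip", candidate)
        if ip:
            found.add(ip)
    found.update(h.lower() for h in SHA256_RE.findall(line))
    found.update(d.lower() for d in DOMAIN_RE.findall(line))
    return found


def correlate(log_lines, indicators):
    """Match observables from the logs against the feed; each hit carries the
    feed context (threat, confidence, source), which is what makes it actionable."""
    hits = []
    for line in log_lines:
        for obs in sorted(extract_observables(line)):
            ctx = indicators.get(obs)
            if ctx is not None:
                hits.append({"indicator": obs, "log": line, **ctx})
    return hits


def run_example():
    """Parse the constructed feed and correlate it against the constructed logs."""
    return correlate(LOG_LINES, parse_feed(FEED_CSV, NOW))


if __name__ == "__main__":
    for hit in run_example():
        print(f"[{hit['source']} conf={hit['confidence']}] {hit['threat']}: "
              f"{hit['indicator']} <- {hit['log']}")
```

Two of the five feed rows never reach the correlation step: the unparseable IP is rejected by validation, and the 2022 scanner entry is aged out, so the later proxy connection to it is deliberately not reported. The remaining three hits each carry the feed's source and confidence, which is the "contextualized" property the criteria above ask for; a real TIP adds deduplication across feeds, sightings, and a sharing format on top of this loop.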
In the Cyberkit4SME project, the Computer Emergency Response Team (CERT) is the main actor that shares Threat Intelligence, and as CERT Sogei we decided to use the Open Cyber Threat Intelligence Platform (OpenCTI) as our TIP to collect intelligence data. In the next blog post we will examine the formats and protocols used in the CTI field and show a high-level integration between Service Ledger and OpenCTI.