How to Use Cyber Threat Intelligence (CTI)

How to Use Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is more than passive data orchestration. An organization must have the necessary infrastructure to continuously monitor its entire ecosystem and the capacity to analyze and contextualize threat data in real time. For most businesses, this means that threat intelligence requires some degree of automation—the volume of information generated by unfiltered threat intelligence feeds is too massive for even the best-equipped security teams.

Organizations must also integrate threat intelligence with other processes, such as incident response and risk management. Threat intelligence, after all, does not exist in a vacuum. It must be part of an overall approach to cybersecurity.


Threat intelligence is only as good as its data. Security teams need to gather information from a broad range of internal and external sources. These may include:

  • Event, application, firewall, network, and antivirus logs
  • Data about prior security incidents
  • Public threat intelligence feeds
  • Surface web monitoring
  • Deep web monitoring
  • News reports
  • Public security releases and reports
  • Cybersecurity vendors
  • Industry collaborators

Security teams must orchestrate and consolidate information from these sources into one location. You need a single source of truth from which you will draw insights about your threat landscape and security posture. Checking each source one by one isn’t a viable option—the sheer volume of labor this would involve makes this nearly impossible. 


Once a security team has aggregated its threat intelligence, the next step is to make sense of it. Security teams contextualize each piece of data, defining what it means to the organization and how it impacts the threat landscape. Without this context, security teams are working with a clump of potentially meaningless information—no one can make informed decisions, apply effective countermeasures, or understand a threat actor’s motivations without context.

Similar to aggregation, this process is far too massive an undertaking to be performed entirely manually.


Threat actors are not the only hazard with which security teams must contend. Traditional security stacks also generate an overwhelming amount of noise. This inevitably results in alert fatigue—overwhelmed security teams may start ignoring or overlooking critical alerts while distracted by less relevant incidents.

The solution is to stem the endless tide of data and automatically prioritize both alerts and intelligence based on the following parameters:

  • Asset
  • Impact
  • Risk level
  • Type of alert/threat
  • User or users involved
  • Geographic location


Having orchestrated, contextualized, and prioritized threat data, security teams next determine how to apply that data to their day-to-day. Tailored reports can help guide leadership decisions, while real-time monitoring provides security teams with direct insight into the organization’s ecosystem. Threat intelligence also plays a significant role in threat hunting, enabling teams to more effectively identify and trace attacks and incidents back to their origins.


Getting and using cyber threat intelligence is an ongoing process—it’s not a one-and-done task. Security teams must regularly update and enrich their threat data while assessing whether they are using it as effectively as possible. This also means evaluating the tools and systems through which they collect intelligence and remediate threats.

It’s an iterative process that requires both constant learning and continuous evolution.

With proven leadership in some of the world’s most security-conscious organizations, BlackBerry is uniquely positioned to assess your threat landscape and help design a complete cybersecurity strategy for your organization.

Whether you have an established cybersecurity approach and need to supplement, or you’re starting to define it, BlackBerry Cybersecurity Consulting can help.