The 7 Phases of Threat Intelligence

In this post we will discuss the 7 phases of threat intelligence. In this case the number of phases is not very important as sometimes I see them described as 4, 5 or 6 phases. The important thing is that this is approximately how the process of threat intelligence goes.


Threat intelligence phase 1: Hunting

In the first phase you gather pieces of information about the malware or the threat actor behind the malware using different sources. The goal of this phase is to do proactive research and get an idea of potential threats. VirusTotal is a useful tool in this phase because it can help with identifying viruses, trojans and other types of malware. It’s a reliable tool because it already exists for more than 10 years. More and more information was added to it over the years. VirusTotal also has a paid Threat Intelligence service with which you can do even more extensive searches and also download samples.

Hacking forums are another source of information. Here you can see what hackers are talking about at this moment and find information about modern and popular methods to hack. But it’s also quite risky to get too much involved in these forums or to download anything from them, so this is a source of information you need to be careful with.

A few other ways to gather information in this phase are Incident Response engagements (analysing malware etc.), honeypots and OSINT.

Features extraction

In this phase you use the information and samples you gathered in the first phase. You do more research on them and divide them into specific malware categories. You extract ‘static information’ from the malware. This is information you can retrieve without executing the malware. Examples of static information are the creation date of the malware and the criminal groups that are possibly connected to it.

You can also look at the digital certificate of malware, the date of the certificate and who signed the certificate. For example it’s possible that hackers have stolen valid certificates or use old ones.

Other information you can get from malware is metadata, like the author and the original language. If the language is Russian or Chinese for example, you can get an idea where the malware is from. Furthermore you can look at Import Table Hashes, Ssdeep, certain strings in the code like IP addresses or usernames, and errors. In this phase the malware itself is never executed.

Behavior extraction

Threat intelligence phase 3: Behaviour Extraction

This phase is similar to the Features Extraction phase but has to do with the behavior of the code. In the Features Extraction phase you only look at static elements of the malware but now you look at the dynamic elements as well to further analyze and categorize the malware. There are different ways to find out what the code will do once it is executed.

An important one is to execute the code in a sandbox, for example in a virtual machine that is not connected to a network and where no harm can be done. When you do that you can see which API’s the code is trying to connect to, the network requests it tries to send, if it creates new files, and so on.

A different way is to look at memory dumps. Malware is often active in the working memory. So by looking at what happens there you can better understand what the malware is trying to do.

Different categories of malware are: downloaders, keyloggers, Ransomlocks, File Infectors, Hash dumpers, malware with Anti-VM check and backdoors. Malware with Anti-VM checks doesn’t do anything when it’s executed in a virtual machine. Something that is often seen is that malware will add itself to services and scheduled tasks so that it will be executed regularly, whenever the service or task starts.

Clustering & correlation

Threat intelligence phase 4: Clustering & Correlation

In the Clustering & Correlation phase you use the information from the previous phases to get a complete picture of the malware you are researching. You make a cluster with the properties and behavior of the malware. Then you display this data in graphs to visualize and be able to see connections. This is useful when a case is particularly complicated and consists of multiple parts.

Threat Actor Attribution

The goal of this phase is to find the group behind an attack or series of attacks. Here you try to answer questions like: is the threat actor 1 person or a group? What is their location? Who is supporting them financially? Who gave them the order to attack? Are they attacking for merely financial gains or are they trying to attack a particular sector?

You also try to find out the infrastructure of the group and what kind of tactics, techniques and procedures they use (TTP). In many cases a group of hackers is sponsored by a nation state.

Sectors that are often attacked are the financial sector (banks), healthcare, essential infrastructure and nuclear energy.

This phase is important because the rest of the information would be almost useless if you didn’t even know who is behind the attack.


In the tracking phase you try to anticipate new attacks and actively find out the strategy of the hacker group and what they are doing now. For that you may do more research with OSINT, on hacker forums or by investigating IP addresses and e-mail addresses that you may have found in the previous phases.

When monitoring hacker forums it’s important not to go too far. It’s the task of other organizations like the FBI to take more active measures. They might disguise themselves on hacker forums and communicate directly with the hackers. If you try to do this yourself there is a chance you will be prosecuted as it may be hard to prove that you were allowed to do this.

Taking down

Threat intelligence phase 7: Taking down, arresting

This is the phase that’s not only handled by researchers but in cooperation with the local police or an intelligence agency. The goal of this phase is to stop the attacks and arrest the actors who are behind it, or to break up their organization. Here researchers work together with police, Europol, Interpol or the FBI because they do not have the permission to take certain actions or make certain decisions.

Different methods for taking down the threat actors:

  • Sinkhole: stopping criminal activity by intercepting the traffic between the victim and the threat actors or taking over the command & control center of the criminal organization.
  • Take down hacker forums.
  • Take the hackers offline through an ISP.
  • Arresting the hackers.

Leave a Comment

Your email address will not be published. Required fields are marked *