
Lesson 42: Threat Intelligence — Building a Proactive Defense for Saudi Financial Institutions

Lesson 42 in the Fyntralink cybersecurity series. Learn to build a proactive Threat Intelligence program — from feeds and tools to SAMA compliance — for Saudi financial institutions.

FyntraLink Team
Advanced Cybersecurity Topics · Lesson 42 of the Series · Level: Intermediate · Reading Time: 12 minutes

What You Will Learn in This Lesson

  • What Cyber Threat Intelligence (CTI) is and why reactive security is no longer enough
  • The four levels of threat intelligence: strategic, operational, tactical, and technical
  • How to build a threat intelligence program tailored to a SAMA-regulated institution
  • Practical tools and feeds you can deploy today to start consuming actionable intelligence

Why "Detect and Respond" Alone Is Failing

Your SOC team sees an alert: a suspicious outbound connection to an IP in Eastern Europe. They investigate, contain the endpoint, run forensics, and close the ticket. Two weeks later, the same threat actor breaches a different segment using a slightly different technique. Sound familiar? This is what happens when your security posture is purely reactive. You are always one step behind the adversary, cleaning up damage instead of preventing it.

Cyber Threat Intelligence (CTI) flips this equation. Instead of waiting for alerts, CTI gives you advance knowledge of who is targeting your sector, what tools they use, and how they operate, before they reach your perimeter. For Saudi financial institutions operating under SAMA oversight, this shift from reactive to proactive defense is not optional: it is a regulatory expectation set out in the threat management controls of the SAMA Cyber Security Framework (Domain 3, Cyber Security Operations and Technology).

The Four Levels of Threat Intelligence

Not all intelligence is created equal. A hash value for a malicious file and a board-level briefing on geopolitical cyber risk serve very different audiences and drive very different decisions. Understanding the four levels helps you build an intelligence program that serves your entire organization — from the analyst in the SOC to the CISO presenting to the board.

Strategic Intelligence answers the question: "What is the big picture?" It covers geopolitical trends, threat actor motivations, and sector-wide targeting patterns. For a Saudi bank, this might include reporting on financially motivated threat groups targeting Gulf Cooperation Council (GCC) financial infrastructure, or analysis of how regional tensions translate into increased cyber espionage activity. Consumers: CISO, board of directors, risk committee.

Operational Intelligence focuses on specific campaigns and threat actor operations. It tells you that a particular group — say, a ransomware-as-a-service operation — is actively targeting payment processors in the MENA region using a specific initial access broker. This intelligence has a shelf life of weeks to months and drives decisions about where to focus defensive resources. Consumers: security managers, incident response leads.

Tactical Intelligence describes the Tactics, Techniques, and Procedures (TTPs) adversaries use. Mapped to the MITRE ATT&CK framework, this intelligence tells your detection engineers exactly what behaviors to hunt for. For example: "This group uses spear-phishing with password-protected ZIP attachments containing ISO files to bypass email gateway scanning, then leverages DLL side-loading for execution." Consumers: detection engineers, threat hunters.

Technical Intelligence is the most granular — Indicators of Compromise (IoCs) such as IP addresses, domain names, file hashes, and YARA rules. This is what most people think of when they hear "threat intelligence," but it is actually the least durable. An IP address might be relevant for hours or days before the attacker rotates infrastructure. Consumers: SOC analysts, SIEM/EDR platforms.

Practical Example: A Saudi investment firm receives a strategic intelligence report indicating that a specific APT group has shifted its targeting from government entities to financial regulators and investment firms in the GCC. The operational team then discovers that this group has been observed purchasing credentials for VPN appliances commonly used in the Saudi market from initial access brokers on dark web forums. Tactical intelligence reveals they favor exploiting Fortinet and Pulse Secure vulnerabilities for initial access, then use Cobalt Strike with specific malleable C2 profiles. Technical intelligence provides the exact C2 domains, certificate hashes, and Cobalt Strike beacon configurations. Each level triggers a different action — from a board briefing and emergency patching directive down to immediate IoC blocking at the firewall.

Building Your Threat Intelligence Program — A Practical Roadmap

You do not need a team of 20 analysts and a million-riyal budget to start. A practical CTI program for a mid-sized Saudi financial institution can be built incrementally in three phases.

Phase 1: Foundation (Months 1-3)

Start with intelligence consumption, not production. Subscribe to free and commercial threat feeds relevant to the financial sector. Configure your SIEM to ingest IoCs automatically. Key actions:

# Example: Integrating MISP threat feeds with your SIEM
# Install MISP (Malware Information Sharing Platform). There is no distribution
# package named "misp": use the official installer script shipped in the MISP
# repository (INSTALL/INSTALL.sh) or the misp-docker images.

# Configure feed synchronization in MISP
# Navigate to Sync Actions > List Feeds > Enable:
# - CIRCL OSINT Feed (free, curated IoCs)
# - Abuse.ch URLhaus (malicious URLs)
# - AlienVault OTX (community threat data)

# Export detection-grade IoCs from the last day via the MISP API.
# restSearch is a POST that takes its filter as a JSON body; restricting to
# to_ids=1 keeps attributes an analyst did not flag for detection out of the SIEM.
curl -X POST \
     -H "Authorization: YOUR_API_KEY" \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     https://your-misp-instance/attributes/restSearch \
     -d '{"returnFormat": "json", "type": ["ip-dst", "domain", "md5", "sha256"], "to_ids": 1, "published": true, "last": "1d"}' \
     > daily_iocs.json

# Automate ingestion into Splunk/QRadar/Sentinel
# using your SIEM's threat intelligence module
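The export above is only half of Phase 1: what lands in the SIEM must be refanged, stripped of internal addresses, deduplicated and given an expiry, or the feed becomes noise. The script below is an added example for this lesson, not MISP's or Fyntralink's code. It assumes the JSON shape MISP returns from /attributes/restSearch ({"response": {"Attribute": [...]}}) and runs against a constructed sample so it works offline; the retention windows and bogon list are the author's choices, and the function names are invented for the example.

```python
"""Normalise a MISP restSearch export into a SIEM-ready IoC lookup.

Added example for this lesson; it is not MISP's or Fyntralink's code. It
assumes the JSON shape MISP returns from /attributes/restSearch
({"response": {"Attribute": [...]}}) and works on a constructed sample so it
runs offline. Retention windows and the bogon list are the author's choices.
"""
import ipaddress
import json
import re

# Constructed sample shaped like a MISP restSearch response. None of these are
# real indicators: 203.0.113.45 is an RFC 5737 documentation address standing in
# for a public IP, and the domains use the reserved .example TLD.
SAMPLE_MISP_RESPONSE = json.dumps({"response": {"Attribute": [
    {"id": "1", "event_id": "10", "type": "ip-dst", "value": "203.0.113.45",
     "to_ids": True, "timestamp": "1700000000", "Tag": [{"name": "tlp:amber"}]},
    {"id": "2", "event_id": "10", "type": "domain", "value": "update-portal[.]example",
     "to_ids": True, "timestamp": "1700000000", "Tag": []},
    {"id": "3", "event_id": "11", "type": "ip-dst", "value": "10.0.0.7",
     "to_ids": True, "timestamp": "1700000000", "Tag": []},
    {"id": "4", "event_id": "11", "type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E",
     "to_ids": False, "timestamp": "1700000000", "Tag": []},
    {"id": "5", "event_id": "12", "type": "domain", "value": "UPDATE-PORTAL.EXAMPLE",
     "to_ids": True, "timestamp": "1700000100", "Tag": [{"name": "tlp:green"}]},
    {"id": "6", "event_id": "12", "type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "to_ids": True, "timestamp": "1700000100", "Tag": []},
]}})

# Shelf life per attribute type, in days (assumed values). Network indicators
# rotate within days; file hashes stay useful for a long time.
TTL_DAYS = {"ip-dst": 7, "ip-src": 7, "domain": 30, "hostname": 30, "url": 30,
            "md5": 365, "sha1": 365, "sha256": 365}

# Address ranges that should never be blocked or alerted on from a feed:
# a private or loopback "IoC" in a SIEM lookup floods the SOC with noise.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]


def refang(value):
    """Undo the defanging analysts use in reports ([.] and hxxp) so the SIEM
    matches the observable as it appears on the wire."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def is_bogon(value):
    """True for addresses that cannot be a meaningful external IoC."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True  # not an address at all; unusable for an ip-* attribute
    return any(ip in net for net in BOGON_NETWORKS)


def normalise(misp_json):
    """Return deduplicated, detection-grade IoCs with an expiry timestamp."""
    attributes = json.loads(misp_json)["response"]["Attribute"]
    seen, iocs = set(), []
    for attr in attributes:
        ioc_type = attr["type"]
        if not attr.get("to_ids") or ioc_type not in TTL_DAYS:
            continue  # analyst did not mark it for detection, or unsupported type
        value = refang(attr["value"]).lower()
        if ioc_type.startswith("ip-") and is_bogon(value):
            continue
        if (ioc_type, value) in seen:
            continue  # same observable reported twice (different event or casing)
        seen.add((ioc_type, value))
        first_seen = int(attr["timestamp"])
        tlp = next((t["name"] for t in attr.get("Tag", []) if t["name"].startswith("tlp:")),
                   "tlp:unknown")
        iocs.append({"type": ioc_type, "value": value, "event_id": attr["event_id"],
                     "tlp": tlp, "first_seen": first_seen,
                     "expires_at": first_seen + TTL_DAYS[ioc_type] * 86400})
    return iocs


def active(iocs, now_epoch):
    """Drop indicators past their shelf life before they reach the SIEM."""
    return [i for i in iocs if i["expires_at"] > now_epoch]


def to_csv(iocs):
    """Render a lookup table in the flat form SIEM threat-intel modules import."""
    cols = ("type", "value", "event_id", "tlp", "first_seen", "expires_at")
    rows = [",".join(cols)] + [",".join(str(i[c]) for c in cols) for i in iocs]
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_csv(normalise(SAMPLE_MISP_RESPONSE)))
```

On the sample, six attributes collapse to three rows: the RFC 1918 address and the attribute with to_ids=0 are dropped, and the defanged and upper-case spellings of the same domain merge into one entry. Run active() with the current epoch on every sync so an IP that was relevant last week does not keep firing after the actor has rotated infrastructure.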

Phase 2: Contextualization (Months 3-6)

Raw feeds without context generate noise. In this phase, you build processes to enrich, prioritize, and contextualize intelligence. Map incoming intelligence to your specific environment. If a threat report mentions exploitation of Apache Struts but your organization does not run Struts, that intelligence is low priority for you. Adopt the MITRE ATT&CK framework as your common language. Create a heat map showing which ATT&CK techniques are most relevant to threats targeting Saudi financial institutions, then compare it against your detection coverage to find gaps.

Phase 3: Production and Sharing (Months 6-12)

Now you begin producing your own intelligence. Your incident response cases, threat hunting findings, and red team exercises generate unique intelligence about threats specific to your environment. Document this using structured formats like STIX 2.1 (Structured Threat Information Expression) and share selectively with sector peers. Saudi Arabia's financial sector benefits from information sharing through Saudi CERT and sector-specific ISACs (Information Sharing and Analysis Centers). Contributing intelligence is as valuable as consuming it — your observation of a new phishing campaign targeting Saudi banking customers could protect the entire sector.
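Producing intelligence means packaging a finding so a peer institution's TIP can ingest it without a phone call. The script below is an added example for this lesson, not code from the page or from any STIX library; it builds the STIX 2.1 objects by hand with the standard library so it runs without the stix2 package. The phishing scenario, domains and hash are constructed. The ATT&CK id T1566.002 (Spearphishing Link) and the TLP marking-definition ids are the fixed values published by ATT&CK and the STIX 2.1 specification; every function name is invented for the example.

```python
"""Package an incident-response finding as a STIX 2.1 bundle for sector sharing.

Added example for this lesson, not code from the page or from any STIX library;
it builds the objects by hand with the standard library so it runs without the
stix2 package. The phishing scenario, domains and hash are constructed. The
ATT&CK id T1566.002 (Spearphishing Link) and the TLP marking-definition ids are
the fixed values from ATT&CK and the STIX 2.1 specification.
"""
import re
import uuid
from datetime import datetime, timezone

STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Fixed TLP marking-definition ids from the STIX 2.1 specification.
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dadc-4cfd-b3ce-aafd1c0e6d24",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Constructed finding from a hypothetical IR case (not real infrastructure).
SAMPLE_FINDING = {
    "org_name": "Example Bank (constructed)",
    "campaign_name": "Fake online-banking login lures, Q4 (constructed)",
    "phishing_domains": ["secure-login-bank.example", "bank-otp-verify.example"],
    "lure_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "tlp": "amber",
}


def stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_escape(literal):
    """Escape backslash and single quote for use inside a STIX pattern literal."""
    return literal.replace("\\", "\\\\").replace("'", "\\'")


def build_bundle(org_name, campaign_name, phishing_domains, lure_sha256, tlp="amber"):
    ts = stix_timestamp()
    identity = {"type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
                "created": ts, "modified": ts, "name": org_name,
                "identity_class": "organization"}

    def sdo(obj_type, **fields):
        # Every object we produce carries our identity and the chosen TLP marking.
        obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
               "created": ts, "modified": ts, "created_by_ref": identity["id"],
               "object_marking_refs": [TLP_MARKINGS[tlp]]}
        obj.update(fields)
        return obj

    campaign = sdo("campaign", name=campaign_name,
                   description="Credential-phishing lures impersonating online banking.")
    technique = sdo("attack-pattern", name="Phishing: Spearphishing Link",
                    external_references=[{"source_name": "mitre-attack",
                                          "external_id": "T1566.002"}])
    indicators = [sdo("indicator", name=f"Phishing domain {d}",
                      indicator_types=["malicious-activity"], pattern_type="stix",
                      pattern=f"[domain-name:value = '{stix_escape(d)}']", valid_from=ts)
                  for d in phishing_domains]
    indicators.append(sdo("indicator", name="Lure document",
                          indicator_types=["malicious-activity"], pattern_type="stix",
                          pattern=f"[file:hashes.'SHA-256' = '{stix_escape(lure_sha256)}']",
                          valid_from=ts))
    relationships = [sdo("relationship", relationship_type="indicates",
                         source_ref=i["id"], target_ref=campaign["id"]) for i in indicators]
    relationships.append(sdo("relationship", relationship_type="uses",
                             source_ref=campaign["id"], target_ref=technique["id"]))
    # A STIX 2.1 bundle has no spec_version of its own; the objects carry it.
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [identity, campaign, technique, *indicators, *relationships]}


def validate_bundle(bundle):
    """Cheap sanity checks before sharing: well-formed ids, spec_version,
    relationships that resolve inside the bundle, and bracketed STIX patterns."""
    problems = []
    ids = {o.get("id") for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "<missing id>")
        if not STIX_ID.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"{oid}: malformed id")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version missing or not 2.1")
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{oid}: dangling {ref}")
        if obj.get("type") == "indicator":
            pattern = obj.get("pattern", "")
            if obj.get("pattern_type") != "stix" or not (pattern.startswith("[") and pattern.endswith("]")):
                problems.append(f"{oid}: malformed pattern")
    return problems


def example_bundle():
    return build_bundle(**SAMPLE_FINDING)


if __name__ == "__main__":
    import json
    bundle = example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle) or "none")
```

The bundle ties each indicator to the campaign with an "indicates" relationship and the campaign to the ATT&CK technique with "uses", so a recipient sees the TTP and not just a list of domains. Set the TLP deliberately: TLP:AMBER is the usual choice for sector peers, and nothing above it should leave the organization without a sharing agreement.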

Essential Tools and Platforms

A functional CTI program relies on a combination of platforms. Here is a practical stack suitable for Saudi financial institutions:

Threat Intelligence Platform (TIP): MISP (open source) or commercial options like Anomali ThreatStream or Recorded Future. The TIP is your central hub for collecting, correlating, and distributing intelligence. MISP is particularly popular because it supports community sharing and is used by many national CERTs including Saudi CERT.

MITRE ATT&CK Navigator: Free, browser-based tool for mapping adversary techniques against your detection capabilities. Export your coverage heat map and present it to management as a visual gap analysis.

# Running ATT&CK Navigator locally (the hosted instance at
# https://mitre-attack.github.io/attack-navigator/ works too, but a local
# instance keeps your coverage data off a third-party site)
# Clone the repository
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app
npm install
npx ng serve   # or "ng serve" if the Angular CLI is installed globally

# Access at http://localhost:4200
# Create layers for:
# 1. "Known threats to Saudi financial sector" (red)
# 2. "Our current detection coverage" (blue)
# Overlay to identify gaps (techniques in red but not blue)
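Building the two layers by hand in the browser does not scale once the threat set and the rule inventory change every month. The script below, an added example for this lesson and not MITRE's or Fyntralink's code, implements the Phase 2 gap analysis described earlier and writes the red, blue and gap layers as Navigator layer files. The threat technique set is constructed from the TTPs this lesson names (spear-phishing attachments, ISO containers, DLL side-loading, VPN appliance exploitation, brokered credentials, Cobalt Strike web beacons); the detection inventory and its confidence values are invented, and "layer": "4.5" in the versions block is an assumption to be matched to the Navigator release you run.

```python
"""ATT&CK coverage gap analysis that emits Navigator layer files.

Added example for this lesson, not MITRE's or Fyntralink's code. The threat
technique set is constructed from the TTPs this lesson names; the detection
inventory is invented. The layer JSON follows the Navigator layer format;
"layer": "4.5" in the versions block is an assumption, so match it to the
Navigator release you run.
"""
import json

# Constructed: techniques reported for threats to the lesson's scenario, weighted by
# how many independent reports cited them (illustrative numbers).
THREAT_TECHNIQUES = {
    "T1566.001": 4,  # Spearphishing Attachment (password-protected ZIP)
    "T1553.005": 3,  # Mark-of-the-Web Bypass (ISO container files)
    "T1574.002": 3,  # DLL Side-Loading
    "T1190": 4,      # Exploit Public-Facing Application (VPN appliances)
    "T1078": 2,      # Valid Accounts (credentials bought from access brokers)
    "T1071.001": 3,  # Web Protocols (Cobalt Strike HTTP/HTTPS beacons)
    "T1027": 1,      # Obfuscated Files or Information
}

# Constructed detection inventory: technique -> [(rule name, confidence 0..1)].
# Confidence is the detection engineer's estimate that the rule fires on a
# real instance of the technique.
DETECTIONS = {
    "T1566.001": [("email-gw-password-protected-archive", 0.8)],
    "T1574.002": [("edr-unsigned-dll-in-signed-process", 0.5)],
    "T1071.001": [("proxy-beacon-interval", 0.6), ("tls-fingerprint-cobaltstrike", 0.7)],
    "T1078": [("vpn-impossible-travel", 0.4)],
    "T1059.001": [("powershell-encoded-command", 0.9)],  # covered, but no threat reported it
}


def coverage_score(rules):
    """Combine independent rules: P(at least one fires) = 1 - prod(1 - c_i)."""
    miss = 1.0
    for _, confidence in rules:
        miss *= 1.0 - confidence
    return round(1.0 - miss, 2)


def gap_analysis(threats, detections):
    """Rank techniques by residual risk = threat weight x (1 - coverage)."""
    rows = []
    for tid, weight in threats.items():
        cov = coverage_score(detections.get(tid, []))
        rows.append({"techniqueID": tid, "threat_weight": weight, "coverage": cov,
                     "residual": round(weight * (1.0 - cov), 2)})
    rows.sort(key=lambda r: (-r["residual"], r["techniqueID"]))
    return rows


def uncovered(rows):
    """Techniques in the threat set with no detection at all: the top of the hunt list."""
    return [r["techniqueID"] for r in rows if r["coverage"] == 0]


def navigator_layer(name, entries, colour, description=""):
    """Build one Navigator layer; entries maps techniqueID -> (score, comment)."""
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # assumed layer format version
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [{"techniqueID": tid, "score": score, "color": colour, "comment": comment}
                       for tid, (score, comment) in sorted(entries.items())],
    }


def build_layers(threats, detections):
    """The lesson's two layers (threats red, coverage blue) plus a residual-risk layer."""
    rows = gap_analysis(threats, detections)
    threat_entries = {tid: (w, f"cited by {w} reports") for tid, w in threats.items()}
    coverage_entries = {tid: (coverage_score(rules), ", ".join(r for r, _ in rules))
                        for tid, rules in detections.items()}
    gap_entries = {r["techniqueID"]: (r["residual"], f"coverage {r['coverage']:.2f}")
                   for r in rows}
    return {
        "threats": navigator_layer("Known threats to Saudi financial sector", threat_entries, "#c0392b"),
        "coverage": navigator_layer("Our current detection coverage", coverage_entries, "#2980b9"),
        "gaps": navigator_layer("Residual risk (threat weight x uncovered)", gap_entries, "#f39c12",
                                "Import alongside the other two layers and sort by score."),
    }


if __name__ == "__main__":
    for key, layer in build_layers(THREAT_TECHNIQUES, DETECTIONS).items():
        with open(f"{key}-layer.json", "w") as fh:
            json.dump(layer, fh, indent=2)
    for row in gap_analysis(THREAT_TECHNIQUES, DETECTIONS):
        print(row)
```

On the sample data the ranking puts T1190 (VPN appliance exploitation) and T1553.005 (ISO containers) first because nothing detects them, while T1071.001 drops to the bottom: two moderate rules on beacon traffic combine to 0.88 coverage. The residual column is what goes to management; the uncovered() list is what goes to the threat hunters.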

Dark Web Monitoring: Tools like Flare, Searchlight Cyber, or ZeroFox monitor dark web forums, paste sites, and Telegram channels for mentions of your organization, leaked credentials, or discussions about targeting Saudi financial entities. This is operational intelligence that provides early warning of impending attacks.

Threat Hunting Platform: Use your EDR (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne) combined with a SIEM to conduct hypothesis-driven hunts based on tactical intelligence. Example hypothesis: "Given intelligence that APT group X uses DLL side-loading via legitimate signed binaries, hunt for unusual child processes spawned by known LOLBins across our endpoint fleet."

Connecting to the Saudi Regulatory Landscape

SAMA's Cyber Security Framework explicitly requires institutions to maintain threat intelligence capabilities. Domain 3 (Cyber Security Operations and Technology) includes controls for threat monitoring, intelligence gathering, and information sharing. The NCA's Essential Cybersecurity Controls (ECC) reinforce this through controls requiring organizations to identify and assess cyber threats relevant to their operations. Building a CTI program is not just a security best practice — it is a compliance requirement. Furthermore, SAMA expects regulated entities to participate in sector-wide threat sharing initiatives, meaning your program must include both consumption and contribution components. During SAMA audits, demonstrating a mature CTI capability — with documented processes, defined intelligence requirements, and evidence of actionable output — significantly strengthens your compliance posture.

Common Mistakes to Avoid

  • Drowning in feeds without context: Subscribing to dozens of threat feeds and dumping millions of IoCs into your SIEM creates alert fatigue, not intelligence. Start with 3-5 high-quality feeds relevant to your sector and geography. Quality over quantity — always.
  • Ignoring the "So What?" question: Intelligence without action is just information. Every piece of intelligence you consume should answer: "What do we do differently because of this?" If you cannot tie it to a defensive action — a detection rule, a configuration change, a hunting hypothesis — it is noise, not intelligence.
  • Treating CTI as a technology problem: Buying a threat intelligence platform does not give you a threat intelligence program. CTI is a discipline that requires defined intelligence requirements, trained analysts, and processes for dissemination and feedback. The technology is an enabler, not the program itself.

Lesson Summary

  • Threat intelligence operates at four levels (strategic, operational, tactical, technical), each serving different audiences and driving different security decisions — a mature program needs all four.
  • Build incrementally: start by consuming curated feeds, then add context and prioritization, and finally begin producing and sharing your own intelligence with the sector.
  • CTI is a SAMA and NCA compliance requirement, not an optional enhancement — your program must demonstrate both consumption and contribution to sector-wide threat sharing.

Next Lesson

In the next lesson we will cover: Purple Teaming — Bridging the Gap Between Red and Blue Teams — how to run collaborative exercises that simultaneously test your defenses and improve your detection capabilities, with a framework tailored to SAMA-regulated institutions.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a tailored threat intelligence program roadmap.