What is Threat Intelligence?
Threat intelligence is evidence-based information or knowledge of the capabilities, techniques, infrastructure, motives, goals, and resources of an existing or emerging threat. This intelligence provides context to better understand and identify adversaries, and as Gartner’s definition of threat intelligence states, this information “can be used to inform decisions regarding the subject's response to that menace or hazard”. Simply put, threat intelligence is the knowledge that allows you to prevent, identify, and mitigate cyberattacks.
Where does Threat Intelligence come from?
Threat intelligence comes from both internal and external sources, meaning data from both inside and outside of your own network. Combining both the internal and external threat intelligence can allow you to better understand the threat landscape or individual profiles of threat actors.
Internal Threat Intelligence Sources
There is a wealth of threat data that you can leverage from the internal network of your organization, including log files, alerts, and incident response reports, just to name a few. Organizations that use SIEM tools will also have access to several raw sources of internal network event data, like event logs, DNS logs, and firewall logs, that can be used to identify and stop threats. Incident response reports, which are commonly used to maintain historic knowledge of past incidents, can also provide context and answer questions such as: who was attacking you, what were their motivations and capabilities, and what indicators of compromise (IOCs) should be monitored to prevent similar attacks in the future? Other valuable sources of internal intelligence are retained malware, packet captures, and NetFlow records.
External Threat Intelligence Sources
External sources of threat intelligence, just as the name implies, come from outside of your network. There are a wide variety of these sources with different structures, intentions, and trustworthiness. Open-source intelligence, often referred to as OSINT, includes data from independent security researchers, vendor blogs, and publicly available threat indicator blocklists. Another common source of external threat intelligence is a private or commercial threat intelligence feed. These feeds are consistently updated sources of indicators or data derived from an outside organization and can include information on suspicious domains, malware hashes, IP addresses, and other IOCs. Unlike OSINT feeds, private or commercial feeds include more unique, higher-quality intelligence and can sometimes be focused on specific industry verticals. These feeds often include more detailed intelligence such as threat actor profiles or motivational insights along with more standard indicators.
Threat intelligence can also be collected from partners, peers, vendors, and clients in a sharing environment. This is usually seen in an information sharing community, such as an ISAC or ISAO, and includes intelligence that is shared amongst member organizations in a similar industry.
Why is Threat Intelligence Important?
Keeping a network and data secure is becoming increasingly difficult as the tactics, techniques, and procedures (TTPs) used by cyber threat actors continue to get more sophisticated. To avoid a breach, a security team must be right 100 percent of the time, with no exceptions. On the other hand, for a threat actor to be successful, they just have to get lucky once. With their singular focus on working their way into organizations, attackers always have the upper hand in this situation. Attackers can decide whether to target humans or unpatched vulnerabilities, purchase hacking tools on the dark web, and more. In order to level the playing field, security teams can tap into available threat intelligence to gain greater visibility into which potential threats to be prepared for and how to best prevent and mitigate as many of them as possible. By combining threat intelligence with internal telemetry, you can begin to understand not only what is happening within your network and whether you are seeing any of these IOCs, but also establish a proactive stance and be better informed and prepared for potential threats or blind spots in your defenses.
Types of Threat Intelligence
Strategic Threat Intelligence
Strategic intelligence includes identifying and inspecting risks that can affect an organization’s core assets, such as employees, customers, vendors, and the overall infrastructure. Development of strategic intelligence requires highly skilled human analysts to gather proprietary information, follow up on trends, identify threats, and design defensive architecture to combat those threats. At the strategic level, threat intelligence presents highly relevant information in a clear and concise form, while outlining mitigation strategies that can aid an organization in the decision-making process. This form of intelligence includes historical trends, motivations, or key attributions of an attack. It helps enterprises look at the bigger picture and set overarching goals to be more secure.
Tactical Threat Intelligence
Tactical intelligence provides extensive and rich data on current or existing threats, which is of the most direct use to an analyst. Unlike strategic intelligence, tactical intelligence is micro in its scope. This intelligence comes in the form of IOCs, which include information on malicious domains, malware files, malicious URLs, and virus signatures. Tactical intelligence is highly effective in analyzing a cyber kill chain and thereby containing an attack in progress. With tactical intelligence in hand, organizations can act quickly and minimize the impact.
Technical Threat Intelligence
Technical intelligence commonly refers to information that is derived from a threat data feed. It tends to involve information such as what attack vector is being used, what command and control domains are being employed, what vulnerabilities are being exploited, etc. Technical intelligence usually focuses on a single type of indicator, like malware hashes or suspicious domains.
Operational Threat Intelligence
Operational intelligence is knowledge about cyberattacks, events, or campaigns that provides more context and understanding around the nature, intent, and timing of specific attacks. This form of intelligence focuses mainly on how a threat actor is going to attack a company at the operational level: who is most active, what the targets are, and what capabilities and intentions they have. It also examines other elements, like how the attack would impact the organization, and helps prioritize the operational assets from the security perspective.
Threat Intelligence Use Cases
Security Operations Center (SOC)
A Security Operations Center, or SOC, can leverage threat intelligence for security monitoring, alerting, and blocking. SOC teams can create rules or signatures for indicators of compromise (IOCs) that create alerts in SIEMs, IDS/IPS, or endpoint protection products. A threat intelligence feed or set of IOCs can also be used to block suspicious activity at firewalls or other security devices. A more advanced threat intelligence use case for SOC teams is to help with the management and triage of alerts that are generated from network monitoring. When alerts are combined with context provided by threat intelligence, a SOC analyst can more quickly determine their accuracy, relevance, and priority. This can help to reduce false positives, speed up triage, and drastically reduce the time spent on analysis and containment.
Similar to SOC analysts, incident responders are inundated with high volumes of alerts, which makes it difficult to know which to investigate first and how best to respond. Threat intelligence can assist incident response teams in assessing alerts by reducing false positives, enriching alerts with context, and helping inform where to look next to observe an ongoing intrusion. Threat intelligence can also help with triage and prioritization of ongoing investigations based on which adversaries may be involved and which infrastructure is potentially at risk.
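The SOC and incident response use cases above come down to one mechanical step: match indicators from a feed against internal telemetry (DNS, firewall and endpoint logs), then attach the feed's context (actor, confidence) to each hit so the alert can be prioritized. The following is an added example written for this guide, not Cyware's code; the feed records, log lines, actor names, IP range (RFC 5737 test space) and hash are all constructed, and the priority rule is a made-up illustration of how feed context can drive triage.

```python
"""Match constructed IOCs against constructed log lines and enrich the hits.

Added example for this guide; not Cyware's code. Feed entries, log lines,
actor names and the hash value are constructed for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed, shaped like records a TI feed might supply.
IOC_FEED = [
    {"type": "domain", "value": "update-check.example",
     "actor": "ConstructedActor-1", "confidence": 90},
    {"type": "ipv4", "value": "203.0.113.0/24",
     "actor": "ConstructedActor-1", "confidence": 60},
    {"type": "sha256", "value": "ab" * 32,
     "actor": "ConstructedActor-2", "confidence": 80},
]

# Constructed log lines in three of the internal telemetry formats the guide names.
SAMPLE_LOGS = [
    "dns client=10.0.0.5 query=update-check.example rcode=NOERROR",
    "dns client=10.0.0.9 query=intranet.corp.example rcode=NOERROR",
    "fw src=10.0.0.5 dst=203.0.113.44 dport=443 action=deny",
    "fw src=10.0.0.7 dst=198.51.100.2 dport=443 action=allow",
    "edr host=ws-05 sha256=" + "AB" * 32 + " path=C:\\Users\\u\\a.exe",
]


@dataclass
class Alert:
    """One enriched alert: the raw log, the matched IOC and feed context."""
    log: str
    indicator: str
    ioc_type: str
    actor: str
    confidence: int
    priority: str


def load_indicators(feed):
    """Index the feed by type so lookups are O(1) for domains and hashes."""
    domains, nets, hashes = {}, [], {}
    for rec in feed:
        if rec["type"] == "domain":
            domains[rec["value"].lower()] = rec
        elif rec["type"] == "ipv4":
            nets.append((ipaddress.ip_network(rec["value"], strict=False), rec))
        elif rec["type"] == "sha256":
            hashes[rec["value"].lower()] = rec
    return domains, nets, hashes


def _priority(rec, log):
    # Constructed triage rule: high feed confidence, or a connection the
    # firewall let through, is "high"; a blocked hit on a weaker IOC is "medium".
    if rec["confidence"] >= 80 or "action=allow" in log:
        return "high"
    return "medium"


def match_logs(logs, feed):
    """Return alerts for every log line that contains a known indicator."""
    domains, nets, hashes = load_indicators(feed)
    alerts = []
    for log in logs:
        fields = dict(re.findall(r"(\w+)=(\S+)", log))
        hit, ind = None, None
        if "query" in fields and fields["query"].lower() in domains:
            hit, ind = domains[fields["query"].lower()], fields["query"]
        elif "dst" in fields:
            ip = ipaddress.ip_address(fields["dst"])
            for net, rec in nets:
                if ip in net:
                    hit, ind = rec, fields["dst"]
                    break
        elif "sha256" in fields and fields["sha256"].lower() in hashes:
            hit, ind = hashes[fields["sha256"].lower()], fields["sha256"]
        if hit:
            alerts.append(Alert(log, ind, hit["type"], hit["actor"],
                                hit["confidence"], _priority(hit, log)))
    # Highest priority first; sort is stable, so log order is kept within a tier.
    order = {"high": 0, "medium": 1}
    alerts.sort(key=lambda a: order[a.priority])
    return alerts


def actors_involved(alerts):
    """The adversaries the matched IOCs are attributed to, for IR prioritization."""
    return sorted({a.actor for a in alerts})


if __name__ == "__main__":
    for a in match_logs(SAMPLE_LOGS, IOC_FEED):
        print(a.priority, a.ioc_type, a.indicator, a.actor)
    print("actors:", actors_involved(match_logs(SAMPLE_LOGS, IOC_FEED)))
```

Two details matter in practice: hashes and domains are compared case-insensitively, because endpoint tools and feeds disagree on casing, and the IP indicator is a network rather than a single address, so a feed entry covering a range still matches a specific destination. The firewall hit on a lower-confidence range lands in the medium tier because the connection was already denied, which is the kind of context-driven downgrade the guide describes.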
Vulnerability management is often a very time-consuming process that can seem like a never-ending battle. It is also common practice for vulnerability patching to be delayed in favor of business continuity. However, there are times when organizations need to be aware of real imminent risks that could be thwarted by a simple patch. Threat intelligence can help bridge this gap for organizations and provide a smarter lens of risk-based analysis of vulnerabilities. Threat intelligence can provide key insights into the weaponization of vulnerabilities through different malware or exploits. It can also show what a threat actor’s objectives might be and what they could possibly use to achieve it. By having knowledge of the attackers’ TTPs, security teams can evaluate the risk posed to specific internal systems and prioritize those vulnerabilities first.
Threat intelligence can be used by CISOs and other security leaders in planning for business and technical risk. This information can help inform decisions on the architecture and processes that best suit an organization or the budget and team size that need to be justified. Threat intelligence can provide valuable insight into attack trends by geography, industry, software, hardware, and more. Gaining a better understanding of the threat landscape that is most relevant to you is an invaluable asset for any security leader.
Threat Intelligence and Cyber Fusion
In many ways, cyber fusion is the combination of all or many of the other use cases listed here. Cyber fusion is an approach to cybersecurity that unifies all security functions such as threat intelligence, security automation, threat response, security orchestration, incident response, and others into a single connected unit. This level of visibility and collaboration across all units for detecting, managing, and responding to threats provides security teams with an advanced level of resilience and control. A key element to this is the continuous flow of analyzed and updated threat intelligence being automatically fed into all functional units of security operations including deployed security and IT tools and human-based analysis and response teams to foster visibility-driven security operations. Cyber fusion enhances an organization’s defense posture and accelerates response to cyber threats.
Threat Intelligence Platform
Threat intelligence platforms, or TIPs, are software solutions that enable security teams to collect, organize, and manage threat data and intelligence. More advanced threat intelligence platforms provide the ability to share and receive intelligence with multiple peers, TI providers, ISAC members, regulators, partner organizations, and subsidiary companies. An advanced TIP like this can also automate the normalization, enrichment, and analysis of threat intelligence to help security teams more quickly identify, manage, and take action on cyber threats. When leveraged properly, a smart, bi-directional threat intelligence platform gives security teams the ability to more accurately predict and prevent attacks, as well as mitigate and respond to threats with faster, smarter actions.
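The normalization step a TIP automates is easy to underestimate: the same indicator arrives from different providers in different formats (JSON versus CSV, defanged versus plain, mixed casing, trailing dots), and malformed entries have to be rejected rather than silently loaded into blocking rules. The following is an added example written for this guide, not Cyware's or any TIP's code; both feeds, their indicator values, the confidence numbers and the merge rule (keep the highest confidence, record every source) are constructed assumptions.

```python
"""Normalize and merge indicators from two constructed feeds into one set.

Added example for this guide; not Cyware's code. Both feeds and every value
in them are constructed. Defanging styles handled: "[.]" and "hxxp".
"""
import csv
import io
import ipaddress
import re

# Constructed feed A: JSON-style records, partly defanged, one malformed.
FEED_A = [
    {"indicator": "BAD[.]EXAMPLE.", "type": "domain", "confidence": 70},
    {"indicator": "hxxp://bad[.]example/dl", "type": "url", "confidence": 80},
    {"indicator": "203[.]0[.]113[.]5", "type": "ipv4", "confidence": 50},
    {"indicator": "Not-a-hash", "type": "sha256", "confidence": 90},
]

# Constructed feed B: CSV text as a second provider might deliver it.
FEED_B = """type,value,confidence
domain,bad.example,90
ipv4,203.0.113.5,40
sha256,{hash},65
ipv4,999.1.1.1,80
""".format(hash="cd" * 32)

HEX64 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def refang(value):
    """Undo common defanging so the indicator can be compared and validated."""
    v = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize(ioc_type, value):
    """Return the canonical form of an indicator, or None if it is malformed."""
    v = refang(value.strip())
    if ioc_type == "domain":
        v = v.lower().rstrip(".")          # case-fold, drop trailing root dot
        return v if DOMAIN.match(v) else None
    if ioc_type == "url":
        return v if v.lower().startswith(("http://", "https://")) else None
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(v))   # rejects octets > 255 etc.
        except ValueError:
            return None
    if ioc_type == "sha256":
        v = v.lower()
        return v if HEX64.match(v) else None
    return None


def merge_feeds(feed_a, feed_b_csv):
    """Combine both feeds keyed by (type, canonical value).

    Returns (merged, rejected): merged maps each key to its sources and the
    highest confidence any source gave it; rejected lists malformed entries
    so an analyst can review them instead of losing them silently.
    """
    records = [("feedA", r["type"], r["indicator"], r["confidence"]) for r in feed_a]
    for row in csv.DictReader(io.StringIO(feed_b_csv)):
        records.append(("feedB", row["type"], row["value"], int(row["confidence"])))

    merged, rejected = {}, []
    for source, ioc_type, raw, confidence in records:
        canonical = normalize(ioc_type, raw)
        if canonical is None:
            rejected.append((source, ioc_type, raw))
            continue
        entry = merged.setdefault((ioc_type, canonical),
                                  {"sources": set(), "confidence": 0})
        entry["sources"].add(source)
        entry["confidence"] = max(entry["confidence"], confidence)
    return merged, rejected


if __name__ == "__main__":
    merged, rejected = merge_feeds(FEED_A, FEED_B)
    for key, entry in sorted(merged.items()):
        print(key, sorted(entry["sources"]), entry["confidence"])
    print("rejected:", rejected)
```

After the merge, "BAD[.]EXAMPLE." from one feed and "bad.example" from the other collapse into a single domain record seen by both sources, which is what lets a TIP report corroboration across providers, while the bogus hash and the out-of-range IPv4 address end up in the rejected list rather than in a blocklist.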
Cyware Threat Intelligence Solutions
An innovative threat intelligence platform (TIP) to automatically aggregate, enrich, and analyze threat indicators in a collaborative ecosystem.
A mobile-enabled, automated, strategic threat intelligence, aggregation, processing, and sharing platform for real-time alert dissemination and enhanced collaboration between an organization’s security teams or an ISAC and its members.