What is threat intelligence?
Threat intelligence, also known as cyberthreat intelligence, is information gathered from a range of sources about current or potential attacks against an organization. The information is analyzed, refined and organized, then used to minimize and mitigate cybersecurity risks.
The main purpose of threat intelligence is to show organizations the various risks they face from external threats, such as zero-day vulnerabilities and advanced persistent threats. Threat intelligence includes in-depth information and context about specific threats, such as who is attacking, their capabilities and motivation, and the indicators of compromise. With this information, organizations can make informed decisions about how to defend against the most damaging attacks.
Why is threat intelligence important?
In a military, business or security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a part of a bigger security intelligence strategy. It includes information related to protecting an organization from external and insider threats, as well as the processes, policies and tools used to gather and analyze that information. It also identifies potential vulnerabilities that malware, ransomware and other types of cybercrime can exploit. It facilitates timely decision-making when an event is predicted or taking place.
Threat intelligence provides better insight into the threat landscape and threat actors, revealing their latest tactics, techniques and procedures. With this information, organizations can proactively configure security controls to detect and prevent advanced attacks and zero-day threats. Many of these adjustments can be automated so that security stays aligned with the latest intelligence in real time.
Good threat intel establishes a strong security posture, where security professionals can set and prioritize rules for specific events. It lets security tools perform their work with accurate threat data and accurately identify attack vectors.
Types of threat intelligence
There are four types of threat intelligence -- strategic, tactical, technical and operational. All four are essential to a proactive, comprehensive threat assessment capability:
- Strategic threat intelligence summarizes potential cyberattacks and the possible consequences for nontechnical audiences, stakeholders and decision-makers. It is presented in the form of white papers, reports and presentations, and is based on detailed analysis of emerging risks and trends worldwide. It provides a high-level overview of an industry's or organization's threat landscape.
- Tactical threat intelligence provides details about the tactics, techniques and procedures (TTPs) threat actors use. It's intended for those directly involved with protecting IT and data resources, providing detail on how an organization might be attacked and the best ways to defend against attacks.
- Technical threat intelligence focuses on signs that indicate an attack is starting and where the attack surface is. These include reconnaissance, weaponization and delivery, such as spear phishing, baiting and social engineering. Technical intelligence plays an important role in blocking these types of attacks. It's often grouped with operational threat intelligence.
- Operational threat intelligence collects information from various sources, including chat rooms, social media, antivirus logs and past events. It's used to anticipate the nature and timing of future attacks. Data mining and machine learning are often used to automate the processing of hundreds of thousands of data points across multiple languages. Security and incident response teams use operational intelligence to change the configuration of devices such as firewall rules, event detection rules and access controls. It can also improve response times as the information clarifies what to look for.
What is the threat intelligence lifecycle?
The following five steps enable effective threat intelligence gathering and prioritization of security initiatives:
1. Goals and objectives
To select the right threat intelligence sources and tools, an organization must decide what it hopes to achieve by adding threat intelligence to its security strategy. The goal most likely is to aid information security teams in stopping potential threats identified during a threat modeling exercise. This requires obtaining intelligence data and tools that can provide timely advice and alerts on high-risk and high-impact threats. Another important objective is to ensure the right strategic intelligence is collected and provided to C-level managers so that they're aware of changes to the organization's threat landscape.
2. Data collection
Logs from internal systems, security controls and cloud services form the foundation of an organization's threat intelligence program. However, to gain insights into the latest TTPs and industry-specific intelligence, it's necessary to collect data from third-party threat data feeds. These sources include information gathered from social media sites, hacker forums, malicious Internet Protocol addresses, antivirus telemetry and threat research reports.
3. Data processing
Gathering and organizing the raw data needed to create actionable threat intelligence requires automated processing. Manual filtering isn't sufficient. Automated systems add metadata and correlate and aggregate various types of data. Threat intelligence platforms or applications use machine learning to automate data collection, processing and dissemination so that they can provide information continuously about threat actors' activities.
4. Data analysis
This step involves using processed data to find answers to questions such as when, why and how a suspicious event occurred. For example, this step answers questions about when a phishing incident happened, what the perpetrator was after, and how phishing emails and a malicious domain are linked and being used.
5. Report findings
Intelligence reports must be tailored to a specific audience so that it's clear how the threats identified affect that audience's areas of responsibility. Reports should be shared with the wider community when possible to improve overall security operations.
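As an added example (not code from the original article), the following Python sketches lifecycle steps 2 through 4 on constructed data: two feed formats are normalized into one schema with defanging undone, merged with source and confidence metadata, and then correlated against proxy and DNS log lines so the hosts with the strongest indicator overlap are ranked first. The feed contents, log lines, field names and confidence scale are all assumptions.

```python
"""Minimal threat-intel processing and correlation pipeline (added example)."""
import re
from collections import defaultdict

# Constructed sample feed entries in two formats a platform would have to normalize.
# Indicators are defanged the way public reports usually publish them.
FEED_A = """type,value,confidence
domain,Bad-Update[.]example,80
ipv4,203.0.113[.]45,60
url,hxxp://bad-update[.]example/dl/payload.bin,90
"""
FEED_B = [{"ioc": "bad-update.example", "kind": "domain", "score": 70},
          {"ioc": "198.51.100.7", "kind": "ipv4", "score": 40}]

# Constructed proxy/DNS log lines to correlate against (RFC 5737 addresses).
LOGS = [
    "2024-05-01T10:02:11Z host=wks17 dns query=bad-update.example",
    "2024-05-01T10:02:12Z host=wks17 proxy dst=203.0.113.45 url=http://bad-update.example/dl/payload.bin",
    "2024-05-01T10:05:40Z host=wks03 dns query=intranet.example",
]

def refang(value):
    """Undo common defanging so feed values match what logs actually contain."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def normalize(feed_a, feed_b):
    """Step 3 (processing): parse both formats into one schema, dedupe on
    (kind, value), keep the highest confidence and record every source."""
    iocs = {}
    for line in feed_a.strip().splitlines()[1:]:          # skip CSV header
        kind, value, conf = line.split(",")
        key = (kind, refang(value))
        iocs.setdefault(key, {"confidence": 0, "sources": set()})
        iocs[key]["confidence"] = max(iocs[key]["confidence"], int(conf))
        iocs[key]["sources"].add("feed_a")
    for rec in feed_b:
        key = (rec["kind"], refang(rec["ioc"]))
        iocs.setdefault(key, {"confidence": 0, "sources": set()})
        iocs[key]["confidence"] = max(iocs[key]["confidence"], rec["score"])
        iocs[key]["sources"].add("feed_b")
    return iocs

def correlate(iocs, logs):
    """Step 4 (analysis): record which hosts touched which indicators (each
    sighting counts) and rank hosts by summed confidence, highest risk first."""
    hits = defaultdict(list)
    for line in logs:
        host = re.search(r"host=(\S+)", line).group(1)
        for (kind, value), meta in iocs.items():
            if value in line.lower():
                hits[host].append((kind, value, meta["confidence"]))
    return sorted(hits.items(), key=lambda h: -sum(c for _, _, c in h[1]))
```

Hosts with no indicator overlap (wks03 here) never appear in the ranking, so the output is already the prioritized list a report for step 5 would start from.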
Threat intelligence use cases for security teams
Threat intelligence data is used in various ways, including the following:
- Security operations. Security operations centers (SOCs) and cybersecurity experts use threat intelligence data to identify, analyze and mitigate cyberattacks.
- Incident response. Security information and event management teams use threat intelligence to identify, contain and neutralize attacks.
- Threat hunting. Security teams also use this data to pursue potential threat actors.
- Vulnerability identification. Threat intelligence helps SOC teams pinpoint vulnerabilities and weaknesses in security infrastructure.
- Intrusion detection. Data gathered by intrusion detection and intrusion prevention systems is important threat intelligence that can identify threat actors and threat vectors.
- User activity monitoring. Threat intelligence informs the monitoring of endpoint activity for indicators of remote user and insider threats.
- Risk analyses. Threat intelligence can contribute to ongoing risk analyses of business and financial operations.
- Malware analysis. Threat intelligence identifies cybersecurity threat actors and malware sources before they attack.
- Security management. Armed with up-to-date threat intelligence, security team leaders can more easily identify and address threats.
Who benefits from threat intelligence?
Various IT and security professionals use threat intelligence data:
- Chief information security officers. CISOs get current, accurate intelligence on which to base decisions and communicate with other senior management about security issues.
- SOC teams. These frontline employees dealing with cyberthreats need threat intelligence to identify and plan responses to attacks.
- Incident responders. As part of SOC teams, computer security incident response teams and other incident responders need threat intelligence when responding to an attack.
- Security analysts. Threat data from various feeds and systems is necessary for analysts charged with providing accurate and actionable recommendations for a specific threat.
- Senior corporate leadership. Threat intelligence data is an essential resource to help C-level leaders understand security issues and incidents, and explain them to stakeholders, regulators and the media.
Threat intelligence tool features to look for
Numerous tools help organizations collect data and apply threat intelligence in their security operations. Cloud-based, standalone and open source systems are available. Threat intelligence services also provide organizations with information related to potential attack sources relevant to their businesses; some also offer consultation services. In evaluating available tools and services, the following cyber-risk management capabilities are worth looking for:
- Threat intelligence and data feeds. Tools should gather threat data from various sources and provide ways to distribute it to the right people; the more feeds the systems can access, the better.
- Automated data collection and analysis. Automation of data collection and analysis functions saves time and makes SOC teams more efficient.
- Data triage. As data is collected, it must be normalized and put into the proper context for subsequent analysis.
- Real-time monitoring. This is a primary function of most security management systems; data from these systems can be fed to a threat intelligence system for further analysis.
- Alerts and reports. Output from threat intelligence systems includes alerts of specific events, as well as templated and custom reports on what has occurred. Systems should generate printed reports, and dashboards should display real-time event data.
- SOC integration. The threat intelligence system should connect to other security systems for intelligence gathering, analysis and data sharing.
- Artificial intelligence, machine learning and predictive modeling. These technologies enhance threat intelligence capabilities, providing better predictive analysis and modeling, behavior analyses, and other important functions.
Threat intelligence vendors and tools
Examples of threat intelligence vendors and tools include Bitdefender, CrowdStrike, Recorded Future Fusion, SolarWinds and ThreatConnect, according to the EC-Council, an organization that provides IT security certification and training programs.