Threat Intelligence • April 11, 2021
Cybersecurity challenges, such as security breaches, data theft, and malware attacks, are becoming increasingly frequent all over the world. More and more organizations are realizing that reactively addressing these issues is not an effective security strategy. Instead, they are taking more proactive steps by investing in threat detection technologies and building robust Security Operations Centers (SOCs). They are also instituting threat intelligence programs to identify and prevent cyberattacks before they happen, as part of a broader effort to minimize damage.
There are three critical questions that we must ask:
This guide will address these.
Before we dive into the details, though, there are a few key things to keep in mind. First, threat intelligence is not developed in a linear, end-to-end process, but in a circular and continuous process known as the Intelligence Cycle. Second, although the idea of threat intelligence can provide a sense of comfort and safety, intelligence alone is not enough. Organizations also need to implement the right defense technologies and threat intelligence tools to protect their operations, data, customers and workforce.
According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Threat intelligence is contextual information that enables organizations to take proactive actions that can prevent, or at least mitigate, cyberattacks. Threat intelligence is about data: data about potential attackers, their intents, motivations and capabilities, and about possible Indicators of Compromise (IoCs). This information helps organizations make faster, better-informed security decisions, and thus be better prepared for cyber threats.
With threat intelligence, organizations can leverage key data about threat actors and threat vectors to understand them better, tailor their defense strategies, and prevent attacks before they happen. They can also respond faster to the security incidents that do occur. This is one reason why the threat intelligence market is expected to grow at a 17.4% CAGR from 2017 to 2025 (Grand View Research), potentially earning revenues of a whopping $12.6 billion in 2025.
In addition to threats from devious cybercriminals, organizations also face other challenges that weaken their security postures, such as a shortage of skilled cybersecurity professionals and an overwhelming volume of data. This is a dangerous combination because it widens the gap between what needs to be addressed and what can be addressed, often leading to situations where serious threats go unnoticed while security teams waste time chasing issues that should have been ignored. For instance, most SOC teams can only investigate 56% of alerts, while only 34% of those are deemed legitimate, and it’s estimated that security analysts spend around 25% of their time investigating and chasing false positives (Ponemon Institute). These factors all waste time and resources, and reduce the overall impact of cybersecurity programs.
A cyber threat intelligence solution can effectively address these issues and strengthen organizations’ security postures by:
Threat intelligence is timely, contextual and actionable. These qualities are valuable both for decision-makers – who must often make vital decisions quickly – and for protecting the organization from threats.
Threat intelligence benefits everyone in security:
On a broader level, threat intelligence is also crucial for executive leadership, empowering them to understand the enterprise’s cyber risks, and helping them to make data-driven decisions to mitigate the impact of those risks.
In short, threat intelligence benefits everyone!
As mentioned earlier, the process of gathering, analyzing, prioritizing and utilizing threat intel is not a linear (or one-time) process, but part of an ongoing lifecycle. Thus, an effective intelligence program, particularly one that uses Machine Learning (ML), is iterative – learning, adapting and refining over time to strengthen the organization’s security posture. It enables security teams to optimize their resources and maximize the value of the information they receive. The threat intelligence lifecycle includes the following six phases:
This first stage is critical, because it is where the security team sets the program’s objectives, aligns those objectives with the organization’s core values, and forecasts the potential impact of future decisions based on this intelligence. The team also tries to learn more about likely threat actors and the size of the attack surface, and considers how it can shore up its defenses.
Based on the requirements and objectives identified in the first stage, the team collects relevant threat data. This may include IoCs (such as malicious IP addresses, URLs and domain names, email addresses, registry keys, and file hashes), exposed sensitive information (such as PII), or raw or shared code.
They may look in various places and at multiple sources to gather this data, including:
Simply gathering data is not enough. It also needs to be sorted, organized and filtered to support further analysis. At this stage, metadata tags are added, while redundant, irrelevant and unreliable information is removed. Teams may also organize data into spreadsheets, decrypt encrypted files, and translate information from foreign sources.
Manually doing all these tasks for thousands or even millions of data points is time-consuming and error-prone, which is why automation is useful. Security Information and Event Management (SIEM) solutions provide correlation rules that simplify data structuring. However, they are limited in the number of data types they can ingest, so a robust threat intelligence tool is also required. ML- and NLP-based threat intelligence platforms can structure data into entities, structure text from sources in different languages, classify events and alerts, and generate accurate predictive models. All of these capabilities augment the organization’s threat intelligence program. Software and programs such as OSSIM, Splunk and Kibana are useful for this.
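The processing stage described above (normalizing, tagging, de-duplicating and filtering unreliable indicators) and the later alert-triage use case are easier to picture with a small worked example. The following Python script is an added illustration, not code from the original article or from any vendor platform it mentions. The feed entries, source reliability values, log lines and the hash are all constructed for the example: the `.test` domain and the 203.0.113.0/24 and 198.51.100.0/24 address ranges are reserved for documentation, and the "vendor_a"/"osint_blog" source names are placeholders.

```python
import re

# Constructed sample feed entries (not real indicators): mixed case, defanged
# values, duplicates across sources, junk, and a low-reliability source.
FAKE_HASH = "0123456789abcdef" * 4  # placeholder SHA-256, not a real file hash
RAW_FEED = [
    {"indicator": "hxxp://Bad-Example[.]test/payload.exe", "source": "vendor_a", "confidence": 90},
    {"indicator": "bad-example.test", "source": "osint_blog", "confidence": 40},
    {"indicator": "BAD-EXAMPLE.TEST", "source": "vendor_b", "confidence": 80},
    {"indicator": "203.0.113[.]45", "source": "vendor_a", "confidence": 85},
    {"indicator": "203.0.113.45", "source": "vendor_b", "confidence": 70},
    {"indicator": "not an indicator", "source": "osint_blog", "confidence": 95},
    {"indicator": FAKE_HASH, "source": "vendor_a", "confidence": 60},
    {"indicator": "198.51.100.7", "source": "unverified_paste", "confidence": 99},
]

# Reliability the team assigns to each source (assumed values for the example).
SOURCE_RELIABILITY = {"vendor_a": 0.9, "vendor_b": 0.8, "osint_blog": 0.5, "unverified_paste": 0.2}

# Indicator types this example recognises.
PATTERNS = {
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$"),
}


def refang(value):
    """Undo common defanging ("hxxp://", "[.]"), lower-case, and reduce a URL to its host."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^(?:hxxps?|https?)://", "", v)
    return v.split("/")[0]


def classify(value):
    """Return the indicator type of a normalised value, or None if it is not one."""
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def process_feed(entries, min_score=0.5):
    """Normalise, validate, de-duplicate and score raw feed entries.

    score = source reliability x feed confidence / 100. An indicator reported by
    several sources keeps its best score and is tagged with every source, so an
    analyst can see corroboration at a glance."""
    merged = {}
    for entry in entries:
        value = refang(entry["indicator"])
        kind = classify(value)
        if kind is None:
            continue  # unparsable junk is dropped rather than stored
        score = SOURCE_RELIABILITY.get(entry["source"], 0.0) * entry["confidence"] / 100
        record = merged.setdefault(value, {"type": kind, "score": 0.0, "sources": set()})
        record["score"] = max(record["score"], score)
        record["sources"].add(entry["source"])
    # Keep only indicators that clear the reliability bar.
    return {v: r for v, r in merged.items() if r["score"] >= min_score}


# Constructed proxy, DNS and EDR log lines for the matching step.
SAMPLE_LOGS = [
    "2021-04-11T10:02:13Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://bad-example.test/payload.exe",
    "2021-04-11T10:02:14Z dns client=10.0.0.12 query=cdn.example.org",
    "2021-04-11T10:05:41Z proxy src=10.0.0.19 dst=198.51.100.7 url=http://198.51.100.7/",
    "2021-04-11T10:07:03Z edr host=ws-19 sha256=" + FAKE_HASH,
]

TOKEN = re.compile(r"[A-Za-z0-9.\-\[\]:/]+")


def triage(log_lines, iocs):
    """Return (line, indicator, score) for every log line that hits a vetted IoC,
    highest-scoring first, so the most reliable hits reach an analyst first."""
    hits = []
    for line in log_lines:
        matched = {refang(t) for t in TOKEN.findall(line)} & set(iocs)
        for value in matched:
            hits.append((line, value, iocs[value]["score"]))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    vetted = process_feed(RAW_FEED)
    for value, rec in vetted.items():
        print(f"{rec['type']:7} {value} score={rec['score']:.2f} sources={sorted(rec['sources'])}")
    for line, value, score in triage(SAMPLE_LOGS, vetted):
        print(f"HIT {score:.2f} {value} <- {line}")
```

Two details carry the weight here: scoring by source reliability means the high-confidence entry from the unverified paste never reaches the match set, while the domain seen by three sources is tagged with all of them; and matching on refanged, normalized tokens means a proxy log that records a full URL still hits a domain indicator. The same filter is what keeps the triage list short enough to act on.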
Once data is processed, it needs to be analyzed. The primary goals here are to understand the data, check to see if it satisfies the requirements and objectives identified in the first phase, and search for potential security issues. The security team converts the data into a format the audience (e.g. senior executives) can understand. This may be a simple threat list, a concise presentation deck, or a comprehensive report. The team also identifies the key action items and provides relevant recommendations to prevent or mitigate threats.
The results of the analysis are presented to the relevant stakeholders. To maintain continuity between one threat intelligence cycle and the next, every piece of intelligence must be tracked. A ticketing system that can be accessed by multiple people is very useful in this regard.
Once the report is presented, stakeholder feedback is solicited to determine whether adjustments are required to objectives, requirements, report schedules, threat intelligence operations and procedures, and/or priorities.
Key stakeholders/audience: Senior/C-suite managers (CISO, CTO, etc.), company boards. What it does: Strategic threat intelligence provides a bird’s-eye view of the organization’s threat landscape, including risks, trends and threat actor motives. Since the audience consists of senior executives and other key decision-makers, this intelligence is less technical. It usually requires massive amounts of research, so a solution that automates data collection and processing can be very helpful.
Key stakeholders/audience: SOC analysts, system architects, SIEMs, firewalls, endpoints. What it does: Tactical threat intelligence includes contextual information about TTPs and targeted vulnerabilities. It enables security teams to better understand threat vectors, and how the organization can prevent or mitigate potential attacks. Teams can also leverage this information to strengthen existing security controls and accelerate incident response.
Instead of focusing only on basic threat intelligence use cases (e.g., incident response and the integration of threat intelligence feeds with existing firewalls and SIEMs), organizations should ideally leverage it for other use cases as well. These include:
Since threat intelligence is contextual, it strengthens risk models so the organization can better define risk measurements, and understand their assumptions, variables, and outcomes. It also helps develop a better handle on threat actors, frequency of attacks, and exploitable vulnerabilities.
Due to large alert volumes, manually triaging alerts is a time-consuming and complex process, often leading to “alert fatigue”. Threat intel makes it easier for security teams to filter alarms, triage alerts, and analyze incidents.
By effectively leveraging threat intelligence tools, security teams can identify the vulnerabilities that pose the biggest risks to the organization. They can thus identify genuine threats earlier, before they cause significant damage.
Threat intelligence can help prevent data compromise (e.g. leaked credentials) and payment fraud. It also raises alerts on phishing and typosquatting domains that cybercriminals often use to illegally impersonate brands and defraud users.
Threat intel is more than short-term information. It also enables organizations to better understand the long-term threat landscape, assess business risks, identify mitigation strategies, and make better investment decisions to strengthen their security.
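The brand-protection use case above mentions alerting on typosquatting domains. As an added example, not code from the article or from any platform it describes, the Python script below screens a list of newly observed domains against protected brand names using three checks that real brand-monitoring tools combine: the brand embedded in a longer label, look-alike character substitution (homoglyphs), and a one-edit distance that also counts swapped adjacent letters. The brand names, legitimate domains, candidate domains and homoglyph table are all constructed for the example (`.test` is a reserved TLD), and the single-label public suffix assumption is a simplification a real tool would replace with the Public Suffix List.

```python
# Brands the organisation protects and the domains it legitimately owns
# (constructed for the example).
BRANDS = ["example", "acme"]
LEGITIMATE_DOMAINS = {"example.test", "acme.test"}

# Newly observed domains to screen, e.g. from certificate transparency or
# passive DNS (constructed for the example).
NEW_DOMAINS = [
    "examp1e.test", "exampel.test", "login-example.test", "example.test",
    "acrne.test", "weather.test", "exarnple.test", "acme.test",
]

# Look-alike substitutions often used in brand impersonation (small illustrative set).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def fold_homoglyphs(label):
    """Replace look-alike characters with the letters they imitate."""
    for lookalike, plain in HOMOGLYPHS.items():
        label = label.replace(lookalike, plain)
    return label


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and swapping two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def registrable_label(domain):
    """Second-level label ('examp1e' for 'login.examp1e.test'). Assumes a
    single-label public suffix; a real tool would consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def impersonation_reason(label, brand):
    """Why the label looks like the brand, or None. Checks run from most to least specific."""
    if label == brand:
        return None
    if brand in label:
        return "brand-embedded"   # login-example, secure-example-portal
    if fold_homoglyphs(label) == brand:
        return "homoglyph"        # examp1e, exarnple
    if len(brand) >= 5 and edit_distance(label, brand) <= 1:
        return "near-miss"        # exampel, exmaple, examplle (short brands skipped: too noisy)
    return None


def flag_typosquats(domains, brands=BRANDS, legitimate=LEGITIMATE_DOMAINS):
    """Return (domain, brand, reason) for each domain that resembles a protected brand."""
    findings = []
    for domain in domains:
        if domain.lower() in legitimate:
            continue  # the brand's own domains are never flagged
        label = registrable_label(domain)
        for brand in brands:
            reason = impersonation_reason(label, brand)
            if reason:
                findings.append((domain, brand, reason))
                break
    return findings


if __name__ == "__main__":
    for domain, brand, reason in flag_typosquats(NEW_DOMAINS):
        print(f"{domain:22} impersonates {brand:8} ({reason})")
```

The near-miss check is deliberately gated on brand length: a one-edit neighbour of a four-letter brand is very often an unrelated real word, which is exactly the kind of false positive that feeds the alert fatigue discussed earlier. In a production workflow the flagged domains would be enriched further (registration date, hosting, whether a certificate was issued) before an alert reaches an analyst.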
Evolve’s automated threat intelligence platform enables organizations to implement proactive protection, take data-driven decisions, and get maximum value from their intelligence investment.
From spam and phishing intelligence, to intelligence about TOR, open proxy, ransomware, and more, Evolve is a cutting-edge threat intelligence tool for transparent and comprehensive investigations. Evolve seamlessly collects “global” threat sources and integrates threat intelligence feeds into its workflows and internal security solutions. This empowers organizations to stay on top of the latest attacks to proactively prevent them from damaging their systems, devices or data. For more information about this powerful threat intelligence platform, click here.