Cybersecurity challenges, such as security breaches, data thefts, and malware attacks, are becoming increasingly more frequent all over the world. More and more organizations are realizing that reactively addressing these issues is not an effective security strategy. Instead, they are taking more proactive steps by investing in threat detection technologies and building robust Security Operations Centers (SOC). They are also instituting threat intelligence programs to identify and prevent cyberattacks before they happen, in greater efforts to minimize damage.
There are three critical questions that we must ask:
- What is cybersecurity threat intelligence?
- What are the main types of threat intelligence?
- What is the threat intelligence lifecycle?
This guide will address these.
Before we dive into the details, though, there are a few key things to keep in mind. First, the development of threat intelligence is not a linear, end-to-end process, but a circular and continuous process known as the Intelligence Cycle. Further, although the idea of threat intelligence can provide a sense of comfort and safety, intelligence alone is not enough. Organizations also need to implement the right defense technologies and threat intelligence tools to protect their operations, data, customers and workforce.
What is Threat Intelligence?
According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Threat intelligence is contextual information that enables organizations to take proactive actions that can prevent, or at least mitigate, cyber attacks.
Threat intelligence is about data: about potential attackers, their intents, motivations and capabilities, and about possible Indicators of Compromise (IoC). This information can help organizations make faster, more informed security decisions, and thus be better prepared for cyber threats.
Why is Threat Intelligence Important and Who Does It Benefit?
With threat intelligence, organizations can leverage key data about threat actors and threat vectors to understand them better, tailor their defense strategies, and prevent attacks before they happen. They can also respond faster to security incidents that do happen. This is one reason why the threat intelligence market is expected to grow at 17.4% CAGR from 2017 to 2025 (Grand View Research), potentially earning revenues of a whopping $12.6 billion in 2025.
In addition to threats from devious cybercriminals, organizations also face other challenges that weaken their security postures, such as a shortage of skilled cybersecurity professionals and an overload of data. This is a dangerous combination because it creates a larger gap between what needs to be addressed and what can be addressed, often leading to situations where serious threats go unnoticed while analysts waste time chasing issues that should have been ignored. For instance, most SOC teams can only investigate 56% of alerts, while only 34% of those are deemed legitimate, and it’s estimated that security analysts spend around 25% of their time investigating and chasing false positives (Ponemon Institute). These factors all waste time and resources, and reduce the overall impact of cybersecurity programs.
A cyber threat intelligence solution can effectively address these issues and strengthen organizations’ security postures by:
- Revealing the vital “triad” of actors, intent and capability, as well as their motivations and their tactics, techniques and procedures (TTPs)
- Helping them understand the relevant actions that can be taken to neutralize them
- Revealing previously unknown threats, promoting proactive decision-making
- Integrating disparate bits of data to provide timely warnings and actionable information
Threat intelligence is timely, contextual and actionable, which are valuable benefits for both the decision-makers – who must often make vital decisions quickly – and for protecting the organization from threats.
Threat intelligence benefits everyone in security:
- Security Analysts: It boosts the organization’s cyber defense capabilities.
- Intelligence Analysts: It helps uncover threat actors, and helps make more accurate predictions to prevent the misuse or theft of information assets.
- Computer Security Incident Response Team (CSIRT): It speeds up incident investigations, analyses and remediations.
- SOC: It provides a “single pane of glass” solution to strengthen internal alerts and enable better incident prioritization.
- Vulnerability Management: It leverages key insights and context to prioritize vulnerabilities.
On a broader level, threat intelligence is also crucial for executive leadership, empowering them to understand the enterprise’s cyber risks, and helping them to make data-driven decisions to mitigate the impact of those risks.
In short, threat intelligence benefits everyone!
The Threat Intelligence Lifecycle
As mentioned earlier, the process of gathering, analyzing, prioritizing and utilizing threat intel is not a linear (or one-time) process, but part of an ongoing lifecycle. Thus, an effective intelligence program, particularly one that uses Machine Learning (ML), is iterative – learning, adapting and refining over time to strengthen the organization’s security paradigm. It enables security teams to optimize their resources and maximize the value of the information they receive. The threat intelligence lifecycle includes the following six phases:
Requirements Gathering and Planning
This first stage is critical, because it is where the security teams set the program’s objectives, align these objectives with the organization’s core values, and forecast the potential impact of future decisions based on this intelligence. They try to uncover more information about possible threat actors, the size of the attack surface, and consider how they can shore up their defenses.
Data Collection
Based on the requirements and objectives identified in the first stage, the team collects relevant threat data. This may include IoCs (like malicious IP addresses, URLs and domain names, email addresses, registry keys, and file hashes), exposed sensitive information (like leaked PII), or raw or shared code.
They may look in various places and at multiple sources to gather this data, including:
- Network event logs
- Traffic logs
- Records of past incident responses
- Technical sources
- Open web
- Dark web
- Social media
- Paste sites (e.g. Pastebin)
- Industry thought leaders
- Subject matter experts
Data Processing
Simply gathering data is not enough. It also needs to be sorted, organized and filtered to support further analysis. At this stage, metadata tags are added, while redundant, irrelevant and unreliable information is removed. Teams may also organize data into spreadsheets, decrypt encrypted files, and translate information from foreign sources.
Manually doing all these tasks for thousands or even millions of data points is time-consuming and error-prone, which is why automation is useful. Security Information and Event Management (SIEM) solutions provide correlation rules to simplify data structuring. However, they are limited in the number of data types they can ingest, so a robust threat intelligence tool is required. ML- and NLP-based threat intelligence platforms can structure data into entities, structure text from sources in different languages, classify events and alerts, and generate accurate predictive models. All these advantages augment the organization’s threat intelligence program. Software such as OSSIM, Splunk and Kibana is useful for this.
Analysis
Once data is processed, it needs to be analyzed. The primary goals here are to understand the data, check to see if it satisfies the requirements and objectives identified in the first phase, and search for potential security issues.
The security team converts the data into a format the audience (e.g. senior executives) can understand. This may be a simple threat list, a concise presentation deck, or a comprehensive report. The team also identifies the key action items and provides relevant recommendations to prevent or mitigate threats.
Dissemination
The results of the analysis are presented to the relevant stakeholders. To maintain continuity between one threat intelligence cycle and the next, every piece of intelligence must be tracked. A ticketing system that can be accessed by multiple people is very useful in this regard.
Feedback and Adjustments
Once the report is presented, stakeholder feedback is solicited to determine whether adjustments are required to objectives, requirements, report schedules, threat intelligence operations and procedures, and/or priorities.
The Three Key Types of Threat Intelligence
By itself, “threat intelligence” is a fairly vague term. That’s why it’s useful to break it down into its three main types. Each type serves a different purpose and is aimed at a specific audience (though with some possible overlaps).
Strategic Threat Intelligence
Key stakeholders/audience: Senior/C-Suite managers (CISO, CTO, etc.), Company Boards.
What it does: It provides a bird’s eye view of the organization’s threat landscape, including risks, trends and threat actor motives. Since the audience consists of senior executives and other key decision-makers, this intelligence is less technical. It usually requires massive amounts of research, so a solution that automates data collection and processing can be very helpful.
Operational (Technical) Threat Intelligence
Key stakeholders/audience: Threat hunters, CSIRT, SOC analysts, vulnerability management teams.
What it does: Operational threat intelligence focuses on understanding important operational aspects, including cyber attacks and threat actor capabilities, infrastructure and TTPs. It often includes technical information from threat intelligence feeds that enables security teams to optimize cybersecurity operations through more targeted and prioritized actions.
Machine Learning-based solutions that automate data collection can simplify operations and increase the efficacy of the threat intelligence program.
Tactical Threat Intelligence
Key stakeholders/audience: SOC analysts, system architects, SIEMs, firewalls, endpoints.
What it does: Tactical threat intelligence includes contextual information about TTPs and targeted vulnerabilities. It enables security teams to better understand threat vectors, and how the organization can prevent or mitigate potential attacks. Teams can also leverage this information to strengthen existing security controls and accelerate incident response.
Threat Intelligence Use Cases
Instead of focusing on only basic threat intelligence use cases (e.g., incident response and the integration of threat intelligence feeds with existing firewalls and SIEMs), organizations should ideally leverage it for other use cases as well. These include:
Risk analysis
Since threat intelligence is contextual, it strengthens risk models so the organization can better define risk measurements, and understand their assumptions, variables, and outcomes. It also helps develop a better handle on threat actors, frequency of attacks, and exploitable vulnerabilities.
Security operations and triage
Due to large alert volumes, manually triaging alerts is a time-consuming and complex process, often leading to “alert fatigue”. Threat intel makes it easier for security teams to filter alarms, triage alerts, and analyze incidents.
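The processing stage described earlier (normalising indicators, dropping unreliable entries, merging duplicates and tagging them with metadata) and the alert triage use case above, as one added example that is not part of the original guide. The feed entries, source names, confidence scores and log lines are all constructed for the example; the addresses are documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample feed: (raw indicator, type, source, confidence 0-100).
# Every value is made up for this example; the IPs are documentation ranges.
RAW_FEED = [
    ("198.51.100[.]23", "ipv4", "vendor-a", 90),
    ("198.51.100.23", "ipv4", "vendor-b", 70),   # same IP, defanged differently
    ("hxxp://evil-example[.]test/login", "url", "osint", 85),
    ("EVIL-EXAMPLE.test", "domain", "osint", 60),
    ("203.0.113.250", "ipv4", "paste-site", 10),  # low confidence: dropped
    ("0123456789abcdef0123456789abcdef", "md5", "vendor-a", 50),
]
# Constructed log lines a SOC might triage against the processed feed.
LOG_LINES = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 url=http://evil-example.test/login",
    "2024-01-01T10:00:05Z dns query=evil-example.test client=10.0.0.5",
    "2024-01-01T10:00:07Z fw allow 10.0.0.5 -> 198.51.100.23:443",
    "2024-01-01T10:01:00Z fw allow 10.0.0.9 -> 203.0.113.7:443",
]

def refang(value):
    """Undo common defanging (hxxp, [.]) and lower-case so duplicates collapse."""
    return value.strip().lower().replace("hxxp", "http").replace("[.]", ".")

def process_feed(entries, min_confidence=30):
    """Normalise, drop low-confidence entries and merge duplicates, keeping the
    highest confidence seen and every source that reported the indicator."""
    merged = {}
    for raw, ioc_type, source, confidence in entries:
        if confidence < min_confidence:
            continue
        value = refang(raw)
        if ioc_type == "ipv4":
            ipaddress.ip_address(value)  # raises ValueError on a malformed address
        rec = merged.setdefault(value, {"type": ioc_type, "confidence": 0, "sources": set()})
        rec["confidence"] = max(rec["confidence"], confidence)
        rec["sources"].add(source)
    return merged
TOKEN = re.compile(r"[a-z0-9.\-:/]+")

def triage(log_lines, indicators):
    """Map each log line to the indicators found in it; lines with no match are
    omitted so analysts can focus on events that have intelligence context."""
    hits = defaultdict(list)
    for line in log_lines:
        for token in TOKEN.findall(line.lower()):
            host, sep, port = token.rpartition(":")   # strip a trailing :port
            for candidate in (token, host if sep and port.isdigit() else None):
                if candidate in indicators:
                    hits[line].append(candidate)
    return dict(hits)
```

Running `triage(LOG_LINES, process_feed(RAW_FEED))` returns only the three lines that touch a known indicator, each tagged with the indicator so the analyst can read off its confidence and reporting sources.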
Vulnerability management
By effectively leveraging threat intelligence tools, security teams can identify the vulnerabilities that pose the biggest risks to the organization, and so identify more of the threats that are real before they can cause significant damage.
Fraud prevention
Threat intelligence can help prevent data compromise (e.g. leaked credentials) and payment fraud. It also raises alerts on phishing and typosquatting domains that cybercriminals often use to impersonate brands and defraud users.
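One way a brand-protection check can surface the typosquatting domains mentioned above, as an added example that is not part of the original guide. The brand names, owned domains and the list of newly observed domains are constructed; the homoglyph table is a small illustrative subset, not a complete one.

```python
# Constructed brands and newly observed domains; none of these are real findings.
BRANDS = ["examplebank", "acmepay"]
OWNED = {"examplebank.com", "acmepay.com"}      # the organisation's legitimate domains
OBSERVED = [
    "examplebank.com",      # legitimate, must not be flagged
    "examp1ebank.com",      # digit 1 in place of letter l
    "exarnplebank.net",     # "rn" in place of "m"
    "exampebank.com",       # one character missing
    "acrnepay-login.com",   # "rn" for "m" plus an extra word
    "weather.example",      # unrelated
]
# Illustrative look-alike substitutions (a subset; real tables are much larger).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def normalise(label):
    """Collapse look-alike substitutions so 'examp1e' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_lookalikes(observed, brands=BRANDS, owned=OWNED, max_distance=1):
    """Return (domain, brand, reason) for every observed domain that imitates a brand."""
    findings = []
    for domain in observed:
        if domain in owned:
            continue
        label = domain.split(".")[0]   # assumes a simple second-level label
        for brand in brands:
            if normalise(label) == brand:
                findings.append((domain, brand, "homoglyph"))
            elif edit_distance(label, brand) <= max_distance:
                findings.append((domain, brand, "typo"))
            elif brand in normalise(label):
                findings.append((domain, brand, "brand-in-label"))
    return findings
```

Each finding carries the reason it was raised, which is the context an analyst needs to decide between a takedown request, a blocklist entry and a false positive.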
Strengthen security posture
Threat Intel is more than short-term information. It also enables organizations to better understand the long-term threat landscape, assess business risks, identify mitigation strategies, and make better investment decisions to strengthen their security.
Evolve: An Automated, Relevant, Contextual Threat Intelligence Tool
Evolve’s automated threat intelligence platform enables organizations to implement proactive protection, take data-driven decisions, and get maximum value from their intelligence investment.
From spam and phishing intelligence, to intelligence about Tor, open proxies, ransomware, and more, Evolve is a cutting-edge threat intelligence tool for transparent and comprehensive investigations. Evolve seamlessly collects data from global threat sources and integrates threat intelligence feeds into its workflows and internal security solutions. This empowers organizations to stay on top of the latest attacks and proactively prevent them from damaging their systems, devices or data.
A Final Word
In our globally expanding threat landscape, cyber threats can have serious repercussions. But with timely, targeted and contextual threat intelligence, enterprises can shore up their defenses, as well as mitigate the risks that could damage their reputation and financial health, keeping them a few steps ahead of clever cybercriminals. The time for reactive security is long gone. Proactive threat intelligence is here to stay.