What Is Threat Intelligence and How Does It Work?
In today's world, digital technologies are at the center of practically every industry. Automation and increased connectivity have altered the world's economic and cultural institutions, but they've also introduced risk in the form of cyberattacks. Threat intelligence is information that enables you to avoid or reduce threats. Threat intelligence is based on facts and gives context — such as who is attacking you, what their motive and skills are, and what indicators of system penetration to look for — to help you make informed security decisions.
"Threat intelligence is evidence-based knowledge about an existing or emerging threat or hazard to assets, including context, mechanisms, indications, implications, and actionable advice. This information can be utilized to help the subject make decisions about how to respond to the threat or hazard." – Gartner, Inc.
Check out the sections of this overview under "The Threat Intelligence Lifecycle" and "The Types of Threat Intelligence" for further information.
Why Is Threat Intelligence Important?
Today's cyber security sector faces various obstacles, including increasingly persistent and sophisticated threat actors, a daily flood of data full of irrelevant information and false alarms from multiple, disconnected security systems, and a severe scarcity of experienced experts.
Some businesses try to incorporate threat data streams into their network but are unsure what to do with all of the extra data, adding to the workload of analysts who may lack the skills to select what to prioritize and what to disregard.
Each of these challenges can be addressed with a cyber threat intelligence system. Machine learning is used in the best solutions to automate data collection and processing, integrate with existing solutions, collect unstructured data from multiple sources, and then connect the dots by providing context on indicators of compromise (IoCs) and threat actors' tactics, techniques, and procedures (TTPs).
Threat intelligence is actionable because it is timely, contextualized, and understandable by those in charge of making decisions.
Who Can Take Advantage of Threat Intelligence?
Everyone! Cyber threat intelligence is commonly assumed to be the realm of elite analysts. In actuality, it offers value to security functions across the board for businesses of all sizes.
When threat intelligence is handled as a separate function within a larger security paradigm rather than an integral component that complements all other functions, many of the people who might benefit the most from it don't have access to it when they need it.
Security operations teams are frequently unable to process all the alerts they receive; threat intelligence integrates with your existing security solutions, automatically prioritizing and filtering alerts and other risks. With access to threat intelligence's external insights and context, vulnerability management teams can more precisely identify the most critical vulnerabilities. Threat intelligence also supports other high-level security processes, such as fraud prevention and risk analysis, with key insights on threat actors and their tactics, techniques, and procedures drawn from data sources across the web.
For a more in-depth look at how threat intelligence can assist every security position, see our section on use cases below.
The Threat Intelligence Lifecycle
Figure: The threat intelligence lifecycle, depicting the steps involved in gathering threat intelligence.
So, where does cyber threat intelligence come from? Cyber threat intelligence is the end product of a six-part cycle of data collection, processing, and analysis; raw data is not the same as intelligence. This is a cycle because new problems and knowledge gaps emerge as intelligence is developed, necessitating the establishment of new collection requirements. A good intelligence program is iterative, meaning it improves over time.
Before you do anything else, you must first establish your use cases and define your objectives in order to optimize the value of the threat intelligence you provide.
1. Planning and Guidance
The appropriate inquiry is the first step toward obtaining actionable threat intelligence.
The questions that best drive the generation of actionable threat intelligence are those that focus on a specific fact, event, or activity – broad, open-ended queries should be avoided in most cases.
Prioritize your intelligence objectives based on how closely they align with your organization's core values, the magnitude of the choice's impact, and the timeliness of the decision.
Understanding who will consume and benefit from the finished product is critical at this stage — will the intelligence go to a team of technical analysts who need a quick report on a new exploit, or to an executive who wants a broad overview of trends to inform their security investment decisions for the next quarter?
2. Collection
The second phase is to collect raw data that meets the first stage's requirements. It's best to gather data from a variety of sources, including internal sources such as network event logs and previous incident response records, as well as external sources such as the open web, the dark web, and technical sources.
Threat data is commonly regarded as a list of IoCs, such as malicious IP addresses, domains, and file hashes, but it can also include vulnerability information, such as customers' personally identifiable information, raw code from paste sites, and text from news sources or social networks.
3. Processing
After you've gathered all of the raw data, you'll need to sort it, categorizing it with metadata tags and filtering out any redundant data or false positives or negatives.
Every day, even modest businesses collect millions of log events and hundreds of thousands of indicators. It's too much for human analysts to process in a timely manner; data gathering and processing must be automated before any sense can be made of it.
SIEMs are an excellent place to start since they make it very simple to structure data using correlation rules that can be set up for a variety of use cases, but they can only handle a limited number of data types.
You'll need a more robust solution if you're collecting unstructured data from a variety of internal and external sources. Machine learning and natural language processing are used by Recorded Future to parse text from millions of unstructured documents across seven languages and classify them using language-independent ontologies and events, allowing analysts to conduct powerful and intuitive searches that go beyond bare keywords and simple correlation rules.
4. Analysis
The next stage is to make sense of the data that has been processed. The purpose of the analysis is to look for potential security vulnerabilities and alert the appropriate teams in a way that meets the intelligence requirements established during the planning and directing stage.
Depending on the initial aims and intended audience, threat intelligence can take numerous forms, but the goal is to get the data into a format that the audience can understand. Examples range from simple threat lists to peer-reviewed papers.
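As an added illustration of the processing and analysis stages above (example code written for this overview, not a Recorded Future or SIEM implementation): it tags and deduplicates a constructed threat feed, drops allowlisted and unparseable entries, then correlates the surviving indicators against constructed log lines and scores each hit by confidence and corroboration. The feed values, log lines and scoring weights are assumptions made for the example.

```python
import ipaddress, re
# Constructed sample threat feed (hypothetical values, not real indicators).
FEED = [
    {"value": "203.0.113.7", "source": "feed-a", "confidence": 80},
    {"value": "203.0.113.7", "source": "feed-b", "confidence": 60},  # duplicate entry
    {"value": "Bad.Example.net", "source": "feed-a", "confidence": 70},
    {"value": "8.8.8.8", "source": "feed-b", "confidence": 90},  # known-good resolver
    {"value": "0123456789abcdef0123456789abcdef", "source": "feed-c", "confidence": 50},
    {"value": "not an indicator", "source": "feed-c", "confidence": 10},  # junk row
]
ALLOWLIST = {"8.8.8.8"}  # internal allowlist of known-benign values (false positives)
LOGS = [  # constructed log lines standing in for internal network events
    "2024-05-01T10:00:01 proxy src=10.0.0.5 dst=203.0.113.7 host=-",
    "2024-05-01T10:00:02 dns client=10.0.0.9 query=bad.example.net",
    "2024-05-01T10:00:03 proxy src=10.0.0.5 dst=198.51.100.4 host=ok.example.org",
]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
TOKEN_RE = re.compile(r"[a-z0-9.:-]+")

def classify(value):
    """Tag an indicator as ip, hash or domain; None if it has no known shape."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        if HASH_RE.match(value):
            return "hash"
        return "domain" if DOMAIN_RE.match(value) else None

def process_feed(feed, allowlist):
    """Processing: normalize, tag, drop junk and allowlisted values, merge duplicates."""
    indicators = {}
    for entry in feed:
        value = entry["value"].strip().lower()
        kind = classify(value)
        if kind and value not in allowlist:
            ind = indicators.setdefault(value, {"type": kind, "confidence": 0, "sources": set()})
            ind["confidence"] = max(ind["confidence"], entry["confidence"])  # keep best score
            ind["sources"].add(entry["source"])  # record which feeds corroborate it
    return indicators

def match_logs(indicators, logs):
    """Analysis: correlate log tokens with indicators and score hits for prioritization."""
    hits = []
    for line in logs:
        for token in indicators.keys() & set(TOKEN_RE.findall(line.lower())):
            ind = indicators[token]
            score = ind["confidence"] + 10 * (len(ind["sources"]) - 1)  # corroboration bonus
            hits.append((score, token, ind["type"], line))
    return sorted(hits, reverse=True)
```

The highest-scoring hits are the ones an analyst would review first; the allowlist is where internal knowledge of false positives feeds back into processing.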
5. Dissemination
After that, the finished product is distributed to the intended customers. To be useful, threat intelligence must reach the right people at the right time.
It also needs to be tracked to ensure that learning is not lost as one intelligence cycle transitions to the next. Use ticketing systems that link with your other security systems to track each step of the intelligence cycle – tickets may be submitted, written up, evaluated, and fulfilled by numerous people from different teams, all in one location, whenever a new intelligence requirement arises.
6. Feedback
The intelligence cycle comes full circle in the last step, which is closely related to the original planning and directing phase. Following receipt of the completed intelligence product, the person who submitted the initial request reviews it to see if their queries were answered. This informs the following intelligence cycle's objectives and procedures, emphasizing the importance of documentation and consistency once more.
The Types of Threat Intelligence
The threat intelligence lifecycle demonstrates how the final result will differ depending on the initial intelligence requirements, information sources, and intended audience. Breaking down threat intelligence into a few categories based on these characteristics can be useful.
Threat intelligence is typically divided into three categories:
Strategic — Trends aimed at a non-technical audience.
Tactical — Outlines of threat actors' tactics, techniques, and procedures for a more technical audience.
Technical — Information about specific attacks and strategies.
Strategic Threat Intelligence
Strategic threat intelligence gives a broad picture of an organization's threat landscape. Its purpose is to inform high-level decisions made by executives and other decision-makers at a company; as a result, the material is often less technical and delivered through reports or briefings. Strategic intelligence should reveal risks associated with specific courses of action, broad patterns in threat actor tactics and targets, and geopolitical events and trends, among other things.
The following are some of the most common sources of information for strategic threat intelligence:
Policy documents from nation-states or non-governmental organizations
Local and national news, industry- and subject-specific publications, and other subject-matter experts
White papers, research reports, and other material produced by security organizations
Asking targeted, detailed questions to determine the intelligence requirements is the first step in producing strong strategic threat intelligence. Analysts with experience outside of traditional cyber security abilities, such as a deep understanding of sociopolitical and corporate principles, are also required.
Despite the fact that the end outcome is non-technical, developing successful strategic intelligence necessitates extensive study into vast amounts of data, frequently in several languages. Even for those rare analysts with the necessary language skills, technological expertise, and tradecraft, this might make manual data collection and processing prohibitively onerous. A threat intelligence solution that automates data gathering and processing can help alleviate this burden and allow analysts with less experience to work more efficiently.
Tactical Threat Intelligence
Threat actors' tactics, techniques, and procedures (TTPs) are described in tactical threat intelligence. It should help defenders understand, in concrete terms, how their organization might be attacked, as well as the best ways to protect against or mitigate those attacks. It is typically used by employees directly involved in an organization's defense, such as system architects, administrators, and security staff, and it frequently incorporates technical context.
Security vendor reports are frequently the most convenient source of tactical threat intelligence. Look for details in reports regarding the attack pathways, tools, and infrastructure that attackers are employing, such as which vulnerabilities are being targeted and which exploits attackers are employing, as well as what methods and tools they are employing to evade or delay discovery.
Tactical threat intelligence should be used to strengthen existing security policies and processes while also accelerating incident response. Because many of the questions tactical intelligence answers are specific to your organization and must be answered quickly — for example, "Is this critical vulnerability, which is being exploited by threat actors targeting my industry, present in my systems?" — having a threat intelligence solution that integrates data from within your own network is critical.
Operational Threat Intelligence
Information about cyberattacks, events, or campaigns is referred to as operational intelligence. It provides specialized information that helps incident response teams determine the nature, intent, and timing of attacks.
This type of intelligence is often known as technical threat intelligence because it frequently includes technical details, such as which attack vector is being used, which vulnerabilities are being exploited, or which command and control domains are in play. Threat data feeds, which usually focus on a single type of signal, such as malware hashes or suspicious URLs, are a common source of technical information.
If technical threat intelligence is strictly defined as information derived from technical sources such as threat data feeds, then technical and operational threat intelligence are better pictured as a Venn diagram with a lot of overlap. Other closed sources of information on individual attacks include the interception of threat group communications, whether through infiltration or by breaking into those channels.