Threat Intelligence

What is Threat Intelligence?

Also known as cyber threat intelligence or simply threat intel, threat intelligence is the body of evidence-based knowledge that can be used to inform organizations of threat actors’ tactics and how to respond.

Cybersecurity professionals use threat intelligence to understand attack methods and to plan their defense and mitigation strategies accordingly. They are also encouraged to reach across geographic, industry, and even competitive boundaries in order to share threat intelligence with other organizations. In the fight against cybercrime, all non-criminal entities can benefit from the threat intelligence gleaned from fellow organizations.

Types of Threat Intelligence

Threat intelligence is divided into different categories based on its purpose. The three main types of threat intelligence include:

  1. Operational Threat Intelligence: Operational threat intelligence, or technical threat intelligence, is designed to prevent future attacks. It comprises the Tactics, Techniques, and Procedures (TTPs) of high-risk attackers and identifies the ways in which they are likely to strike next, which vulnerabilities they will exploit, which vectors they will use (malware, social engineering, insider threats), and which assets they will target.
  2. Tactical Threat Intelligence: Tactical threat intelligence is used in real-time to stop ongoing attacks. Information like file hashes of known ransomware attacks, phishing email subject lines, and other Indicators of Compromise (IoCs) are used by Security Operations Centers (SOCs) to stop attacks in progress and proactively hunt for hidden exploits within the network such as Advanced Persistent Threats (APTs).
  3. Strategic Threat Intelligence: Strategic threat intelligence is information relating to the global threat landscape. This includes high-level trends such as geopolitical trends, popular ransomware threats, or the likelihood of any specific industry or asset being the target of increased attacks. Strategic threat intelligence is used to align non-technical stakeholders like CEOs and Board members to the cybersecurity threats facing their organization.

Steps of the Threat Intelligence Lifecycle

Gathering, understanding, and effectively using threat intelligence requires a multi-step process, especially if the benefit is to be ongoing. However, that process cannot be approached haphazardly. There are five main components to the threat intelligence lifecycle:

  1. Defining the Scope – Does your organization want to focus on tactical threat intelligence, operational threat intelligence, strategic threat intelligence, or a mix of all three? Once this is decided, allocate personnel, budget, and cycles from there. Experience shows that if there are no dedicated resources, any proactive plan (like a threat intelligence program) will inevitably take a lower priority than in-the-moment, reactive measures.
  2. Collection – There are various threat intelligence collection methods. Internally, logs and metadata can be pulled from networks and devices. Externally, there are public threat feeds from industry organizations and vendors, as well as sources like news feeds, blogs, and even forums on the dark web, that can serve as valuable resources.
  3. Processing – Threat intelligence must be analyzed before it can be acted upon, and it must first be processed into the proper form. Processing threat intelligence consists of eliminating irrelevant data, grouping like data sets together, and adding any additional metadata or context that might enrich the data.
  4. Analysis – The analysis phase of threat intelligence is where human and machine techniques are leveraged to determine how to act on the threat data that has been presented. At this phase, things like adversary profiling and threat correlation take place, and decisions are made, such as whether to pursue the threat, block an attack, or allocate more resources to a particular area.
  5. Dissemination – This is an essential step. Without disseminating threat intelligence to other at-risk entities within the community, chances are high that the same tactics will be tried again on another organization—an organization that, if it were properly warned and informed, could have prevented it.
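As an added example, not from the original page, the processing and analysis steps applied to a constructed IoC feed and constructed log events in Python: irrelevant records are dropped, duplicate indicators are normalised and merged, each indicator is enriched with the sources that reported it, and the result is correlated against events. Every hash, subject line, host name and timestamp below is made up for illustration.

```python
import re

# Constructed raw IoC feed (hypothetical values, not real indicators).
# The duplicate hash with different case and the untyped record are deliberate.
RAW_FEED = [
    {"type": "sha256", "value": "a" * 64, "source": "vendor-feed", "note": "ransomware dropper"},
    {"type": "sha256", "value": "A" * 64, "source": "isac-share", "note": "ransomware dropper"},
    {"type": "subject", "value": "Invoice overdue - action required", "source": "isac-share", "note": "phishing"},
    {"type": "", "value": "junk", "source": "forum-scrape", "note": ""},
]

# Constructed sample events, e.g. from a mail gateway and an EDR agent (hypothetical).
EVENTS = [
    '2024-05-01T10:00:00Z mailgw subject="Invoice overdue - action required" from=ext',
    "2024-05-01T10:05:00Z edr sha256=" + "a" * 64 + " host=ws-17 action=exec",
    "2024-05-01T10:06:00Z edr sha256=" + "b" * 64 + " host=ws-18 action=exec",
]

def process(feed):
    """Processing step: drop irrelevant or malformed records, normalise values,
    merge duplicates, and attach context (the set of sources reporting each IoC)."""
    merged = {}
    for ioc in feed:
        if not ioc["type"] or not ioc["value"]:
            continue  # irrelevant record: no indicator type or value
        value = ioc["value"].lower() if ioc["type"] == "sha256" else ioc["value"]
        key = (ioc["type"], value)
        entry = merged.setdefault(key, {"type": ioc["type"], "value": value,
                                        "sources": set(), "note": ioc["note"]})
        entry["sources"].add(ioc["source"])  # enrichment: corroborating sources
    return list(merged.values())

def analyse(iocs, events):
    """Analysis step: correlate processed indicators with events and return the hits,
    each carrying the IoC context so an analyst can decide whether to block or pursue."""
    hits = []
    for event in events:
        for ioc in iocs:
            if ioc["type"] == "sha256":
                m = re.search(r"sha256=([0-9a-fA-F]{64})", event)
                matched = bool(m) and m.group(1).lower() == ioc["value"]
            else:
                matched = ioc["value"] in event
            if matched:
                hits.append({"event": event, "ioc": ioc["value"], "note": ioc["note"],
                             "corroborated_by": len(ioc["sources"])})
    return hits
```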

It is not enough to discover a few vectors of attack once, set your course by them, and assume they will never change. Cybercriminals constantly change Tactics, Techniques, and Procedures (TTPs). A security strategy that gathers and analyzes fresh threat intelligence on a regular basis is a reliable way for organizations to keep ahead of threats.
