Published Date: January 1, 2022
Cyber threat intelligence is the aggregated knowledge and insight that comes from collecting, analyzing and processing information security — or cybersecurity — data to dissect threat actors’ behavior (both passive and active), attack targets and motives in order to facilitate the shift of an organization's cybersecurity stance from reactive to proactive. Threat intelligence allows organizations to make quick, data-driven, real-time security decisions when addressing cyberattacks. This advanced knowledge allows the security team to make preemptive changes before an attack actually crosses the threshold of an organization, essentially creating custom barriers specifically targeted for the suspected attackers.
Reconnaissance is not a new concept to security professionals, as it is the first phase of the cyber kill chain — threat actors scout out organizations before attacking. With cyber threat intelligence, however, security professionals are doing the same — gathering data and turning it into valuable information that allows them to formulate better defenses against cybersecurity threats.
In this article, we’ll dive deeper into the various types of threat intelligence, examine several use cases and discuss the future of cyber threat intelligence.
There are four types of threat intelligence: strategic, tactical, operational and technical. It should be noted that while technical and operational threat intelligence are often treated synonymously, there are differences between the two.
Strategic threat intelligence: Strategic threat intelligence is the assimilation of the broad, overall factors that affect an organization’s threat landscape and the use of that information to refine the organization’s cybersecurity strategy. The goal of strategic threat intelligence is to evaluate what vulnerabilities and risks an organization faces, and which threat actors might pose the biggest risk. It assists with determining high-level patterns, targets and events that could affect an organization’s threat landscape, also taking into account geopolitical factors and cyber trends.
Strategic threat intelligence involves massive amounts of data, often in multiple languages, that then have to be processed into useful information. It requires the knowledge of cybersecurity, the nuances of political situations and global diplomacy, and the business value of the organization. Because the process of collecting and processing threat intelligence can be incredibly time consuming and labor intensive, organizations can often benefit from using a threat intelligence solution capable of automating the collection and processing of data; it then can be used to create an intelligence report, allowing security professionals and analysts to focus more on the application of that strategic threat intelligence.
Tactical threat intelligence: Tactical threat intelligence is the formulation of tactics, techniques and procedures (TTPs) of cyber threat actors. It provides insight on potential attack vectors and allows security professionals to evolve defenses to better withstand those attacks.
Tactical threat intelligence also takes into account any preferred vulnerabilities and common infrastructure a threat actor might use. The goal of tactical threat intelligence is to scout out what the enemy is planning and prepare for it with appropriate security controls and security solutions, especially if you can learn the threat actors’ modes for avoiding or delaying detection. You can then use that information to improve the existing security strategy and assist in making incident management and response more efficient.
Tactical threat intelligence is usually used by those directly involved with the decision making and implementation of the organization’s cybersecurity strategy, such as CISOs, systems administrators, system architects and the security team, as well as security intelligence reports, subject matter experts and various data feeds. However, the organization’s own network data is also crucial to this process, as tactical intelligence will cause organizations across various industries to take different actions best suited for their business.
Operational threat intelligence: Operational threat intelligence is the process of gathering knowledge about specific cyberattacks, threat actors, campaigns and/or events into profiles of threat actors, focusing specifically on answering the five w’s: who, what, when, where and why? These profiles are a culmination of investigating all facets of their involvement, motives and past attack plans in order to predict how they may act in the future.
Operational threat intelligence is very helpful for cybersecurity professionals who are responsible for daily operations. It assists threat monitoring and incident response because it provides a better understanding of what these professionals are looking for and what action to take when they find suspicious events.
Technical threat intelligence: Technical threat intelligence is the process of gathering specific evidence of an attack and then using that information to build a defense against the threat. It looks for known indicators of compromise (IOCs), such as the content of phishing emails, malware samples, fraudulent URLs and reported IP addresses.
Technical threat intelligence ties into operational threat intelligence because profiles of specific attacks can be added to profiles of specific groups, and likewise is most useful to the security team that is actively interacting with the system. This threat intelligence is shared via specific threat data feeds, which are often aligned to a single indicator type, such as fraudulent URLs or malware hashes.
The biggest issue with technical threat intelligence is that it has a very short shelf life. Many times, fraudulent URLs and malicious IPs are gone within days. In order for technical threat intelligence to be most useful, it must be shared quickly and efficiently.

Technical threat intelligence gathers specific indicators of compromise, such as phishing emails, fraudulent URLs and malware samples.
Threat intelligence is important because it allows cybersecurity to stop being reactive and become proactive. But any organization can put threat intelligence to good use. Among other things, it helps security teams:
- Better understand their adversaries.
- Get ahead of threat actors before they cause an incident.
- Respond faster if the threat actor succeeds in breaching the network.
A good threat intelligence solution often incorporates automated data collection and processing, which allows more information to be processed into actionable intelligence in a timely manner. It also applies IOCs and TTPs of threat actors to any appropriate data, integrating that information with the organization’s data to provide a comprehensive threat profile.
All organizations, large and small, have to contend with cyber threats, but the threats they face and the methods of security those organizations use will vary. Threat intelligence is designed to be flexible and meet the distinct needs of each organization.
Vulnerability management: Vulnerability management in the legacy threat environment was built upon the ideal of patching everything as often as possible. Threat intelligence allows the security team to judge what vulnerabilities pose the most risk to the organization, and act accordingly.
The time between a vulnerability being disclosed and a cyber threat actor trying to exploit it has dropped significantly from roughly 45 days in 2010 to just 15 days by 2020. This means that security teams have roughly two weeks to patch a vulnerability or have an incident response plan in place to mitigate damage if the organization is targeted for exploitation.
SecOps: Security operations (SecOps) is enhanced by cyber threat intelligence in several ways. Many security operations centers (SOCs) find themselves inundated with alerts from firewalls and other threat intelligence feeds that have to be triaged and managed. The overload often results in genuine alerts getting lost in the shuffle.
Threat intelligence informs the triaging of alerts and threats faster and filters out false alarms. It can also help analysts recognize patterns that show some actions as benign rather than malicious and move away from using alerts for attacks that are less likely to target their organizations. Threat intelligence can also be used to integrate threat data to flag known attack types such as ransomware and advanced persistent threats.
CSIRT/incident response: Incident response benefits from threat intelligence because it can be used to add real-time context to ongoing incidents. It also uses both internal and external sources of data to bring greater clarity to analysis and assist a computer security incident response team (CSIRT) in determining root causes.
As with security alerts, threat intelligence can also help weed out duplicate reporting and false positives. Teams can spend less time manually pulling data for analysis, speeding up the organization’s incident response time. Bringing together the threat intelligence benefits to both incident response and vulnerability management allows for a stronger security posture.
Risk management: Cyber threat intelligence provides the data necessary to determine the likelihood of an attack and the associated attack actors. Threat intelligence can also be used to inform business decisions regarding the risks and implications associated with threats.
Asking the right questions of your data and applying detailed information to security strategies will build a well-rounded risk profile for various attack types and cyber events. Knowing your risk profile and using threat intelligence to make informed risk management decisions will give your organization a comprehensive cybersecurity policy.
Fraud prevention: Threat intelligence and fraud prevention go hand in hand. Cyber threat actors may try to use your brand or your data to defraud other organizations, which damages your brand and your organization’s reputation.
Cyber analysts can use threat intelligence to build a larger picture of criminal communities and correlate their activities with payment fraud schemes, compromised data and website impersonations (e.g., typosquatting and phishing). This broad view helps cybersecurity professionals determine vulnerabilities and inform business stakeholders about recommended changes or enhancements.
Leadership visibility: Security leadership faces the challenge of keeping organizations safe from increasing threats, while also keeping resource utilization in check. Threat intelligence assists security leadership by narrowing the type of attacks that pose valid threats and the threat actors that present the largest concern. Preventing attacks helps mitigate the organization’s potential risk of lawsuits, fines and brand damage that are often the result of security breaches. In addition, threat intelligence also creates a picture of how industry, technology and geography all play a factor in managing vulnerabilities and risk.

Security operations rely on cyber threat intelligence to triage alerts, respond more quickly to critical threats and filter out false alarms.
The threat intelligence life cycle is a six-stage, iterative cycle that collects raw data and then processes, analyzes and transforms it into actionable intelligence to protect the organization from cyber threats.
1. Planning and prerequisites: The first step in the threat intelligence life cycle is the planning, or prerequisites, phase to define the objectives of the intelligence life cycle iteration. During this phase, the team should identify what goals they wish to achieve, use specific, focused questions to determine the iteration process and ensure that the intelligence objectives are timely and high priority. During this phase, also be sure to keep the intended use of the information and its audience in mind — too broad of a scope or extended iteration process could result in information that is out of date or otherwise unusable.
2. Collection: During the collection phase, raw data is pulled from a variety of sources, including traffic logs, past incident responses, security forums, digital publications or even the dark web. Security professionals should pursue any avenues of pertinent information, whether that is raw code data, lists of IOCs or previously discovered vulnerability data.
3. Processing: Now that all the data has been collected and the intelligence goals are known, the data can be sorted and organized via metadata tags. Any changes that are needed to understand the data, such as decryption or language translation, should also happen at this point. Filter any redundant or skewed data at this time as well so that it doesn’t affect analysis negatively.
Even the smallest organization could end up with millions of data points, making human analysis completely inefficient. For this reason, data collection and processing should be automated and normalized. Automation also ensures a consistency in how data is sorted and tagged. Normalization ensures that intelligence is standardized in the same way to reduce duplications and provide consistency for the tools and teams utilizing the intelligence.
4. Analysis: In this phase, security professionals use processed information to find answers to the questions posed in the planning phase, deciphering the dataset into valuable intelligence and recommendations for the intended audience. Cybersecurity analytics or technical threat intelligence analysis may reveal new IOCs, which would recommend a shift in intrusion detection. Senior management may receive recommendations for prioritizing security investments if strategic threat intelligence analysis shows an increase in attacks in their organization’s specific industry. The form the intelligence takes is not as important as its digestibility and usefulness to the intended stakeholders, so consider a format that makes the data as useful as possible.
5. Dissemination: During this phase, the intended consumers receive the properly analyzed and formatted intelligence. The most important consideration in this step has to do with timing: Threat intelligence is only useful if it’s actionable. In order to be actionable, the threat intelligence must find its way to the right people at the right time.
6. Feedback: After dissemination, the team should elicit feedback from the requestors so that further life cycles can be refined as needed to improve the process. This piece of the life cycle should also be recorded for continuity purposes.

The six-stage threat intelligence life cycle is a roadmap for collecting raw data and then processing, analyzing and transforming it into actionable insights.
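The processing stage (normalizing, tagging and de-duplicating collected data) and the short shelf life of technical indicators can be seen together in a small pipeline. The following is an added example, not code from the original article: the record layout, the feed names and the per-type shelf lives are assumptions, and the sample indicators are constructed from reserved documentation ranges.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed shelf lives per indicator type (illustrative values, not from the article).
TTL = {"ip": timedelta(days=7), "url": timedelta(days=7),
       "domain": timedelta(days=30), "sha256": timedelta(days=365)}

def refang(value):
    """Undo common 'defanging' used when indicators are shared in reports."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip().replace("[.]", "."), flags=re.I)

def classify(value):
    """Return (type, canonical_value), or None if the value is not a usable IOC."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return "sha256", v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", v, flags=re.I)
    if m:  # scheme and host are case-insensitive, the path is not
        return "url", f"{m.group(1).lower()}://{m.group(2).lower()}{m.group(3)}"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", v.lower()):
        return "domain", v.lower()
    return None

def process(records, now):
    """Normalize, tag, de-duplicate and age out raw feed records."""
    merged = {}
    for rec in records:
        kind = classify(rec["value"])
        if kind is None:
            continue  # unparseable entries are filtered out before analysis
        seen = datetime.fromisoformat(rec["last_seen"])
        if now - seen > TTL[kind[0]]:
            continue  # indicator is past its assumed shelf life
        entry = merged.setdefault(kind, {"type": kind[0], "value": kind[1],
                                         "sources": set(), "last_seen": seen})
        entry["sources"].add(rec["source"])
        entry["last_seen"] = max(entry["last_seen"], seen)
    return sorted(merged.values(), key=lambda e: (e["type"], e["value"]))

# Constructed sample records from two hypothetical feeds.
SAMPLE = [
    {"source": "feed-a", "value": "hxxp://Login.Example[.]com/verify", "last_seen": "2022-01-09T00:00:00+00:00"},
    {"source": "feed-b", "value": "http://login.example.com/verify", "last_seen": "2022-01-10T00:00:00+00:00"},
    {"source": "feed-a", "value": "192.0.2[.]10", "last_seen": "2021-12-01T00:00:00+00:00"},
    {"source": "feed-b", "value": "203.0.113.5", "last_seen": "2022-01-08T00:00:00+00:00"},
    {"source": "feed-b", "value": "A" * 64, "last_seen": "2021-06-01T00:00:00+00:00"},
    {"source": "feed-a", "value": "not an indicator", "last_seen": "2022-01-10T00:00:00+00:00"},
]
NOW = datetime(2022, 1, 11, tzinfo=timezone.utc)
```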
A cyber threat intelligence analyst is a specialized security professional who collects, monitors and analyzes cyber threat data in order to generate actionable intelligence used in threat hunting activities. These analysts triage security incidents and events and manage various threat intelligence sources. They also study various attacks — including the threat actors’ methodology, motive and intended targets — to provide key information to decision makers so they can make more efficient, high-quality security decisions and remediate threats.
Machine learning is essential for automating data collection, raw data processing and making each analysis more efficient. The sheer volume of data is overwhelming, and it would be nearly impossible for human analysts to create effective threat intelligence within a useful time period.
Most organizations can only comfortably research between 1 and 100 threat indicators weekly, a pace that fails to keep up with a rapidly changing threat landscape or handle terabytes of potential threat data.
To that end, analyzing raw threat data today requires advanced analytics — powered by machine learning — to help security teams efficiently and accurately evaluate and interpret the volume of threat data and turn it into operational cyber threat intelligence.
Cyber threat intelligence is a rapidly growing field. Cyberattacks are becoming more stealthy, destructive and abundant, and security personnel will have to evolve their tactics and techniques to keep organizations safe. In light of enormous volumes of data, which continue to grow exponentially, organizations will need to find a way to refine and manage this information with numerous threat intelligence tools, many of which are powered by security automation.
Intelligence management allows organizations to curate their rising number of internal and external threat sources and prioritize a host of threat intelligence tools, like security information and event management (SIEM), case management, and security orchestration automation and response (SOAR) to reduce mean time to detect (MTTD) and mean time to repair/respond (MTTR).
The Bottom Line: Learning from applied cyber threat knowledge will be key in combating future attacks
To combat rapidly evolving cyber threats well, organizations will need to change how they think about cybersecurity and how to build and configure protections. We need to move away from the idea that technology alone can protect us, and go instead toward applying cyber threat knowledge — learning both from attacks to our own environment and the attacks that have targeted others worldwide.
To build an effective cyber defense, an organization needs to know what threats already exist, and to stay effective, they need to know what new potential threats are on the radar. Knowing and understanding the adversary will be critical to survival. Cyber threat intelligence will be key in helping organizations learn the ways of bad actors and adversaries to combat increasingly sophisticated attack methods and keep their data and businesses safe.