Businesses today use technology to automate processes, stay connected and better serve their customers, no matter what kind of business they actually do. In a sense, every company is now a tech company.
While this acceleration in digital adoption has unlocked new capabilities for businesses, it has also introduced new risks. Cybercriminals are constantly looking for ways to exploit vulnerabilities in systems and applications. And, with the proliferation of connected devices and data, the attack surface has grown exponentially.
The risk that these actors present is large. A successful attack can result in data breaches, financial loss and reputational damage.
To combat these threats, organizations need to have threat intelligence programs in place.
What is cyber threat intelligence?
Threat intelligence is actionable information about current or future cyber threats that can help organizations mitigate or avoid those risks. In other words, it’s information about motives, targets and attack behaviors that security teams can use to proactively defend against attacks.
Threat intelligence can take many different forms, but it often includes data like:
- IP addresses linked to malicious activity
- Websites hosting malware
- Indicators of compromise (IOCs)
- Phishing campaigns targeting a specific organization
- Vulnerabilities being exploited in the wild
This information can be sourced from a variety of places, including threat intelligence platforms, threat feeds and even social media.
What are cyber threats?
A cyber threat is any malicious activity (e.g., malware, a phishing campaign, a DDoS attack) that uses digital means to target systems, networks or devices.
Cyber threats can come from a variety of threat actors, including:
- Organized crime groups
- Terrorist organizations
Cyber threats can have a variety of different objectives, including:
- Stealing data (e.g., customer records, intellectual property)
- Ransomware attacks (i.e., encrypting data and demanding a ransom to decrypt it; many groups now also steal the data first and threaten to publish it)
- Disrupting operations (e.g., DDoS attacks)
Why is threat intelligence important?
Threat intelligence is important because it can help organizations detect, investigate and respond to cyber threats.
Organizations that have threat intelligence programs in place are better equipped to defend themselves against attacks. This is because threat intelligence provides organizations with visibility into the latest threats, vulnerabilities and attacks so that they can take steps to avoid or mitigate them.
In addition, threat intelligence can help organizations understand the motives and methods of specific threat actors. This information can be used to fine-tune security operations and better protect against future attacks from those groups.
Threat intelligence use cases
Threat intelligence can be used for a variety of different use cases, including:
- Vulnerability management – Identifying and prioritizing the vulnerabilities that pose the greatest risk to an organization, for example by weighting those known to be exploited in the wild over those that merely carry a high severity score.
- Incident response – Investigating and responding to security incidents.
- Threat prevention – Blocking attacks before they succeed, for example by feeding known-bad indicators into firewalls, proxies and mail filters.
- Threat detection – Identifying attacks that are in progress or have already occurred.
- Threat hunting – Proactively searching for signs of an attack.
The types of cyber threat intelligence
There are three main types of threat intelligence:
Strategic threat intelligence
Strategic threat intelligence is a bird’s eye view of an organization’s threat landscape. It helps executives and other decision-makers at organizations understand the cyber threats that are most relevant to them. Because strategic intelligence is produced for a non-technical audience, it is typically presented through reports and briefings that discuss broad trends in threat actor behavior.
Common sources of strategic intelligence can include:
- Policy documents
- Whitepapers and reports from security organizations
- News reports
Tactical threat intelligence
Tactical threat intelligence outlines the tactics, techniques and procedures (TTPs) of threat actors. It helps organizations understand, in specific terms, how they might be attacked and the steps they should take to defend themselves.
Tactical intelligence details specific indicators of compromise (IOCs), such as known malicious domain names, IP addresses, URLs and file hashes. It is technical in nature and is used directly by architects, administrators and security staff to improve existing security controls, for instance by loading indicators into a SIEM, firewall or proxy block list.
Organizations can tap into this data by subscribing to free and open source data feeds. Such indicators are perishable, however: attackers rotate infrastructure quickly, feeds contain errors and low-confidence entries, and an organization's own internal addresses occasionally turn up in them. Feed data should therefore be aged out, filtered by confidence and validated before it is allowed to block anything.
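As an added example (not code from this article or from any feed vendor), the following Python script shows one way to consume such a feed: it parses a constructed CSV feed, refangs the indicators, discards stale, low-confidence, malformed and internal-address entries, and then sweeps a few constructed proxy and DNS log lines for hits. The feed columns, the log format, the reference date and every indicator value are assumptions made for the example.

```python
# Added example for this article, not code from the article or any vendor.
# Feed layout, log layout and all indicator values are constructed (RFC 5737
# documentation addresses and .example names), not real intelligence.
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

REFERENCE_DATE = date(2024, 1, 12)  # fixed "today" so the freshness check is repeatable

# Constructed feed, defanged (hxxp, [.]) the way public feeds usually ship.
FEED_CSV = """type,value,first_seen,last_seen,confidence
ipv4,203.0.113.45,2024-01-10,2024-01-12,80
domain,update-cdn[.]example,2024-01-11,2024-01-11,90
url,hxxp://update-cdn[.]example/dl/agent.exe,2024-01-11,2024-01-11,90
ipv4,198.51.100.200,2023-06-01,2023-06-02,85
ipv4,10.0.0.5,2024-01-01,2024-01-12,95
domain,low-conf[.]example,2024-01-12,2024-01-12,15
ipv4,not-an-address,2024-01-12,2024-01-12,99
"""

# Constructed proxy and DNS log lines.
LOG_LINES = [
    "2024-01-12T10:14:03Z proxy src=10.0.0.23 dst=203.0.113.45 url=http://update-cdn.example/dl/agent.exe",
    "2024-01-12T10:15:11Z dns src=10.0.0.24 qname=www.example.com answer=198.51.100.7",
    "2024-01-12T10:16:40Z proxy src=10.0.0.5 dst=198.51.100.200 url=http://old-infra.example/",
    "2024-01-12T10:17:02Z dns src=10.0.0.25 qname=low-conf.example answer=203.0.113.9",
]

DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"']+")
HOST_RE = re.compile(r"(?:qname|host)=([a-z0-9.-]+)")


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to what the logs contain."""
    v = value.strip().lower()
    for bad, good in DEFANG:
        v = v.replace(bad, good)
    return v


def load_feed(csv_text: str, today: date, max_age_days: int = 30,
              min_confidence: int = 50) -> dict[str, set[str]]:
    """Parse the feed into {type: {value}}, dropping what should not reach a block list:
    stale rows (last_seen older than max_age_days), low-confidence rows, IPv4 rows in
    RFC 1918/loopback/link-local space, and rows whose IPv4 value does not parse."""
    keep: dict[str, set[str]] = {"ipv4": set(), "domain": set(), "url": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind not in keep:
            continue
        if today - date.fromisoformat(row["last_seen"]) > timedelta(days=max_age_days):
            continue  # IOCs age quickly; an expired one only generates noise
        if int(row["confidence"]) < min_confidence:
            continue
        value = refang(row["value"])
        if kind == "ipv4":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed row
            if any(ip in net for net in NON_ROUTABLE):
                continue  # an internal address in a public feed is junk, never block it
        keep[kind].add(value)
    return keep


def match_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, str, str]]:
    """Return (line_number, ioc_type, ioc_value) for every feed hit in the logs."""
    hits: list[tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for ip in IPV4_RE.findall(low):
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
        for url in URL_RE.findall(low):
            if url in iocs["url"]:
                hits.append((n, "url", url))
            host = url.split("://", 1)[1].split("/", 1)[0]  # the URL's host may itself be a domain IOC
            if host in iocs["domain"]:
                hits.append((n, "domain", host))
        for host in HOST_RE.findall(low):
            if host in iocs["domain"]:
                hits.append((n, "domain", host))
    return hits


def run_example() -> list[tuple[int, str, str]]:
    # Sweep the constructed logs with the feed as filtered on REFERENCE_DATE.
    return match_logs(LOG_LINES, load_feed(FEED_CSV, today=REFERENCE_DATE))


if __name__ == "__main__":
    for n, kind, value in run_example():
        print(f"line {n}: {kind} hit on {value}")
```

Run as-is, only the first log line produces hits (the IP, the URL and the URL's host). The stale address on line 3, the internal 10.0.0.5 entry and the low-confidence domain on line 4 are filtered out at load time, which is the point: a raw feed dropped straight into a block list would have flagged three of the four lines, two of them wrongly.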
Operational threat intelligence
Operational threat intelligence is knowledge about specific cyber attacks, events or campaigns. It provides the “who,” “why” and “how” of specific threats. It is used to help incident response teams prioritize their response and take immediate action to mitigate the threat.
Because operational intelligence typically includes technical information about specific threats — the attack vector, vulnerabilities being exploited and so on — it is sometimes referred to as technical threat intelligence.
While organizations can gather tactical intelligence by tapping into automated threat intelligence feeds, operational intelligence is produced by human analysts and is consumed by security operations center (SOC) analysts and incident responders.
The threat intelligence lifecycle
The threat intelligence lifecycle is the process used to transform raw data into actionable threat intelligence for use by organizations. It typically follows six steps: direction, collection, processing, analysis, dissemination and feedback.
In the direction phase, organizations determine which threats to focus on. This involves assessing the risk that different threats pose to an organization and prioritizing the most serious ones.
The most actionable threat intelligence answers narrowly scoped questions about specific events, actors or activities. Broad, open-ended requirements are best avoided because they produce intelligence that is hard to act on.
Organizations can use a variety of different methods to determine which threats to focus on, including threat risk assessments, threat prioritization matrices and threat severity ratings.
Threat risk assessments involve assessing the likelihood and impact of a threat happening. This information can be used to create a risk profile for an organization and figure out which threats are most serious.
Threat prioritization matrices are used to compare different threats against each other in order to figure out which ones are most important, and threat severity ratings are used to measure how severe a threat is and determine how much attention it needs.
The collection phase of the threat intelligence lifecycle involves gathering information about threats. This can be done through a variety of different methods, including open-source intelligence (OSINT), network scanning and speaking with subject matter experts.
OSINT is the process of collecting information from publicly available sources. This can include social media, news reports, blogs and websites.
Network scanning is the process of using tools to identify hosts and services on a network. Scanning an organization's own (authorized) assets shows which exposed systems and services match the threats in scope and may be vulnerable to attack.
The processing phase of the threat intelligence lifecycle is all about organizing and analyzing the information that has been collected. This involves sorting through data, identifying patterns and extracting meaning from it.
Organizations can use a variety of different methods to process threat intelligence, including data mining, data analysis and threat modeling.
Data mining is the process of extracting information from large data sets. This can be used to identify patterns and trends in threat data. Data analysis is the process of examining data to draw conclusions from it. This can be used to understand how threat actors operate and what their motivations are.
Threat modeling is the process of identifying potential threats and understanding how they could impact an organization. This information can then be used to create mitigation plans and make decisions about security controls.
In the analysis phase of the threat intelligence lifecycle, data is turned into intelligence. Analysts review the information that was collected and distill it into actionable findings about the threats prioritized in the direction phase.
The dissemination phase is all about sharing intelligence with the people who need it. How the analysis is presented should depend on the audience and its level of technical expertise.
The feedback stage involves getting feedback on the provided report to determine whether adjustments should be made in future threat intelligence priorities. Priorities might change, or the disseminated report might raise new questions that need to be answered in the next report.
The threat intelligence lifecycle is an ongoing process that should be repeated on a regular basis. By following this process, organizations can make sure that they are always aware of the latest threats and have the information they need to protect themselves.
How to get started with threat intelligence
If your organization doesn’t have a threat intelligence program in place, there are a few steps involved to get started.
1. Define your goals
Cyber threat intelligence should support the overall objectives of your security program. Before you start collecting data, take some time to define what you hope to achieve with your threat intelligence program.
2. Identify your stakeholders
Threat intelligence is not just for the security team. It’s important to involve other stakeholders in the process, including IT, legal and even executives. This will help ensure that threat intelligence is used to make decisions across the organization.
3. Choose your tooling
There are a variety of threat intelligence tools and platforms available, so it’s important to choose one that meets your needs. Consider factors like ease of use, integration with other security tools and cost when making your decision.
4. Collect, analyze and share your intelligence
Once you have your tooling in place, you can start collecting, analyzing and disseminating data using the lifecycle detailed above.
Need help getting started?
If you’re not sure where to start with threat intelligence, consider working with a threat intelligence consultant. An experienced consultant can help you assess your needs and build a program that meets your goals.
Sanity Solutions understands that threat intelligence can be overwhelming for organizations without a lot of experience. That’s why we offer a variety of tools and services to help organizations get started. Our threat intelligence consulting service can help organizations assess their needs and build a program that meets their goals. Contact us today for more information.