This blog post will discuss the definition of threat intelligence and different stages of the threat intelligence cycle to help you better understand what happens behind the scenes.
Gartner defines it as “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
What is threat intelligence?
In the simplest terms, threat intelligence is a collection of data about any entities that pose some type of risk to your organisation such as malware and phishing emails. The main goal of threat intelligence is to help an organisation identify emerging threats before they cause damage by collecting information from internal and external sources like threat feeds, threat intelligence sharing communities, and honeypots.
What is cyber threat intelligence?
Cyber threat intelligence is a subcategory of organisational security that focuses on using collected data to help protect an organisation’s IT infrastructure. With cyber threat intelligence, organisations are able to identify the latest methods being used by hackers and adversaries so they can quickly implement strategies for protection. This includes collecting information about malware infections, vulnerabilities in software or hardware, tactics used by adversaries, and planned attacks.
Who is a cyber threat intelligence analyst?
A cyber threat intelligence analyst is a security professional whose main responsibility is to collect, analyse and report about any potential threats facing theirs or their customer organisation. Threat intelligence analysts use a variety of commercial, proprietary and open-source tools that allow them to search for specific data associated with different types of attacks, malware, vulnerabilities etc.
Importance of threat intelligence
Threat intelligence is not just a nice-to-have, but rather it is an essential part of any organisation’s security strategy. With the growing number of cyberattacks and malware infections around the world, cyber threat intelligence can help organisations protect their sensitive data by giving them access to real-time information about threat actors before they become active in their network.
Once threat intelligence is collected and analysed, it can be used to implement security strategies such as:
- Security Awareness Training for employees to assist them in knowing how to identify actions of threat actors and avoid phishing emails including fake online shopping order confirmations.
- Password enforcement policies that require complex passwords or the use of multi-factor authentication. Multi-factor authentication requires a second form of identification when logging in to a network, which makes it difficult for hackers to access personal information.
- Application whitelisting so that only trusted programs are allowed to run on the network. Hackers have been known to exploit vulnerabilities by tricking employees into running malicious software when accessing an infected file-sharing site or email attachment. By controlling what applications can and cannot run, organisations can ensure that their network and data is protected.
How does the threat intelligence lifecycle work?
As the name implies, there is a threat intelligence cycle to collecting threat data that includes five stages. In order for an organisation to be effective at collecting, analysing, and disseminating cyber threat intelligence, it is good to keep a plan in place for each of the stages which are also mentioned below.
Creation
this stage consists of generating data about malware outbreaks or phishing emails for example. This could include anything from creating your own honeypot networks to seeding threat feeds.
In this stage, most threat intelligence starts. A company could collect data about malware outbreaks by creating their own honeypot networks or seeding existing threat data with the information they have collected on their own depending on what type of information they are looking for. This stage could also include tracking down new sources of cyber threat intelligence like blogs or forums that may be discussing malware outbreaks in detail and adding their links to the company’s own internal wiki.
Storage
This stage consists of storing the data so that it can be analysed later to identify larger patterns and trends in malware outbreaks or phishing emails for example. This will help your organisation determine what types of attacks are prevalent at certain times, where they come from, etc.
Depending on what kind of data is being collected, there needs to be a way to store it so that it is accessible easily by the people who need it. For example, if an organisation is collecting data about malware outbreaks and sharing that with other companies through a threat intelligence sharing community like TIE, they will want to store this data in a way that all employees can access it from one central location instead of having everyone keep their own copies on their local computers.
Analysis
This is where the data is reviewed and analysed to identify larger patterns and trends.
After collecting and storing data about malware outbreaks or phishing emails for example, the next step is to review it in order to identify larger patterns and trends so that you can effectively communicate these findings with other companies who could be affected by them. An effective analysis will include things like identifying how many unique malware samples were involved during an attack, what types of malware were involved during an attack and which type was most prevalent.
Dissemination
This stage consists of sharing information about malware outbreaks or phishing emails with other organisations that could be affected. This could include anything from alerting third party threat intelligence companies like iSIGHT Partners, FireEye’s Threat Intelligence Exchange (TIE) Community or even sharing information with other teams within your organisation.
The goal here is to effectively communicate information about threats like malware outbreaks or phishing emails with other companies that could be affected by them before they occur. This means sharing your data in a way that makes it easy for others to understand and use.
Consumption
This stage consists of using the strategic cyber threat intelligence to either strengthen your company’s security or take steps towards mitigating a potential threat based on data from the analysis and dissemination stages above.
After sharing information about malware outbreaks or phishing emails with other companies, the next step is to implement intelligence within your company based on what you have learned from reviewing data in the analysis stage above. This could include taking steps toward mitigating a potential threat by putting countermeasures into place that will be effective against certain types of malware or phishing campaigns.
What are the benefits?
There are a number of ways threat intelligence can benefit an organisation as a whole including:
1. The ability to identify emerging threats before they become widespread.
2. Improved incident response time.
3. Better prioritisation of security efforts.
4. Better awareness of the emerging cyber threats targeting your organisation.
5. Improved threat detection and prevention capabilities.
6. Better collaboration between internal employees and external partners such as vendors, suppliers, or even law enforcement agencies.
7. Strengthening company security by being more proactive about threats that could affect them.
8. Communicating information about potential threats with other companies so they can take steps to protect themselves.
What should I consider before starting?
Before getting started with gathering or sharing your own threat intelligence, there are some things to consider in order to make sure it’s done effectively. Threat intelligence is a new yet critical dimension to knowing and helping business leaders about attack vectors, malicious attacks, modern ways to data breaches, threat types and indicators. These include:
1. Considering how you will store data before gathering intelligence so that the process is streamlined and not time-consuming.
2. Filtering out noise by determining what you need to look at before gathering data so that your time spent looking over intelligence is effective.
3. Knowing who the right people are and how much information is enough when it comes to sharing with others in order to avoid unnecessary risk.
4. Make sure your organisation understands what intelligence actually is in case they haven’t already heard of it. This helps reduce the risk of miscommunication about what you are trying to do,
5. Understanding how threat intelligence is going to be shared with your security operations teams and other teams in order for them to understand it better.
Discuss your concerns today
Who can benefit from Threat Intelligence?
Threat Intelligence is really beneficial for any organisation or company that understands the importance of cybersecurity and wants to make their security stronger. Threat intelligence can also be used by companies who are already in a collaborative relationship with other organisations, especially if there’s an agreement about sharing information between them.
Different types of threat intelligence
There are three types of threat intelligence including:
1. Operational threat intelligence
2. Strategic threat intelligence
3. Tactical threat intelligence
Operational Threat Intelligence
Operational intelligence is the kind that’s gathered on an ongoing basis by your security operations threat intelligence team. This information can be used to gather more specific, day-to-day threat intelligence which helps you respond faster and better identify threats before they become too widespread or cause damage. Threat visibility adds as an extra edge to blue teams working around the clock to improve and limit the attack probability and containment.
Operational intelligence is the data gathered to identify potential threats within an organisation like insider/employee behaviour or security incidents that are already happening. This could be used by different teams in your own company like legal or human resources.
Strategic Threat Intelligence
Strategic threat intelligence is the kind that’s gathered in order to assess potential threats from outside sources before they affect your company. It could include things like identifying a threat actor, threat groups or a nation-state being responsible for cyberattacks on other companies so you know what types of security measures may need to be taken in response.
Strategic intelligence is the data gathered about an organisation’s cyber threat landscape in order to track and monitor what others are doing in terms of cyber security solutions, approaches, and practices. Strategic intelligence could be beneficial for companies who want to improve their own security through learning from other organisations’ experiences with threats they have already faced. These inputs are further included in machine learning-based developments of security tools, vulnerability management and general threat intelligence use in security engineering and management around advanced threats.
Tactical Threat Intelligence
Tactical intelligence is the kind that’s gathered from specific events or incidents. It includes information about a particular threat, attack, or other cyber security event and can help to identify actions of a threat actor and what was done during those actions so it doesn’t happen again in the future.
Tactical intelligence is data related to a single piece of vulnerability intelligence such as a zero-day exploit, new variants of cyber attacks, new tactics techniques and procedures (TTPs) or a specific malware variant. Tactical cyber threat intelligence could be beneficial for companies who want to improve their security by knowing what has already happened in the past and how they can prevent it from happening again.
Threat Intelligence tools and platforms
Using threat intelligence tools and platforms is a great way to gather information, especially if you’re dealing with large amounts of data. There are different types of threat intelligence solutions that can collect as much or as little as possible from all over the internet in order to provide accurate threat intelligence for organisations looking to improve their cybersecurity practices even further. These tools are very important when looking holistically from malware analysis and known threat actor analysis view.
Open source threat intelligence feeds and databases
There are several open-source threat intelligence tools and threat data feeds that organisations can use in order to gather raw data from thousands of sources across the internet, including:
VirusTotal
An online service created by Google contains malware samples that are analysed by many different security vendors. Constantly evolving malware samples are often available here that are checked against anti-virus or endpoint software effectiveness.
PassiveTotal
A threat intelligence platform that specialises in gathering and analysing data from open sources such as DNS, IP addresses, email addresses, domains, hashes and more. It enables you to see what information is available about those specific pieces of data so you can use it for your own threat intelligence needs.
Commercial threat intelligence feeds
Although open-source threat intelligence is completely free, there are ways to purchase commercial information directly from various organisations who already gather this data for their cybersecurity solutions which can be beneficial if you want access to more detailed data or need it faster than what’s available through an open-source solution. Some examples include:
OTX
A threat intelligence platform that has more than 11 trillion events and is updated daily. It provides a deep analysis of the raw data so you can understand what’s going on in terms of cyber threats to your organisation, including things like malicious IPs, domains or files as well as potential indicators of future attacks. Alienvault OTX is available at https://otx.alienvault.com/ that also feeds into a lot of open sources OTX sources.
Discuss your concerns today
Flashpoint
A threat intelligence and strategic risk analysis firm which gathers information from open-source data points in order to provide detailed risk assessments based on their findings.
IntelSec
A cybersecurity company that specialises in cyber incident response and digital forensics, IntelSec provides real-time situational awareness for threats facing organisations today. It has more than 50 billion events in its database and is updated daily.
Conclusion
Whether your organisation believes in working on indicators of compromise or advanced analytics-based reactions such as user behaviour changes or removing false positives or to keep alert fatigue low, threat intelligence plays an active part in today’s security team objectives. Shedding light on the unknown helps reduce the probability and prepare better for futuristic adverse situations.
Get in touch to discuss your security concerns including any threat intel requirements.
