What is cyber threat intelligence?

August 20, 2024 • Resource
Posted by
James Brine
Share this article

Threat intelligence gathers, combines and analyses data and information on existing, new, and emergent cyber threats to ICT environments from within systems and via the wider internet, including the dark web. Threats may be targeted at your organisation specifically or cast a wide net, approach valuable assets through a single-vector or multi-vector approach, and exist at a point-in-time or be persistent in their nature. By empowering your organisation with intelligence monitoring services and threat intelligence, this guides the way to effectively mitigate threat-based risks to business.

What does threat intelligence do?

Threat intelligence informs analysts and decision-makers of the current and emerging cyber threats to your organisation. By understanding threat actors, vectors, methods, background, indicators, and potential impacts, you can deploy mitigations, update risk registers, compose incident response playbooks, conduct threat hunts, and more. All this helps to manage cyber threat detection and response more effectively and boost your security posture.

Intelligence monitoring services, combined with threat intelligence, allows organisations to develop up-to-date cyber threat mitigation strategies, deploy effective defence mechanisms, and accurately perform cyber risk management within the business.

Types of Threat Intelligence

Tactical Threat Intelligence

Tactical threat intelligence identifies artefacts within and beyond the boundaries of internal systems that are current, simple indicators of compromise or known weaknesses. This includes technical artefacts such as IPs on blacklists and malware signatures, through to employee social media pages that are ripe for phishing scams and company-based information exposed on the dark web. Tactical threat intelligence allows organisations to remediate current weaknesses immediately, based on priority.

  • Examples: Blocking emails received from a known malicious domain, reporting on customer information discovered for sale on the dark web
  • Data: Simple, machine readable
  • Timeframe: Immediate, or very short remediation

Operational Threat Intelligence

Operational cyber threat intelligence focuses on the Tactics, Techniques and Procedures (TTP) used by threat actors to conduct attacks. Painting a picture of each identified threat actor’s motivations, current and past strategies and campaigns, associations, tools used, etc., allows an organisation to determine the existing threat to business, and how to combat it.

  • Examples: Patching vulnerabilities across multiple products that a threat actor is known to exploit, triaging emails that follow a similar pattern to phishing attacks from a known threat actor

  • Data: Aggregated, machine and human readable

  • Timeframe: Medium-term, based on risk and priorities

    Strategic Threat Intelligence

    Strategic threat intelligence takes an even broader approach; looking at business and technology trends, proposed policies, alliances, political shifts, etc. to predict long-term security threats before they come to pass.

    • Examples: Conducting third party risk assessments to reduce the risk of supply chain attacks, a multi-cloud security program to reduce cloud risk
    • Data: Complex, machine and human readable, may require advanced analysis techniques
    • Timeframe: Long term, with staggered mitigations

    The Cyber Threat Intelligence Lifecycle

    Scoping

    Before cybersecurity threat intelligence activities begin, the organisation must define the scope of the threat intelligence program, including examining valuable assets and system boundaries, risks and risk tolerance, needs and goals, regulatory constraints, and even budgets and assigned owners.

    Collection

    The team collects relevant data through open source and proprietary tools, and detailed investigation techniques. Intelligence is gathered from existing internal-facing systems, at company boundaries and via external sources including the dark web.

    Processing

    The data is processed, its validity checked, formatted for machine readability where appropriate, and organised into the bigger picture of the specific threat.

    Analysis

    Threat intelligence teams run analysis on processed data to identify patterns, trends, and outliers, as well as evaluate qualitative data to determine next steps in addressing current, potential, and projected threats.

    Reporting

    Reports are collated and delivered to stakeholders to effectively communicate the nature, urgency, and span of cyber threats, including next steps or the mitigation applied.

    Continuous improvement

    Threat intelligence programs must be updated as new information, threats, and best practices come to light.

    Benefits of Threat Intelligence

    Reduce time to identify threats and compromised information

    With a foundational threat intelligence program, your organisation can identify threats and compromised information online before they become a larger issue. Up-to-date feeds and automated fixes are key.

    Examine existing and future threats before they impact the organisation

    By gaining the full picture of cyber threats to the organisation, analysis and decision making occurs just in time.

    Balance mitigation strategies with the organisation’s risk profile

    Threats can be prioritised and mitigated with timelines and engineering that fits the organisation’s existing risk profile.

    Comply with internal, industry, and legislative rules and requirements

    A threat intelligence program allows organisations to comply with internal, industry, and legislative rules and requirements, including obligatory reporting to authorities.

    Improve the organisation’s overall security posture

    Threat intelligence helps boost the organisation’s security posture, alongside other programs such as compliance, secure architectural practices, team training, and critical product control.

    How Tesserent Can Help

    Tesserent offers various threat intelligence services:

    Premium Cyber Threat Intelligence as a Service

    Our premium cyber threat intelligence service provides the program, platforms, intelligence feeds and data, and experienced cyber threat intelligence analysts to deliver a complete CTI program. We define, collect, analyse, and produce actionable intelligence reports and insights that imrpove detection and prevention controls, integrate with existing SOC solutions, inform threat hunting, prioritise vulnerability remediation, inform and cybersecurity strategy and executive decision making and manage exposure and reputation of brand, personnel, customer risk, and business specific information such as intellectual property or customer data.

    SOC

    Tesserent has a cyber threat intelligence team within our dedicated 24x7 Cybersecurity Operations Centre (SOC) service. This team is equipped with the tools, experience, and continuous monitoring to deliver threat intelligence activities such as threat identification and triage, rapid incident response, and mitigation strategies. We can also help build out your threat intelligence program framework for best practices and compliance within your organisation.

    Written by James Brine

    Contact us

    Speak with a Tesserent
    Security Specialist

    Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.

    Let's Talk
    Tess head 8 min

    Related Resources

    Resource
    What Are Insider Threats?
    What Are Insider Threats?
    Resource
    What Is Third-Party Risk Management? TPRM Explained
    Resource
    What is IEC 62443? IEC 62443 Standard Explained
    What is IEC 62443? IEC 62443 Standard Explained
    Resource
    What is Operational Technology Security? OT security explained
    What is Operational Technology Security? OT security explained