Threat intelligence gathers, combines and analyses data and information on existing, new, and emerging cyber threats to ICT environments, drawing on internal systems and on the wider internet, including the dark web. Threats may target your organisation specifically or cast a wide net, approach valuable assets through a single vector or multiple vectors, and exist at a point in time or be persistent in nature. Equipping your organisation with threat intelligence guides the way to effectively mitigating threat-based risks to the business.
What does threat intelligence do?
Threat intelligence informs analysts and decision-makers of the current and emerging cyber threats to your organisation. By understanding threat actors, vectors, methods, background, indicators, and potential impacts, you can deploy mitigations, update risk registers, compose incident response playbooks, conduct threat hunts, and more. All this helps to manage cyber threat detection and response more effectively and boost your security posture.
Threat intelligence allows organisations to develop up-to-date cyber threat mitigation strategies, deploy effective defence mechanisms, and accurately perform cyber risk management within the business.
Types of Threat Intelligence
Tactical Threat Intelligence
Tactical threat intelligence identifies artefacts within and beyond the boundaries of internal systems that are current, simple indicators of compromise or known weaknesses. This includes technical artefacts such as IPs on blacklists and malware signatures, through to employee social media pages that are ripe for phishing scams and company-based information exposed on the dark web. Tactical threat intelligence allows organisations to remediate current weaknesses immediately, based on priority.
- Examples: Blocking emails received from a known malicious domain, reporting on customer information discovered for sale on the dark web
- Data: Simple, machine readable
- Timeframe: Immediate, or very short remediation
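The tactical examples above (blocking mail from a known malicious domain or IP) can be automated directly from a simple, machine-readable feed. The following is an added illustration, not Tesserent's code: it performs the processing step (validating and normalising indicators, collapsing duplicates) and then matches a constructed feed against constructed mail-log events, honouring each indicator's expiry so that stale point-in-time indicators stop blocking. The feed columns, the ttl_days field and the event tuple layout are assumptions for this example.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed tactical feed (assumed format): indicator type, value,
# date first seen, and number of days until the indicator expires.
FEED = """type,value,first_seen,ttl_days
domain,Bad-Example.test,2024-05-01,30
ip,198.51.100.23,2024-05-10,7
ip,not-an-ip,2024-05-10,7
domain,bad-example.test,2024-05-02,30
"""

# Constructed mail-log events: (timestamp, sender domain, connecting IP).
EVENTS = [
    ("2024-05-12T09:00:00Z", "bad-example.test", "203.0.113.5"),
    ("2024-05-12T09:05:00Z", "partner.example", "198.51.100.23"),
    ("2024-06-20T08:00:00Z", "bad-example.test", "203.0.113.9"),
]

def load_feed(text):
    """Processing: validate rows, normalise values, keep latest expiry per indicator."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        value = row["value"].strip().lower()
        if row["type"] == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue  # discard malformed rows rather than blocking on junk
        first_seen = datetime.strptime(row["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        expires = first_seen + timedelta(days=int(row["ttl_days"]))
        key = (row["type"], value)
        # Duplicate indicators from overlapping sources: keep the later expiry.
        if key not in indicators or expires > indicators[key]:
            indicators[key] = expires
    return indicators

def match_events(indicators, events):
    """Return (timestamp, indicator) for each event that hits a still-valid indicator."""
    hits = []
    for ts, domain, ip in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for key in (("domain", domain.lower()), ("ip", ip)):
            expires = indicators.get(key)
            if expires is not None and when < expires:
                hits.append((ts, key))
    return hits
```

The third event is not flagged because the domain indicator has expired by June; that is the "immediate, or very short remediation" timeframe expressed as a lifetime on each indicator.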
Operational Threat Intelligence
Operational cyber threat intelligence focuses on the Tactics, Techniques and Procedures (TTPs) used by threat actors to conduct attacks. Painting a picture of each identified threat actor's motivations, current and past strategies and campaigns, associations, tools used, etc., allows an organisation to determine the existing threat to the business and how to combat it.
- Examples: Patching vulnerabilities across multiple products that a threat actor is known to exploit, triaging emails that follow a similar pattern to phishing attacks from a known threat actor
- Data: Aggregated, machine and human readable
- Timeframe: Medium-term, based on risk and priorities
Strategic Threat Intelligence
Strategic threat intelligence takes an even broader approach, looking at business and technology trends, proposed policies, alliances, political shifts, etc. to predict long-term security threats before they come to pass.
- Examples: Conducting third party risk assessments to reduce the risk of supply chain attacks, a multi-cloud security program to reduce cloud risk
- Data: Complex, machine and human readable, may require advanced analysis techniques
- Timeframe: Long term, with staggered mitigations
The Cyber Threat Intelligence Lifecycle
Scoping
Before cybersecurity threat intelligence activities begin, the organisation must define the scope of the threat intelligence program, including examining valuable assets and system boundaries, risks and risk tolerance, needs and goals, regulatory constraints, and even budgets and assigned owners.
Collection
The team collects relevant data through open source and proprietary tools, and detailed investigation techniques. Intelligence is gathered from existing internal-facing systems, at company boundaries and via external sources including the dark web.
Processing
The data is processed: its validity is checked, it is formatted for machine readability where appropriate, and it is organised into the bigger picture of the specific threat.
Analysis
Threat intelligence teams run analysis on processed data to identify patterns, trends, and outliers, as well as evaluate qualitative data to determine next steps in addressing current, potential, and projected threats.
Reporting
Reports are collated and delivered to stakeholders to effectively communicate the nature, urgency, and span of cyber threats, including next steps or the mitigation applied.
Continuous improvement
Threat intelligence programs must be updated as new information, threats, and best practices come to light.
Benefits of Threat Intelligence
Reduce time to identify threats and compromised information
With a foundational threat intelligence program, your organisation can identify threats and compromised information online before they become a larger issue. Up-to-date feeds and automated fixes are key.
Examine existing and future threats before they impact the organisation
By gaining the full picture of cyber threats to the organisation, analysis and decision making occur just in time.
Balance mitigation strategies with the organisation’s risk profile
Threats can be prioritised and mitigated with timelines and engineering that fit the organisation's existing risk profile.
Comply with internal, industry, and legislative rules and requirements
A threat intelligence program allows organisations to comply with internal, industry, and legislative rules and requirements, including obligatory reporting to authorities.
Improve the organisation’s overall security posture
Threat intelligence helps boost the organisation’s security posture, alongside other programs such as compliance, secure architectural practices, team training, and critical product control.
How Tesserent Can Help
Tesserent offers various threat intelligence services:
Premium Cyber Threat Intelligence as a Service
Our premium cyber threat intelligence service provides the program, platforms, intelligence feeds and data, and experienced cyber threat intelligence analysts to deliver a complete CTI program. We define, collect, analyse, and produce actionable intelligence reports and insights that improve detection and prevention controls, integrate with existing SOC solutions, inform threat hunting, prioritise vulnerability remediation, inform cybersecurity strategy and executive decision making, and manage the exposure and reputation risk of the brand, personnel, customers, and business-specific information such as intellectual property or customer data.
SOC
Tesserent has a cyber threat intelligence team within our dedicated 24x7 Cybersecurity Operations Centre (SOC) service. This team is equipped with the tools, experience, and continuous monitoring to deliver threat intelligence activities such as threat identification and triage, rapid incident response, and mitigation strategies. We can also help build out your threat intelligence program framework for best practices and compliance within your organisation.
Written by James Brine