What is cyber threat intelligence?

August 20, 2024 • Resource
Posted by James Brine

Threat intelligence gathers, combines and analyses data and information on existing, new, and emergent threats to ICT environments, drawn from within your own systems and from the wider internet, including the dark web. Threats may be targeted at your organisation specifically or cast a wide net, approach valuable assets through a single vector or multiple vectors, and exist at a point in time or be persistent in nature. Equipping your organisation with threat intelligence guides the way to effective mitigation of threat-based risks to the business.

What does threat intelligence do?

Threat intelligence informs analysts and decision-makers of the current and emerging threats to your organisation. By understanding threat actors, vectors, methods, background, indicators, and potential impacts, you can deploy mitigations, update risk registers, compose incident response playbooks, conduct threat hunts, and more. All of this helps you manage threat detection and response more effectively and boosts your security posture.

Threat intelligence allows organisations to develop up-to-date threat mitigation strategies, deploy effective defence mechanisms, and accurately perform cyber risk management within the business.

Types of Threat Intelligence

Tactical Threat Intelligence

Tactical threat intelligence identifies artefacts within and beyond the boundaries of internal systems that are current, simple indicators of compromise or known weaknesses. This includes technical artefacts such as IPs on blacklists and malware signatures, through to employee social media pages that are ripe for phishing scams and company-based information exposed on the dark web. Tactical threat intelligence allows organisations to remediate current weaknesses immediately, based on priority.

  • Examples: Blocking emails received from a known malicious domain, reporting on customer information discovered for sale on the dark web
  • Data: Simple, machine readable
  • Timeframe: Immediate, or very short remediation
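To show what "simple, machine readable" tactical data looks like in use, here is an added example (written for this page, not Tesserent's tooling or any real feed): a constructed indicator list of a known malicious domain, an IP and a file hash is matched against constructed mail-gateway, proxy and endpoint log lines. Every value below is a made-up sample, and the token classifier is a deliberately minimal stand-in for a proper log parser.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed tactical indicators: one atom each, typed, with the feed that supplied it.
# None of these values refers to a real host or file.
INDICATORS = [
    {"type": "domain", "value": "bad-invoices.example", "source": "feed-A"},
    {"type": "ipv4", "value": "203.0.113.45", "source": "feed-B"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "feed-A"},
]

# Constructed log lines from three sources; only three of the four carry an indicator.
LOG_LINES = [
    "mail from=<billing@bad-invoices.example> to=<alice@corp.example> status=accepted",
    "proxy src=10.1.2.3 dst=203.0.113.45 url=http://203.0.113.45/update.bin",
    "edr host=ws-17 file=C:\\Temp\\setup.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "proxy src=10.1.2.4 dst=198.51.100.7 url=http://198.51.100.7/index.html",
]


@dataclass(frozen=True)
class Match:
    indicator_type: str
    value: str
    source: str
    line_no: int


# Tokens that can hold a hostname, an IPv4 address or a hex digest.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify(token):
    """Return (indicator_type, normalised_value) for a token, or None if it cannot be an indicator."""
    t = token.lower()
    if SHA256_RE.match(t):
        return "sha256", t
    try:
        ipaddress.IPv4Address(t)
        return "ipv4", t
    except ValueError:
        pass
    if "." in t and not t.startswith(".") and not t.endswith("."):
        return "domain", t
    return None


def build_index(indicators):
    """Key indicators by (type, lower-cased value) so lookups are exact and case-insensitive."""
    return {(i["type"], i["value"].lower()): i for i in indicators}


def scan(lines, indicators):
    """Return one Match per (indicator, line) pair; a value repeated on a line counts once."""
    index = build_index(indicators)
    found = set()
    for line_no, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line):
            key = classify(token)
            if key and key in index:
                ind = index[key]
                found.add(Match(ind["type"], ind["value"].lower(), ind["source"], line_no))
    return sorted(found, key=lambda m: (m.line_no, m.indicator_type))


if __name__ == "__main__":
    for m in scan(LOG_LINES, INDICATORS):
        print(f"line {m.line_no}: {m.indicator_type}={m.value} (from {m.source})")
```

Exact matching on normalised atoms is what makes tactical data cheap to act on: the same index can feed a mail-filter block list, a proxy deny list or an EDR hash lookup without human interpretation. The trade-off is that an indicator only fires on the exact value it was published with, which is why the Processing step of the lifecycle matters.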

Operational Threat Intelligence

Operational threat intelligence focuses on the Tactics, Techniques and Procedures (TTPs) used by threat actors to conduct attacks. Painting a picture of each identified threat actor’s motivations, current and past strategies and campaigns, associations, tools used, etc., allows an organisation to determine the existing threat to the business and how to combat it.

  • Examples: Patching vulnerabilities across multiple products that a threat actor is known to exploit, triaging emails that follow a similar pattern to phishing attacks from a known threat actor
  • Data: Aggregated, machine and human readable
  • Timeframe: Medium-term, based on risk and priorities

Strategic Threat Intelligence

Strategic threat intelligence takes an even broader approach, looking at business and technology trends, proposed policies, alliances, political shifts, etc. to predict long-term security threats before they come to pass.

  • Examples: Conducting third-party risk assessments to reduce the risk of supply chain attacks, a multi-cloud security program to reduce cloud risk
  • Data: Complex, machine and human readable, may require advanced analysis techniques
  • Timeframe: Long term, with staggered mitigations

The Threat Intelligence Lifecycle

Scoping

Before threat intelligence activities begin, the organisation must define the scope of the threat intelligence program, including examining valuable assets and system boundaries, risks and risk tolerance, needs and goals, regulatory constraints, and even budgets and assigned owners.

Collection

The team collects relevant data through open source and proprietary tools, and detailed investigation techniques. Intelligence is gathered from existing internal-facing systems, at company boundaries and via external sources including the dark web.

Processing

The data is processed, its validity checked, formatted for machine readability where appropriate, and organised into the bigger picture of the specific threat.

Analysis

Threat intelligence teams run analysis on processed data to identify patterns, trends, and outliers, as well as evaluate qualitative data to determine next steps in addressing current, potential, and projected threats.

Reporting

Reports are collated and delivered to stakeholders to effectively communicate the nature, urgency, and span of threats, including next steps or the mitigation applied.

Continuous improvement

Threat intelligence programs must be updated as new information, threats, and best practices come to light.
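The Processing and Continuous improvement steps above are where raw feed data becomes something a machine can safely act on. As an added example (not code from the article or from Tesserent), the Python below takes a constructed feed of defanged, duplicated, invalid and stale entries, refangs and validates each one, keeps the most recent sighting per indicator, and ages out anything not seen within a configurable window. The feed entries, the 30-day window and the reference date are all assumptions chosen for the demonstration.

```python
import ipaddress
import re
from datetime import date

# Constructed raw feed entries as they often arrive: defanged, mixed case,
# duplicated, one invalid, one stale. Values are made up for this example.
RAW_FEED = [
    {"value": "hxxp://Bad-Invoices[.]example/login", "last_seen": "2024-08-15"},
    {"value": "bad-invoices.example", "last_seen": "2024-08-01"},
    {"value": "203[.]0[.]113[.]45", "last_seen": "2024-06-30"},
    {"value": "999.1.1.1", "last_seen": "2024-08-10"},  # not a valid IPv4 address
    {"value": "203.0.113.45", "last_seen": "2024-01-02"},  # older sighting of entry 3
]

DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+")


def refang(value):
    """Undo the common defanging conventions (hxxp, [.], (.), [dot]) so the value matches logs."""
    v = value.strip()
    v = re.sub(r"(?i)^hxxp", "http", v)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def normalise(value):
    """Refang, reduce a URL to its host, lower-case, and type the result; None if it is not usable."""
    v = refang(value)
    if "://" in v:
        v = v.split("://", 1)[1].split("/", 1)[0]
    v = v.lower().rstrip(".")
    try:
        ipaddress.IPv4Address(v)
        return "ipv4", v
    except ValueError:
        pass
    # Dotted digit strings that failed IPv4 parsing are malformed addresses, not hostnames.
    if re.fullmatch(r"[\d.]+", v):
        return None
    if DOMAIN_RE.fullmatch(v):
        return "domain", v
    return None


def process(raw, today, max_age_days=30):
    """Validate, normalise and deduplicate a feed, then split it into active and expired sets.

    Returns (active, expired, rejected): active and expired map (type, value) to the most
    recent last_seen date; rejected lists raw values that could not be normalised.
    """
    latest = {}
    rejected = []
    for entry in raw:
        key = normalise(entry["value"])
        if key is None:
            rejected.append(entry["value"])
            continue
        seen = date.fromisoformat(entry["last_seen"])
        if key not in latest or seen > latest[key]:
            latest[key] = seen  # keep the newest sighting for each indicator
    active = {k: d for k, d in latest.items() if (today - d).days <= max_age_days}
    expired = {k: d for k, d in latest.items() if k not in active}
    return active, expired, rejected


if __name__ == "__main__":
    active, expired, rejected = process(RAW_FEED, date(2024, 8, 20))
    print("active:", active)
    print("expired:", expired)
    print("rejected:", rejected)
```

Ageing indicators out rather than accumulating them forever is a small but real part of continuous improvement: a block list that keeps growing produces false positives on re-assigned IPs and re-registered domains, and the last_seen date is what lets the program decide when an indicator has stopped earning its place.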

Benefits of Threat Intelligence

Reduce time to identify threats and compromised information

With a foundational threat intelligence program, your organisation can identify threats and compromised information online before they become a larger issue. Up-to-date feeds and automated fixes are key.

Examine existing and future threats before they impact the organisation

By gaining the full picture of cyber threats to the organisation, analysis and decision making occurs just in time.

Balance mitigation strategies with the organisation’s risk profile

Threats can be prioritised and mitigated with timelines and engineering that fit the organisation’s existing risk profile.

Comply with internal, industry, and legislative rules and requirements

A threat intelligence program allows organisations to comply with internal, industry, and legislative rules and requirements, including obligatory reporting to authorities.

Improve the organisation’s overall security posture

Threat intelligence helps boost the organisation’s security posture, alongside other programs such as compliance, secure architectural practices, team training, and critical product control.

How Tesserent Can Help

Tesserent offers various threat intelligence services:

Premium Cyber Threat Intelligence as a Service

Our premium cyber threat intelligence service provides the program, platforms, intelligence feeds and data, and experienced cyber threat intelligence analysts to deliver a complete CTI program. We define, collect, analyse, and produce actionable intelligence reports and insights that improve detection and prevention controls, integrate with existing SOC solutions, inform threat hunting, prioritise vulnerability remediation, inform cybersecurity strategy and executive decision making, and manage exposure and reputational risk to brand, personnel, customers, and business-specific information such as intellectual property or customer data.

SOC

Tesserent has a cyber threat intelligence team within our dedicated 24x7 Cybersecurity Operations Centre (SOC) service. This team is equipped with the tools, experience, and continuous monitoring to deliver threat intelligence activities such as threat identification and triage, rapid incident response, and mitigation strategies. We can also help build out your threat intelligence program framework for best practices and compliance within your organisation.


Written by James Brine
