What is threat intelligence?
Threat intelligence (also referred to as cyber threat intelligence) collects data and information about threat actors, their techniques and tactics. Threat intelligence (TI) provides threat prediction, helps detect attacks, and supplies valuable data to teams and members working within the information security ecosystem.
Cyber threat intelligence is one of the most complex and, at the same time, important elements of information security. Like any other element of the information security system, TI uses its own tools and services. Competent usage of these tools helps to build an effective process for obtaining vital security information.
The term ‘threat intelligence’ directly indicates that the purpose of this area of information security is to collect knowledge about threats and analyze it. The SANS Institute provides the following definition: "The analysis of an adversary's intent, opportunity, and capability to do harm is known as Cyber Threat Intelligence."
TI is understood as a combination of two elements:
- The process of obtaining and accumulating knowledge about threats from various sources.
- The availability of a platform that allows you to aggregate, analyze, and use the accumulated knowledge.
In this blog, I will provide a more detailed overview of threat intelligence and how to leverage it to effectively defend against attacks.
Who needs cyber threat intelligence and why?
Threat intelligence capabilities emerged within companies before the availability of third-party vendor TI platforms. Prior to the availability of platforms, companies collected information about existing threats and monitored traffic. In fact, the initial elements of TI are available in almost every company where information security is given due attention.
TI can be viewed as a set of specific knowledge and skills. TI knowledge and skills reflect the level of information security maturity achieved by the company.
The basic level of TI is formed by reading and analyzing vendor and industry reports. This information helps companies increase their expertise to start building the necessary processes. After that, the value of the collected TI information increases significantly. This knowledge is accumulated and then implemented in the information security infrastructure and helps protect against attacks.
Note that TI vendors and their customers take different threat intelligence approaches.
Vendors create TI solutions as part of their own development of protection tools. Vendors try to create the best detection methods and threat feeds to offer an integrated commercial product.
The customer’s view is slightly different. The customer attempts to embrace TI primarily at a strategic level, asking questions like: what threats does TI help protect against and what cyber risks can it cover? To answer these questions, the company must mature in terms of its security processes.
Threat Intelligence levels: strategic, operational, tactical
Cyber threat intelligence consists of three levels: strategic, operational, and tactical. Each level has its own "customer," uses certain tools, and uniquely affects the operation of the company's information security system.
- The strategic level refers to the collection and usage of information about current attack trends, risks, and hacker groups involved in attacks against related companies or industries. The collected information allows you to assess what is happening in the information security world as a whole, and learn about current threats circulating in specific regions. The strategic level enables you to assess, set priorities, and develop relevant information security competencies in the company.
- The operational level usually covers everything related to the tactics and techniques used by attackers. The MITRE ATT&CK matrix is a popular source of such information; it describes in detail how attackers infiltrate systems. Operational-level data allows you to properly allocate budget and staff when building an enterprise protection system, and to understand how to protect against the external threats typical of a given region or industry.
- The tactical level of TI reflects technical information about certain groups of cyber criminals. This information allows you to identify attack indicators and detect threats the company may face.
As already mentioned, the degree of TI implementation in a company strongly depends on the maturity of its information security processes. Many organizations seek to buy feeds (sets of threat indicators) and build a cyber intelligence ecosystem based on these feeds. This is a purely technical implementation of TI.
There is a misconception that connecting feeds solves all TI tasks. When an indicator is triggered, you still need to understand what exactly happened: what the detected malware actually does within the company's infrastructure. This requires additional information and analysis, which is what lets the information security team plan its next steps. That is already the operational level of threat intelligence.
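As an added illustration of this point (example code, not from the post or any vendor's product), the following Python matches a constructed indicator feed against constructed proxy log lines and carries each hit's context (source feed, confidence, ATT&CK technique) into a per-host triage, so that a triggered indicator arrives with some understanding of what happened rather than as a bare match. The feed values, log lines and scoring weights are assumptions.

```python
from collections import defaultdict

# Constructed feed entries (NOT real indicators: RFC 5737 test addresses, a .invalid domain).
# Each carries the context a bare indicator lacks: source, confidence, ATT&CK technique.
FEED = [
    {"value": "192.0.2.45", "source": "feed-A", "confidence": 80,
     "technique": "T1071.001", "note": "C2 beaconing over HTTPS"},
    {"value": "update-cdn.example.invalid", "source": "feed-B", "confidence": 60,
     "technique": "T1105", "note": "second-stage payload host"},
    {"value": "198.51.100.9", "source": "feed-B", "confidence": 30,
     "technique": "T1595", "note": "mass scanner, noisy"},
]
# Constructed proxy log lines: timestamp followed by key=value pairs.
LOGS = """\
2024-01-10T10:02:11Z host=ws-17 user=jdoe dst=192.0.2.45 dport=443 bytes=4120
2024-01-10T10:02:15Z host=ws-17 user=jdoe dst=update-cdn.example.invalid dport=443 bytes=1980221
2024-01-10T10:03:40Z host=ws-17 user=jdoe dst=192.0.2.45 dport=443 bytes=3988
2024-01-10T10:05:02Z host=srv-db1 user=- dst=198.51.100.9 dport=22 bytes=0
2024-01-10T10:06:30Z host=ws-03 user=asmith dst=203.0.113.7 dport=443 bytes=1502
"""

def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *kv = line.split()
    event = {"ts": ts}
    event.update(pair.split("=", 1) for pair in kv)
    return event

def match_feed(lines, feed=FEED):
    """Return one hit per event whose dst is a feed indicator, with the feed's context attached."""
    by_value = {e["value"]: e for e in feed}
    hits = []
    for line in lines.splitlines():
        ev = parse_line(line)
        ind = by_value.get(ev.get("dst"))
        if ind:
            hits.append({**ev, "source": ind["source"], "confidence": ind["confidence"],
                         "technique": ind["technique"], "note": ind["note"]})
    return hits

def triage(hits):
    """Per-host summary: repeated contact across several techniques outranks a lone low-confidence hit."""
    per_host = defaultdict(list)
    for h in hits:
        per_host[h["host"]].append(h)
    report = {}
    for host, hs in per_host.items():
        techniques = sorted({h["technique"] for h in hs})
        # Assumed weighting: best confidence, plus a bonus per extra technique and per repeat.
        score = max(h["confidence"] for h in hs) + 10 * (len(techniques) - 1) + 5 * (len(hs) - 1)
        report[host] = {"events": len(hs), "techniques": techniques, "score": min(score, 100)}
    return report
```

Running `triage(match_feed(LOGS))` ranks ws-17 (beaconing plus a large download) far above srv-db1, whose single scanner hit is the kind of feed match that needs no further action.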
Threat hunting vs threat intelligence
TI is an essential element of proactive threat search, known as threat hunting. A threat hunting team is responsible for detecting traces of intrusion or malware activity. TI acts as an information donor for threat hunting at the operational level.
Threat hunting and threat intelligence are directly related. When a company has intelligence in the context of an incident (and even in the absence of one), it helps to find the right indicators and attack signs on breached devices. Threat hunting then builds its monitoring around those indicators and the list of attack patterns it watches for.
Strategic-level threat intelligence reports
Many providers of TI capabilities periodically issue threat reports quantifying recent attack trends over a given time period, while also giving a forecast for the following year. These reports are of a strategic nature for companies.
These reports provide value by informing customers how to regroup, what areas to focus on, and how to develop their competencies to confidently withstand the types of attacks expected in the future. Companies that lack their own threat intelligence capabilities have no source of information other than such reports to navigate trends in information security.
At the same time, these reports also carry marketing material. It is important to separate the two components: live threat statistics and analytics vs. marketing.
The practice of applying threat intelligence
Currently, there are several hundred free sources of TI information of a purely technical nature. If you also count TTP (tactics, techniques, and procedures) sources, you can find up to one hundred more in the public domain.
There are at least dozens of vendors that provide free strategic threat intelligence reports. Most customers are unable to effectively digest such a volume of information.
According to the SANS Institute survey, in 2021, more than 80% of respondents used several sources of TI information simultaneously. In reality, many companies use up to eight cyber threat intelligence sources.
The primary value of open-source threat data is in helping repel mass threats; withstanding complex targeted attacks necessitates moving to the operational level. Data on complex targeted threats is not easy to find, analyze, and link together. Such attacks require painstaking research.
The presence of an incident response team is highly desirable when implementing TI. Success here largely depends on how quickly the company can understand which hacking group it has encountered, what the attacking party has already managed to do, and how deeply it penetrated the company. TI can provide this vital information.
The efficiency of using threat intelligence tools
The effectiveness of TI can be evaluated at different levels. If we evaluate TI at a strategic level, then only time can prove the effectiveness of its implementation. Only over time does it become clear whether the chosen decisions, risk assessments, and built-in protection were correct.
At the strategic level, evaluate not only technical details, but also various geopolitical processes, such as hacktivism or wars. If you do not take these processes into account, you can quickly become the next target.
At the operational level, the effectiveness of TI is expressed in the quality of the protection built. At first glance, it might seem that if nothing happened, the efforts to implement TI were in vain. But that is not the case. Silence may also indicate that the scope of monitoring has been narrowed too far: the TI system simply does not see what is happening nearby. Therefore, the assessment of implementation effectiveness will always be unique to a particular company.
Cyber threat intelligence development forecasts
Based on current trends, cyber threat intelligence will clearly develop along the path of increasing the strategic and operational levels within the company. This will lead to the closer integration of customers and vendors of TI solutions. Customers will analyze data on their side, ask questions more actively, and help move the industry forward. Thanks to this interaction, TI maturity will grow on the side of providers and customers.
Interested in learning more about privileged threat intelligence? Check out the BeyondTrust platform, which helps identify APTs and other surreptitious attacks by analyzing privileged password, user, session, and account activity, along with factors such as applications, services, software, and ports. The platform also enables the operationalization of a just-in-time access model and context-based access decisions consistent with zero trust.
Alex Vakulov, Guest Blogger
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He writes for numerous security-related publications, sharing his security experience.