Simply put, threat intelligence is the knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. Threat intelligence enables you to identify and contextualize your adversaries. Once you understand your adversary, you can take decisive action to better protect your organization.
When you apply threat intelligence, you can better defend your network-based assets, both operationally and strategically. Following Gartner’s definition of threat intelligence, using this knowledge helps you and your team make informed decisions on how to respond and react to a particular threat.
Is threat data the same as threat intelligence? Not exactly.
Threat data is a list of malicious domains, websites, IP addresses, and other indicators of compromise (IOCs). This data alone is commonly mislabeled as “intelligence”. Without understanding context, relevance, accuracy, or known associations, however, you can’t see the broader picture surrounding that single indicator or data point, and incapable of knowing what the correct response or next action should be.
Threat intelligence comes from several sources, both internal and external. Fusing internal and external threat intelligence allows an organization to create the most relevant and accurate threat profile, and also to rate and rank the value of threat intelligence sources.
Your own network shows which intelligence is truly relevant to your organization. By leveraging threat data from your own network, (i.e. log files, alerts, and incident response reports) you can recognize and stop threats. If you use a SIEM, this is a great place to start. Several raw sources of internal network event data (such as event logs, DNS logs, firewall logs, etc.) are already in your SIEM. Also, maintaining historic knowledge of past incident responses is helpful in leveraging more mature threat awareness based on internal sources including: retaining accessible data on the systems affected during an incident; the vulnerabilities exploited; the related indicators and malware; and, if known, the attribution and motivation of adversaries. Also, retaining malware used, relevant packet capture, and netflow can be invaluable sources of intelligence.
External sources can be pretty varied, with many degrees of trustworthiness. “Open source” intelligence (i.e., security researcher, vendor blogs, and publicly available reputation and block lists) can provide indicators for detection and context. Private or commercial sources of threat intelligence can include threat intelligence feeds, structured data reports (such as STIX), unstructured reports (such as PDF and Word documents), emails from sharing groups, etc. Some of this data, particularly that from vendors, may be refined with context for your particular industry. Ultimately, it’s up to your security team or someone with specific knowledge of your organization’s threat landscape to determine it’s relevance.
Cyber threat actors are using more sophisticated tools, techniques, and procedures (TTP) which are outpacing stand-alone security solutions. It’s not surprising they are able to get past disparate and uncoordinated defenses. Adversaries can often be organized criminal or state-sponsored groups — known as Advanced Persistent Threats (APTs) — all of which have the tools, training, and resources to disrupt or breach most conventional network defense systems. And, these attempts are not usually isolated. Many times, they can be multi-year campaigns targeting valuable, sensitive data.
Clearly, you need to react to threats. But if you are only reacting, you are playing a never-ending game of catch-up. Having a threat intelligence-led security program gives your organization a fighting chance to defeat these ever-changing threats.
You need a holistic view of the threat landscape and a proactive posture to protect your business from the multitude of threats you face every day. To be proactive, you need to constantly harvest and process knowledge about the threat actors, not just the specific incidents. Knowing the who, what, where, how, and when of an adversary’s actions is the only way to decrease their chances of success. This is where threat intelligence comes in.
Helps responders determine where to look next to observe an ongoing intrusion.
Threat intelligence can also drive the prioritization of ongoing investigations based on knowledge of the adversaries involved.
An intelligence-driven platform is vital for putting threat intelligence to use. A platform enables you to take both internal and external threat data and turn it into actionable threat intelligence that will drive informed security decisions.
A platform provides a central place for security analysts to aggregate threat data, analyze and enrich this data to make sense of it, and create and memorialize your team’s threat intelligence processes to respond to threats, and better mitigate risk. A platform will optimize these operations by combining automation and orchestration to increase a security team’s speed and efficiency while also providing confidence and validation through human intervention.
The ThreatConnect Platform was specifically designed to help you understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. Whether your focus is threat intelligence, security operations, incident response or security management, ThreatConnect was designed for teams of all sizes and maturity levels.
