What is Threat Intelligence?

Simply put, threat intelligence is the knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. Threat intelligence enables you to identify and contextualize your adversaries. Once you understand your adversary, you can take decisive action to better protect your organization.

Where does Threat Intelligence come from?

Threat intelligence comes from several sources, both internal and external. Fusing internal and external threat intelligence allows an organization to create the most relevant and accurate threat profile, and also to rate and rank the value of threat intelligence sources.

Internal Sources

Your own network shows which intelligence is truly relevant to your organization. By leveraging threat data from your own network (log files, alerts, and incident response reports) you can recognize and stop threats. If you use a SIEM, it is a good place to start: several raw sources of internal network event data (event logs, DNS logs, firewall logs, etc.) are already there. Maintaining historic knowledge of past incident responses also supports more mature threat awareness from internal sources. That means retaining accessible data on the systems affected during an incident, the vulnerabilities exploited, the related indicators and malware, and, if known, the attribution and motivation of the adversaries. Retained malware samples, relevant packet captures, and netflow can likewise be invaluable sources of intelligence.

External Sources

External sources can be quite varied, with many degrees of trustworthiness. "Open source" intelligence (security researcher and vendor blogs, and publicly available reputation and block lists) can provide indicators for detection and context. Private or commercial sources of threat intelligence can include threat intelligence feeds, structured data reports (such as STIX), unstructured reports (such as PDF and Word documents), emails from sharing groups, etc. Some of this data, particularly that from vendors, may be refined with context for your particular industry. Ultimately, it is up to your security team or someone with specific knowledge of your organization's threat landscape to determine its relevance.

Why is Threat Intelligence important?

Cyber threat actors are using more sophisticated tactics, techniques, and procedures (TTPs) that outpace stand-alone security solutions. It is not surprising that they get past disparate and uncoordinated defenses. Adversaries are often organized criminal or state-sponsored groups, commonly described as Advanced Persistent Threats (APTs), with the tools, training, and resources to disrupt or breach most conventional network defenses. These attempts are not usually isolated; many are multi-year campaigns targeting valuable, sensitive data.

Clearly, you need to react to threats. But if you are only reacting, you are playing a never-ending game of catch-up. Having a threat intelligence-led security program gives your organization a fighting chance to defeat these ever-changing threats.

You need a holistic view of the threat landscape and a proactive posture to protect your business from the multitude of threats you face every day. To be proactive, you need to constantly harvest and process knowledge about the threat actors, not just the specific incidents. Knowing the who, what, where, how, and when of an adversary's actions is what lets you decrease their chances of success. This is where threat intelligence comes in.

SECURITY PLANNING
  • The most strategic use of threat intelligence.
  • Start from threat intelligence that is relevant to you; security planning then drives architecture decisions and refines security processes to better defend against known threats.
INCIDENT RESPONSE
  • Threat intelligence directly supports incident-response processes by placing observed IOCs into context.
  • Helps responders determine where to look next to observe an ongoing intrusion.
  • Threat intelligence can also drive the prioritization of ongoing investigations based on knowledge of the adversaries involved.

ALERTING AND BLOCKING
  • This is the basic use case for leveraging threat intelligence.
  • Use tactical feeds of threat intelligence-derived indicators to block malicious activity at firewalls or other gateway security devices.
  • Deploy detection for indicators of compromise (IOC) as alerts in SIEMs, as signatures on IDS/IPS, or host-based signatures on configurable endpoint protection products.
FUSION ANALYSIS
  • Threat intelligence fusion is the process of assessing intelligence from multiple sources and source types to create a more complete threat and risk picture for an organization.
  • It is an underlying and critical function of any threat-intelligence analysis effort.
  • It allows for the creation of comprehensive threat assessments and provides specific threat relevance by overlaying external intelligence sources onto internal ones.
CONTEXTUAL ALERTING AND SIGNATURE MANAGEMENT (TRIAGE)
  • Alerts enriched with context from threat intelligence are easier to triage: the context helps determine the severity and validity of each alert.
  • Both host- and network-based detection signatures become more useful when threat intelligence supplies confidence, priority, and appropriate next steps based on an adversary's known tactics, techniques, and procedures.
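To show what the alerting and blocking, fusion analysis and contextual triage use cases above look like in practice, here is an added example in Python. It is not ThreatConnect code and not from the original page. It parses a constructed STIX 2.1 indicator bundle (standing in for an external feed), drops indicators that have aged out, derives a gateway blocklist from the high-confidence entries only, and overlays the remaining indicators on constructed internal DNS and firewall log lines to produce alerts enriched with confidence, severity and a suggested next step. Every identifier, address, domain, timestamp, log format and threshold in it is an assumption made for the example.

```python
"""Added example: STIX 2.1 indicators -> blocklist + context-enriched alerts.

The bundle, log lines, thresholds and next-step text below are all
constructed for illustration (RFC 2606 names, TEST-NET-3 addresses).
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for an external feed. The objects
# are abbreviated (created/modified omitted); ids and values are made up.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--8f0c5b1e-6c2a-4e2f-9d3b-0f1a2b3c4d5e",
    "objects": [
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000001",
         "name": "C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'evil.example']",
         "valid_from": "2024-01-10T00:00:00Z", "confidence": 85,
         "labels": ["malicious-activity"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "command-and-control"}]},
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000002",
         "name": "Scanner IP", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2024-02-20T00:00:00Z", "confidence": 40,
         "labels": ["anomalous-activity"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "reconnaissance"}]},
        # Aged-out indicator: valid_until lies before NOW, so it must be ignored.
        {"type": "indicator", "id": "indicator--1a2b3c4d-0000-4000-8000-000000000003",
         "name": "Retired C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old.example']",
         "valid_from": "2023-11-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z",
         "confidence": 90, "labels": ["malicious-activity"]},
    ],
})

# Constructed internal DNS and firewall log lines in a simple key=value form.
SAMPLE_LOGS = [
    "2024-03-02T10:15:01Z dns client=10.0.0.12 query=www.example.com type=A",
    "2024-03-02T10:15:02Z dns client=10.0.0.12 query=evil.example type=A",
    "2024-03-02T10:15:03Z fw src=10.0.0.12 dst=203.0.113.5 dport=443 action=allow",
    "2024-03-02T10:16:00Z dns client=10.0.0.40 query=old.example type=A",
]
NOW = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)  # assumed evaluation time

# Only the single-comparison STIX pattern form is handled; compound patterns
# (AND / OR / FOLLOWEDBY) are skipped rather than half-parsed.
_PATTERN = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$")
_OBS_TYPES = {"domain-name": "domain", "ipv4-addr": "ip"}
_FIELDS = re.compile(r"(\w+)=(\S+)")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_indicators(bundle_json, now):
    """Map (kind, value) -> indicator for parseable indicators valid at `now`."""
    lookup = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _PATTERN.match(obj["pattern"])
        if not m or m["obj"] not in _OBS_TYPES or m["prop"] != "value":
            continue
        if _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue  # expired: neither block nor alert on it
        lookup[(_OBS_TYPES[m["obj"]], m["value"])] = obj
    return lookup


def blocklist(indicators, min_confidence=70):
    """Values safe to push to a gateway block rule: high confidence only.
    Lower-confidence indicators stay alert-only so a false positive cannot
    take down legitimate traffic."""
    return sorted(v for (_, v), ind in indicators.items()
                  if ind.get("confidence", 0) >= min_confidence)


def _severity(confidence):
    if confidence >= 70:
        return "high"
    return "medium" if confidence >= 40 else "low"


def _next_step(ind):
    phases = [p["phase_name"] for p in ind.get("kill_chain_phases", [])]
    if "command-and-control" in phases:
        return "isolate host; pull netflow/pcap; hunt for the domain across DNS logs"
    return "validate indicator; review the client for related activity before escalating"


def match_logs(indicators, log_lines):
    """Return one enriched alert per log line that touches a live indicator."""
    alerts = []
    for line in log_lines:
        fields = dict(_FIELDS.findall(line))
        observed = [("domain", fields["query"])] if "query" in fields else []
        observed += [("ip", fields[k]) for k in ("src", "dst") if k in fields]
        for key in observed:
            ind = indicators.get(key)
            if ind is None:
                continue
            conf = ind.get("confidence", 0)
            alerts.append({"timestamp": line.split()[0], "observable": key[1],
                           "indicator_id": ind["id"], "confidence": conf,
                           "severity": _severity(conf), "labels": ind.get("labels", []),
                           "next_step": _next_step(ind)})
    return alerts


if __name__ == "__main__":
    inds = load_indicators(STIX_BUNDLE, NOW)
    print("block at gateway:", blocklist(inds))
    for a in match_logs(inds, SAMPLE_LOGS):
        print(a["severity"], a["observable"], "->", a["next_step"])
```

Run it directly to print the blocklist and the alerts. The two choices worth copying are the validity check (an expired indicator that still blocks or alerts becomes a standing false positive) and the confidence gate on the blocklist: indicators below the threshold are routed to alerting, where a human triages them with the attached context, rather than to an automatic block rule.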
INTELLIGENCE-DRIVEN PLATFORM

Making Threat Intelligence Accessible and Usable

An intelligence-driven platform is vital for putting threat intelligence to use. A platform enables you to take both internal and external threat data and turn it into actionable threat intelligence that will drive informed security decisions.

A platform provides a central place for security analysts to aggregate threat data, analyze and enrich that data to make sense of it, and create and document the team's threat intelligence processes for responding to threats and mitigating risk. A platform optimizes these operations by combining automation and orchestration to increase a security team's speed and efficiency, while human review provides confidence and validation.

The ThreatConnect Platform was specifically designed to help you understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. Whether your focus is threat intelligence, security operations, incident response or security management, ThreatConnect was designed for teams of all sizes and maturity levels.

Learn More

Blog Posts:
  • 7 Threat Intelligence Tools Your Cybersecurity Team Needs
  • What Feeds Me, Destroys Me (aka "What are the best, most important threat intelligence feeds that I should integrate within my security operations?")
  • Threat Intelligence Processes are a Journey; Not a Destination
  • How to Choose the Right Threat Intelligence Platform for You