What is
Threat Intelligence?

Simply put, threat intelligence is the knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. Threat intelligence enables you to identify and contextualize your adversaries. Once you understand your adversary, you can take decisive action to better protect your organization.

When you apply threat intelligence, you can better defend your network-based assets, both operationally and strategically. Following Gartner’s definition of threat intelligence, using this knowledge helps you and your team make informed decisions on how to respond and react to a particular threat.

Is threat data the same as threat intelligence? Not exactly.

Threat data is a list of malicious domains, websites, IP addresses, and other indicators of compromise (IOCs). This data alone is commonly mislabeled as “intelligence”. Without understanding context, relevance, accuracy, or known associations, however, you can’t see the broader picture surrounding that single indicator or data point, and incapable of knowing what the correct response or next action should be.

Where does Threat Intelligence come from?

Threat intelligence comes from several sources, both internal and external. Fusing internal and external threat intelligence allows an organization to create the most relevant and accurate threat profile, and also to rate and rank the value of threat intelligence sources.

Internal Sources

Your own network shows which intelligence is truly relevant to your organization. By leveraging threat data from your own network, (i.e. log files, alerts, and incident response reports) you can recognize and stop threats. If you use a SIEM, this is a great place to start. Several raw sources of internal network event data (such as event logs, DNS logs, firewall logs, etc.) are already in your SIEM. Also, maintaining historic knowledge of past incident responses is helpful in leveraging more mature threat awareness based on internal sources including: retaining accessible data on the systems affected during an incident; the vulnerabilities exploited; the related indicators and malware; and, if known, the attribution and motivation of adversaries. Also, retaining malware used, relevant packet capture, and netflow can be invaluable sources of intelligence.

External Sources

External sources can be pretty varied, with many degrees of trustworthiness. “Open source” intelligence (i.e., security researcher, vendor blogs, and publicly available reputation and block lists) can provide indicators for detection and context. Private or commercial sources of threat intelligence can include threat intelligence feeds, structured data reports (such as STIX), unstructured reports (such as PDF and Word documents), emails from sharing groups, etc. Some of this data, particularly that from vendors, may be refined with context for your  particular industry. Ultimately, it’s up to your security team or someone with specific knowledge of your organization’s threat landscape to determine it’s relevance.

Why is Threat Intelligence important?

Cyber threat actors are using more sophisticated tools, techniques, and procedures (TTP) which are outpacing stand-alone security solutions. It’s not surprising they are able to get past disparate and uncoordinated defenses. Adversaries can often be organized criminal or state-sponsored groups — known as Advanced Persistent Threats (APTs) — all of which have the tools, training, and resources to disrupt or breach most conventional network defense systems. And, these attempts are not usually isolated. Many times, they can be multi-year campaigns targeting valuable, sensitive data.

Clearly, you need to react to threats. But if you are only reacting, you are playing a never-ending game of catch-up. Having a threat intelligence-led security program gives your organization a fighting chance to defeat these ever-changing threats.

You need a holistic view of the threat landscape and a proactive posture to protect your business from the multitude of threats you face every day. To be proactive, you need to constantly harvest and process knowledge about the threat actors, not just the specific incidents. Knowing the who, what, where, how, and when of an adversary’s actions is the only way to decrease their chances of success. This is where threat intelligence comes in.

SECURITY PLANNING
  • The most strategic use of threat intelligence.
  • Use threat intelligence that is relevant to you, then security planning will drive architecture decisions and refine security processes to better defend against known threats.
INCIDENT RESPONSE
  • Threat intelligence directly supports incident-response processes by placing observed IOCs into context.

  • Helps responders determine where to look next to observe an ongoing intrusion.

  • Threat intelligence can also drive the prioritization of ongoing investigations based on knowledge of the adversaries involved.

ALERTING AND BLOCKING
  • This is the basic use case for leveraging threat intelligence.
  • Use tactical feeds of threat intelligence-derived indicators to block malicious activity at firewalls or other gateway security devices.
  • Deploy detection for indicators of compromise (IOC) as alerts in SIEMs, as signatures on IDS/IPS, or host-based signatures on configurable endpoint protection products.
FUSION ANALYSIS
  • Threat intelligence fusion is the process of assessing intelligence from multiple sources and source types to create a more complete threat and risk picture for an organization.
  • It is an underlying and critical function of any threat-intelligence analysis effort.
  • It allows for the creation of comprehensive threat assessments and provides specific threat relevance by overlaying external intelligence sources onto internal ones.
CONTEXTUAL ALERTING AND SIGNATURE MANAGEMENT (or TRIAGE)
  • Alerts with context provided by threat intelligence are useful in determining the severity and validity of alerts.
  • Both host- and network-based detection signatures are made more useful in context from threat intelligence by providing confidence, priority, and appropriate next steps based on an adversary’s known tactics, techniques, and procedures.
INTELLIGENCE-DRIVEN PLATFORM

Making Threat Intelligence Accessible and Usable

An intelligence-driven platform is vital for putting threat intelligence to use. A platform enables you to take both internal and external threat data and turn it into actionable threat intelligence that will drive informed security decisions.

A platform provides a central place for security analysts to aggregate threat data, analyze and enrich this data to make sense of it, and create and memorialize your team’s threat intelligence processes to respond to threats, and better mitigate risk. A platform will optimize these operations by combining automation and orchestration to increase a security team’s speed and efficiency while also providing confidence and validation through human intervention.

The ThreatConnect Platform was specifically designed to help you understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. Whether your focus is threat intelligence, security operations, incident response or security management, ThreatConnect was designed for teams of all sizes and maturity levels.

Learn More

Additional Resources:
Blog Posts:
  • 7 Threat Intelligence Tools Your CybersecurityTeam Needs
  • What Feeds Me, Destroys Me (aka "What are the best, most important threat intelligence feeds that I should integrate within my security operations?"
  • Threat Intelligence Processes are a Journey;Not a Destination
  • How to Choose the Right Threat IntelligencePlatform for You
Link to: Home
tc-logo
Request a Demo Login
USA HQ

3865 Wilson Blvd.
Suite 550
Arlington, VA 22203
Directions

Toll Free: 1.800.965.2708
Local: +1.703.229.4240
Fax: +1.703.229.4489

Solution

By Industry
By Role
By Need
How to Buy

Company

About
Leadership
Methodology
Research Team
Careers

Knowledge Base

Learn More
Getting Started
Collaboration
Customization
Github Repository

UK Office

107-111 Fleet Street
London, EC4A 2AB
United Kingdom

Tel: +44 20 7936 9101

Learn

Blog
Resources
News
Events

Contact

Sales
Support
PR
Careers

©2012- 2019 ThreatConnect, Inc. All Rights Reserved

Privacy Policy | Sitemap | Terms of Service

To give you the easiest possible experience, this site uses cookies. Find out more about our Privacy Policy and Cookie Policy. By continuing to use this site, you are giving us your consent to do this.

Close