Threat intelligence provides organizations with actionable cybersecurity insights. You can use threat intelligence to improve your overall security posture or determine specific threats that put your network and users at immediate risk. In this article, you will learn what is threat intelligence, what types of threat intelligence exist, and best practices for integrating threat intelligence.
What Is Threat Intelligence?
Threat intelligence is information related to security threats, including vulnerabilities, vulnerability exploits, malware, threat actors, attack methods, and indicators of compromise or attack (IoC / IoA). It is different than threat data in that it is actionable and requires analysis of data, it is not simply facts about threats. Threat intelligence is used to improve security tooling and inform security professionals about the methods, capabilities, motives, and infrastructures used by potential attackers.
As the number of cybercrimes has increased, threat intelligence has become a significant industry collected by many security professionals. Two major contributors to threat intelligence are commercial providers and government agencies. On a smaller scale, organizations can also collect and create threat intelligence.
Commercial providers, such as security vendors, often manage security research teams and may sell intelligence in the form of data feeds or as integration in products. Government agencies also host research teams and either make information publicly available or use information privately to increase National security.
Types of Threat Intelligence
There are four main types of threat intelligence that you can implement:
- Strategic—includes analyses of threat trends and risks. It is used to create a non-technical overview of existing threats. Strategic intelligence is often distributed in policy documents, whitepapers, and industry publications.
- Tactical—includes specific details of tactics, techniques, and procedures (TTP) used by attackers. This type of intelligence is more technical in nature and is often distributed via security research documents, feeds, or security forums.
- Technical—includes indicators of threats, such as malicious URLs or malware hashes. This type of intelligence is incorporated into many security tools but must be constantly updated to remain effective.
- Operational—includes details of specific attacks, including attack intent, timing, and responsible parties. Data for this type of threat intelligence is often directly collected during incident investigations by incident responders.
The Threat Intelligence Lifecycle
When threat intelligence is created, organizations and researchers use a structured process. This process is modeled after intelligence processes developed by military or governmental intelligence agencies. It involves six stages.
The direction stage is effectively the planning and reconnaissance stage of the intelligence creation cycle. In this stage, the intelligence creator must determine what assets need to be protected and what information is needed to accomplish that protection.
During the collection stage, threat data is collected from a wide variety of sources, both internal and external. Common sources include:
- Log data from previous attacks
- Vulnerability databases and datasets
- Public threat data feeds
- Interviews with cybercrime experts
- Publicly available news and security research
- Dark web forums and inside sources
The processing stage involves transforming collected data into a usable format that can be analyzed and correlated. For qualitative data, this could mean ranking and categorizing data. For quantitative data, this could mean cleaning and reformatting data.
The analysis stage involves taking the processed data and forming actionable conclusions. For example, creating files that can be ingested by security tooling to detect IoCs. Or, creating clear reports with risk evaluations that organizations can use to accurately budget for defensive security strategies.
In the dissemination stages, the created reports or files are delivered to security tooling or end-users. From there, intelligence can be applied to improving the security of systems, procedures, and solutions.
In the final stage, intelligence consumers provide feedback to the providers. This feedback might include how helpful intelligence is for detecting or preventing attacks, whether it can be implemented successfully via tooling, or how it does or doesn’t support response decisions. Intelligence providers can then use this feedback to improve future intelligence.
Best Practices for Integrating Threat Intelligence
Incorporating threat intelligence into your security strategies and processes can help you ensure that your system remains as secure as possible. Consider starting with the following best practices.
Integrate with security solutions
Threat intelligence is meant to be incorporated into existing security procedures and solutions. In particular, threat intelligence can help direct automated systems. These systems can correlate data with intelligence faster than humans can, making more efficient use of intelligence.
For example, solutions such as System Information and Event Management (SIEM) combine well with intelligence. SIEM solutions provide centralized collection and monitoring of system event data. With intelligence information, SIEMs can more accurately identify suspicious events and can alert security teams earlier.
Use to reduce “alert fatigue”
Security teams can quickly get overwhelmed with alerts from security solutions, resulting in “alert fatigue”. This can lead to alerts being overlooked or purposely ignored, both of which increase an organization’s risk. Incorporating threat intelligence can help you refine the thresholds for your alerts, ensuring that the most important are prioritized.
Implement threat hunting
Threat hunting involves proactively searching for threats and threat evidence. It is useful for detecting threats that have bypassed your protective measures as well as for internal threats. Threat hunting often requires in-depth threat intelligence to identify evidence that has otherwise been overlooked. It can also be a good source of data for future intelligence.
Focus on prevention
Intelligence is most helpful when you can use it to improve your security policies and patch your vulnerabilities before an attack. You can use intelligence as a guideline for how to restrict permissions, limit system access, or identify patchable vulnerabilities.
Even if an attacker breaches your systems, preventative steps can help you limit any damage caused. For example, you can use intelligence to help tools automatically classify threat priority levels or to perform automated responses. This can help you halt attackers early on.
Threat intelligence is incredibly useful for providing teams with actionable data, typically categorized into strategic, tactical, technical, and operational intelligence. The threat intelligence lifecycle is divided into six stages: direction, collection, processing, analysis, dissemination, and feedback. This working model is adjustable but recommended for use by many organizations and entities.
When introducing threat intelligence into your ecosystem, check for native solutions that fit your current SIEM or other cybersecurity solution. Once you are properly connected with viable data sources and controls, you will be able to reduce alert fatigue, implement threat hunting, and prioritize threats.