
Threat Intelligence

What is Threat Intelligence?

Threat intelligence is information about cyber threats that has been collected and analyzed by cybersecurity experts to help organizations make better decisions about detecting, identifying, preventing, and responding to those threats.

Threat intelligence is generated by frontline security analysts around the world and frequently shared between organizations in a global collaborative approach to cybersecurity that limits the effectiveness of malicious actors engaged in cyber crime.

What is a Threat?

A common goal for hackers, scammers, fraudsters, and other malicious actors is gaining unauthorized access to enterprise networks. To achieve this goal, these malicious actors deploy threats that exploit vulnerabilities in the target’s IT and cloud infrastructure.

In this context, a threat is an incident or event that can harm an IT system, a vulnerability is a weakness in a system that could be exploited by a threat, and the potential for loss or damage when a threat successfully exploits a vulnerability is known as risk.

Common examples of threats in the modern cyber threat landscape include:

  • Phishing and spear phishing attacks
  • Impersonation attacks (including AI-assisted impersonation attacks)
  • Malware and ransomware attacks
  • Cryptojacking attacks
  • DDoS attacks
  • Data theft attacks
  • Zero-day attacks

3 Levels of Threat Intelligence You Should Know

Strategic Intelligence

Strategic intelligence is the most high-level form of threat intelligence. Strategic intelligence focuses on understanding the cyber threat landscape, identifying the malicious actors targeting specific industries, determining the goals and motivation behind known threats, and assessing the risk of a successful cyber attack.

Strategic intelligence is used by IT security leaders to support informed decision-making about enterprise security and risk management.

Tactical Intelligence

Tactical intelligence is the middle tier of threat intelligence. Tactical intelligence focuses on understanding the tactics, techniques, and procedures (TTPs) used by malicious actors to deploy threats against targeted organizations. This includes intelligence about specific threats, attack patterns, and vulnerabilities.

Incident response teams, security operations center (SOC) analysts, and other IT security personnel use tactical intelligence to understand the organization’s vulnerabilities and make better decisions about defending the organization against threats.

Operational Intelligence

Operational intelligence is the most specific (low-level) form of threat intelligence. Operational threat intelligence focuses on immediately impactful details about current threats and ongoing incidents that threaten the organization’s security goals. Examples of operational threat intelligence might include information about a phishing campaign targeting the organization, or an alert about a malware infection on a specific system.

Operational intelligence is consumed by SOC and incident response teams to identify security threats against the organization and guide the incident response process.

Why is Threat Intelligence Important?

Minimizing Cyber Risk

Threat intelligence is a valuable source of information that helps organizations mitigate cyber risk and improve their overall security posture. 

Enabling Proactive Cybersecurity

Threat intelligence gives organizations the ability to understand and anticipate known cyber threats before they are ever used to target the organization. This enables a proactive approach to cybersecurity where preventive measures can be deployed in a targeted way to reduce the likelihood of a successful attack.

Accelerating Incident Response

Accurate threat intelligence can help enterprise SecOps teams rapidly assess an unfolding security incident, understand the attack pattern, and respond decisively with the right actions to limit damage and resolve the incident. 

Optimizing Resource Allocation

Threat intelligence helps IT security teams understand which threats or vulnerabilities pose the greatest risk to the organization. Armed with this information, security teams can direct their resources to where they reduce the most risk and improve the organization’s security posture most efficiently.

Where Does Threat Intelligence Come From?

Threat intelligence is generated by expert threat analysts and security researchers who work on the front lines of the cybersecurity industry. Threat analysts are employed by enterprise IT security teams, government agencies, and cybersecurity software vendors.

Threat analysts collect and analyze threat information from network, cloud, and application event logs, security monitoring software tools, and many other sources. Security researchers analyze malware programs, along with security incident reports and case studies from a variety of sources to better understand cyber threats and the risks they pose.

Threat analysts and researchers are employed by several types of organizations that frequently share security information with each other:

  1. Enterprise security teams employ cyber threat analysts to analyze threats against their networks, data, and cloud infrastructure. Many enterprises are involved in Information Sharing and Analysis Centers (ISACs) where they share threat intelligence with friendly companies in a mutual defense approach to cybersecurity. 
  2. Government agencies employ threat analysts and researchers to protect critical infrastructure and government services against cyber threats, as well as bolster national cybersecurity through information sharing. For example, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce maintains a publicly available database of known software vulnerabilities.  
  3. Cybersecurity vendors employ threat analysts and security researchers to develop threat intelligence that can be shared with customers or used to secure the customer’s cloud applications and infrastructure against cyber attacks.
  4. Computer emergency response teams (CERTs) are large cybersecurity organizations operating at the national or international level and tasked with responding to large-scale cyber incidents. CERTs employ both security analysts and researchers to better understand the cyber threat landscape and optimize their preparedness for dealing with cyber attacks.

What is the Threat Intelligence Life Cycle?

The threat intelligence life cycle is an iterative process that describes how organizations develop, apply, and distribute threat intelligence. The seven stages of the threat intelligence life cycle are summarized below:

  1. Planning - Analysts define the scope of intelligence-gathering activity based on the organization’s unique circumstances and risk profile.
  2. Threat Data Collection - Analysts gather relevant threat data from both internal sources (e.g. network event logs and security tools) and external sources (e.g. public threat feeds and databases, and intelligence sharing groups).
  3. Threat Data Processing - Analysts clean, aggregate, organize, and normalize threat data to prepare it for analysis.
  4. Threat Data Analysis - Analysts carefully review the processed data alongside additional contextual information to identify potential security threats or indicators of compromise (IoCs) and attribute them to known threat actors when possible. Based on the nature of the threat, analysts may recommend strategies for preventing it or mitigating risk.
  5. Threat Data Integration - Analysts integrate findings from threat data analysis into existing security infrastructure and processes to remove vulnerabilities, neutralize the threat, or mitigate risk.
  6. Threat Intelligence Distribution - Analysts share threat intelligence with internal stakeholders, customers, and/or the global cybersecurity community.
  7. Customer and Community Feedback - Analysts assess the impact of their threat intelligence efforts on organizational security and receive feedback from internal and external stakeholders.

Threat analysts continuously work through the threat intelligence life cycle by choosing different IT systems and data sources to analyze, or by examining data in new ways to identify potential cyber threats. Once the cycle is complete, new targets for analysis are chosen and the process begins again.

5 Use Cases for Threat Intelligence

Proactive Threat Detection

Threat intelligence allows enterprise SOC teams to proactively identify potential threats before they can cause harm to the organization. With information about the TTPs used by malicious actors, SOC teams can take the right steps to address vulnerabilities, prevent threats, and mitigate risk.

Incident Response

Timely and accurate threat intelligence provides valuable insight and context that can help threat detection and response teams determine the nature of a cyber attack, understand the attacker’s motives, and find the fastest way to contain the attack and protect critical systems.

Vulnerability Management

Threat intelligence helps enterprise security teams organize their vulnerability management activities, prioritize which patches to install, and better allocate resources to protect against the most common threats.

Fraud Prevention

Threat intelligence helps enterprises become aware of new and emerging scams or social engineering techniques used by cyber criminals to commit fraud. 

Threat Hunting

Threat hunting involves proactively searching IT infrastructure for signs of a cyber attack that might have evaded automated security tools. Threat intelligence provides new and existing indicators of compromise (IoCs) that threat hunters can use to identify and detect these elusive threats.
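As an added example (not code from the TierPoint page), the following Python script walks through the processing, analysis and integration stages of the life cycle described above and the threat-hunting use case just described. It cleans and "refangs" a constructed threat feed, drops malformed indicators before they can reach detection content, merges duplicate indicators reported by several sources, and then matches the normalized indicators against constructed log lines. The feed entries, log lines, source names, field names and confidence scores are all invented for this example; the simple key=value log format is an assumption, not a real product's data.

```python
import re

# Constructed sample feed: what raw threat data often looks like before the
# processing stage. Indicators are mixed-case, defanged, padded with
# whitespace and duplicated across sources. Every value is a placeholder
# (documentation ranges, .example names, the SHA-256 of an empty file).
RAW_FEED = [
    {"source": "isac-share", "type": "domain", "value": " Evil-Update[.]example ", "confidence": 80},
    {"source": "vendor-feed", "type": "domain", "value": "evil-update.example", "confidence": 60},
    {"source": "vendor-feed", "type": "ipv4", "value": "203.0.113.45", "confidence": 70},
    {"source": "internal-ir", "type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "confidence": 90},
    {"source": "isac-share", "type": "url", "value": "hxxp://Evil-Update[.]example/payload.bin", "confidence": 75},
    {"source": "vendor-feed", "type": "ipv4", "value": "999.1.1.1", "confidence": 50},  # malformed: must be dropped
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def refang(value):
    """Undo common defanging (hxxp, [.]) so indicators compare with real telemetry."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize(entry):
    """Processing stage: return a canonical (type, value) key, or None if invalid."""
    v, t = refang(entry["value"]), entry["type"]
    if t == "domain":
        v = v.lower().rstrip(".")
        return (t, v) if _DOMAIN.match(v) else None
    if t == "ipv4":
        m = _IPV4.match(v)
        return (t, v) if m and all(int(o) <= 255 for o in m.groups()) else None
    if t == "sha256":
        v = v.lower()
        return (t, v) if _SHA256.match(v) else None
    if t == "url":
        m = re.match(r"^(https?)://([^/]+)(.*)$", v, flags=re.IGNORECASE)
        # scheme and host are case-insensitive; the path is left untouched
        return (t, f"{m.group(1).lower()}://{m.group(2).lower()}{m.group(3)}") if m else None
    return None


def build_ioc_table(feed):
    """Analysis/integration stage: dedupe indicators and merge their sources."""
    table = {}
    for entry in feed:
        key = normalize(entry)
        if key is None:
            continue  # never let a malformed indicator into detection content
        rec = table.setdefault(key, {"sources": set(), "confidence": 0})
        rec["sources"].add(entry["source"])
        rec["confidence"] = max(rec["confidence"], entry["confidence"])
    return table


# Constructed telemetry in an assumed key=value format (not real logs).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.12 event=dns query=evil-update.example",
    "ts=2024-05-01T10:00:02Z src=10.0.0.12 event=http url=http://evil-update.example/payload.bin",
    "ts=2024-05-01T10:00:03Z src=10.0.0.12 event=conn dst=203.0.113.45",
    "ts=2024-05-01T10:00:04Z src=10.0.0.12 event=file sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2024-05-01T10:00:05Z src=10.0.0.20 event=dns query=updates.example.org",
]

# Which log field carries which indicator type (assumed for the sample format).
_FIELD_TO_TYPE = {"query": "domain", "url": "url", "dst": "ipv4", "sha256": "sha256"}


def hunt(log_lines, ioc_table, min_confidence=0):
    """Threat-hunting pass: normalize each log field the same way as the feed
    and report every line whose indicator is in the table."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        for field, ioc_type in _FIELD_TO_TYPE.items():
            if field not in fields:
                continue
            key = normalize({"type": ioc_type, "value": fields[field]})
            rec = ioc_table.get(key)
            if rec and rec["confidence"] >= min_confidence:
                hits.append({"ts": fields.get("ts"), "src": fields.get("src"), "type": ioc_type,
                             "value": key[1], "confidence": rec["confidence"],
                             "sources": sorted(rec["sources"])})
    return hits


if __name__ == "__main__":
    table = build_ioc_table(RAW_FEED)
    for hit in hunt(SAMPLE_LOGS, table, min_confidence=70):
        print(f"{hit['ts']} host={hit['src']} matched {hit['type']} {hit['value']} "
              f"(confidence {hit['confidence']}, sources {', '.join(hit['sources'])})")
```

Normalizing the log fields through the same `normalize` function as the feed is the point of the processing stage: a feed entry written as `Evil-Update[.]example` and a DNS log line containing `evil-update.example` only match because both sides were reduced to the same canonical form, and the `min_confidence` threshold is where the analysis stage's judgement (here a merged per-source score) controls how noisy the hunt is.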

Implement Proactive IT Security with TierPoint’s Managed Security Services

The most advanced SOC teams leverage Extended Detection and Response (XDR) software solutions to operationalize threat intelligence and automate the discovery and remediation of security threats to networks, endpoints, applications, and cloud infrastructure.

TierPoint offers Managed XDR Services to protect your critical IT infrastructure against cyber attacks while reducing the financial and operational burden on your team. Our world-class SOC team operates 24/7, leveraging the latest threat intelligence to identify and remediate threats to your networks, endpoints, applications, and cloud infrastructure.

Ready to learn more?

Book an intro call and learn how you can safeguard your mission-critical cloud infrastructure with TierPoint Managed IT Security Services.