Threat Intelligence
What is Threat Intelligence?
Threat intelligence is the collection, processing, and analysis of data about threats to help organizations understand threat actors and their behaviors. With that understanding, businesses can protect against incoming threats proactively and in a data-driven way, rather than reacting to each attack after the fact.
How Does Threat Intelligence Work?
Threat intelligence works by running potential and existing threats through a defined threat intelligence process so that an organization can prioritize them, plan defenses, identify the vulnerabilities those threats target, and respond to incidents. The process starts by collecting data from open sources (OSINT), closed or private sources (CSINT), and human sources (HUMINT). Once that data has been processed and analyzed, the patterns that emerge are written up as threat intelligence reports that drive further action, such as blocking known-bad infrastructure or tuning detections.
Why is Threat Intelligence Important?
Threat intelligence helps businesses make well-informed security decisions. Instead of spreading defensive effort evenly across every conceivable threat, it lets a business narrow its focus to the threats that are actually relevant to it and to the key behavioral patterns that allow it to detect and respond to attacks more effectively.
Types of Threat Intelligence
There are three main types of threat intelligence: tactical, operational, and strategic.
Tactical threat intelligence offers near-real-time information about ongoing and incoming attacks. Data collected at this level includes the malware being used, the IP addresses of the intruders, and the command and control (C&C) servers in play - the infrastructure the attacker uses to issue commands to compromised systems, move further into the environment, and exfiltrate data. These indicators of compromise (IOCs) are the digital evidence of a breach; they are directly machine-matchable against logs and traffic, and they help reconstruct how the compromise occurred.
Operational threat intelligence is more concerned with the tactics, techniques, and procedures used by threat actors, also known as TTPs. Automated, indicator-level intelligence can tell us a lot about what tools and infrastructure bad actors are using; operational threat intelligence looks at the how behind the attacks by studying their TTPs. By understanding the behaviors behind attacks, threat intelligence professionals can go beyond the surface level, stand a better chance of anticipating future attacks, and recognize techniques and behavioral patterns that often only human interpretation will pick up. IOCs such as IP addresses and hashes are also cheap for an attacker to change, whereas TTPs are comparatively stable, which is why operational intelligence tends to produce longer-lived detections.
Strategic threat intelligence offers the highest level of analysis and is focused on the driving forces behind the behaviors of threat actors. Cybercrime trends vary based on industry, business size, and geographical location. Understanding these trends can help organizations anticipate and protect themselves from threats before they become a material problem.
Threat Intelligence Lifecycle
- Planning: The threat intelligence lifecycle starts with planning. In this phase, the organization determines its requirements for threat intelligence, the sources where it will get threat intelligence, and its protocol for how this data will be collected and processed.
- Collecting: In the collection stage, threat intelligence is gathered from a variety of sources - open source intelligence (OSINT), closed source intelligence (CSINT), and human intelligence (HUMINT).
- Data Processing: After the data has been collected, it needs to be processed - this may involve removing duplicates, normalizing the data so that records from different sources share a common schema and a canonical form (for example, lower-casing domain names or parsing IP addresses), discarding malformed records, and otherwise cleaning the data to fix formatting issues and incomplete entries.
- Analyzing: Data collected and processed from all source types will then be analyzed to spot trends and patterns that can tell organizations more about the types of threats they're facing, how future attacks are likely to occur, and how to respond to incoming threats.
- Presenting: Different stakeholders, including security teams and high-level members of leadership, will need to be informed about the threats that have been identified, which is where the presentation, or dissemination, phase comes in. Analyzed data is organized and presented in a way that tells a pertinent story and outlines action steps to the appropriate audiences.
- Feedback: Finally, the team conducting threat intelligence collects feedback from those stakeholders after the presentation, uses it to refine the original requirements and sources, and feeds those adjustments into the next cycle so the process keeps improving.
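The collection, processing, and analysis phases above, and the IOC matching described under tactical threat intelligence, can be shown end to end in a small pipeline. The following is an added example written for this page, not code from the original page or from TierPoint; the two feeds, the field names (indicator/type/source and value/kind/provider), and the proxy log lines are all constructed for illustration and are not real intelligence or real traffic.

```python
"""Collect -> process -> analyze: a minimal threat-intelligence pipeline."""
import csv
import io
import ipaddress
import json
import re

# Constructed sample feeds (not real intelligence): one CSV "open source"
# feed and one JSON "closed source" feed, with overlapping and inconsistently
# formatted indicators to exercise the processing step.
OSINT_FEED_CSV = """indicator,type,source
198.51.100.23,ip,osint-blocklist
EVIL-DOMAIN.example ,domain,osint-blocklist
198.51.100.23,ip,osint-blocklist
999.1.1.1,ip,osint-blocklist
"""
CSINT_FEED_JSON = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "provider": "vendor-x"},
    {"value": "evil-domain.example.", "kind": "fqdn", "provider": "vendor-x"},
    {"value": "203.0.113.77", "kind": "ipv4", "provider": "vendor-x"},
])
# Feeds name indicator types differently; map them onto one schema.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain"}

def collect():
    """Collection: pull every record from every feed into one raw list."""
    raw = []
    for row in csv.DictReader(io.StringIO(OSINT_FEED_CSV)):
        raw.append({"value": row["indicator"], "type": row["type"], "source": row["source"]})
    for rec in json.loads(CSINT_FEED_JSON):
        raw.append({"value": rec["value"], "type": rec["kind"], "source": rec["provider"]})
    return raw

def normalize(record):
    """Processing: canonicalize one indicator; return None if it is malformed."""
    ioc_type = TYPE_ALIASES.get(record["type"].strip().lower())
    value = record["value"].strip()
    if ioc_type == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))  # rejects e.g. 999.1.1.1
        except ValueError:
            return None
    elif ioc_type == "domain":
        value = value.lower().rstrip(".")  # case-fold, drop trailing root dot
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
            return None
    else:
        return None
    return {"value": value, "type": ioc_type, "source": record["source"]}

def process(raw):
    """Processing: drop invalid records, deduplicate on (type, value), merge sources."""
    merged = {}
    for rec in raw:
        norm = normalize(rec)
        if norm is None:
            continue
        merged.setdefault((norm["type"], norm["value"]), set()).add(norm["source"])
    return {key: sorted(sources) for key, sources in merged.items()}

# Constructed proxy log lines (not from a real environment).
PROXY_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 host=cdn.example.org status=200
2024-05-01T10:00:02Z src=10.0.0.9 dst=93.184.216.34 host=EVIL-DOMAIN.example status=302
2024-05-01T10:00:03Z src=10.0.0.5 dst=203.0.113.77 host=update.example.net status=200
2024-05-01T10:00:04Z src=10.0.0.7 dst=93.184.216.34 host=www.example.com status=200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)")

def analyze(iocs, log_text):
    """Analysis: match normalized IOCs against log fields; return one hit per match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for ioc_type, field in (("ipv4", "dst"), ("domain", "host")):
            key = (ioc_type, m.group(field).lower())
            if key in iocs:
                hits.append({"ts": m.group("ts"), "src": m.group("src"),
                             "type": ioc_type, "ioc": key[1], "sources": iocs[key]})
    return hits

def run_pipeline():
    """Run the three phases end to end and return (normalized IOCs, hits)."""
    iocs = process(collect())
    return iocs, analyze(iocs, PROXY_LOG)

if __name__ == "__main__":
    iocs, hits = run_pipeline()
    print(f"{len(iocs)} unique IOCs after normalization")
    for h in hits:  # Dissemination: one line per sighting, with the reporting sources
        print(f"{h['ts']} {h['src']} -> {h['type']} {h['ioc']} (reported by {', '.join(h['sources'])})")
```

Two things the processing step does matter in practice: the same indicator reported by both feeds collapses to one record that remembers both sources (useful for confidence scoring during analysis), and a malformed indicator such as 999.1.1.1 is dropped rather than being allowed to silently never match. The analysis step lower-cases the log's host field for the same reason the domain was lower-cased during processing: matching only works if both sides are in the same canonical form.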
Threat Intelligence Tools
While the more sophisticated forms of threat intelligence depend on human expertise, data from privately and publicly available sources can be gathered and correlated by tools. Maltego is an OSINT tool that visualizes the relationships between threat intelligence data points, such as actors, infrastructure, and IOCs. FireEye Intelligence produces threat reports, provides vulnerability information, and supplies IOCs as closed-source intelligence. Note that Splunk, QRadar, and Microsoft Sentinel are SIEM platforms: they consume threat intelligence feeds and match indicators against the logs they collect rather than producing intelligence themselves. Some other popular tools include:
- Threat Hunter Group
- OSINT Framework
- ThreatConnect
- Cybereason Red Team
- Splunk
- QRadar
- Microsoft Sentinel
TierPoint and Threat Intelligence
Cybersecurity is no longer a reactive measure. Businesses need to be proactive to better protect their data, applications, and systems from incoming threats. TierPoint offers proactive security and data protection measures, as well as threat detection and incident response services, for organizations to stay vigilant in a growing cyber threat landscape.