Data is the most valuable asset of most modern organizations. Organizations are rapidly deploying new technologies and devices that increase vulnerability points that malicious attackers may target. Organizations need to protect their data assets at a time when their attack surface is rapidly growing. Cyber threat intelligence helps businesses identify malicious activity before it happens and speeds up decision-making processes to respond to such threats.
What is Cyber Threat Intelligence?
Threat intelligence or cyber threat intelligence is the data collection and analysis to gain information about existing and emerging threats to a business. Cyber threat intelligence helps organizations avoid unexpected threats. Since cyber threat intelligence information makes unknown threats visible to organizations, businesses can improve their cybersecurity mechanism and mitigate the risk of cyberattacks.
Wikipedia defines the term as follows:
Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence or intelligence from the deep and dark web.
Why is it important now?
As the amount of data generated by businesses increases and as it becomes easier to act on data, the potential risk of a data breach increases. Hackers can easily monetize captured data by sale or ransomware. The number of data breaches is increasing each year (Compared to midyear of 2018, the number of reported breaches was up 54% in 2019) and average cost of a data breach is expected to surpass $150 million in 2020.
Besides these market researches, ESG’s survey highlights the fact that sustaining cybersecurity is more difficult than two years ago due to the following reasons:
- cyber threats are getting more sophisticated
- number of threats and types of threats are increasing
- organizations face a shortage of sufficient skilled professionals
With cyber threat intelligence, organizations gain a deeper understanding of threats and respond to the concerns of the business more effectively.
What are the intelligence sources?
These are some of the common sources that can be used in threat intelligence as identified by Bank of England:
- Human intelligence: Enterprises can work with cybersecurity companies to identify threats. Furthermore, companies with global scale and billions in revenues can afford to gather information from sources such as national intelligence agencies.
- Open source intelligence: Publicly available sources such as the media, internet, public government data, publications, financial and industrial assessments.
What are the types of Cyber Threat Intelligence?
Tactical threat intelligence
Tactical threat intelligence identifies how the organization might be attacked. It helps inform improvements to existing security processes while speeding up incident response. Security teams must identify:
- the potential attackers and their motivations,
- vulnerable points that attackers may target,
- potential actions that organizations may take depending on the threat intelligence
Though tactical threat intelligence is the easiest type of threat intelligence and is mostly automated by organizations, indicators of compromise (IOC) such as malicious IP addresses, URLs, file hashes and domain names get outdated quickly. The short lifespan of IOCs may cause false positive during the analysis that’s why it can not be a long term security plan of an organization.
Reports that are generated by tactical threat intelligence are geared towards technical audiences such as infrastructure architects, administrators and security staff. These personnel use the reports to make improvements in the security system.
Operational Threat Intelligence
Operational threat intelligence provides information about attackers. With operational intelligence, organizations can predict who is the attacker, what is the motivation of attackers and how adversaries plan to attack including their tools, techniques and procedures.
Though some of these capabilities overlap with tactical intelligence capabilities, tactical intelligence is more automated while human analysis is needed for effective operational intelligence.
Operational intelligence is mostly used in cybersecurity disciplines such as vulnerability management, incident response and threat monitoring.
Strategic Threat Intelligence
Strategic threat intelligence provides a wider outlook of the organization’s threat landscape. It identifies potential attackers by analyzing the organization in light of global dynamics. For example, major US companies are prepared against cyber attacks by countries that are in conflict with the US in various fields.
Strategic intelligence requires machines to process large volumes of data and analysis of a human who has expertise in both sociopolitical and business concepts. Output mostly comes in the form of reports to inform executives and other decision-makers in the enterprise. Therefore the context of reports contains less technical information compare to tactical and operational intelligence.
Sources used in strategic intelligence are generally open sources including:
- policy documents of nation-states,
- local and national media,
- industry- and subject-specific publications,
- whitepapers and research reports of security vendors.
How does AI affect cyber threat intelligence?
AI eases the job of the security team by fastening the task of data processing, image below shows how time-saving AI is for cyber threat intelligence processes.
AI has an active role in the threat intelligence process as well. Since threat intelligence depends on data analysis, NLP technology is heavily used in collecting unstructured data and data processing. Threat intelligence adopts NLP and machine learning to interpret text from various unstructured documents across different languages.
Cyber threat intelligence is an application of predictive analysis that focuses on security. We’ve already written how AI is shaping analytics, feel free to check it out if you want to learn AI capabilities in analytics.
What are the benefits of cyber threat intelligence?
Usage of cyber threat intelligence tools improve organizations’ security in different aspects:
- Organizations can understand potential threats more accurately and build a more proactive defense mechanism.
- Threat intelligence provides information about intruders. This leads to better decision making when reacting to intruders.
What are the potential pitfalls to avoid?
SANS Institute conducted a survey and asked executives the main barrier to implement an effective cyber threat intelligence. The results can be seen below. Lack of technical skills of employees/executives and the difficulty of using security tools are the common pitfalls that inhibit implementing cyber threat intelligence effectively.
What are the leading companies?
- Accenture iDefense
- AlienVault Unified Security Management (USM)
- Anomali ThreatStream
- CenturyLink Analytics and Threat Management
- Check Point ThreatCloud
- Cisco Threat Intelligence Director (TID)
- Crowdstrike Falcon
- Deceptive Bytes
- FireEye iSIGHT Threat Intelligence
- IBM X-Force Exchange
- Imperva Threat Intelligence
- LogRhythm Threat Lifecycle
- LookingGlass Cyber Solutions
- LookingGlass Strategic Intelligence
- McAfee Advanced Threat Defense
- Palo Alto Networks AutoFocus
- Proofpoint Emerging Threat (ET) Intelligence
- RSA NetWitness Suite
- SolarWinds Threat Monitor
- SonicWall Network Security
- Symantec DeepSight Intelligence
If you want to improve the security capabilities of your organization but don’t know where to start, we’ve written a few articles about information security solutions. Feel free to check them out:
If you still have questions about cyber threat intelligence, don’t hesitate to contact us.
How can we do better?
Your feedback is valuable. We will do our best to improve our work based on it.