
What is Threat Intelligence?


Overview

What is cyber threat intelligence? Also referred to as cyber security intelligence, threat intelligence is evidence-based knowledge about existing and emerging threats to an organization’s networks, devices, applications, and data. It gives businesses a better understanding of past, current, and future cyber dangers, and it includes the mechanisms, context, implications, indicators, and action-oriented advice needed to respond to those threats.

Threat intelligence information can guide businesses in determining which of their cyber assets are at greatest risk of attack, and where attack impact would be most significant. It gives businesses the knowledge they need to know what information assets to protect, the best means of protecting them, and the most appropriate mitigating tools. Threat intelligence provides the context needed for accurate, relevant, actionable, timely, and informed decision making.

As a concept, threat intelligence is easy to understand. Collecting and analyzing the data it requires is considerably harder: the sheer number of threats that could compromise or cripple enterprise information technology can feel overwhelming.

The context threat intelligence provides includes what your vulnerabilities are, who is attacking you, what their motivation is, what their capabilities are, what damage they could do to your information assets, and which indicators of compromise you should look out for.

OpenText™ ArcSight™ Intelligence gives you information about the most potent threats to your infrastructure, finances, and reputation. With that, you can build defense mechanisms and set up risk mitigation that will work.


Why threat intelligence is important

Threat intelligence tools read raw data on existing and emerging threats and threat actors from multiple sources. The data is analyzed and filtered to develop intelligence feeds and reports that can be used by automated security solutions. Why is this important?

  • Gaining the information the organization needs to defend itself against specific threats and attacks.
  • Staying current on the risks posed by threat actors, newly disclosed vulnerabilities, attack methods, zero-day exploits, and advanced persistent threats.
  • Providing a structured way to handle the large volume of internal and external threat data that spans many actors and unconnected systems.
  • Reducing false alarms by giving alerts the context needed to judge whether they matter.
  • Reducing data breaches and the financial, reputational, and compliance costs that come with them.
  • Identifying which security controls are most likely to work against the threats the organization actually faces.
  • Letting security teams and analysts stay proactive about future threats instead of wading through enormous volumes of raw, unprioritized data.
  • Keeping leaders, users, and stakeholders informed about the latest threats and their potential repercussions for the organization.
  • Providing timely context that decision makers can understand.

Threat intelligence matters to anyone whose network is connected to the Internet, which is virtually every organization today. Firewalls and other security controls are important, but they do not replace the need to stay current on the threats targeting your information systems. The variety, complexity, and scale of today’s cyberattacks make threat intelligence essential.


The threat intelligence lifecycle

Threat intelligence is not an end-to-end process that’s driven by a checklist. It’s continuous, cyclical, and iterative. There’ll never be a point in time when an organization will have identified and neutralized all potential threats.

The threat intelligence lifecycle is a recognition of the evolving nature of the threat environment. Averting one attack or crisis doesn’t mean the job is done. You must immediately think about, anticipate, and prepare for the next one. New gaps and questions will continue to come up that call for new intelligence requirements.

The threat intelligence lifecycle comprises the following steps.

  • Planning – Define the requirements for data collection. Ask specific questions that will lead you in the right direction and are aimed at generating actionable information. Determine who will be the end-consumer of the threat intelligence.
  • Collection – Collect raw threat data from credible sources. Credible sources here may include system audit trails, past incidents, internal risk reports, technical external sources, and the wider Internet.
  • Processing – Organize the raw data in readiness for analysis: normalize formats, decode or refang indicators, deduplicate, and tag entries with metadata (source, first-seen date, confidence) so that redundant and stale data and likely false positives can be filtered out. A SIEM can help here; its correlation rules structure the data for different use cases.
  • Analysis – The analysis phase is what sets threat intelligence apart from basic information gathering and dissemination, as it’s where you make sense of the data. Apply structured analytic techniques to the processed data and assess the likelihood and impact of the threat. The output includes threat intelligence feeds and reports that tools and analysts use to find indicators of compromise in their environment. Indicators of compromise include suspicious IP addresses, domains and URLs, sender email addresses, email attachments, registry keys, and file hashes.
  • Dissemination – Threat intelligence works when it’s relayed to the right people at the right time. Share the analysis with relevant stakeholders using predefined internal and external communication channels. Disseminate the information in a format the target audience can more easily understand. That could range from threat lists to peer-reviewed reports. In large organizations, threat detection and mitigation are collective efforts that involve multiple teams. Keep everyone in the loop to unearth new insights, solutions, and opportunities.
  • Integration - Integrate actionable threat intelligence into workflows, incident response programs, and ticketing systems.
  • Lessons - Analyze the intelligence for long-term lessons and broader implications. Make appropriate changes to your policies, procedures, processes, infrastructure, and configurations.
  • Feedback – Confirm with the consumers of the intelligence whether it answered the requirements set during planning and whether the threat has been blocked or contained, and carry any gaps forward into the next planning cycle.
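As an added example (not OpenText’s or ArcSight’s code), the processing and analysis steps above applied to two constructed indicator feeds: the script refangs and normalizes each indicator, drops entries older than an assumed 30-day retention window, merges duplicates across sources, and keeps the higher confidence when a second source corroborates an indicator. The feed contents, source names, and retention window are all assumptions made for illustration.

```python
"""Processing and analysis steps of the threat intelligence lifecycle.

Added example, not OpenText's or ArcSight's code.  Feed contents, source names
and the 30-day retention window are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed raw feeds.  The same indicators arrive from two sources in different
# notations (defanged domains, mixed case, "hxxp"), which is typical of OSINT feeds.
FEED_VENDOR = """# vendor-report (constructed)   kind,value,first_seen,confidence
ip,203.0.113.45,2024-05-01,high
domain,Bad-Updates[.]example,2024-05-01,medium
url,hxxp://Bad-Updates[.]example/setup.exe,2024-05-01,high
md5,00112233445566778899AABBCCDDEEFF,2024-03-01,high
"""
FEED_COMMUNITY = """# community-list (constructed)
ip,203.0.113.45,2024-05-03,medium
ip,198.51.100.7,2024-05-03,low
domain,bad-updates.example,2024-05-02,high
"""

CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}
MAX_AGE = timedelta(days=30)  # assumed retention policy for this example


@dataclass
class Indicator:
    kind: str
    value: str
    first_seen: date
    confidence: str
    sources: set[str] = field(default_factory=set)


def refang(value: str) -> str:
    """Undo common defanging so the indicator can later be matched literally."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalize(kind: str, raw: str) -> str:
    """Canonical form per indicator type so duplicates compare equal."""
    value = refang(raw.strip())
    if kind in ("domain", "md5", "sha1", "sha256"):
        return value.lower()
    if kind == "url":
        scheme, _, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{slash}{path}"  # path stays case-sensitive
    return value  # IP addresses are already canonical in these feeds


def parse_feed(text: str, source: str) -> list[Indicator]:
    indicators = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, raw, seen, conf = (f.strip() for f in line.split(","))
        indicators.append(Indicator(kind, normalize(kind, raw), date.fromisoformat(seen), conf, {source}))
    return indicators


def consolidate(feeds: list[tuple[str, str]], today: date) -> dict[tuple[str, str], Indicator]:
    """Merge feeds into one deduplicated, source-tagged indicator set."""
    merged: dict[tuple[str, str], Indicator] = {}
    for text, source in feeds:
        for ind in parse_feed(text, source):
            if today - ind.first_seen > MAX_AGE:
                continue  # stale: more likely to cause false positives than catch anything
            key = (ind.kind, ind.value)
            if key not in merged:
                merged[key] = ind
                continue
            cur = merged[key]
            cur.sources |= ind.sources
            cur.first_seen = min(cur.first_seen, ind.first_seen)
            if CONFIDENCE_RANK[ind.confidence] > CONFIDENCE_RANK[cur.confidence]:
                cur.confidence = ind.confidence  # corroborated: keep the stronger rating
    return merged


def build_feed(today: date = date(2024, 5, 5)) -> dict[tuple[str, str], Indicator]:
    return consolidate([(FEED_VENDOR, "vendor-report"), (FEED_COMMUNITY, "community-list")], today)


if __name__ == "__main__":
    for (kind, value), ind in sorted(build_feed().items()):
        print(f"{kind:6} {value:40} {ind.confidence:6} seen={ind.first_seen} sources={sorted(ind.sources)}")
```

Running it yields four consolidated indicators: the duplicated IP address and domain are merged with both sources recorded and the higher confidence kept, the URL is refanged and lowercased, and the two-month-old hash is dropped by the retention rule rather than passed on to detection tools.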

Types of cyber security threats and threat intelligence

Threat intelligence is commonly categorized by the business requirement it serves, its sources, and its intended audience. On that basis, three types are usually distinguished.

Strategic threat intelligence

Strategic threat intelligence covers broad, long-term trends and issues. It is written for high-level, usually non-technical audiences such as C-suite executives and boards. It provides a bird’s-eye view of threat actors’ capabilities and intent, which supports informed risk decisions and early warning.

Sources of strategic threat intelligence include the news media, subject matter experts, nongovernmental organization policy documents, security white papers, and research reports.

Tactical threat intelligence

Tactical threat intelligence describes the tactics, techniques, and procedures (TTPs) of threat actors and the indicators of compromise associated with them, as seen in day-to-day security operations. It is meant for a more technical audience, such as security professionals, system architects, and network administrators.

Tactical threat intelligence gives organizations a deeper understanding of how they could be attacked, and the best defenses against those attacks. Reports from security vendors and enterprise cyber security consultants are often the main source for tactical threat intelligence.

Operational threat intelligence

Operational threat intelligence, sometimes grouped with technical threat intelligence, is highly specialized and technical. It deals with specific attacks, malware, tools, or campaigns.

Operational threat intelligence could be in the form of forensic threat intelligence reports, threat data feeds, or intercepted threat group communications. It gives incident response teams insights into the timing, nature, and intent of specific attacks.


What is threat detection?

Threat detection is a term that is sometimes used interchangeably with threat intelligence, but the two are not the same thing. Threat detection is the monitoring and analysis of telemetry such as logs, network traffic, and endpoint activity to identify potential security issues.

It focuses on discovering and identifying threats before, during, or after a breach. The signal could be a known string in a malware sample, network connections over unusual ports, an unexpected spike or drop in network traffic, or an executable file written to a temporary directory.

Threat detection tools analyze user, data, application, and network behavior for anomalous activity. An intrusion detection system is one example of a threat detection tool.


How threat intelligence and threat detection work together

Threat detection systems often inspect network traffic and logs using threat intelligence sourced from a wide range of communities, such as sector ISACs like H-ISAC. They support custom alerting and event notifications, can ingest logs from varied sources, and can be tailored to different environments.

When a threat is detected, an alert is raised. Usually a human analyst then reviews the alert, determines what is happening, and takes appropriate action.
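As an added example of the detection side (not OpenText’s or ArcSight’s code), the following matches constructed web proxy and DNS resolver log lines against a small consolidated indicator set and raises alerts that carry the source, confidence, and context an analyst needs for the review described above. The key=value log format, the indicator values, and the metadata fields are assumptions; file hashes and other indicator types follow the same pattern.

```python
"""Threat detection driven by threat intelligence: match log lines against a
consolidated indicator set and raise alerts that carry the intelligence context.

Added example, not OpenText's or ArcSight's code.  The indicator set, the
key=value log format and all log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Consolidated indicators (constructed).  The metadata is what lets an analyst
# judge an alert without re-researching the indicator.
INDICATORS = {
    "ip": {
        "203.0.113.45": {"source": "vendor-report", "confidence": "high", "context": "command-and-control node"},
    },
    "domain": {
        "bad-updates.example": {"source": "community-list", "confidence": "high", "context": "fake software update site"},
    },
}

# Constructed telemetry: web proxy and DNS resolver logs in a key=value format.
PROXY_LOGS = [
    "2024-05-05T10:01:12Z src=10.0.0.12 dst=203.0.113.45 host=bad-updates.example uri=/setup.exe status=200 bytes=540112",
    "2024-05-05T10:02:40Z src=10.0.0.31 dst=198.51.100.200 host=intranet.example uri=/ status=200 bytes=1200",
    "2024-05-05T10:03:05Z src=10.0.0.12 dst=192.0.2.9 host=cdn.example uri=/lib.js status=304 bytes=0",
]
DNS_LOGS = [
    "2024-05-05T10:01:10Z client=10.0.0.12 query=BAD-UPDATES.example type=A answer=203.0.113.45",
    "2024-05-05T10:05:00Z client=10.0.0.44 query=updates.example type=A answer=192.0.2.77",
    "2024-05-05T10:06:30Z client=10.0.0.44 query=cdn.bad-updates.example type=A answer=192.0.2.77",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str      # internal host that triggered the match
    kind: str
    observed: str    # value seen in the log line
    indicator: str   # indicator it matched (may be a parent domain)
    source: str
    confidence: str
    context: str


def parse_line(line: str) -> dict[str, str]:
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def match_domain(name: str):
    """Exact or subdomain match: a listed zone covers its children."""
    name = name.lower().rstrip(".")
    for dom, meta in INDICATORS["domain"].items():
        if name == dom or name.endswith("." + dom):
            return dom, meta
    return None


def match_ip(addr: str):
    meta = INDICATORS["ip"].get(addr)
    return (addr, meta) if meta else None


def observables(fields: dict[str, str]) -> list[tuple[str, str]]:
    """Which log fields are checked against which indicator type."""
    obs = [("ip", fields[k]) for k in ("dst", "answer") if k in fields]
    obs += [("domain", fields[k]) for k in ("host", "query") if k in fields]
    return obs


def detect(lines: list[str]) -> list[Alert]:
    alerts = []
    for line in lines:
        f = parse_line(line)
        client = f.get("src") or f.get("client", "unknown")
        for kind, value in observables(f):
            hit = match_ip(value) if kind == "ip" else match_domain(value)
            if hit:
                ind, meta = hit
                alerts.append(Alert(f["ts"], client, kind, value, ind,
                                    meta["source"], meta["confidence"], meta["context"]))
    return alerts


def alerts_by_client(alerts: list[Alert]) -> dict[str, int]:
    """Group for triage: several hits on one host outrank scattered single hits."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(PROXY_LOGS + DNS_LOGS)
    for a in found:
        print(f"{a.ts} {a.client} {a.kind}={a.observed} -> {a.indicator} [{a.confidence}, {a.source}] {a.context}")
    print("hits per client:", alerts_by_client(found))
```

On the constructed input, host 10.0.0.12 produces four alerts (it resolved the listed domain, received the listed IP address as the answer, and then fetched setup.exe from both), while 10.0.0.44 produces a single subdomain hit. Grouping by client is what lets the analyst start with the host that shows the complete sequence rather than with an isolated DNS lookup.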


The right tools for the right threat intelligence

Today’s organizations face attackers who have a vast number of ways to gain unauthorized access and cause damage, and threats keep growing in scale, complexity, and sophistication. It is therefore best to assume that an attacker will eventually get through despite your organization’s best efforts. Establishing appropriate physical and logical controls still goes a long way toward reducing the chance of a successful attack.

Threat intelligence is indispensable for timely and effective threat detection and response, and is a necessary element in understanding and protecting against potential cyber security threats. The better your team’s understanding of the threats it faces, the better equipped it will be to develop and prioritize effective responses and to detect threats quickly.

Threat intelligence is an arduous and time-consuming exercise for organizations of any size. Fortunately, there are numerous threat intelligence tools available in the market that can help. Not all are created equal, though. Recognized as a global leader in the cybersecurity space, OpenText provides the tools your organization needs to quickly generate meaningful, actionable, and dynamic threat intelligence.

Related products

OpenText™ ArcSight™ Intelligence

Proactively detect insider risks, novel attacks, and advanced persistent threats

OpenText™ ArcSight™ Enterprise Security Manager (ESM)

Accelerate threat detection and response with real-time detection and native SOAR

OpenText™ Cybersecurity Cloud

Smarter, simpler protection

ArcSight Recon by OpenText™

Simplify log management and compliance while accelerating forensic investigation. Hunt and defeat threats with big-data search, visualization, and reporting
