What Is Cyber Threat Intelligence?
The exact definition of threat intelligence, or cyber threat intelligence, varies depending on who you ask. In its most basic form, cyber threat intelligence is data an organization collects, processes and analyzes to understand the threats that have targeted it, are targeting it now, or may target it in the future.[1] It homes in on specific events or on trends, allowing the organization to make faster and better-informed decisions and giving it a proactive decision advantage. Security vendors and researchers define the term differently; FireEye's definition specifically emphasizes "adversaries". While FireEye acknowledges that understanding your adversaries' capabilities, tooling, techniques and environments is important, it stresses that these are only tools used by one human to compromise another human's security, and it holds that this focus on the human adversary is what makes its cyber threat intelligence both different from and more effective than other companies'.[2]
Why Is It Important?
In our connected world, advanced persistent threat (APT) groups and defenders are in a constant contest to stay one step ahead of each other. Intelligence on a threat actor's likely next move lets you build defenses proactively rather than after an attack has landed. When threat intelligence is implemented correctly, it can and should achieve the following:[3]
- Keep you apprised of the volume and types of attacks
- Alert you to vulnerabilities, targets and malicious actors within your own systems
- Allow you to become proactive about future threats
- Keep leaders and key stakeholders informed about recent threats and the effects they may have on the organization
- Help cybersecurity professionals get a better understanding of threat actors’ decision-making process and movements
Threat Intelligence Lifecycle
The threat intelligence lifecycle is the process by which raw data is turned into finished intelligence that supports decisions and action. Descriptions of the lifecycle vary slightly depending on who you ask, but it generally has five or six steps.
- Planning and Requirements: This step is critical, as it sets the direction for the whole threat intelligence operation. The team determines its high-level intelligence needs and decides on the goals and methodology of the program.[4]
- Collection: With the goals and requirements defined, the team gathers the information needed to meet them: traffic logs from internal networks, public data sources, closed sources on the dark web, and any other relevant forums and feeds.[1]
- Processing: The raw data is transformed into a format the organization can use. Both humans and machines take part; this step usually involves structuring data points (in spreadsheets or a common indicator format), translating material gathered from foreign-language sources, and determining whether the data is relevant and reliable.[1]
- Analysis: Once processed, the data is evaluated against the program's requirements so that the team can make a fair and accurate judgement about its credibility, relevance, likelihood and impact.[2]
- Dissemination: The team polishes the analysis into a format suited to its audience. What that means depends entirely on who is receiving it; generally the presentation should be concise and avoid jargon the audience does not need.[1]
- Feedback: Stakeholders give feedback on the intelligence they received. They can tell the team whether adjustments should be made for future operations, whether priorities should change, and whether the intelligence should be disseminated or presented differently next time.[4]
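The Processing and Analysis steps above are where most of the mechanical work of a threat intelligence program happens. The following Python script is an added example, not code from the page or from any vendor it cites: it takes raw indicator records from two constructed feeds in different formats, normalizes them into one schema, undoes common "defanging", drops records that fail validation, deduplicates, and scores each indicator by source reliability and corroboration. The feed contents, the source reliability weights and the scoring rule are all assumptions made for the example.

```python
"""Processing and analysis stages of the threat intelligence lifecycle.

Added example (not from the original page). Every feed record, reliability
weight and scoring rule below is constructed for illustration.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed sample: a CSV export from a hypothetical commercial feed.
CSV_FEED = """indicator,kind,first_seen
203.0.113.45,ip,2021-02-10
evil-update[.]example,domain,2021-02-11
hxxp://evil-update[.]example/payload.bin,url,2021-02-11
203.0.113.45,ip,2021-02-12
"""

# Constructed sample: JSON records from a hypothetical community sharing group.
JSON_FEED = """[
  {"value": "203.0.113.45", "type": "ipv4-addr"},
  {"value": "44d88612fea8a8f36de82e1278abb02f", "type": "md5"},
  {"value": "not an indicator", "type": "ipv4-addr"}
]"""

# Assumed reliability weight per source (0..1); a real program would set these
# from its own track record with each source.
SOURCE_RELIABILITY = {"vendor_csv": 0.8, "community_json": 0.5}

# Map each source's type vocabulary onto the program's own schema.
TYPE_MAP = {"ip": "ipv4", "ipv4-addr": "ipv4", "domain": "domain",
            "url": "url", "md5": "md5"}

# Syntactic validators: anything that fails is dropped as unusable.
VALIDATORS = {
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "domain": re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$"),
    "url": re.compile(r"^https?://\S+$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
}


def refang(value):
    """Undo common defanging so the indicator can be matched mechanically."""
    return (value.replace("[.]", ".")
                 .replace("hxxp://", "http://")
                 .replace("hxxps://", "https://"))


def normalize(value, raw_type, source):
    """Return a normalized indicator dict, or None if it fails validation."""
    kind = TYPE_MAP.get(raw_type)
    if kind is None:
        return None
    clean = refang(value.strip())
    if kind != "url":          # URL paths can be case-sensitive; leave them
        clean = clean.lower()
    if not VALIDATORS[kind].match(clean):
        return None
    return {"type": kind, "value": clean, "source": source}


def parse_csv(text, source):
    return [normalize(r["indicator"], r["kind"], source)
            for r in csv.DictReader(io.StringIO(text))]


def parse_json(text, source):
    return [normalize(r["value"], r["type"], source) for r in json.loads(text)]


def process(records):
    """Deduplicate by (type, value) and collect the set of reporting sources."""
    merged = defaultdict(set)
    for rec in records:
        if rec is not None:
            merged[(rec["type"], rec["value"])].add(rec["source"])
    return merged


def analyze(merged):
    """Score = best source reliability plus 0.1 per extra independent source,
    capped at 1.0 (a constructed rule, not an industry standard)."""
    scored = []
    for (kind, value), sources in merged.items():
        base = max(SOURCE_RELIABILITY[s] for s in sources)
        score = min(1.0, base + 0.1 * (len(sources) - 1))
        scored.append({"type": kind, "value": value,
                       "sources": sorted(sources), "score": round(score, 2)})
    return sorted(scored, key=lambda x: (-x["score"], x["type"], x["value"]))


def run_pipeline():
    """Collection is simulated by the two embedded feeds; returns the
    analyzed, ranked indicator list ready for dissemination."""
    records = (parse_csv(CSV_FEED, "vendor_csv")
               + parse_json(JSON_FEED, "community_json"))
    return analyze(process(records))


if __name__ == "__main__":
    for item in run_pipeline():
        print(item)
```

The IP reported by both feeds ranks first because it is corroborated, the malformed community record is dropped during processing, and the duplicate CSV row collapses into a single indicator. In a real program the reliability weights would be revised from the Feedback step.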
Types of Threat Intelligence
There are three categories of threat intelligence: strategic, tactical and operational. Each is aimed at a different audience and supports a different kind of decision.
Tactical intelligence is the most basic form, but it is usually intended for a technical audience. It is often produced automatically, since it can be generated easily, and it focuses on the immediate future: it helps teams evaluate whether the security controls already in place will succeed in identifying and managing current risks. Tactical intelligence is meant to deliver indicators of compromise (IOCs), enabling responders to identify and remove specific threats that exist within their network. IOCs are concrete, machine-matchable artifacts (for example malicious IP addresses, domain names and file hashes) together with observed behaviors the team should look out for, such as unusual network traffic or login attempts that have been flagged.[5]
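To make the tactical use of IOCs concrete, here is an added example (not from the page or any vendor it cites) that matches a small normalized indicator set against constructed proxy, EDR and SSH authentication log lines, and separately flags the "flagged login attempts" case: a source IP with repeated failed logins, noting whether it later succeeded. The indicator set, the log formats and the failure threshold are all assumptions made for the example.

```python
"""Tactical intelligence in practice: IOC matching over sample logs.

Added example (not from the original page). The IOC set, log lines and the
failed-login threshold are constructed for illustration.
"""
import re
from collections import Counter

# Constructed IOC set a responder might receive (already normalized).
IOCS = {
    "ipv4": {"203.0.113.45"},
    "domain": {"evil-update.example"},
    "md5": {"44d88612fea8a8f36de82e1278abb02f"},
}

# Constructed sample logs: web proxy lines, an EDR file-hash line, SSH auth lines.
LOGS = """\
proxy 2021-02-16T10:01:02Z src=10.0.0.7 dst=203.0.113.45 host=cdn.example.net
proxy 2021-02-16T10:01:09Z src=10.0.0.9 dst=198.51.100.2 host=evil-update.example
edr 2021-02-16T10:02:00Z host=ws-12 file=C:\\Users\\a\\update.exe md5=44D88612FEA8A8F36DE82E1278ABB02F
auth 2021-02-16T10:03:01Z sshd: Failed password for admin from 198.51.100.77 port 5151
auth 2021-02-16T10:03:02Z sshd: Failed password for admin from 198.51.100.77 port 5152
auth 2021-02-16T10:03:03Z sshd: Failed password for root from 198.51.100.77 port 5153
auth 2021-02-16T10:03:04Z sshd: Accepted password for admin from 198.51.100.77 port 5154
auth 2021-02-16T10:05:00Z sshd: Accepted publickey for alice from 10.0.0.7 port 6000
"""

FAILED_LOGIN_THRESHOLD = 3  # assumed: three or more failures from one IP is worth a look

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"host=([A-Za-z0-9.-]+)")
MD5 = re.compile(r"md5=([0-9A-Fa-f]{32})")
FAILED = re.compile(r"Failed password for \S+ from ((?:\d{1,3}\.){3}\d{1,3})")
ACCEPTED = re.compile(r"Accepted \w+ for \S+ from ((?:\d{1,3}\.){3}\d{1,3})")


def match_iocs(log_text, iocs):
    """Return (line_number, ioc_type, value) for every IOC hit in the logs.
    Hashes and host names are lower-cased before comparison so that case
    differences between the feed and the log source do not hide a hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ip in IPV4.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
        for host in HOST.findall(line):
            if host.lower() in iocs["domain"]:
                hits.append((n, "domain", host.lower()))
        for digest in MD5.findall(line):
            if digest.lower() in iocs["md5"]:
                hits.append((n, "md5", digest.lower()))
    return hits


def flag_logins(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Flag source IPs with at least `threshold` failed logins, and record
    whether the same IP later authenticated successfully (the case a
    responder wants to see first)."""
    failures = Counter()
    accepted = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
        m = ACCEPTED.search(line)
        if m and failures[m.group(1)] >= threshold:
            accepted.add(m.group(1))
    return {ip: {"failures": count, "later_success": ip in accepted}
            for ip, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    for hit in match_iocs(LOGS, IOCS):
        print("IOC hit:", hit)
    for ip, info in flag_logins(LOGS).items():
        print("Suspicious logins:", ip, info)
```

Note that the EDR line carries the hash in upper case and still matches, and that the brute-force source is reported with `later_success` set, which is the difference between a noisy scan and a likely compromised account.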
Strategic threat intelligence focuses on the big picture and is generally presented to non-technical stakeholders, board members and C-suite executives. Its purpose is to give a wide-ranging understanding of the trends and motivations shaping the threat landscape. The bulk of the data for this form of intelligence comes from open sources that anyone can access, including but not limited to activity on social networks, local and national news, and white papers. By covering data that could affect business decisions, the threat intelligence team can provide strategic intelligence that lets an organization make more informed choices.[5]
The third type of threat intelligence is operational intelligence. It homes in on the "who?", "why?" and "how?" by studying the details of past attacks. Much as a sports team studies its next opponent's game tape, the threat intelligence team can study prior attacks to determine the motivations, methods and individuals behind them. By examining this intelligence, teams can uncover potential risks, better understand attackers' methods, and respond proactively when they detect the beginnings of an incident.[5]
Increase Your Threat Intelligence
As the rate of cyber threats and malicious attacks increases, the workforce of cybersecurity experts needs to grow at an even faster pace. If you'd like to enter the cybersecurity field, or would like to improve your cybersecurity skills and knowledge, consider beginning with expert-driven, skills-based education in the field. Register for an online cybersecurity course from EmergingEd now, and start developing your competitive edge.
1. Retrieved on February 16, 2021, from crowdstrike.com/epp-101/threat-intelligence/
2. Retrieved on February 16, 2021, from fireeye.com/mandiant/threat-intelligence/what-is-cyber-threat-intelligence.html
3. Retrieved on February 16, 2021, from forcepoint.com/cyber-edu/threat-intelligence
4. Retrieved on February 16, 2021, from recordedfuture.com/threat-intelligence-lifecycle-phases/
5. Retrieved on February 16, 2021, from securityscorecard.com/blog/what-is-cyber-threat-intelligence-3-types-and-examples