Cyber threat intelligence is the term given to the collection, processing, and dissemination of information, more specifically cybersecurity data, that helps you understand a threat, a threat actor, or attack behaviours.
Threat intelligence allows you or your organization to change detection capabilities and strengthen policies. It also helps improve defences so that you stay ahead of attackers and of the vulnerabilities that affect your business.
What are the benefits of using Cyber Threat Intelligence?
There are several benefits to using cyber threat intelligence in your role or in your business that will help you stay ahead of attacks. Whilst cyber threat intelligence often comes from other businesses or analysis teams, you can also produce your own. Typical benefits of this kind of intelligence include:
- Spotlights the ‘unknown’ in an ever-changing, threat-filled world.
- Provides intel on TTPs (Tactics, Techniques, and Procedures).
- Allows for meaningful change of detection capabilities and policy strengthening.
- Keeps you informed of what’s happening in the world around you, or in your industry.
Why is Threat Intelligence Important?
Threat intelligence is crucial to the continuous improvement of an organization’s service or security posture. Whilst it might not seem like it, most cybersecurity experts read about a threat or attack before making any changes to their own organization.
This could be a new and upcoming malware family or a breach within their industry. It will often cause spikes in rule development or detection capabilities, and maybe even policy strengthening.
Not only this, but if your organization is in the business of securing multiple other organizations, using sharing services such as the UK’s CISP (Cyber Security Information Sharing Partnership) means you can receive intelligence from other organizations whilst sharing your own to benefit others. (CISP is not to be confused with the CISSP certification exam.)
How Cyber Threat Intelligence works
Threat intelligence works in several ways, but all typically stem from initial research or discovery. Teams across the globe look to discover new or unseen threats (known as unknown unknowns, or unknown knowns) that have never been seen before.
These teams either discover them by looking extremely carefully at data (such as in a SOC environment), or have the unfortunate experience of being the victim of an attack that reveals itself.
Regardless of the initial method, threat intelligence starts from the moment the threat is discovered. IOCs (Indicators of Compromise) can be things like file names, file hashes, IP addresses, or even fragments of code from a script, any of which would suggest you have been compromised.
Not all threat intelligence has IOCs; it may instead be the discovery of a new threat group or an increase in attacks on organizations within a specific industry. We’re going to look at some threat intelligence examples later on in this article.
These small snippets of information are often used to create reports: highly analytical pieces of writing that outline what each aspect of a threat does. Again, this isn’t always the case, but it is very common.
This information is then passed on to other people, which is called dissemination. In some cases the discoverers may opt to share with a global audience through open-source platforms such as AlienVault, or it may be commercialised (placed behind a paywall) by vendors such as Intel471 or CrowdStrike.
In some cases, government organizations may be required to join what is known as an intelligence-sharing centre. These are collections of government organizations that share intelligence with one another to stay ahead of attacks.
What is the Intelligence Life Cycle? (5 Steps)
You may have heard of the ‘Intelligence Life Cycle’. It doesn’t only apply to cybersecurity, but it is used within the cyber threat intelligence workflow. Whilst it doesn’t have to be adhered to perfectly, most organizations use it as the foundation for their threat intelligence.
Stage 1: Planning and Direction
Stage 1, often described as planning and direction, is the art of defining what you and your organization want to get out of threat intelligence. Some questions that can be asked are:
- What do we want to know?
- What is the purpose of information gathering?
- Who will benefit from this when it’s finished?
- What is the attack’s success rate within our industry?
- Which employees are likely to be targeted by these attacks?
Whilst these are just a handful of the millions of questions that could be asked, laying the groundwork and the reasons why you’re developing a threat intelligence document will help in the later stages.
Stage 2: Information and Intelligence Gathering
Stage 2 is the first step in producing your intelligence report. This is also known as the ‘Collection’ phase, where data is collected from all kinds of sources. This can include, but is not limited to:
- Connection data from firewalls, SIEM tools, AV tools, and IDS/IPS systems.
- Data from systems such as servers, mobile devices, and desktops.
- Open-source content from blogs, news sites, and forums.
- Content from premium sources, otherwise known as paid threat feeds.
- Content from the dark web: criminal forums, blogs, etc. (Ensure you don’t participate in any illegal activity.)
- Threat intelligence reports and research from third parties.
- IOCs (from both open-source and commercial services such as AlienVault).
Unfortunately, threat intelligence gathering can take a number of days, if not weeks, and the data you collect will be enormous. That data, however, gives you a clear overview of everything that’s going on within your industry. As this is just the collection phase, you don’t need to do much else just yet.
Stage 3: Information Processing
Stage 3, the processing stage, is the most time-consuming phase, as you’re taking your enormous data set and processing it into a format that works for you, ready for further analysis in stage 4. Typically you will want to format your data so that it is easier to navigate and work with. This can include:
- Filtering out ‘noise’ (false positives and non-relevant information).
- Organizing your data with tags, or metatags/descriptions where applicable.
- Translating or correlating your data, to ensure you’re reading everything in the same way and not reading the same data twice.
- Aggregating all of your data into set formats that are easy to use and disseminate.
Typically this will take quite a number of days, even with a team behind you to help. Making the content easy to use, read, and format will be useful for future reference as well as for running through the intelligence cycle again.
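The four processing steps above (filter noise, tag, correlate so nothing is read twice, aggregate into one format) are easier to see in code than in prose. The script below is an added example written for this article, not the author’s own tooling. Every feed name, indicator, hash and note in it is constructed for illustration; the RFC 1918 check and the defanging rules it undoes (‘[.]’, ‘hxxp’) are the only parts that reflect real conventions.

```python
"""Stage 3 (processing) worked example: refang, normalise, de-duplicate and
tag indicators pulled from several feeds, then aggregate them into one
set format (CSV). The feeds and indicators below are constructed for
illustration only; they are not real threat data."""
import csv
import io
import re
from collections import defaultdict
from typing import Optional

# Constructed sample feeds: (source, raw indicator, analyst note).
# Mixed case, defanged values, duplicates and noise are deliberate.
RAW_FEEDS = [
    ("siem_export", "203.0.113.7", "beaconing from a workstation"),
    ("osint_blog", "203[.]0[.]113[.]7", "C2 address in a campaign write-up"),
    ("paid_feed", "hxxp://Bad-Example[.]test/dl", "payload download URL"),
    ("osint_blog", "bad-example.test", "C2 domain"),
    ("paid_feed", "BAD-EXAMPLE.TEST", "same domain, different case"),
    ("siem_export", "D41D8CD98F00B204E9800998ECF8427E", "dropper MD5"),
    ("siem_export", "10.0.0.5", "internal DNS server"),   # noise: private address
    ("osint_blog", "", "blank line in the feed"),          # noise: empty value
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# RFC 1918 ranges: an internal address in an external-threat feed is
# almost always a false positive, so it is filtered out as noise.
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
MD5 = re.compile(r"^[0-9a-f]{32}$")
URL = re.compile(r"^https?://", re.IGNORECASE)
DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def refang(raw: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so equal indicators compare equal."""
    value = raw.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def normalise(value: str) -> str:
    """Lower-case hashes, domains and URL hosts; a URL path may be case-sensitive, so keep it."""
    if URL.match(value):
        scheme, rest = value.split("://", 1)
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{slash}{path}"
    return value.lower()


def classify(value: str) -> Optional[str]:
    """Return the indicator type, or None for noise we cannot or should not use."""
    if IPV4.match(value):
        return None if PRIVATE_IP.match(value) else "ipv4"
    if MD5.match(value):
        return "md5"
    if URL.match(value):
        return "url"
    if DOMAIN.match(value):
        return "domain"
    return None


def process(feeds):
    """Filter, normalise, de-duplicate and tag. Returns {type: {value: record}}."""
    merged = defaultdict(dict)
    for source, raw, note in feeds:
        value = normalise(refang(raw))
        kind = classify(value)
        if kind is None:
            continue                                  # drop noise
        rec = merged[kind].setdefault(
            value, {"value": value, "type": kind, "sources": [], "notes": []})
        if source not in rec["sources"]:             # tag with every feed that saw it
            rec["sources"].append(source)
        rec["notes"].append(note)
    return merged


def to_csv(merged) -> str:
    """Aggregate the de-duplicated records into one CSV ready for dissemination."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value", "sources", "notes"])
    for kind in sorted(merged):
        for value in sorted(merged[kind]):
            rec = merged[kind][value]
            writer.writerow([kind, value, ";".join(rec["sources"]), " | ".join(rec["notes"])])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(process(RAW_FEEDS)))
```

Eight raw entries collapse to four records: the two spellings of the C2 address and the three spellings of the domain each merge into one record that is tagged with every feed that reported it, and the private address and blank line are dropped as noise. The ‘sources’ column is the correlation step from the list above in practice: it tells the stage 4 analyst how many independent feeds agree on an indicator.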
Stage 4: Information Analysis and Formatting
The information analysis and formatting stage allows you to create your reports by analysing the data you’ve processed. After all the work you’ve put into processing the data, this part is relatively simple but crucial to the intelligence life cycle.
In short, you must put a vast amount of complex data into simple terms (with detailed outputs) in a report format that someone with little technical knowledge could understand.
Stage 5: Dissemination and Feedback
The last stage of the intelligence life cycle, dissemination and feedback, is the easiest. This stage allows you to share your findings (most commonly in report format) with members of your team and organization. This step is crucial and is the whole reason you started the intelligence search. The report should be easy to read for both technical and non-technical users, which you can achieve by providing both a detailed and a simplified version.
After the report is consumed by its intended recipients, feedback should be gathered so that you can improve each and every time you create another threat report. Whilst the changes might not be drastic, making intelligence reports that are both helpful and time-efficient will make all the difference.
What are the Threat Intelligence Types? (4 Types)
Threat intelligence can be divided into four sub-types, which can be combined but are most commonly used individually. These are:
Strategic threat intelligence is typically a high-level form of information that provides the context behind a threat. It is typically provided to non-technical members of an organization such as sales staff, but more commonly to executive teams.
Example: strategic threat intelligence might be an analysis of a change the business is making that may leave the organization vulnerable to attack.
Tactical threat intelligence is a more detailed overview of how threats are being observed within an organization. This may include attack types, attack vectors, and the general tactics and techniques an attacker is using. This information is usually consumed by people who can put controls in place in response to new intelligence, such as policy strengthening and other security controls.
Example: tactical threat intelligence might be a report of an exploit in a chipset of a mobile device used by the organization, which is being targeted. The team receiving this information may force an update on the mobile devices to mitigate the risk.
Operational threat intelligence is commonly referred to as active threat management. It means collecting the intent, information, and TTPs of an attacker or an attack. Good operational threat intelligence gives your organisation time to implement security controls against possible future attacks.
Example: operational threat intelligence could be a report warning your incident response team that a planned attack on a firewall, or a DDoS attack, was likely to impact the business at a specific time. This allows the defending team to implement security controls in advance.
Technical threat intelligence is the nitty-gritty of an attack or attacker. This type of intelligence commonly refers to IOCs (indicators of compromise) as well as content from email campaigns. IOCs such as the IPs and domains of command and control servers, or malware samples, are also used.
Example: technical threat intelligence might be a report on a finding that shows a device communicating with a C2 server. This uncovers the attacker and their C2 infrastructure, leading to detection development and the blocking of all C2 IPs.
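The technical example above, and the earlier description of IOCs as file hashes, IP addresses and domains, both come down to the same SOC task: take the indicators from a report and run them over your own logs. The script below is an added example, not code from the article’s author; the IOC values, internal hosts, hash and log lines are all constructed, and the proxy, DNS and endpoint log shapes only loosely resemble common tools’ formats.

```python
"""Technical threat intelligence in use: run the IOCs from a report over
proxy, DNS and endpoint log lines to find internal hosts talking to C2
infrastructure, then list the C2 addresses for blocking. All IOCs, hosts,
hashes and log lines are constructed for this example; none are real."""
import re
from collections import defaultdict

# Constructed IOC set, as a technical report might list it (already normalised).
IOCS = {
    "ipv4": {"203.0.113.7", "198.51.100.23"},
    "domain": {"bad-example.test"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# Constructed log lines in three common shapes: proxy access log, DNS query log,
# and an endpoint agent's process-creation event.
LOG_LINES = [
    "1700000000.123 10.1.2.30 TCP_MISS/200 512 GET http://bad-example.test/dl - HIER_DIRECT/203.0.113.7",
    "1700000001.456 10.1.2.31 TCP_MISS/200 1024 GET http://intranet.example/page - HIER_DIRECT/10.0.0.8",
    "Nov 14 22:13:21 dnsmasq[512]: query[A] bad-example.test from 10.1.2.30",
    "edr host=10.1.2.44 event=process_create md5=D41D8CD98F00B204E9800998ECF8427E path=C:\\Users\\u\\svc.exe",
    "1700000002.789 10.1.2.30 TCP_MISS/200 200 GET http://198.51.100.23:8080/beacon - HIER_DIRECT/198.51.100.23",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5 = re.compile(r"\b([0-9a-fA-F]{32})\b")
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def internal_host(line: str):
    """Attribute a line to the internal host: an explicit host= field, else the first private IP."""
    m = re.search(r"host=(\d{1,3}(?:\.\d{1,3}){3})", line)
    if m:
        return m.group(1)
    for ip in IPV4.findall(line):
        if PRIVATE.match(ip):
            return ip
    return None


def match_line(line: str, iocs) -> set:
    """Return the set of (type, value) IOCs present in one log line."""
    hits = set()
    hits.update(("ipv4", ip) for ip in IPV4.findall(line) if ip in iocs["ipv4"])
    # hashes and domains are case-insensitive, so compare lower-cased
    hits.update(("md5", h.lower()) for h in MD5.findall(line) if h.lower() in iocs["md5"])
    hits.update(("domain", d.lower()) for d in DOMAIN.findall(line) if d.lower() in iocs["domain"])
    return hits


def hunt(lines, iocs):
    """Map each internal host to the IOCs it was seen with; lines with no hit are dropped."""
    findings = defaultdict(set)
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            findings[internal_host(line) or "unattributed"].update(hits)
    return dict(findings)


def c2_addresses(findings) -> list:
    """Sorted, de-duplicated list of the C2 IPs observed, ready for a blocklist."""
    return sorted({value for hits in findings.values() for kind, value in hits if kind == "ipv4"})


if __name__ == "__main__":
    found = hunt(LOG_LINES, IOCS)
    for host, hits in sorted(found.items()):
        print(host, sorted(hits))
    print("block:", c2_addresses(found))
```

Run on the constructed lines, one workstation is tied to the C2 domain and both C2 addresses across proxy and DNS logs, a second host is tied to the dropper hash from the endpoint event, and the intranet request is left alone. Grouping hits by internal host rather than by log line is what turns a list of matches into the ‘which device is talking to the C2’ finding the report describes, and the blocklist output is the detection and blocking step that follows.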
Who benefits from Cyber Threat Intelligence?
Although everyone in a business could theoretically benefit from threat intelligence, the users below will benefit the most. These include people and teams such as:
- SOC Team (SOC Analysts, SOC Manager, SOC Engineers etc.)
- IT Team (IT Technicians, Support Technicians, Cloud Engineers etc.)
- CSIRT Team (Cyber Security Incident Response Teams, and Managers etc.)
- Senior Leadership Teams (SLT, Executives, CEO, CIO, CTO, CFO etc.)
- General Staff (finance, sales, customer service etc.)
Whilst some may be obvious, such as the SOC team or IT team, sharing intelligence with teams such as sales can potentially help drive sales.
Whilst a SOC or IT analyst can often make changes based on threat intel findings, staff such as executives can gain an understanding of the threats and risks to the organization.
Overall, cybersecurity would be nothing without intelligence on the threats we face every single day. Threat intelligence is likely to become one of the biggest parts of cybersecurity, in part because knowledge sharing and communication across the globe are becoming more available and open-source.