What is Threat Intelligence? Mechanisms & Implications
Threat intelligence is the practice of gathering, processing, analyzing, and sharing data about attackers, their techniques, and other security threats, so that you can build a fast, accurate, data-driven plan to protect critical assets.
What is threat intelligence?
The average company faces a complex set of security challenges. You must know about issues happening right now. You must also know what's coming next. Threat intelligence solutions (typically packaged in software form) may help.
With a threat intelligence solution, you can:
- Understand your typical intruder. What does your attacker want? Where does this person come from?
- Parse common threats. What kinds of tools and techniques will your attackers use?
- Identify gaps. Is your current system equipped to handle the next set of threats? What should you keep? What should you change?
Most security teams gather data and make decisions based on what they observe in their own environment. Threat intelligence is different: it adds context about who is attacking, how, and why, drawn from sources well beyond your own logs.
Think of a threat intelligence program as a deep dive into your security landscape. The final product won't contain trivial or self-evident conclusions. Instead, you'll have a data-driven understanding of what's working, what's not, and what is coming next.
A successful cyberattack costs its victim $200,000 on average (CNBC, 2019). A threat intelligence program can reduce both the likelihood of an incident and the cost of responding to one. Other benefits include:
- Fraud prevention. Understanding your threat landscape can mean spotting an issue before you're a victim.
- Threat detection. Some of the most significant risks originate inside your own network, and they are easy to miss unless you know which signals to look for. Intelligence supplies those signals.
- Knowledge sharing. Well-distributed threat intelligence reports help everyone learn about security risks.
- Fast decision-making. A robust report, backed by data, leads to decisive action.
Anyone can benefit from a robust threat intelligence program, including both large and small companies. If you've ever faced a security risk in the past (and you probably have), the data you glean could be critical.
How Does Threat Intelligence Work?
As we mentioned, most cyber threat intelligence solutions are delivered as software. Every program is unique and works differently, but nearly all follow the same basic cycle, and some of its steps happen outside the tooling, in analyst discussion and planning.
Threat intelligence steps include:
- Planning/requirements. The team agrees on both goals and methods. They may focus on attacker profiles, attack surfaces, or current defenses. The tighter the criteria, the better.
- Collection. Threat intelligence software gathers data points closely related to the stated requirements. The system may pull from event logs, incident response reports, attacker forums, social media posts, commercial feeds, and subject matter experts.
- Processing. The software prepares the raw data for analysis: normalizing formats, removing duplicates, enriching indicators with context, and presenting the result as tables, charts, or other formats that are easier to parse.
- Analysis. The team refers to the goals outlined in the planning stage and examines how the data answers the questions posed there. The team may also prepare recommendations and action plans.
- Sharing. The report is released to stakeholders in the form they can act on: a briefing for leadership, indicators fed into detection tools for the SOC. The team discusses next steps, often in a meeting.
- Adjustment. After the review, the team adjusts its action plans and refines the requirements for the next cycle.
Threat intelligence is cyclical. Teams repeat these steps and look over different security threats and solutions. No report is ever definitive, as the threat landscape is always changing.
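The processing and analysis steps above are where a feed turns into something a defender can act on. The following is an added example, not Okta's code or any product's: it takes a constructed indicator feed (mixed case, duplicates across sources, defanged notation such as hxxp and [.]), normalizes and merges it, scores each indicator on confidence, source agreement and freshness, and then matches constructed proxy log lines against the result. The feed format, the log format, the field names and the scoring rules are all assumptions made for illustration.

```python
"""
Processing and analysis steps of the threat intelligence cycle, as an added
example. This is not Okta's code. The feed format, log format, field names,
scoring rules and all data below are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Constructed "now" so that indicator age is deterministic.
NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)

# Constructed indicator feed, as collected from several sources. Mixed case,
# duplicates across sources and defanged notation (hxxp, [.]) are deliberate.
RAW_FEED = [
    {"type": "domain", "value": "Login-Update[.]Example",
     "source": "vendor-a", "confidence": 80, "first_seen": "2024-05-01"},
    {"type": "domain", "value": "login-update.example",
     "source": "isac-share", "confidence": 60, "first_seen": "2024-05-03"},
    {"type": "ipv4", "value": "203.0.113.45",
     "source": "vendor-a", "confidence": 90, "first_seen": "2024-04-20"},
    {"type": "url", "value": "hxxp://cdn-assets[.]example/stage2.bin",
     "source": "internal-ir", "confidence": 95, "first_seen": "2024-05-02"},
    {"type": "ipv4", "value": "198.51.100.7",
     "source": "vendor-b", "confidence": 30, "first_seen": "2023-01-15"},
]

# Constructed proxy log lines in a simple key=value layout (an assumed format,
# not any real product's).
SAMPLE_LOGS = [
    "2024-05-04T09:12:01Z host=ws-017 dst=203.0.113.45 url=http://203.0.113.45/beacon",
    "2024-05-04T09:13:44Z host=ws-017 dst=LOGIN-UPDATE.EXAMPLE url=http://login-update.example/auth",
    "2024-05-04T09:15:10Z host=ws-042 dst=cdn-assets.example url=http://cdn-assets.example/stage2.bin",
    "2024-05-04T09:20:00Z host=ws-042 dst=intranet.corp.example url=http://intranet.corp.example/",
    "2024-05-04T09:25:30Z host=ws-099 dst=198.51.100.7 url=http://198.51.100.7/",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)$")


def refang(value):
    """Normalize an indicator: lowercase it and undo common defanging so it
    compares equal to what actually appears in logs."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", v)


def process_feed(raw, now=NOW):
    """Processing step: normalize every entry, merge duplicates reported by
    several sources, keep the highest confidence and the most recent report."""
    merged = {}
    for entry in raw:
        key = (entry["type"], refang(entry["value"]))
        first_seen = datetime.fromisoformat(entry["first_seen"]).replace(tzinfo=timezone.utc)
        age_days = (now - first_seen).days
        rec = merged.setdefault(key, {"type": key[0], "value": key[1],
                                      "sources": set(), "confidence": 0,
                                      "age_days": age_days})
        rec["sources"].add(entry["source"])
        rec["confidence"] = max(rec["confidence"], entry["confidence"])
        rec["age_days"] = min(rec["age_days"], age_days)
    return list(merged.values())


def score(ind):
    """Illustrative scoring (assumed rules): source confidence, a bonus when
    independent sources agree, and a heavy penalty for stale indicators."""
    s = ind["confidence"]
    if len(ind["sources"]) > 1:
        s += 10
    if ind["age_days"] > 180:
        s -= 40
    return max(0, min(100, s))


def match_logs(indicators, logs):
    """Analysis step: find log lines whose destination or URL is a known
    indicator and attach the indicator's score. Lookup is by value only, so a
    domain indicator also matches a log line that names it as dst."""
    by_value = {ind["value"]: ind for ind in indicators}
    hits = []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        for candidate in (m["dst"].lower(), m["url"].lower()):
            ind = by_value.get(candidate)
            if ind:
                hits.append({"host": m["host"], "indicator": ind["value"],
                             "type": ind["type"], "score": score(ind),
                             "sources": sorted(ind["sources"])})
                break
    return hits


def prioritize(hits, threshold=50):
    """Keep the hits worth an analyst's time, highest score first. Stale or
    low-confidence hits are dropped here instead of being forwarded as alerts."""
    return sorted((h for h in hits if h["score"] >= threshold),
                  key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    indicators = process_feed(RAW_FEED)
    for hit in prioritize(match_logs(indicators, SAMPLE_LOGS)):
        print(f"{hit['score']:3d} {hit['host']} {hit['type']} {hit['indicator']} "
              f"via {','.join(hit['sources'])}")
```

Two design points carry over to real tooling. Normalization must happen before merging, otherwise the same domain reported in different notation by two sources is counted twice and its corroboration is lost. And a hit is not an alert: the stale, single-source indicator in the sample feed does match a log line, but the scoring drops it below the threshold, which is exactly the filtering that keeps a feed from becoming "yet another piece of information to watch".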
The Role of Machine Learning
Security teams are drowning in data (Tech Radar, 2019). A threat intelligence program could, in theory, add yet another stream of information to watch. Machine learning can help with the volume.
Cyber threat intelligence solutions use machine learning to:
- Collect. Automated data gathering, integrated with your existing solutions, eases the process.
- Process. Advanced solutions can highlight the techniques and tactics favored by the attackers targeting you.
- Model. Some solutions allow teams to walk through threat scenarios.
Machine learning in threat intelligence products is relatively new, and some programs don't include it. Some teams also don't know how to use it, and many groups that bought threat intelligence solutions struggle to get full value from them. Your vendor must provide appropriate training.
3 Types of Threat Intelligence
We've described how threat intelligence programs work and how they can benefit companies like yours. Let's dig deeper into the three types of reports you could generate with appropriate software.
1. Operational
Gain insights about the attacks you're likely to face. Your report includes technical information about:
- Actors. Who is most likely to attack you?
- Intent. What do your attackers want?
- Timing. When is an attack likely to be launched?
- Tactics. What vulnerabilities are exploited? What attack vectors are common?
An operational report is detailed, specific, and technically focused. Use this model to examine campaigns, malware, tools, or past attacks.
2. Tactical
Learn what specific steps your attackers will take when they launch an initiative. Focus on the "how" of the attack with a report like this. Use the results to help strengthen your defenses and close loopholes.
A report like this typically includes a bit of context, but the ideal audience is system architects, SOC analysts, and other security specialists. They expect information they can put to use immediately, such as indicators and attacker techniques that can be turned into detections and blocks. A tactical report can guide daily operations.
3. Strategic
Take a step back from daily operations and assess the entire threat landscape with a strategic report. The results guide high-level decisions.
A strategic report isn't highly technical. But it contains deep insights about the risks you face now and the consequences of the key decisions ahead. Your team will have a full view of what's happening locally, regionally, and globally that could change your organization's security priorities.
Who Is Involved in Threat Intelligence?
Dedicated threat intelligence analysts, together with the engineers who build and integrate the tooling, do the heavy lifting. But many people within your organization should be part of your threat intelligence program.
Your threat intelligence team may include:
- Security analysts. Real-time data analysis is a core part of a security analyst's job. Threat intelligence enhances their work.
- Security operations. Security operations center teams (SOC) also handle data input and alerts. Threat intelligence reports guide their work and help them understand what signals to watch for.
- Incident response. Your computer security incident response team (CSIRT) springs into action when a problem appears. Threat intelligence may help them spot issues in the early stages.
- Leadership. Chief information security officers (CISOs) are responsible for understanding and preventing threats, and reports are critical to doing that job well. Your top leadership, including the CEO, may also need to see reports to guide strategic hires and infrastructure improvements.
Your vendor is important, too. At Okta, we take our role in threat intelligence very seriously. We'd love to tell you more about how we can help. Contact us for a demo.
Frequently Asked Questions
Q: Do I have to handle threat intelligence myself?
A: Not entirely. Most threat intelligence solutions automate collection and processing, so you won't need to gather and normalize the raw data yourself. Someone on your side still has to set the requirements and interpret the findings in the context of your own environment.
Q: How can I keep up with everything a threat intelligence feed produces?
A: Threat intelligence feeds can be overwhelming. Data points come and go very quickly, and it can be hard to keep up. Machine learning and automation can help teams filter and prioritize the data coming in, so that analysts spend their time on what matters to your company.
Q: Is threat intelligence only for security professionals?
A: No. Security teams can glean many helpful pieces of data from threat intelligence reports. But your CEO and other leadership team members may also need the data you collect.
Q: Do threat intelligence solutions involve looking only at your data?
A: No. Most programs gather up data from various sources, including both internal and external sources.
Q: Are threat intelligence reports crammed only with facts and figures?
A: No. Most also contain graphs, action items, and analysis.
References
Threat Intelligence: What Is It, and How Can It Protect You From Today's Advanced Cyber Attacks? Gartner.
Cyberattacks Now Cost Companies $200,000 on Average, Putting Many Out of Business. (October 2019). CNBC.
What Is Cyber Threat Intelligence and How Is It Used? (2019). CREST.
Security Teams are Drowning in Data. (2019). Tech Radar.
The Value of Threat Intelligence: Annual Study of North American and United Kingdom Companies. (February 2019). Ponemon Institute.