November 29, 2022
It is difficult to imagine a more disputed topic in cybersecurity than threat intelligence. Security professionals, from CISOs to SOC analysts, have diverse opinions on the issue: some roll their eyes in contempt, while others perceive threat intelligence as an integral part of their security roadmap. Rather than imposing a single opinion and jumping right into a step-by-step guide to building or rebuilding a threat intelligence program, we want to get security teams thinking about the value of threat intelligence. Therefore, this article aims to demystify intelligence by providing a clear definition and explaining its meaning and purpose for a modern enterprise.
Regardless of conflicting opinions, threat intelligence is becoming paramount in modern enterprises’ security architecture. With the abundance of visions and interpretations of what threat intelligence is and how it should be used, many security professionals are left with two fundamental questions: what is it after all, and what is its mission? Keep reading to find out the answers.
What Is Threat Intelligence?
There may be different opinions regarding the characteristics of threat intelligence, but industry professionals have reached a consensus regarding the general definition introduced by Gartner:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Therefore, threat intelligence refers to data that can be collected, analyzed, and correlated with additional information to improve an organization’s security posture. For instance, if a third-party vendor communicates to an organization that attacks have been launched against other companies in the same niche, and provides additional data about these attacks (e.g., IoC, APT, etc.) – that is threat intelligence. However, there are certain limits as to which data classifies as threat intelligence. Generally, it has to be:
• Relevant to the organization’s security context.
• Actionable, meaning it can be transformed into concrete steps that should be taken by the security team.
• Contextual, which refers to providing evidence that helps an intelligence analyst to effectively classify the threat.
There is a continuous flow of information about security breaches and threats in the media and other sources, yet not all of it is relevant, and not all of it should become a red flag for every organization. For instance, a severe Microsoft Teams vulnerability is not relevant to companies that are not using this channel of communication.
At the same time, simply being aware of the existence of a new vulnerability or attack type is not sufficient to define an action plan for prevention and mitigation. In order to protect an organization against an attack, basic information must be enriched with actionable data that can help security teams make informed decisions.
Lastly, what differentiates threat intelligence from other types of information is context. Whenever a piece of information is received, it is important to examine it through the prism of an organization’s network assets, which will help the security team determine whether a vulnerability poses a threat to the company infrastructure. However, context can also derive from the external environment: unless an organization is itself a victim of an attack, it will struggle to identify specific indicators associated with it, such as an email address. This is where third-party sources add extreme value, as they collect and analyze data from a myriad of different networks. Instead of looking at an email address as a single variable, third parties link it to other indicators associated with an attack, such as domains, file hashes, and IP addresses. This helps narrow down the context and understand what types of organizations are being targeted.
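As an added illustration (not from the article), the three criteria above can be applied mechanically to raw feed entries before an analyst spends time on them. The asset inventory, the feed entries and the indicator values are all constructed; the scoring rules are assumptions that mirror the article's examples (a Teams advisory for an organization that does not run Teams, a bare IP with no rationale, and a campaign whose email address is linked to a domain and a file hash).

```python
# Added example: triage feed items against the relevant / actionable /
# contextual criteria using a constructed asset inventory.
from dataclasses import dataclass, field

@dataclass
class IntelItem:
    source: str
    indicators: dict[str, str]                        # indicator type -> value
    affected_products: set[str] = field(default_factory=set)
    advice: list[str] = field(default_factory=list)   # concrete steps recommended
    rationale: str = ""                               # why the source judged it malicious

# Constructed inventory: what this organization runs and what it has already seen.
INVENTORY = {
    "products": {"microsoft_exchange", "fortinet_fortigate"},
    "observed": {"203.0.113.7"},   # indicators already present in own telemetry
}

def assess(item: IntelItem, inventory: dict) -> dict:
    """Score one feed item and name the criteria it fails."""
    relevant = bool(item.affected_products & inventory["products"]) or \
        any(v in inventory["observed"] for v in item.indicators.values())
    actionable = bool(item.advice)
    # Context (assumed rule): a stated rationale plus at least two linked
    # indicators, so an analyst can pivot from one to the others.
    contextual = bool(item.rationale) and len(item.indicators) >= 2
    missing = [name for name, ok in (("relevant", relevant),
                                     ("actionable", actionable),
                                     ("contextual", contextual)) if not ok]
    return {"source": item.source, "relevant": relevant, "actionable": actionable,
            "contextual": contextual,
            "verdict": "threat intelligence" if not missing else "needs " + ", ".join(missing)}

FEED = [  # constructed entries; the advisory id is a placeholder, not a real one
    IntelItem("news", {"advisory": "TEAMS-ADVISORY-PLACEHOLDER"}, {"microsoft_teams"},
              ["patch Teams clients"], "vendor advisory"),
    IntelItem("vendor A", {"ip": "198.51.100.23"}),   # bare IP, no rationale, no advice
    IntelItem("vendor B", {"email": "invoice@example.net", "domain": "example.net",
                           "sha256": "0" * 64}, {"microsoft_exchange"},
              ["block sender domain", "hunt for the hash in mail logs"],
              "seen in a campaign against peers in the same sector"),
]

if __name__ == "__main__":
    for entry in FEED:
        print(assess(entry, INVENTORY))
```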
What Threat Intelligence Is Not
Let’s take a step back and understand what doesn’t fall under the threat intelligence definition. A list of IP addresses or domain names without any context cannot be considered threat intelligence, just like a platform inside a security vendor’s tool, or data that exists in isolation from an organization’s network. All of these are puzzle pieces that can help generate holistic threat intelligence when combined but do not constitute intelligence in and of themselves.
For instance, a third-party vendor might communicate to an organization that a specific IP address is malicious, but with no context attached, which prevents the security team from turning it into action items. Besides, it is important to know the rationale, or how the vendor came to that conclusion. In fact, such context-free data points can only complicate the security team’s job, making it quite a challenge to judge or classify a threat.
But this point is not only relevant for external intelligence. To avoid problems with context, it is essential that teams maintain consistent documentation and exchange it internally, with relevant stakeholders. Documentation always helps create a clear context for security rules or policies that get imposed and provides an understanding of why certain behavior is classified as a threat.
In a nutshell, in order to fall under the threat intelligence definition, information must be put into a specific context that can help determine the actions that must be taken to protect an organization from threats.
What Is The Mission Of Threat Intelligence?
“Why do we need threat intelligence and what problem are we trying to solve?”
This is the question that many organizations overlook when launching a threat intelligence program. Yet, it is the response to this question that determines the success or failure of the system that is getting put in place. Needless to say, answers that lie on the surface such as “to protect the company”, “to understand what threats exist out there”, or “because the governance said we need one”, are not valid as they are incomplete. The perfect answer will define the particular threat intelligence needs of your company and specify the most valuable crown jewel that you are trying to protect (e.g., customer database, intellectual property, etc.). The threat intelligence mission and roadmap will derive from that information. At the end of the day, in order to measure the success of a threat intelligence program, it is important to understand the objectives and ensure they align with high-level company goals.
Cluster25 Advanced Threat Research team continually probes the Clear, Deep, and Dark web to capture new indicators of compromise, emerging threats, relevant adversaries, evolving tactics, and targeted campaigns. The gathered insights provide real-time alerts, proactive response, and tailored reports that help secure the infrastructure and assets of our customers, from IGOs to SMBs.
Schedule a demo today to see how it works.