What Is Threat Intelligence Sharing?
What Is Threat Intelligence?
Threat intelligence, also referred to as cyber threat intelligence, is a combination of internal and third-party data about known attacks to help organizations take proactive steps to protect digital assets.
Threat intel also focuses on threats specific to an organization, such as threats targeting vulnerabilities in its attack surface and exposed digital assets.
Cyber threat intelligence is developed by security analysts who collect, aggregate, process, and analyze raw cyber intelligence and security-related data to provide organizations with actionable insights (e.g., patterns, relationships, and trends). Threat intelligence also gives security teams details about the attackers, including the tactics, techniques, and procedures (TTPs) those threat actors use and the indicators of compromise (IoCs) for their attack vectors. In addition, threat intelligence includes contextual information, such as attack vectors used to target industry verticals, device types, and geographic regions.
The raw data used to curate cyber threat intelligence comes from internal and external sources.
- Internal sources of threat intel:
  - Data from security tools (e.g., anti-virus systems, security information and event management (SIEM) systems, endpoint and network detection, intrusion detection systems, intrusion prevention systems, and user and entity behavior analytics (UEBA))
  - Incident response reports, including artifacts collected after an event
  - Log files (e.g., applications, DNS, firewalls, and networks)
  - Security alerts (e.g., compromised credentials, exfiltration, lateral movement, and reconnaissance)
- External sources of threat intel, also referred to as open-source intelligence (OSINT):
  - Dark web
  - News reports
  - Organizations, such as:
    - CISA Automated Indicator Sharing (AIS)
    - Computer Emergency Response Teams (CERTs)
    - Cybersecurity and Infrastructure Security Agency (CISA)
    - Information Sharing and Analysis Centers (ISACs)
    - MITRE ATT&CK
    - SANS Internet Storm Center
    - The Federal Bureau of Investigation (FBI) InfraGard
    - VirusTotal
  - Private or commercial threat intelligence feeds
  - Publicly available threat indicator block lists
  - Security researchers
  - Social media
  - Vendor blogs
Why Is Threat Intelligence Important?
There are many reasons that threat intelligence matters. Threat intelligence:
- Allows leaders to make more efficient and informed decisions
- Details indicators of compromise (IOCs) and attackers’ behavioral patterns
- Directs investments in risk management and cybersecurity systems and programs
- Helps tailor security defenses to preempt future attacks
- Informs leaders, stakeholders, and users about the latest threats and impacts they could have
- Keeps organizations informed about the risks of, and responses to, advanced persistent threats and zero-day threats
- Optimizes cyber incident responses (e.g., containment, eradication, and recovery)
- Prioritizes risk and threat mitigation and remediation measures
- Provides contextual information about emerging or existing threat actors and threats from a number of sources
- Reveals attackers’ motives and their tactics, techniques, and procedures (TTPs)
- Supports compliance and strengthens defenses through collaboratively shared insights
Who Can Benefit from Threat Intelligence?
Almost every organization uses threat intelligence in one form or another. It is included in many widely used security solutions and services, such as anti-virus and anti-malware. Larger-scale cyber threat intelligence programs combine data sources to support systems run by in-house security teams. In most enterprise environments, the following are examples of who uses threat intel and how they benefit from it.
Tactical users (security and IT analysts, vulnerability management teams) use threat intel to:
- Identify and remediate gaps
- Leverage IOCs, content, and context to prevent attacks proactively
- Manage and optimize threat prevention and detection
- Prioritize updates and patches
- Augment other security systems (e.g., block malicious IPs, messages, and URLs)
Technical users (security operations centers (SOCs)) use threat intel to:
- Augment alerts
- Block suspicious activity at firewalls or other security devices
- Correlate alerts with incidents
- Create rules or signatures for indicators of compromise (IOCs)
- Feed threat intel into security systems, such as endpoint detection and response (EDR), firewalls, and intrusion detection and intrusion prevention systems (IDS/IPS)
- Leverage cyber threat intelligence for security monitoring and alerting
- Optimize security controls
- Reduce false positives
- Triage incidents based on risk
- Triage alerts generated from network monitoring
Operational users (computer incident response teams (CIRTs), forensic analysts, host analysts, incident responders and teams, malware analysts, network security teams, and threat intelligence analysts) use threat intel to:
- Assess incidents to determine the full scope
- Consume cyber threat intelligence for technical context
- Determine the who, what, why, when, and how of an incident
- Enrich alerts with context
- Facilitate investigations, management, and prioritization of cyber incidents
- Focus on the IOCs and links in the environment
- Identify and monitor threat actors
- Identify the root cause
- Review threat intel to better understand threats
- Triage and prioritize ongoing investigations
- Understand the context of threats
Strategic users (chief executive officers, chief financial officers, chief information officers, chief operations officers, chief risk officers, security executives, and other high-level executives, leaders, and managers) use threat intel to:
- Assess options for prevention and remediation
- Inform budgeting for security solutions and support
- Gain insight into attack trends by geography, industry, software, and hardware
- Understand the overall cyber risks and their impact
- Support risk-based decisions
- Meet cybersecurity compliance standards and legal obligations
The Cyber Threat Intelligence Cycle
The cyber threat intelligence lifecycle provides a framework for the ongoing process of collecting raw data and turning it into actionable intelligence. The framework detailed below can be used as guidance for developing a customized process that fits an organization’s unique needs. Regardless of how the phases are implemented, it is important to note that this is not a one-and-done exercise. It is meant to be repeated continuously to stay on top of evolving threats and changing requirements.
Step one: Define threat intelligence requirements
During the planning phase, security analysts work with key cybersecurity stakeholders and decision-makers (e.g., C-suite, managers, and representatives from IT and security teams). Key objectives during the planning phase are to establish a roadmap for a targeted threat intelligence program and align stakeholders on the objectives, strategy, tactics, and KPIs.
Step two: Gather the threat intel
Based on the established objectives for cyber intelligence, the next step is to collect the raw data needed to meet them. A detailed list of raw data sources appears above; a few examples are log files, SIEMs, publicly available data, and threat intelligence feeds.
Step three: Process raw threat intelligence data
Once raw data has been collected, security analysts aggregate, standardize, and enrich it to prepare it for analysis. This step includes organizing the information, decrypting as needed, translating information, and assessing information for accuracy and relevance so as not to skew the analysis or lead to false positives. This phase is often automated using machine learning, artificial intelligence, and natural language processing.
Step four: Create cyber threat intelligence through analysis
Raw threat intelligence data is inert information without analysis. Applying advanced analytics to the data is how valuable insights are derived. The analysis phase teases out the deliverables that were identified and defined in the requirements phase of the cyber intelligence cycle. Again, leveraging machine learning and artificial intelligence, trends, patterns, and other insights are turned into actionable recommendations. The output of this analysis can include the identification of specific threats or vulnerabilities along with solutions to eliminate or remediate the risks.
Step five: Present the threat intelligence
Once raw data has been processed and analyzed, it needs to be formatted and packaged for presentation. The audience will dictate the form of the presentation. In some cases, it is in a report. In others, it is presented as a slide show. Whatever format is selected, it is important that the final information that has been developed is clear, concise, and ready to be operationalized.
Step six: Reflect and refine the final threat intel
The final phase is to assess the threat intelligence based on the KPIs established during the planning phase. Then, adjustments should be made to optimize the plan.
Types of Threat Intelligence
Threat intelligence data is broken into four broad categories—operational, strategic, tactical, and technical. Within these categories, the data can be human- or machine-readable.
Human-readable cyber threat intelligence examples
- Cyber intelligence alerts
- Malware alerts
- Situational awareness
- Threat intel sharing
- Threat research reports
- Vulnerability reports
Machine-readable cyber threat intelligence examples
- Exploit alerts
- Indicators of compromise (IoCs)
- Kill chain mapping
- MITRE ATT&CK mapping
- Tactics, techniques, and procedures (TTPs)
- Vulnerability mapping
Operational threat intelligence
Operational threat intel helps information security teams prevent cyber attacks by providing context and enabling an understanding of the attackers and threats. This includes their motivation, specific capabilities, infrastructure, TTPs, and the anticipated timing of an attack. This information is then operationalized to prioritize and execute targeted, proactive security responses to specific threats.
Operational cyber intelligence is developed using a combination of machine-readable and human-readable data. It is used across security groups, including security managers, malware analysts, network defense teams, host analysts, SOC analysts, threat hunters, and incident response teams to:
- Develop rules or signatures for detection alerts
- Prioritize the installation of security updates and patches
- Proactively respond to planned attacks
Strategic threat intelligence
Strategic cyber intelligence provides a non-technical context to cyber threats to help an organization’s leaders make informed decisions based on an understanding of the cyber risks and vulnerabilities. Areas that strategic threat intelligence focuses on include cyber threats that target a specific industry, vulnerabilities in critical systems, and geopolitical situations that could spawn nation-state attacks. Stakeholders use strategic threat intelligence to align broader organizational risk management strategies and investments with the cyber threat landscape.
Strategic threat intelligence data is gathered primarily from human-readable sources and requires a deep understanding of the threat landscape, which makes it difficult to create. Delivered in the form of reports, strategic threat intel is used by security and business leaders, such as CEOs, COOs, CISOs, CIOs, and CTOs, to inform:
- Cybersecurity budgeting with information about the organization’s security posture and gaps
- Decisions about how to address new security requirements driven by changes in the regulatory compliance landscape
- Risk assessments with information about the vulnerability landscape, including exposures to data breaches
Tactical threat intelligence
Tactical threat intelligence is used to understand the details of prospective threats and active attacks in order to implement responses that address the underlying cause and functions of a threat. Tactical threat intel usually focuses on common IoCs, including:
- Artifact-based indicators, such as suspicious email attachments or URLs, network log files, and data in registries and file systems
- Behavioral indicators, such as emails with malicious links or attachments, privileged user logins at odd times or from suspicious locations, and multiple login failures
- File-based indicators, such as a hash or file name associated with known malware attacks or subject lines used in phishing attacks
- Network-based Indicators, such as suspicious port activity, data exfiltration, and unusual network traffic
Tactical cyber threat intelligence data is typically gathered by machines and includes open source intelligence (OSINT), such as attack group reports, the dark web, news reports, public block lists, social media, threat intelligence feeds, and vendor blogs. Behavioral threat indicators are ingested into cybersecurity systems, such as endpoint detection systems (EDS), firewalls, intrusion detection and intrusion prevention systems (IDS/IPS), and SIEMs, and used by security operations center (SOC) analysts and others on security teams to:
- Test security systems and processes
- Optimize security systems and processes
- Identify vulnerabilities in security controls
Technical threat intelligence
Technical threat intelligence is used to identify indicators of, or evidence of, an attack. This type of threat intel is used to support analysis in the wake of an incident. Examples of technical threat intel are domains used for command and control (C&C), Common Vulnerabilities and Exposures (CVE) data, details about attack vectors, malware samples, phishing email content, and reported URLs.
Machines usually gather technical threat intelligence data. Cybersecurity teams use technical threat intelligence to:
- Direct threat hunting
- Follow up on security alerts
- Gather forensic evidence
What to Look for in a Threat Intelligence Program
The top seven considerations for a threat intelligence program are:
1. Leverages solutions that integrate multiple forms of threat intelligence
2. Consolidates indicators from multiple sources, eliminates duplicates
3. Provides security operations teams with recommendations on responding to threat indicators
4. Automates identification and alerting about new threats
5. Integrates with security tools to automatically share threat intel data
6. Filters “noise” and helps prioritize threats and responses
7. Helps identify gaps across systems and processes
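The processing step of the intelligence cycle (aggregate, standardize, enrich), the tactical IoC matching described under tactical threat intelligence, and items 2 and 6 above (consolidate indicators from multiple sources, eliminate duplicates, filter noise) can be shown in one small pipeline. The code below is an added illustration, not Egnyte's or any vendor's product code; the feeds, indicator values and log lines are constructed for the example and the feed formats, field names and the two-source corroboration threshold are assumptions.

```python
import re
# Constructed sample feeds (not real indicators): an internal SIEM CSV export with defanged values, and an OSINT feed already parsed from JSON.
FEED_CSV = """type,value,source
domain,Evil-Updates[.]example,internal-siem
ip,203.0.113.7,internal-siem"""
FEED_OSINT = [{"type": "domain", "indicator": "hxxp://evil-updates.example/", "source": "osint-feed"},
              {"type": "ipv4", "indicator": "203.0.113.7", "source": "osint-feed"},
              {"type": "domain", "indicator": "cdn.example", "source": "osint-feed"}]
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain"}  # feeds disagree on type names
# Constructed DNS resolver and firewall log lines to match against.
LOGS = ["2024-04-18T10:02:11Z dns query=evil-updates.example client=10.0.0.5",
        "2024-04-18T10:02:12Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
        "2024-04-18T10:05:00Z dns query=cdn.example client=10.0.0.9"]

def normalize(ioc_type, value):
    """Standardize one indicator to a (type, value) key; None if the type is unknown or the value malformed."""
    t = TYPE_ALIASES.get(ioc_type.strip().lower())
    v = value.strip().replace("[.]", ".")                      # undo '[.]' defanging
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)  # undo 'hxxp' defanging
    if t == "domain":  # keep only the host part of a URL-shaped value
        v = re.sub(r"^https?://", "", v, flags=re.I).split("/")[0]
    elif t == "ipv4" and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
        return None
    return (t, v.lower()) if t else None

def load_feeds():
    """Aggregate both feeds into uniform {type, value, source} records."""
    recs = [dict(zip(("type", "value", "source"), row.split(","))) for row in FEED_CSV.splitlines()[1:]]
    recs += [{"type": i["type"], "value": i["indicator"], "source": i["source"]} for i in FEED_OSINT]
    return recs

def consolidate(records):
    """Deduplicate on the normalized key, keeping every source that reported it."""
    merged = {}
    for r in records:
        key = normalize(r["type"], r["value"])
        if key:
            merged.setdefault(key, set()).add(r["source"])
    return merged

def prioritize(merged, min_sources=2):
    """Filter noise: keep only indicators corroborated by at least min_sources feeds."""
    return {k: v for k, v in merged.items() if len(v) >= min_sources}

def match_logs(indicators, logs):
    """Return (line, type, value) for each log token equal to an indicator; whole-token comparison stops 203.0.113.7 matching 203.0.113.70."""
    hits = []
    for line in logs:
        tokens = set(re.split(r"[\s=,]+", line.lower()))
        hits.extend((line, t, v) for (t, v) in indicators if v in tokens)
    return hits
```

Running `match_logs(prioritize(consolidate(load_feeds())), LOGS)` flags the DNS query and the firewall connection but not `cdn.example`, which only one feed reported; raising or lowering `min_sources` is the knob that trades false positives against coverage.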
Find the Right Threat Intelligence Mix and Methods
Using threat intelligence, organizations gain an in-depth understanding of the specific attacks that they are exposed to, which allows them to assess risks, prioritize remediation, and implement response plans. Threat intel also enables faster, more effective responses to attacks in progress by providing details about the attack vector and its likely course. There are many sources of cyber threat intelligence that can be deployed in a number of ways. Understanding how threat intelligence works is critical to selecting the right mix of solutions and services to support security programs.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.
Last Updated: 18th April, 2024