April 30, 2019 • Zane Pokorny
Raw data and information are often mislabeled as intelligence, and the process and motives for producing threat intelligence are often misconstrued.
If you’re new to the field, or you think your organization could benefit from a carefully constructed threat intelligence program, here’s what you need to know first.
Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks. Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like who is attacking you, what their motivations and capabilities are, and what indicators of compromise in your systems to look for.
Here’s how Gartner defines it:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.
And here’s a definition provided by Maggie McDaniel, the senior director of Insikt Group at Recorded Future, Allan Liska, our senior solutions architect, and Levi Gundert, our vice president of intelligence and risk:
The best threat intelligence solutions use machine learning to automate data collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IOCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
Threat intelligence is often broken down into three subcategories:
At Recorded Future, all of our work is motivated by three core beliefs, which we discuss in turn below.
1. Threat intelligence is only useful when it gives you the context you need to make informed decisions and take action.
Today, the cybersecurity industry faces numerous challenges — increasingly persistent and devious threat actors, floods of irrelevant data and false alarms across multiple, unconnected security solutions, and a major skills gap.
Some organizations try to incorporate threat data feeds into their network, but don’t know what to do with all of that extra data, adding to the burden of analysts who may not have the tools to decide what to prioritize and what to ignore.
Threat intelligence needs to be actionable — it needs to be timely and arrive in a format that can be understood by whoever’s consuming it. One way that threat intelligence becomes more actionable is when it easily integrates with all the security solutions already present in your environment. Recorded Future’s browser extension, for example, layers on top of all web-based security solutions to provide instant access to information like risk scores, CVEs, hashes, domains, and IP addresses, right on the webpage.
2. Threat intelligence is for everyone.
No matter what security role you work in, threat intelligence can augment your work. It’s not a separate domain of security only meant for elite analysts — it’s the context that adds value to all security functions, across organizations of all sizes. Security operations, incident response, vulnerability management, fraud prevention, risk management, and high-level security planning and decision-making all benefit from the context that threat intelligence provides.
To get those benefits without adding to your workload, however, threat intelligence needs to integrate with the solutions and workflows you already rely on and have low barriers to entry. When it’s treated as a separate function within a broader security paradigm rather than an essential component that augments every other function, the result is that many of the people who would benefit the most from threat intelligence don’t have access to it when they need it.
Security operations teams can rarely keep up with all of the alerts they receive — threat intelligence helps automatically prioritize and filter alerts and other threats. Vulnerability management teams can home in on the most important vulnerabilities by using threat intelligence to determine which vulnerabilities represent the biggest risks based on the external threat landscape. And fraud prevention, risk analysis, and other high-level security processes are enriched by key insights on threat actors and their tactics, techniques, and procedures.
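To make the alert-prioritization point concrete, here is an added example of what "context" buys a security operations team in practice. It is illustration code written for this page, not Recorded Future's product, scoring model, or API. The intelligence table, the alerts, the 30-day half-life decay, and the escalation threshold of 70 are all constructed assumptions; the IP addresses come from the RFC 5737 documentation ranges and the domains use the reserved .example TLD, so nothing here refers to a real host. The same indicator match from a firewall or IDS becomes a ranked, explained item in an analyst's queue, stale indicators sink, and indicators with no intelligence at all are kept but deprioritized rather than silently dropped.

```python
"""Added example: turning raw indicator matches into prioritized, contextual alerts.

Everything here is constructed for illustration and is not Recorded Future's
data model, scoring, or API. IPs come from the RFC 5737 documentation ranges
and domains use the reserved .example TLD, so nothing resolves to a real host.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

HALF_LIFE_DAYS = 30        # assumption: evidence loses half its weight every 30 days
ESCALATE_THRESHOLD = 70    # assumption: scores at or above this go straight to an analyst


@dataclass(frozen=True)
class Intel:
    """Context that makes an indicator intelligence rather than a bare string."""
    risk: int        # 0-100 score from the (constructed) intelligence source
    context: str     # what the indicator is associated with
    last_seen: date  # most recent sighting; older evidence counts for less


@dataclass(frozen=True)
class Alert:
    alert_id: str
    indicator: str   # IP or domain reported by a security tool
    tool: str        # which tool raised it


@dataclass(frozen=True)
class Triaged:
    alert: Alert
    score: int       # 0-100 priority after enrichment
    note: str        # context an analyst can act on


# Constructed intelligence table, keyed by normalized indicator.
INTEL: Dict[str, Intel] = {
    "203.0.113.45": Intel(90, "command-and-control server in an active ransomware campaign", date(2019, 4, 28)),
    "198.51.100.7": Intel(80, "brute-force source in a campaign that ended months ago", date(2019, 1, 1)),
    "login-update.example": Intel(75, "phishing landing page imitating a bank login", date(2019, 4, 29)),
    "cdn.example": Intel(10, "shared hosting; mostly mass-scanning noise", date(2019, 4, 30)),
}

# Constructed alerts: five indicator matches from three different tools.
ALERTS: List[Alert] = [
    Alert("A1", "203.0.113.45", "firewall"),
    Alert("A2", "198.51.100.7", "ids"),
    Alert("A3", "LOGIN-UPDATE.example", "proxy"),   # mixed case on purpose
    Alert("A4", "192.0.2.10", "ids"),               # no intelligence at all
    Alert("A5", "cdn.example", "proxy"),
]

TODAY = date(2019, 4, 30)   # fixed so the example is reproducible offline


def normalize(indicator: str) -> str:
    """Match the feed's key form: trimmed, lower-cased, no trailing dot."""
    return indicator.strip().lower().rstrip(".")


def decayed_risk(intel: Intel, today: date) -> int:
    """Age the source's risk score so a stale indicator does not outrank a fresh one."""
    age_days = (today - intel.last_seen).days
    if age_days <= 0:
        return intel.risk
    return round(intel.risk * 0.5 ** (age_days / HALF_LIFE_DAYS))


def triage(alerts: List[Alert], intel: Dict[str, Intel], today: date) -> List[Triaged]:
    """Enrich each alert with context and return them highest priority first.

    Alerts with no matching intelligence are kept (dropping them would hide
    gaps in coverage) but scored 0 so they sink to the bottom of the queue.
    """
    out: List[Triaged] = []
    for alert in alerts:
        hit = intel.get(normalize(alert.indicator))
        if hit is None:
            out.append(Triaged(alert, 0, "no intelligence on this indicator"))
            continue
        score = decayed_risk(hit, today)
        note = f"{hit.context} (last seen {hit.last_seen.isoformat()}, source risk {hit.risk})"
        out.append(Triaged(alert, score, note))
    out.sort(key=lambda t: (-t.score, t.alert.alert_id))
    return out


def escalate(triaged: List[Triaged], threshold: int = ESCALATE_THRESHOLD) -> List[Triaged]:
    """The subset worth an analyst's time right now."""
    return [t for t in triaged if t.score >= threshold]


if __name__ == "__main__":
    queue = triage(ALERTS, INTEL, TODAY)
    for t in queue:
        flag = "ESCALATE" if t.score >= ESCALATE_THRESHOLD else "queue"
        print(f"{flag:8} {t.alert.alert_id} {t.score:3} {t.alert.tool:8} {t.alert.indicator}: {t.note}")
```

Run it and the ransomware C2 hit (A1) and the fresh phishing domain (A3) are the only two that cross the threshold; the brute-force source (A2) carried a high source risk but has not been seen since January, so the decay pushes it below the shared-hosting noise, and the unknown address (A4) stays visible at the bottom of the queue. Without the context column, all five would be indistinguishable "blocklist match" events, which is the difference between a data feed and intelligence.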
3. People and machines work better together.
Machines can process and categorize raw data at speeds orders of magnitude faster than humans. Humans, for their part, can perform intuitive, big-picture analysis far more effectively than any artificial intelligence — but only if they’re not bogged down with tedious research and the processing of huge volumes of data. When the two are paired together, each one works smarter, saving time and money, reducing burnout, and improving security overall.
This is only a cursory look at the topic of threat intelligence — if you want to dive deeper into any of the topics mentioned above, check out our book, “The Threat Intelligence Handbook.” It’s a practical guide for security teams of all sizes and experience levels, covering topics like the threat intelligence lifecycle, the ways each security function can benefit from threat intelligence, and how to develop your own threat intelligence team.
This content was originally published September 21, 2016 and updated April 30, 2019.