Setting the Record Straight on Threat Intelligence
November 21, 2019 • The Recorded Future Team
Editor’s Note: Over the next few weeks, we’ll be sharing excerpts from the newly released second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at the first chapter, “What Is Threat Intelligence?” To read the full chapter, download your free copy of the handbook.
You may have heard threat intelligence discussed at a conference or trade show. Perhaps you were informed by a consultant that threat intelligence provides external context for security decisions. Maybe you read a report about state-sponsored attacks and want to know how to protect your business. You have probably noticed that in many organizations, from multinational enterprises to midmarket companies, information security teams are racing to add threat intelligence to their security programs.
However, you may also have heard some misconceptions: that threat intelligence is just data feeds and PDF reports, is simply a research service for the incident response team, or requires a dedicated team of high-priced, elite analysts.
We wrote and recently released the second edition of “The Threat Intelligence Handbook” to set the record straight. This new edition also introduces our security intelligence philosophy: an approach that leads with intelligence across threat prevention, third-party risk management, and brand protection strategies. Over the next few weeks, we’ll delve into various new chapters of this book to illustrate how security intelligence can amplify the effectiveness of security teams and tools, inform better decisions, and ultimately accelerate risk reduction across the organization. But first, let’s start by defining what threat intelligence really is — and we’ll clear up some misconceptions along the way.
The following chapter has been edited and condensed for clarity.
4 Threat Intelligence Truths
Threat intelligence:
- Includes information and analysis from a rich array of sources, presented in ways that make it easy to understand and use
- Is immensely valuable to all major teams in the cybersecurity organization
- Can help every security function save time
- Can be handled mostly by existing security staff (with the right tools and support)
Why Is Threat Intelligence Important?
Today, the cybersecurity industry faces numerous challenges — increasingly persistent and devious threat actors; a daily flood of data full of extraneous information and false alarms across multiple, unconnected security systems; and a serious shortage of skilled professionals.
Although around $124 billion will be spent worldwide on cybersecurity products and services in 2019, throwing money at these problems won’t be enough. Right now:
- Three-quarters of security organizations are experiencing skills shortages.
- 44% of security alerts go uninvestigated.
- 66% of companies are breached at least once.
Digital technologies lie at the heart of nearly every industry today. The automation and greater connectedness they afford are revolutionizing the world, but they’re also bringing increased vulnerability to cyberattacks.
Threat intelligence is knowledge that allows you to prevent and mitigate attacks on digital systems. Rooted in data, threat intelligence provides context like who’s attacking you, what their motivation and capabilities are, and what indicators of compromise (IOCs) in your systems to look for. It helps you make informed decisions about your security.
Who Can Benefit From Threat Intelligence?
Threat intelligence is widely imagined to be the domain of elite analysts. In reality, it adds value across security functions for organizations of all sizes. For example:
- Security operations teams are routinely unable to process the overwhelming flow of alerts they receive. Threat intelligence can be integrated with the security solutions they already use, helping them automatically prioritize and filter alerts and other threats.
- Vulnerability management teams need to accurately prioritize the most important vulnerabilities. Threat intelligence provides access to external insights and context that helps them differentiate immediate threats to their specific enterprise from merely potential threats.
- Fraud prevention, risk analysis, and other high-level security staff are challenged to understand the current threat landscape. Threat intelligence provides key insights on threat actors, their intentions and targets, and their tactics, techniques, and procedures (TTPs).
Data and Information Are Not Intelligence
Before we go any further, let’s clear up any confusion about data, information, and intelligence.
These three terms are sometimes used without much care. For example, some threat feeds are advertised as intelligence when they are actually just packages of data. Frequently, organizations incorporate threat data feeds into their network only to find that they can’t process all the extra data, which only adds to the burden on analysts trying to triage threats. In contrast, threat intelligence lightens that burden by helping the analysts decide what to prioritize and what to ignore.
- Data consists of discrete facts and statistics gathered as the basis for further analysis. In cybersecurity, data is usually just indicators such as IP addresses, URLs, or hashes. Data doesn’t tell us much without analysis.
- Information is multiple data points combined to answer specific questions. In cybersecurity, information answers questions like, “How many times has my organization been mentioned on social media this month?” Although this is a far more useful output than the raw data, it still doesn’t directly inform a specific action.
- Intelligence analyzes data and information to uncover patterns and stories that inform decision-making. In cybersecurity, intelligence is the product of a cycle of identifying questions and goals, collecting relevant data, processing and analyzing that data, producing actionable intelligence, and distributing that intelligence.
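The progression above, from raw indicators to a prioritized, context-bearing answer, can be shown in code. The following is an added example and is not code from the handbook or from Recorded Future; the feed records, SIEM alerts, asset criticality table and scoring weights are all constructed for the demonstration. It merges duplicate indicators across feeds (data to information), then ranks alerts by indicator confidence, freshness, corroboration and the criticality of the affected host (information to something an analyst can act on), attaching the actor and TTP context that tells the responder why the alert matters.

```python
"""Turn threat data into prioritized, context-bearing alerts.

Added example, not code from the Recorded Future handbook. The feed
records, SIEM alerts and asset list are constructed; the scoring weights
are assumptions, not a published formula.
"""
from datetime import date

TODAY = date(2019, 11, 21)  # fixed "now" so the example is reproducible

# DATA: raw indicators as feeds would deliver them (constructed sample).
# Note that 198.51.100.7 arrives twice, from two different feeds.
FEED_RECORDS = [
    {"ioc": "198.51.100.7", "type": "ip", "source": "feed-a", "confidence": 90,
     "last_seen": "2019-11-20", "actor": "ActorX", "ttp": "C2 beaconing"},
    {"ioc": "198.51.100.7", "type": "ip", "source": "feed-b", "confidence": 70,
     "last_seen": "2019-11-19", "actor": "ActorX", "ttp": "C2 beaconing"},
    {"ioc": "evil.example", "type": "domain", "source": "feed-a", "confidence": 40,
     "last_seen": "2019-06-01", "actor": None, "ttp": "phishing"},
    {"ioc": "203.0.113.9", "type": "ip", "source": "feed-c", "confidence": 20,
     "last_seen": "2019-11-21", "actor": None, "ttp": None},
]

# Internal context: how much each host matters (constructed, 0..1).
ASSET_CRITICALITY = {"dc01": 1.0, "web01": 0.7, "laptop-42": 0.3}

# SIEM alerts that reference an external indicator (constructed).
SIEM_ALERTS = [
    {"id": "A1", "host": "laptop-42", "ioc": "evil.example"},
    {"id": "A2", "host": "dc01", "ioc": "198.51.100.7"},
    {"id": "A3", "host": "web01", "ioc": "203.0.113.9"},
    {"id": "A4", "host": "web01", "ioc": "192.0.2.1"},  # no TI match
]


def aggregate_indicators(records):
    """Collapse duplicate IOCs across feeds into one enriched record.

    This is the data-to-information step: the same indicator reported by
    several sources is one fact, and the number of sources reporting it
    (corroboration) is itself a useful signal.
    """
    merged = {}
    for r in records:
        m = merged.setdefault(r["ioc"], {
            "type": r["type"], "sources": set(), "confidence": 0,
            "last_seen": r["last_seen"], "actor": None, "ttp": None})
        m["sources"].add(r["source"])
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["last_seen"] = max(m["last_seen"], r["last_seen"])  # ISO dates sort lexically
        m["actor"] = m["actor"] or r["actor"]
        m["ttp"] = m["ttp"] or r["ttp"]
    return merged


def score_alert(alert, indicators, today=TODAY):
    """Return a 0..1 priority for an alert, or None if no indicator matches."""
    ioc = indicators.get(alert["ioc"])
    if ioc is None:
        return None
    age_days = (today - date.fromisoformat(ioc["last_seen"])).days
    recency = max(0.0, 1.0 - age_days / 90)          # treat as stale after ~3 months
    corroboration = min(len(ioc["sources"]), 3) / 3  # cap the bonus at three feeds
    confidence = ioc["confidence"] / 100
    criticality = ASSET_CRITICALITY.get(alert["host"], 0.5)
    # Assumed weights: confidence and the affected asset matter most.
    return round(0.35 * confidence + 0.2 * recency
                 + 0.15 * corroboration + 0.3 * criticality, 3)


def prioritize(alerts, records, today=TODAY):
    """Return alerts that match an indicator, highest priority first, with context."""
    indicators = aggregate_indicators(records)
    out = []
    for a in alerts:
        s = score_alert(a, indicators, today)
        if s is None:
            continue  # nothing external to say about it; leave to normal triage
        ioc = indicators[a["ioc"]]
        out.append({"id": a["id"], "priority": s, "actor": ioc["actor"],
                    "ttp": ioc["ttp"], "sources": sorted(ioc["sources"])})
    return sorted(out, key=lambda x: x["priority"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SIEM_ALERTS, FEED_RECORDS):
        print(row)
```

With the sample data, the alert on the domain controller matching the corroborated, fresh C2 indicator ranks first; the stale, low-confidence phishing domain on a laptop ranks last, and the alert with no indicator match is left to ordinary triage rather than being inflated by the presence of a feed.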
2 Types of Threat Intelligence
Threat intelligence is a broad concept, one that is really made up of two kinds of intelligence — operational and strategic. These two types of intelligence vary in their sources, the audiences they serve, and the formats they appear in.
The purpose of making this distinction is to recognize that the various security functions have different goals and degrees of technical knowledge. As we said above, intelligence needs to be actionable — but because the responsibilities of a vulnerability management team differ significantly from those of a CISO, “actionability” has distinct implications for each, and the form and content of the intelligence they’ll benefit the most from will vary.
Operational Threat Intelligence
Operational threat intelligence is knowledge about ongoing cyberattacks, events, and campaigns. It gives incident response teams specialized insights that help them understand the nature, intent, and timing of specific attacks as they are occurring. It’s generally sourced from machines.
Operational intelligence is sometimes referred to as technical threat intelligence, because it usually includes technical information about attacks, such as which attack vectors are being used, what vulnerabilities are being exploited, and what command and control (C2) domains are being employed by attackers. This kind of intelligence is often most useful to personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff.
A common source of technical information is threat data feeds. These usually focus on a single type of threat indicator, such as malware hashes or suspicious domains. As we discuss below, threat data feeds supply input for threat intelligence, but by themselves are not threat intelligence.
Strategic Threat Intelligence
Strategic threat intelligence provides a wide overview of an organization’s threat landscape. It’s most helpful for informing high-level decisions by executives, and the content is generally business oriented and is presented through reports or briefings — materials that really can’t be generated by machines, but only by humans with expertise.
This kind of intelligence requires the human element because it takes time and thought to evaluate and test new adversary TTPs against existing security controls. Pieces of this process can be automated, but a human analyst is still needed to complete the exercise.
Good strategic intelligence should provide insight into the risks associated with certain actions, broad patterns in threat actor tactics and targets, geopolitical events and trends, and similar topics.
Common sources of information for strategic threat intelligence include:
- Policy documents from nation-states or nongovernmental organizations
- News from local and national media, articles in industry- and subject-specific publications, and input from subject matter experts
- White papers, research reports, and other content produced by security organizations
Organizations must set strategic threat intelligence requirements by asking focused, specific questions. Analysts with expertise outside of typical cybersecurity skills — in particular, a strong understanding of sociopolitical and business concepts — are needed to gather and interpret strategic threat intelligence.
The Role of Threat Data Feeds
We mentioned earlier that data is not intelligence, and that threat data feeds can overwhelm analysts already burdened with countless daily alerts and notifications. But when used correctly, threat data feeds can provide valuable raw material for threat intelligence.
Threat data feeds are real-time streams of data that provide information on potential cyber threats and risks. They’re usually lists of simple indicators or artifacts focused on a single area of interest, like suspicious domains, hashes, bad IPs, or malicious code. They can provide an easy way to get quick, real-time looks at the threat landscape.
But many feeds, especially the free ones, are filled with errors, redundancies, and false positives. That’s why it’s important to select high-quality data feeds.
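The errors, redundancies and false positives described above (and the analyst overload they cause, discussed under “Data and Information Are Not Intelligence”) can be measured before a feed is wired into a SIEM. The following is an added example, not code from the handbook, Recorded Future or any feed vendor: it parses three constructed plain-text IP feeds, rejects unparseable lines, drops indicators in non-routable (bogon) space that could only ever produce false positives on an internal network, counts duplicates, and scores each feed by how much usable and unique material it contributes. The bogon list and the quality formula are assumptions chosen for the demonstration.

```python
"""Measure threat data feed quality before trusting it.

Added example, not code from the Recorded Future handbook. The feeds are
constructed inline (real feeds arrive as files or HTTP responses); the
bogon list and the quality formula are assumptions.
"""
import ipaddress

# Ranges that should never appear as attacker infrastructure in an external
# feed: they are not routable on the Internet, so a match in internal logs is
# a false positive. The list is explicit rather than using ipaddress.is_private
# because the RFC 5737 documentation ranges used in the sample feeds below
# would otherwise be rejected as well.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed feeds: one indicator per line, '#' starts a comment. feed-c shows
# the problems the text warns about: a malformed entry, private and loopback
# addresses, a catch-all network, and repeats of what other feeds already carry.
FEEDS = {
    "feed-a": "# curated C2 list\n198.51.100.7\n203.0.113.9\n203.0.113.45\n",
    "feed-b": "198.51.100.7\n198.51.100.23\n203.0.113.100/30\n",
    "feed-c": ("203.0.113.9\n198.51.100.7\n10.0.0.5\n127.0.0.1\n"
               "not-an-ip\n0.0.0.0/0\n203.0.113.9\n"),
}


def is_noise(net):
    """True for networks overlapping bogon space or too wide to be an indicator."""
    if net.prefixlen < (8 if net.version == 4 else 32):  # assumed width limits
        return True
    return any(net.overlaps(b) for b in BOGONS if b.version == net.version)


def parse_feed(text):
    """Parse one plain-text feed into normalized networks plus hygiene counts."""
    stats = {"entries": 0, "errors": 0, "noise": 0, "duplicates": 0}
    indicators = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        stats["entries"] += 1
        try:
            net = ipaddress.ip_network(line, strict=False)  # hosts become /32 or /128
        except ValueError:
            stats["errors"] += 1
            continue
        if is_noise(net):
            stats["noise"] += 1
            continue
        if net in indicators:
            stats["duplicates"] += 1
            continue
        indicators.add(net)
    stats["indicators"] = indicators
    return stats


def assess_feeds(feeds):
    """Return per-feed quality metrics, best feed first.

    unique_ratio is the share of a feed's usable indicators that no other feed
    supplies; a feed with a low unique_ratio mostly repeats what you already
    have. quality = usable share of entries * (0.5 + 0.5 * unique_ratio).
    """
    parsed = {name: parse_feed(text) for name, text in feeds.items()}
    report = []
    for name, p in parsed.items():
        others = set().union(*(q["indicators"] for n, q in parsed.items() if n != name))
        usable = len(p["indicators"])
        unique = len(p["indicators"] - others)
        usable_ratio = usable / p["entries"] if p["entries"] else 0.0
        unique_ratio = unique / usable if usable else 0.0
        report.append({
            "feed": name, "entries": p["entries"], "usable": usable,
            "errors": p["errors"], "noise": p["noise"],
            "duplicates": p["duplicates"], "unique": unique,
            "quality": round(usable_ratio * (0.5 + 0.5 * unique_ratio), 3),
        })
    return sorted(report, key=lambda r: r["quality"], reverse=True)


if __name__ == "__main__":
    for row in assess_feeds(FEEDS):
        print(row)
```

On the sample data feed-c, the largest of the three by line count, comes out last: only two of its seven entries are usable and both are already supplied by the other feeds, so adding it would cost analyst time without adding coverage. The same checks run against a real feed give a concrete basis for the “select high-quality feeds” advice rather than a judgment by reputation.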
The Role of Private Channels and the Dark Web
Threat data feeds and publicly available information are not the only external sources of data for threat intelligence. Vital operational and strategic intelligence on specific attacks, attacker TTPs, political goals of hacktivists and state actors, and other key topics can be gathered by infiltrating or breaking into private channels of communication used by threat groups. These include encrypted messaging apps and exclusive forums on the dark web.
However, there are barriers to gathering this kind of intelligence:
- Access: Threat groups may communicate over private and encrypted channels, or require some proof of identification.
- Language: Activity on many forums is carried out in languages like Russian, Chinese, Indonesian, or Arabic, using local slang and specialized jargon.
- Noise: It can be difficult or impossible to manually gather good intelligence from high-volume sources like chat rooms and social media.
- Obfuscation: To avoid detection, many threat groups employ obfuscation tactics like using codenames.
Overcoming these barriers requires a large investment in tools and expertise for monitoring private channels — or the use of threat intelligence service providers that have already made that investment.
Get the Threat Intelligence Handbook
The full chapter one of our newly released handbook has much more content, including findings from an IDC research study that illustrates how threat intelligence can drive significant security and operational efficiency improvements across an organization. You’ll also find helpful diagrams and figures, including a checklist for evaluating threat data feeds.
Read the entire chapter today by downloading your complimentary copy of “The Threat Intelligence Handbook, Moving Toward a Security Intelligence Program.”