What is threat intelligence?
Cyber threat intelligence is a general term that refers to specific, actionable information, or “intelligence”, about cyber threats. Depending on the comprehensiveness of the intelligence, this information can include each detail about a particular threat, such as where it originated, who coded it, who has modified it since, how it’s delivered, the kind of damage it does, what relationships it has with other internet objects and locations, and numerous other traits and signifiers.
In addition to indicators of specific malware, threat intelligence also covers the tools and tactics cyber-attackers use, as well as details on specific types of attacks, and dynamic information about potential risks and new risk sources.
What’s the difference between information and intelligence?
Information and alerts coming in from various sources, such as firewall logs, SIEM solutions, and other security tools, give security teams a lot of data to work with. But without context, this information is just raw data; it might as well be meaningless noise. There’s too much of it to easily determine what needs attention and what doesn’t, so it isn’t actionable.
As an example, you might have a list or feed of known phishing sites that gets refreshed on a daily or weekly schedule. That would be information. You could take this information and use it to automatically block known phishing sites before users can visit them. But phishing sites can appear and disappear in a matter of hours or minutes, so a list of this type could easily miss legitimate threats while blocking now-benign websites that have been cleared in the time since the list was published.
With the right context, you’d get a more complete picture. Instead of just a regularly updated feed of known threats, you’d also get historical data and relationships between data objects, so you can get a fuller sense of a threat based on the “internet neighborhood” in which it’s active. Context is what turns information into actionable threat intelligence.
Why is threat intelligence important?
The benefits of effective threat intelligence are numerous. Not only does it help detect existing, evolving, and emerging threats, threat intelligence can also help predict future threat sources and future attack types, and it empowers businesses to implement strong risk management policies.
Businesses of all sizes, whether involved in cybersecurity themselves or not, face a variety of security challenges. Cybercriminals continue to find new, innovative ways to breach networks and steal data. Additionally, to maintain a secure posture, it’s necessary to sift through mountains of data around the types of connections, communications and data that traverse a given network, and determine which details are meaningful and which are false alarms. To make matters worse, there continues to be a fairly sizeable skills gap; there just aren’t enough cybersecurity professionals to go around.
The right kind of cyber threat intelligence solution can address these issues. A threat intelligence solution that uses machine learning can automate the gathering and analysis of data, collate and correlate disparate data points, account for different contextual factors, and make logical choices about which details to prioritize. This process can effectively alleviate much of the burden on analysts, administrators and other cybersecurity personnel, increase the accuracy of threat detection and prevention, and greater cyber resilience overall.
What are the different threat intelligence types?
Threat intelligence is typically classified into three subcategories:
Strategic threat intelligence typically provides a high-level analysis ideal for a non-technical audience, such as stakeholders, board members, news and media, etc. The goal of strategic threat intelligence is to comprehend and consider broader trends among threats. Much of strategic threat intelligence data comes from open sources that can be accessed by anyone.
Tactical threat intelligence highlights indicators of compromise (IOCs), such as unusual traffic, increased or unusual file and download activity, unusual login activity, etc. It’s designed to outline the various techniques and procedures threat actors use to help security professionals understand how their organization is most likely to be targeted. This type is the most basic form of threat intelligence and is often automated because it can be easily generated, though it can become stale quickly.
Operational threat intelligence refers to more specific, detailed technical information about specific cyberattacks. Effectively, operational threat intelligence is similar to forensic analysis, aiming to understand the full picture of an attack by answering questions around intent, who launched the attack, exactly how and when, what the full timeline looked like, etc. By breaking down all the nuances of a pas or ongoing attack, security teams can gain valuable insight into attackers and their methods, as well as what the organization needs to do to handle these threats more effectively.
As described above, there’s a huge difference between raw data and actionable intelligence. Using one to produce the other takes a remarkable amount of processing power, but with the right technology, it doesn’t have to take much time at all.
Watch this video to get a sense of how quickly and accurately raw data can be converted into actionable intelligence.
You can also view our infographic on how the Webroot® Platform, our proprietary threat intelligence architecture, uses machine learning to analyze and classify a newly encountered, never-before-seen URL in under 5 minutes.
Who benefits from threat intelligence?
Though it may sound like threat intelligence is only something analysts and security experts can use, in actuality, it can benefit all consumers of technology products and has a variety of applications in an organization. Threat intelligence can be used in security operations, risk analysis, vulnerability management, fraud prevention, strategic planning, and much more.
Although there are many use cases for threat intelligence, most rely on the prioritization and efficiency benefits threat intelligence brings.
Because a high proportion of regular, daily alerts turn out to be false positives, threat intelligence is extremely useful for security analysts tasked with incident response. Threat intelligence can help identify false positives (and dismiss them to minimize distractions), make existing alerts more actionable by adding critical context or level of risk scoring, identify anomalous behavior earlier in the attack lifecycle, and more.
Security operations center (SOC) teams also deal with a high volume of daily alerts. Determining which alerts truly require attention and which can be ignored is difficult, as many alerts are often inconsequential. Threat intelligence can help filter out false positives and irrelevant alerts, surfacing only what truly requires attention, gather and provide stronger information more quickly, and streamline incident analysis, so analysts’ time is used as meaningfully as possible.
New vulnerabilities regularly come to light. The idea of patching all vulnerabilities all the time may be overwhelming, especially at larger organizations with more devices and data to manage. Again, threat intelligence drastically improves your ability to prioritize which vulnerabilities to patch right away, based on current threat activities and the real-world likelihood of a new vulnerability being targeted with an exploit.
Even though attacks on businesses continue to rise, not all attacks target all types of businesses of all sizes and in all industries. Many attacks are highly specialized and malware groups may choose to target specific organizations or verticals. In risk analysis, it’s important to determine the true nature of the risk, whether a threat is even relevant to your business or industry, how often the attack has occurred at similar organizations, how it affected them/what damage was done, whether a type of attack is gaining speed or phasing out, which mitigation measures have been most effective, etc. Threat intelligence can help answer each of these questions quickly and accurately.
Fraudulent uses of data, or even your business’ brand, can be just as dangerous as malware attacks. With timely, accurate intelligence on phishing campaigns and targets, cybercriminal communities, payment card leaks, user login credential leaks, and other compromised data available on the dark web and other underground sources, you can prevent fraud and damage to your reputation.
Faced with today’s attacks and the ongoing cybersecurity skills shortage, CISOs and other security leaders must find ways to efficiently calculate risk and balance resources as they work to maintain their organizations’ resilience against threats. With automated threat intelligence, accurately assess risk, identify the right strategies to mitigate that risk, effectively prioritize tasks, alleviate the burden on analysts, and successfully communicate the nature of risks to top management and justify future investments in security and defense.
Reducing Third-Party Risk
You might have a handle on the security of your own organization, but you can never guarantee the security of the third parties you work with. Given digital commerce and the way modern organizations do business, a wealth of information is exchanged between systems owned by different vendors, partners and customers. Threat intelligence can help provide insight and transparency into the threat environments of the third parties you work with, so you have the right context to make informed security decisions and evaluate business relationships as needed.
Threat Intelligence, Machine Learning, and AI
Advanced threat intelligence powered by machine learning can help process the enormous volume of data that is overwhelming traditional IT security infrastructure and human researchers. The right threat intelligence integrated into devices can reliably block a majority of threats automatically, freeing up humans to focus on the few (most dangerous) threats that get through. Artificial intelligence (AI) is about emulating human intelligence. Machine learning sorts through and analyzes large quantities of data at the speed and volume that is simply impossible for humans alone to process.
Machine learning can help organizations tackle the vast amounts of data collection, data analysis, remediation, and prevention needed to protect organizations from today’s evolving threat landscape. The right modeling can automate many of the manual tasks that typically bog down today’s information security teams. Working in tandem, machine learning and human researchers can keep the organization safe. It’s a symbiotic relationship that yields impressive results that can even predict threats and threat sources before they happen.
Watch this video to discover how machine learning in threat intelligence can work predictively.
Webroot BrightCloud® Threat Intelligence
The Webroot® platform backs every security product and service we offer for home users, businesses, and network and security vendors. It comprises over 10 years’ worth of historical threat intelligence, in addition to the massive processing power required to correlate billions of URLs, IP addresses, files, applications and more to discover new threats, create highly accurate web reputation scores, and predict future threat sources. This intelligence is delivered as BrightCloud® Threat Intelligence, available to security and technology vendors as well as built into all Webroot products.
Read about Webroot BrightCloud Threat Intelligence services here.