What is cyber threat intelligence?
Cyber threat intelligence is evidence-based information about an existing or emerging threat to an organization.
Cyber threat intelligence is created from the collection and analysis of data pulled from multiple sources, including open source, deep and dark web and finished intelligence sources.
The insights delivered must be unbiased and reliable so that decision-makers can act on them in time to reduce risk.
“Cyber threat intelligence is evidence-based knowledge (such as context, mechanisms, indicators, implications, and actionable advice) about an existing or emerging threat that can be used to inform an organization’s decisions and response to it.” (Gartner)
The intelligence cycle
The intelligence cycle is a process used by intelligence teams to prioritize and respond to the top risks to their organization.
It starts with identifying priority intelligence requirements (PIRs), then proceeds through the (often automated) selection, collection and aggregation of data from multiple sources, analysis of that data, and the creation of reports that can be disseminated across the organization.
Feedback from the consumers of those reports reveals intelligence gaps and produces new collection requirements, restarting the cycle.
Types of cyber threat intelligence
There are typically four types of cyber threat intelligence.
- Tactical intelligence: Tactical intelligence identifies the tactics, techniques, and procedures (TTPs) of malicious actors. It helps security teams understand the capabilities and goals of the attackers alongside the attack vectors. This enables organizations to detect and respond to cyberattacks to mitigate risks.
- Operational intelligence: Operational intelligence focuses on current and near-term threats. By investigating threat actors’ techniques, behaviors, motivations and the timing of an attack, it informs security teams’ day-to-day operations, including incident response and threat hunting.
- Technical intelligence: Exploring the evidence of an attack provides security teams with the ability to understand the specific technical details of a threat. This type of intelligence analyzes threats including malware, indicators of compromise (IOCs), IP addresses, phishing email content and malicious webpages.
- Strategic intelligence: Strategic intelligence provides a long-term view of the threat landscape. It enables organizations to understand the financial and reputational impact of cyber threats on their business. It is used to inform strategic decision-making and resource allocation, and to identify when an organization needs to strengthen its security posture.
Types and sources of cyber threat intelligence
Types. Cyber threat intelligence data can be structured or unstructured. Structured data is organized and formatted. Examples include names, dates, addresses, credit card numbers or bank account numbers. It is easy to manipulate, search and sort.
Unstructured data includes written content on news sites and blogs, messaging platforms, social media posts, audio files, images and videos. It has no particular format and is not organized into a defined structure. It can’t be easily entered into a database and is difficult to process and analyze at scale.
Sources. The sources of cyber threat intelligence are both broad and varied.
The majority of cyber intelligence is gathered from open or publicly available sources that can be accessed and used by anyone. Open-source intelligence (OSINT) includes information available on the internet, in news, articles, blogs and social media posts, as well as data that is collected and shared by people or organizations.
Examples of open-source cyber intelligence include:
- Malware mentions involving third-party vendors, as well as malware threat campaigns and their tactics, techniques and procedures
- Lists of publicly disclosed Common Vulnerabilities and Exposures (CVEs)
- Finished intelligence feeds, reports and bulletins and analyst research
- Physical security developments like protests and conflicts that can impact cybersecurity
- News, blogs and social media posts that expose zero-day threats and other breaking cybersecurity news
The deep web and dark web can also be sources of cyber threat intelligence.
Monitoring these communications can provide intelligence about new and emerging threats, potential vulnerabilities that organizations may need to address, the types of data that have been compromised, the tactics, techniques and procedures (TTPs) being used by these groups, and the organizations that have been targeted.
Why organizations need cyber threat intelligence
Cyber threats are rising in volume and complexity. Organizations need to be able to detect, understand and prioritize relevant cyber threats and vulnerabilities, accurately and in a timely manner.
Threat intelligence helps organizations identify ransomware, data breaches and phishing attacks that target executives, allows asset and ATP monitoring and minimizes supply chain risk.
Effective real-time threat intelligence provides the context of an attack so security teams can understand its background and its relevance to their organization. It can then be used to prioritize risks and take the appropriate action to protect the organization in advance.
How organizations monitor cyber threats using cyber threat intelligence
Manual analysis
Many organizations use manual processes to select, collect and aggregate cyber threat intelligence data.
This can include searching for information using search engines like Google and social media platforms like Twitter, LinkedIn and Reddit. It also involves subscribing to threat intelligence feeds and newsletters.
The collected data then requires time-consuming, labor-intensive validation, de-duplication and standardization; done inconsistently, this can leave biased or inaccurate data that cannot be relied on for accurate decision-making.
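As an added example (not code from the original page or from Silobreaker), the Python below shows the validation, standardization and de-duplication step on two constructed inputs: a structured feed of indicator records and an unstructured analyst note. All feed names, indicator values and the CVE identifiers are made up for illustration.

```python
import ipaddress
import re

# Constructed sample inputs: one structured feed (records) and one unstructured note (free text).
STRUCTURED_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "source": "feed-a"},
    {"type": "domain", "value": "Example.COM.", "source": "feed-a"},
    {"type": "cve", "value": "cve-2021-12345", "source": "feed-a"},
    {"type": "ipv4", "value": "999.1.1.1", "source": "feed-a"},  # not a valid address: must be rejected
]
UNSTRUCTURED_NOTE = (
    "Analyst note: C2 seen at 203[.]0[.]113[.]10 and hxxp://example[.]com/x; "
    "exploits CVE-2021-12345 and CVE-2024-1234."
)

# Patterns for pulling candidate indicators out of free text; "[.]" defanging is tolerated.
IOC_PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\[?\.\]?){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\[?\.\]?)+[a-z]{2,}\b", re.I),
}

def refang(value: str) -> str:
    """Undo the defanging conventions commonly used when sharing reports."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def normalize(ioc_type: str, raw: str):
    """Validate and standardize one indicator; return None when it is not valid."""
    value = refang(raw.strip())
    if ioc_type == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        return str(ip) if ip.version == 4 else None
    if ioc_type == "domain":
        value = value.lower().rstrip(".")  # case-fold and drop the trailing root dot
        return value if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", value) else None
    if ioc_type == "cve":
        value = value.upper()
        return value if re.fullmatch(r"CVE-\d{4}-\d{4,}", value) else None
    return None

def extract(text: str, source: str):
    """Turn unstructured text into candidate records (the structured feed is already records)."""
    for ioc_type, pattern in IOC_PATTERNS.items():
        for match in pattern.findall(text):
            yield {"type": ioc_type, "value": match, "source": source}

def merge(records):
    """Validate, standardize and de-duplicate; remember every source that reported an indicator."""
    merged, rejected = {}, []
    for rec in records:
        value = normalize(rec["type"], rec["value"])
        if value is None:
            rejected.append(rec)
            continue
        merged.setdefault((rec["type"], value), set()).add(rec["source"])
    return merged, rejected

def build_feed():
    """Combine both constructed inputs into one validated, de-duplicated indicator set."""
    return merge(list(STRUCTURED_FEED) + list(extract(UNSTRUCTURED_NOTE, "analyst-note")))
```

Indicators reported by more than one source end up as a single record with both sources attached, which is what the later prioritization step needs.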
Threat intelligence platforms
Threat intelligence teams often use cyber threat intelligence platforms. These select, collect and aggregate data from multiple sources and deliver it with context and analysis. This helps organizations better understand the motivations, tactics and capabilities of threat actors, and make confident decisions to defend against and respond to cyber threats quickly and effectively.
Silobreaker streamlines the intelligence cycle. Security teams can analyze and process complex data, create relevant reports and communicate with multiple stakeholders in a single workflow. This means security teams can track the development of incidents in real time and pivot seamlessly between data sets, use cases, locations and entity profiles. This approach delivers substantial efficiency gains when meeting priority intelligence requirements (PIRs), reducing risk and response times and providing decision-makers with actionable intelligence faster.