What is cyber threat intelligence?
Cyber threat intelligence is evidence-based information about an existing or emerging threat to an organisation.
Cyber threat intelligence is created from the collection and analysis of data pulled from multiple sources, including open source, deep and dark web and finished intelligence sources.
The insights delivered must be unbiased and reliable so decision-makers can make timely decisions, to reduce risk.
“Cyber threat intelligence is evidence-based knowledge (such as context, mechanisms, indicators, implications, and actionable advice) about an existing or emerging threat that can be used to inform an organisation’s decisions and response to it.” Gartner
The intelligence cycle
The intelligence cycle is a process used by intelligence teams to prioritise and respond to the top risks to their organisation.
It starts with identifying priority intelligence requirements (PIRs), automating the selection, collection, and aggregation of multiple sources of data, analysing the data, and creating reports which can be disseminated across the organisation.
This allows for the identification of intelligence gaps and the creation of new collection requirements based on continual feedback, restarting the cycle.
Types of cyber threat intelligence
There are typically four types of cyber threat intelligence.
- Tactical intelligence: Tactical intelligence identifies the tactics, techniques, and procedures (TTPs) of malicious actors. It helps security teams understand the capabilities and goals of the attackers alongside the attack vectors. This enables organisations to detect and respond to cyberattacks to mitigate risks.
- Operational intelligence: Operational intelligence focuses on current and near-term threats. By investigating threat actors’ techniques, behaviours, motivations, and timings of an attack, it helps inform security teams day-to-day operations, including incident response and threat hunting.
- Technical intelligence: Exploring the evidence of an attack provides security teams with the ability to understand the specific technical details of a threat. This type of intelligence analyses threats including malware, indicators of compromise (IOCs), IP addresses, phishing email content and malicious webpages.
- Strategic intelligence: Strategic intelligence provides a long-term view of the threat landscape. It enables organisations to understand the financial and reputational impact of cyber threats to their business. It is used to inform strategic decision making, resource allocation and when organisations need to strengthen their security posture.
Types and sources of cyber threat intelligence
Types. Cyber threat intelligence data can be structured or unstructured. Structured data is organised and formatted. Examples include names, dates, addresses, credit card numbers or bank account numbers. It is easy to manipulate, search and sort.
Unstructured data includes written content on news sites and blogs, messaging platforms, social media posts or audiofiles, images and videos. It has no particular format and is not organised into a defined structure. It can’t be easily entered into a database and is difficult to process and analyse at scale.
Sources. The sources of cyber threat intelligence are both broad and varied.
The majority of cyber intelligence is gathered from open or publicly available sources that can be accessed and used by anyone. Open-source intelligence (OSINT) includes information available on the internet, in news, articles, blogs and social media posts, as well as data that is collected and shared by people or organisations.
Examples of open-source cyber intelligence include:
- Malware mentions involving third-party vendors, as well as malware threat campaigns and their tactics, techniques and procedures
- Lists of publicly disclosed Common Vulnerabilities and Exposures (CVEs)
- Finished intelligence feeds, reports and bulletins and analyst research
- Physical security developments like protests and conflicts that can impact cybersecurity
- News, blogs and social media posts that expose zero-day threats and other breaking cybersecurity news
The deep web and dark web can also be sources of cyber threat intelligence.
Monitoring these communications can provide intelligence about new and emerging threats as well as potential vulnerabilities that organisations may need to address, the types of data that have been compromised, the tactics, techniques, and procedures (TTPs) being used by these groups and the organisations that have been targeted.
Why organisations need cyber threat intelligence
Cyber threats are rising in volume and complexity. Organisations need to be able to detect, understand and prioritise relevant cyber threats and vulnerabilities, accurately and in a timely manner.
Threat intelligence helps organisations identify ransomware, data breaches and phishing attacks that target executives, allows asset and ATP monitoring and minimises supply chain risk.
Effective real-time threat intelligence provides the context of an attack so security teams can understand the background and relevance to their organisation. It can then be used to prioritise risks and take the appropriate action to protect the organisation, in advance.
How organisations monitor cyber threats using cyber threat intelligence
Many organisations use manual processes to select, collect and aggregate cyber data intelligence.
This can include searching for information using search-engines, like Google, social media platforms like Twitter, LinkedIn, and Reddit. It also involves subscribing to threat intelligence feeds and newsletters.
This requires time-consuming, labour intensive validation, de-duping and standardising of data, that can result in biased, inaccurate data that cannot be relied on for accurate decision-making.
Threat intelligence platforms
Threat intelligence teams often use cyber threat intelligence platforms. These can select, collect and aggregate data from multiple sources, to deliver context and analysis. This helps organisations better understand the motivations, tactics, and capabilities of threat actors and make confident decisions to defend and respond to cyber threats quickly and effectively.
Silobreaker streamlines the intelligence cycle. Security teams can analyse and process complex data, create relevant reports and communicate to multiple stakeholders in a single workflow. This means security teams can track the development of incidents in real-time, seamlessly pivot between data sets, use cases, locations, and entity profiles. This approach delivers substantial efficiency gains when meeting priority intelligence requirements (PIRs), to reduce risk and response times, providing decision-makers with actionable intelligence faster.