What is threat intelligence? Definition and explanation
Threat intelligence is the process of identifying and analysing cyber threats. The term ‘threat intelligence’ can refer to the data collected on a potential threat or the process of gathering, processing and analysing that data to better understand threats. Threat intelligence involves sifting through data, examining it contextually to spot problems and deploying solutions specific to the problem found.
Thanks to digital technology, today’s world is more interconnected than ever. But that increased connectedness has also brought an increased risk of cyberattacks, such as security breaches, data theft, and malware. A key aspect of cybersecurity is threat intelligence. Read on to find out what threat intelligence is, why it's essential, and how to apply it.
What is threat intelligence?
The definition of threat intelligence is sometimes confused with other cybersecurity terms. Most commonly, people confuse ‘threat data’ with ‘threat intelligence’ – but the two are not the same:
- Threat data is a list of possible threats.
- Threat intelligence looks at the bigger picture – by interrogating the data and the broader context to construct a narrative that can inform decision-making.
In essence, threat intelligence enables organisations to make faster and more informed security decisions. It encourages proactive, rather than reactive, behaviours in the fight against cyber attacks.
Why is threat intelligence important?
Threat intelligence is a crucial part of any cybersecurity ecosystem. A cyber threat intelligence program, sometimes called CTI, can:
- Prevent data loss: With a well-structured CTI program, organisations can spot cyber threats and prevent data breaches from releasing sensitive information.
- Provide direction on safety measures: By identifying and analysing threats, CTI spots patterns hackers use and helps organisations put security measures in place to safeguard against future attacks.
- Inform others: Hackers get smarter by the day. To keep up, cybersecurity experts share the tactics they have seen with others in their community to create a collective knowledge base to fight cybercrimes.
Types of threat intelligence
Cybersecurity threat intelligence is often split into three categories – strategic, tactical, and operational. Let’s look at these in turn:
Strategic threat intelligence:
This is typically a high-level analysis designed for non-technical audiences – for example, the board of a company or organisation. It covers cybersecurity topics that may impact broader business decisions and looks at overall trends as well as motivations. Strategic threat intelligence is often based on open sources – which means anyone can access them – such as media reports, white papers, and research.
Tactical threat intelligence:
This is focused on the immediate future and is designed for a more technically proficient audience. It identifies simple indicators of compromise (IOCs) to allow IT teams to search for and eliminate specific threats within a network. IOCs include elements such as bad IP addresses, known malicious domain names, unusual traffic, log-in red flags, or an increase in file/download requests. Tactical intelligence is the most straightforward form of intelligence to generate and is usually automated. It often has a short lifespan, as many IOCs quickly become obsolete.
Operational threat intelligence:
Behind every cyber attack is a 'who', 'why', and 'how'. Operational threat intelligence is designed to answer these questions by studying past cyber attacks and drawing conclusions about intent, timing, and sophistication. Operational threat intelligence requires more resources than tactical intelligence and has a longer lifespan. This is because cyber attackers can't change their tactics, techniques, and procedures (known as TTPs) as easily as they can change their tools – such as a specific type of malware.
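The tactical intelligence described above is the kind that gets automated: a list of IOCs is matched against logs, and because IOCs go stale, each one carries an expiry. The following Python is an added illustration, not code from the original article or from Kaspersky; the indicator values, feed names, log format and time-to-live values are all constructed for the example.

```python
# Added example (not from the original article): matching tactical IOCs
# against log lines, honouring an expiry so stale indicators stop firing.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Indicator:
    value: str            # IP address or domain name
    kind: str             # "ip" or "domain"
    source: str           # which feed reported it (constructed feed names)
    first_seen: datetime  # when the feed first published it
    ttl: timedelta        # how long the indicator is treated as live

    def is_live(self, now: datetime) -> bool:
        """An IOC older than its TTL is retired rather than matched."""
        return now < self.first_seen + self.ttl


# Constructed sample indicators; addresses and domains are documentation placeholders.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
INDICATORS = [
    Indicator("203.0.113.7", "ip", "feed-a", NOW - timedelta(days=2), timedelta(days=7)),
    # Published 30 days ago with a 14-day TTL: already expired at NOW.
    Indicator("bad-update.example", "domain", "feed-b", NOW - timedelta(days=30), timedelta(days=14)),
    Indicator("cdn-login.example", "domain", "feed-a", NOW - timedelta(hours=6), timedelta(days=3)),
]

# Constructed proxy/firewall log lines in a simple space-separated format:
# <timestamp> <src_ip> <dst_ip> <host> <action>
SAMPLE_LOGS = """\
2024-06-01T11:58:03Z 10.0.0.5 203.0.113.7 - ALLOW
2024-06-01T11:58:10Z 10.0.0.9 198.51.100.2 bad-update.example ALLOW
2024-06-01T11:59:41Z 10.0.0.12 198.51.100.8 cdn-login.example ALLOW
2024-06-01T12:00:02Z 10.0.0.5 192.0.2.44 intranet.local ALLOW
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def live_lookup(indicators, now):
    """Index only the live indicators by value, so each log field costs one dict lookup."""
    return {i.value: i for i in indicators if i.is_live(now)}


def match_logs(log_text, indicators, now):
    """Return (line_no, indicator value, source) for every log line hitting a live IOC."""
    table = live_lookup(indicators, now)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        _ts, _src, dst_ip, host, _action = m.groups()
        for field in (dst_ip, host.lower()):
            if field in table:
                ind = table[field]
                hits.append((n, ind.value, ind.source))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, INDICATORS, NOW):
        print("line %d matched %s (from %s)" % hit)
```

Run at `NOW`, the sweep flags lines 1 and 3; line 2 contacts a domain that is in the feed but whose TTL has lapsed, so it is not raised. Whether a retired IOC should still be searched for historically (a retro-hunt) is a separate decision from whether it should page an analyst today.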
Cyber threat intelligence life cycle
Cybersecurity experts use the concept of a lifecycle in relation to threat intelligence. A typical threat intelligence lifecycle involves these stages: direction, collection, processing, analysis, dissemination, and feedback.
Phase 1: Direction
This phase focuses on setting goals for the threat intelligence program. It might include:
- Understanding which aspects of the organisation need to be protected and potentially creating a priority order.
- Identifying what threat intelligence the organisation needs to protect assets and respond to threats.
- Understanding the organisational impact of a cyber breach.
Phase 2: Collection
This phase is about gathering data to support the goals and objectives set in Phase 1. Data quantity and quality are both crucial to avoid missing severe threat events or being misled by false positives. In this phase, organisations need to identify their data sources – this might include:
- Metadata from internal networks and security devices
- Threat data feeds from credible cyber security organisations
- Interviews with informed stakeholders
- Open source news sites and blogs
Phase 3: Processing
All the data which has been collected needs to be turned into a format that the organisation can use. Different data collection methods will require various means of processing. For example, data from human interviews may need to be fact-checked and cross-checked against other data.
Phase 4: Analysis
Once the data has been processed into a usable format, it needs to be analysed. Analysis is the process of turning information into intelligence that can guide organisational decisions. These decisions might include whether to increase investment in security resources, whether to investigate a particular threat or set of threats, what actions need to be taken to block an immediate threat, what threat intelligence tools are needed, and so on.
Phase 5: Dissemination
Once analysis has been carried out, the key recommendations and conclusions need to be circulated to relevant stakeholders within the organisation. Different teams within the organisation will have different needs. To disseminate intelligence effectively, it’s worth asking what intelligence each audience needs, in what format, and how often.
Phase 6: Feedback
Feedback from stakeholders will help improve the threat intelligence program, ensuring that it reflects the requirements and objectives of each group.
The term ‘lifecycle’ highlights the fact that threat intelligence is not a linear, one-off process. Instead, it’s a circular and iterative process that organisations use for continuous improvement.
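To make the collection, processing, analysis, dissemination and feedback phases concrete, the following Python is an added illustration (not code from the original article or from Kaspersky). It takes two constructed feeds in different shapes, normalises them, merges duplicates, raises confidence where two sources corroborate each other, suppresses a value the feedback phase identified as a false positive, and splits the output by audience. The feed formats, source names, confidence numbers and indicator values are all assumptions made for the example.

```python
# Added example (not from the original article): processing and analysis
# of raw feed entries, following the lifecycle phases described above.

# Phase 2 output: raw entries from two constructed feeds in different shapes.
# feed-a is "value,type,confidence" per line; feed-b is one defanged value per line.
FEED_A = """\
203.0.113.7,ip,80
Bad-Update.Example,domain,60
203.0.113.7,ip,80
"""
FEED_B = """\
hxxp://bad-update[.]example/payload
203[.]0[.]113[.]7
198[.]51[.]100[.]2
"""

# Phase 6 feedback: stakeholders reported this address as infrastructure the
# organisation operates itself (constructed), so it must not be raised again.
FALSE_POSITIVES = {"198.51.100.2"}


def refang(value):
    """Undo common defanging so values from different feeds compare equal."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp://", "http://")
    if v.startswith("http://") or v.startswith("https://"):
        v = v.split("://", 1)[1].split("/", 1)[0]  # keep only the host part
    return v


def parse_feed_a(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        value, kind, conf = line.split(",")
        out.append((refang(value), kind, int(conf), "feed-a"))
    return out


def parse_feed_b(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        v = refang(line)
        kind = "ip" if v.replace(".", "").isdigit() else "domain"
        out.append((v, kind, 50, "feed-b"))  # feed-b carries no confidence; assume 50
    return out


def process(entries):
    """Phase 3: dedupe and merge. Phase 4: score by corroboration across sources."""
    merged = {}
    for value, kind, conf, source in entries:
        if value in FALSE_POSITIVES:
            continue
        rec = merged.setdefault(value, {"kind": kind, "sources": set(), "confidence": 0})
        rec["sources"].add(source)
        rec["confidence"] = max(rec["confidence"], conf)
    for rec in merged.values():
        # A second independent source corroborates the indicator; raise the score.
        if len(rec["sources"]) > 1:
            rec["confidence"] = min(100, rec["confidence"] + 15)
    return merged


def disseminate(merged):
    """Phase 5: the SOC gets blockable high-confidence values; management gets counts."""
    soc = sorted(v for v, r in merged.items() if r["confidence"] >= 75)
    summary = {
        "total": len(merged),
        "corroborated": sum(len(r["sources"]) > 1 for r in merged.values()),
    }
    return soc, summary


if __name__ == "__main__":
    merged = process(parse_feed_a(FEED_A) + parse_feed_b(FEED_B))
    soc_list, mgmt = disseminate(merged)
    print("SOC block list:", soc_list)
    print("Management summary:", mgmt)
```

The duplicate in feed-a collapses to one record, the defanged URL in feed-b resolves to the same domain feed-a reported, and both surviving indicators end up corroborated by two sources. The suppressed address shows why the feedback phase matters: without it the organisation's own host would be on the SOC's block list.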
Who benefits from threat intelligence?
Everyone who has an interest in security benefits from threat intelligence. Particularly if you’re running a business, benefits include:
Hackers are always looking for new ways to penetrate enterprise networks. Cyber threat intelligence allows businesses to identify new vulnerabilities as they emerge, reducing the risk of data loss or disruption to day-to-day operations.
Avoiding data breaches
A comprehensive cyber threat intelligence system should help to avoid data breaches. It does this by monitoring suspicious domains or IP addresses trying to communicate with an organisation’s systems. A good CTI system will block suspicious IP addresses – which could otherwise steal your data – from the network. Without a CTI system in place, hackers could flood the network with fake traffic to carry out a Distributed Denial of Service (DDoS) attack.
Data breaches are expensive. In 2021, the global average cost of a data breach was $4.24 million (although this varies by sector – the highest being healthcare). These costs include elements like legal fees and fines plus post-incident reinstatement costs. By reducing the risk of data breaches, cyber threat intelligence can help save money.
Essentially, threat intelligence research helps an organisation to understand cyber risks and what steps are needed to mitigate those risks.
What to look for in a threat intelligence program
Managing threats requires a 360-degree view of your assets. You need a program that monitors activity, identifies problems, and provides the data you need to make informed decisions to protect your organisation. Here’s what to look for in a cyber threat intelligence program:
Tailored threat management
You want a company that assesses your system, spots weaknesses, suggests safeguards, and monitors it 24/7. Many cybersecurity systems claim to do this, but you should look for one that can tailor a solution to your specific needs. Cybersecurity isn’t a one-size-fits-all solution, so don’t settle for a company selling you one.
Threat data feeds
You need an up-to-the-minute feed of websites that have been placed on a deny list plus malicious actors to keep an eye on.
Access to investigations
You need a company that provides access to its most recent investigations, explaining how hackers obtain entry, what they want, and how they get it. Armed with this information, businesses can make more informed decisions.
A cyber threat intelligence program should help your company identify attacks and mitigate risks. The program has to be comprehensive – for example, you don’t want a program that only identifies potential problems and does not offer solutions.
In a continually expanding threat landscape, cyber threats can have serious consequences for your organisation. But with robust cyber threat intelligence, you can mitigate the risks that can cause reputational and financial damage. To stay ahead of cyber attacks, request demo access to Kaspersky’s Threat Intelligence portal and start exploring the benefits it can provide to your organisation.