Threat intelligence is information about current threats and threat actors. Companies can use the information to study goals, tactics, and tools and build an effective defensive strategy against attacks. Companies can collect threat intelligence themselves or acquire it from third-party suppliers.
Types of threat intelligence
Threat intelligence exists in three main categories:
- Tactical — technical information, such as indicators of compromise.
- Operational — a description of techniques and procedures used by attackers, as well as their capabilities and objectives.
- Strategic — data about risks associated with specific threats.
Threat intelligence may be delivered as streams of raw data or as analytical reports with conclusions and recommendations.
Working with threat intelligence
Threat intelligence is collected manually or automatically from various sources including endpoints and other elements of the corporate infrastructure, news and data provided by infosec companies, websites and forums, and darknet resources. The information is then analyzed and converted into a readable format.
The process of working with threat intelligence takes place in the following stages:
- Planning — setting tasks for programs or experts.
- Data collection and processing — harvesting information about current threats, including the removal of duplicate data, and presenting it in a single format. Processing is necessary for real-time search and retrieval of specific data.
- Analysis — studying the collected data, including suspicious files and programs, with a view to forming hypotheses and recommendations. The analysis stage also identifies any deficiencies in the data collection and processing methods.
- Distribution — delivering threat intelligence to the relevant parties: for example, internal specialists, if the company collected the data for itself, or a client.
- Feedback — the reaction of employees or clients to the information provided, and follow-up measures.
Applying threat intelligence
Threat intelligence can be applied at various stages of defense. In particular, the company’s infosec team can use it to hunt for threats in the corporate infrastructure. Indicators of compromise are useful for improving passive protection tools, such as updating firewall rules. In addition, threat intelligence can assist in the attribution of cyberincidents.
Threat intelligence is used in various infosec solutions, such as SIEM systems and EDR platforms, as well as Threat Intelligence Gateways (TIGs).