Cyber threat intelligence is information sourced, produced, gathered, and shared by cybersecurity teams about cybercriminals, unauthorized users, and other adversaries. This information can be used to take proactive steps to guard against specific threats, respond in real time to current threats, and guide business and cybersecurity decision-making and risk management.
Cyber threat intelligence stems from cyber threat analysis, which focuses on identifying and assessing malicious threats for their potential to cause damage. When executed correctly using a threat intelligence platform, cyber threat analysis forms the foundation for effective and actionable intelligence. This allows security operations centers (SOCs) to efficiently identify and block malicious files across all networks, reducing the time spent investigating threats and alerts.
Why is threat intelligence important?
Crowdsourcing and aggregating incident and attacker data has an exponential impact. In other words, the more data the security industry can share, the better-prepared SOCs will be against threats. When organizations invest in cyber threat intelligence, they gain access to enormous threat databases that can dramatically improve their success at identifying and blocking threats.
Where does cyber threat intelligence come from?
Cyber threat intelligence often comes from managed service providers that do the work of gathering, aggregating, and sometimes analyzing cybersecurity incident data. Data can also come from open-source threat intelligence platforms, some of which are created for high-risk industries like healthcare, utilities, and finance.
Organizations can also harvest threat intelligence from their own cyber defense data or through advanced threat hunting. Managed security providers can glean intelligence from the data streams created over time by the many technologies they use to defend their clients. Some outsourced threat intelligence services may also aggregate cybersecurity news and scan public data streams associated with hackers to compile even more threat data.
What information is included in cyber threat intelligence?
Strategic intelligence
This is high-level intelligence relating to organizational imperatives that intersect with cybersecurity, such as lines of business, foreign markets, and human resources.
Operational intelligence
This category includes intelligence on current threats and known indicators of compromise (IOCs) that SOCs use as guidance for adjustments to security posture and processes. Operational intelligence can also include threat actor behaviors and malware history. This category also usually includes business-specific context to help guide decisions about which architectures and technologies SOCs should adopt in the future.
Tactical intelligence
This type of intelligence is all about real-time detection and response when attacks are in progress, so it could be called the “meat and potatoes” category. Tactical intelligence is composed of detailed technical information that can help prevent or contain a threat before it becomes destructive. It may also include relevant data such as new privileged users, unusual data access, or unexplained configuration changes.
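As an added illustration of how operational and tactical intelligence is put to work (this is example code, not from the original page or any vendor platform), the script below loads a constructed IOC feed of hashes, domains and IP addresses, refangs the defanged notation such feeds commonly use, and flags constructed log lines that reference any of the indicators. Feed contents, log lines and the "DemoLoader" label are all made up for the example.

```python
import re

# Constructed IOC feed in a simple CSV shape: type,value,label.
# Domains and IPs are "defanged" ([.]) as threat feeds often ship them.
IOC_FEED = """
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,DemoLoader dropper
domain,update.bad-example[.]test,DemoLoader staging host
ipv4,192.0.2[.]44,DemoLoader C2
"""

# Constructed log lines from a proxy, an EDR agent and a firewall.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy user=alice dst=UPDATE.BAD-EXAMPLE.TEST status=200",
    "2024-05-01T10:00:05Z edr host=ws12 file=report.pdf sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-05-01T10:00:09Z fw src=10.0.0.5 dst=192.0.2.44 dport=443 action=allow",
    "2024-05-01T10:00:12Z proxy user=bob dst=example.org status=200",
]

def refang(value: str) -> str:
    """Undo common defanging and normalise case so feed and log values compare equal."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def parse_feed(text: str) -> dict:
    """Map each normalised indicator value to its (type, label) pair."""
    iocs = {}
    for line in text.strip().splitlines():
        ioc_type, value, label = line.split(",", 2)
        iocs[refang(value)] = (ioc_type, label)
    return iocs

# Tokens that can carry a hash, hostname or IPv4 address; key=value separators split them.
TOKEN = re.compile(r"[A-Za-z0-9.\-]+")

def match_logs(iocs: dict, lines: list) -> list:
    """Return (ioc_type, indicator, label, log_line) for every log token found in the feed."""
    hits = []
    for line in lines:
        for tok in TOKEN.findall(line):
            key = tok.lower()
            if key in iocs:
                ioc_type, label = iocs[key]
                hits.append((ioc_type, key, label, line))
    return hits

if __name__ == "__main__":
    for ioc_type, value, label, line in match_logs(parse_feed(IOC_FEED), LOG_LINES):
        print(f"[{ioc_type}] {value} ({label}) <- {line}")
```

Three of the four constructed lines are flagged; the benign example.org request is not.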