Threat intelligence is an organisation’s best tool to move from a reactive to a proactive cybersecurity posture. By gathering and analysing information about potential and current threats, you can better understand the risks your organisation faces and take steps to mitigate them.
In this article, we’ll explain what threat intelligence is and how it can benefit your organisation. We'll also provide some tips on how to get started with a threat intelligence program and where to find quality intelligence sources.
By the end of this article, you should have a good understanding of how threat intelligence can help you to keep your organisation safe against emerging threats in your industry.
“Threat intelligence” or “Threat intel” describes the collection and analysis of information about potential or current threats to an organisation's security.
Threat intel can include details about the tactics, techniques, and procedures used by attackers, as well as information about the tools and infrastructure they use. It’s typically gathered from a variety of sources, including security researchers, government agencies, and private intelligence firms.
One way threat intelligence benefits organisations is by helping them to prioritise their cybersecurity efforts. By understanding the types of threats they are most likely to face, organisations can focus their resources on defending against the most critical threats first.
Threat intelligence can also help SOC teams to be more proactive. By staying up-to-date on the latest threats, organisations can anticipate potential attacks and take steps to prevent them before they happen. In some cases, threat intelligence can even be used to automatically prevent certain types of attacks, such as automatically blocklisting an IP address associated with phishing activity.
According to John Hubbard of the SANS Institute, there are three main things your organisation needs to get started with threat intelligence:
Threat intelligence ranges from extremely broad to incredibly granular. The varying specificity of threat intel represents one of the main challenges involved with working in this space. Most threat intel falls into one of three categories:
To bring these concepts to life, here are some examples of different types of threat intelligence.
The first example below is an example of threat intelligence at the highest, or “strategic” level. It provides a high-level overview of an emerging threat (in this case, a Russian state-sponsored APT).
A tell-tale sign that threat intel sits at the strategic level is that it focuses mainly on the “who” and “why” rather than the “how” and “what”.
STRATEGIC THREAT INTELLIGENCE EXAMPLE
Operational threat intelligence dives into the “operations” of threat actors, such as the specific TTPs they’ve used.
An example of this kind of threat intelligence is leaked internal chat logs from a threat group. For example, in February 2022 a Ukrainian security researcher published leaked chat logs from the ransomware group Conti. In the logs, the group discusses victim bots infected with malware. Because this threat intelligence delves primarily into the “what” and the “how” of the threat group, it is operational threat intelligence.
Tactical threat intelligence is the most fine-grained level of threat intelligence, consisting mainly of IOCs (Indicators of Compromise). This kind of intelligence is particularly useful for feeding into your automated systems using something like MISP.
Examples of tactical threat intelligence/IOCs include file hashes, IP addresses, domains and port numbers.
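To show how tactical IOCs are consumed by automation, here is an added example (not code from the article or from the MISP project) that loads indicators from a constructed, simplified MISP-style event export and scans constructed log lines for them. It assumes the `Event` / `Attribute` JSON shape and the per-attribute `to_ids` flag that MISP uses to mark an attribute as suitable for automated detection; only those attributes are used for matching by default, which is the check a practitioner wants before wiring a feed into automatic blocklisting.

```python
import json
import re
from collections import defaultdict

# Constructed, simplified MISP-style event export (not a real feed). Only the
# "Attribute" list with type/value/to_ids matters here; other fields are omitted.
SAMPLE_EVENT = json.dumps({"Event": {"info": "Example phishing infrastructure", "Attribute": [
    {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},
    {"type": "domain", "value": "login-verify.example", "to_ids": True},
    {"type": "sha256", "value": "a" * 64, "to_ids": True},
    {"type": "ip-dst", "value": "203.0.113.9", "to_ids": False},  # context only, not for blocking
]}})

# Constructed proxy/EDR log lines to scan (RFC 5737 test addresses, reserved example TLD).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=login-verify.example action=allow",
    "2024-05-01T10:00:02Z proxy src=10.0.0.7 dst=93.184.216.34 host=example.com action=allow",
    "2024-05-01T10:00:03Z edr host=ws12 file=invoice.exe sha256=" + "a" * 64,
    "2024-05-01T10:00:04Z proxy src=10.0.0.9 dst=203.0.113.9 host=cdn.example action=allow",
]

TOKEN = re.compile(r"[A-Za-z0-9.\-]+")  # splits key=value pairs into comparable tokens

def load_indicators(event_json, actionable_only=True):
    """Return {ioc_type: set(values)} from a MISP-style event.
    With actionable_only, keep only attributes flagged to_ids=True, i.e. those the
    producer marked as safe to feed into automated detection or blocking."""
    attrs = json.loads(event_json)["Event"]["Attribute"]
    idx = defaultdict(set)
    for a in attrs:
        if actionable_only and not a.get("to_ids", False):
            continue
        idx[a["type"]].add(a["value"].lower())
    return idx

def match_logs(lines, indicators):
    """Return sorted (line_no, ioc_type, value) tuples for every indicator seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = {t.lower() for t in TOKEN.findall(line)}
        for ioc_type, values in indicators.items():
            for v in values & tokens:
                hits.append((n, ioc_type, v))
    return sorted(hits)

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, load_indicators(SAMPLE_EVENT)):
        print("IOC hit: line %d %s=%s" % hit)
```

Line 4 matches the context-only address but produces no hit because that attribute has `to_ids=False`; pass `actionable_only=False` to see it for hunting rather than blocking.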