Threat intelligence is evidence-based knowledge about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Cyber threat intelligence is a subset of intelligence focused on information security. This curated information is intended to help you make better decisions about how to defend yourself and your business from cyber-based threats. Some of the questions threat intelligence can answer include:
Gartner definition of threat intelligence
|Type||Tagline||Half life of utility (for good guys and bad guys)||Focus||Built on the analysis of||Output data types|
| || ||Long (multiyear)||Non-technical||Big campaigns, groups, multi victim intrusions (and operational intel)||Long form writing about: victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events and geopolitical pressures|
| || ||Medium (one year plus)||Mixed (both really)||Whole malware families, threat groups, human behavior analysis (and tactical intel)||Short form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules|
|Tactical||What?||Short (months)||Technical||Security events, individual malware samples, phishing emails, attacker infrastructure||Atomic and machine-readable indicators such as IPs, domains, IOCs, "signatures"|
There are generally three “levels” of cyber threat intelligence: strategic, operational and tactical.
Collecting each flavor of intelligence is important because they serve different functions. Analysts leveraging the sum knowledge of these three types of intelligence are better able to determine what security solutions to use, how they should be leveraged, and how to proactively and reactively respond to threats.
We’ll use APT29 and the Education Sector to illustrate the differences between these three types of intelligence.
Tactical threat intelligence is the most basic form of threat intelligence. These are your common indicators of compromise (IOCs). Tactical intelligence is often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in enterprise networks.
Tactical threat intelligence and IOCs are meant to historically document cyber attacks, serving both as a corpus of evidence (for compliance, law enforcement, investigations, legal purposes, etc.) and also as reference material for analysts to interpret and extract context for use in defensive operations.
IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats are worth worrying about and which can safely be ignored.
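The alert enrichment described above, as an added example (not code from the original page or from Anomali): it matches alert fields against a small constructed IOC set, attaches the stored context, and discounts each indicator by age to reflect the short half-life of tactical intelligence. The alert field names, indicator values, 90-day half-life and escalation threshold are all assumptions.

```python
from datetime import date

# Constructed sample indicators (documentation-range IP, example domain).
IOCS = {
    "198.51.100.23": {"context": "C2 address from a documented intrusion campaign",
                      "last_seen": "2024-04-01", "confidence": 90},
    "login-portal.example.net": {"context": "credential-phishing domain",
                                 "last_seen": "2023-10-04", "confidence": 80},
}
HALF_LIFE_DAYS = 90    # assumption: tactical indicators lose value within months
ESCALATE_AT = 25       # assumption: minimum decayed score worth an analyst's time
FIELDS = ("src_ip", "dst_ip", "domain")   # hypothetical alert field names


def decayed_score(ioc, today):
    """Halve the feed's confidence for every HALF_LIFE_DAYS since last sighting."""
    age_days = max((today - date.fromisoformat(ioc["last_seen"])).days, 0)
    return round(ioc["confidence"] * 0.5 ** (age_days / HALF_LIFE_DAYS), 1)


def enrich(alert, today):
    """Attach matching intel to an alert and return it with a triage verdict."""
    hits = []
    for field in FIELDS:
        value = str(alert.get(field, "")).lower()
        ioc = IOCS.get(value)
        if ioc:
            hits.append({"field": field, "indicator": value,
                         "context": ioc["context"],
                         "score": decayed_score(ioc, today)})
    best = max((h["score"] for h in hits), default=0)
    if not hits:
        verdict = "no_intel_match"   # not proof of benign: IOCs cover known threats only
    elif best >= ESCALATE_AT:
        verdict = "escalate"
    else:
        verdict = "review"           # matched, but the indicator is stale
    return {**alert, "intel": hits, "verdict": verdict}


if __name__ == "__main__":
    today = date(2024, 6, 30)
    for alert in ({"id": 1, "dst_ip": "198.51.100.23"},
                  {"id": 2, "domain": "Login-Portal.Example.net"},
                  {"id": 3, "dst_ip": "203.0.113.9"}):
        print(enrich(alert, today))
```

The "no_intel_match" verdict only means no known indicator was seen, which is why the behavior-based hunting described later on the page is needed alongside IOC matching.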
Operational threat intelligence provides insight into actor methodologies and exposes potential risks. It fuels more meaningful detection, incident response, and hunting programs. Where tactical threat intelligence gives analysts context on threats that are already known, operational intelligence brings investigations closer to uncovering completely new threats.
This kind of intelligence is most frequently used by forensic investigators and incident responders, and typically includes the following types of items:
Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”
Operational threat intelligence is knowledge gained from examining details from known attacks. An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts and deriving operational intelligence from them. This can help to achieve a number of defensive goals, like enhancing incident response plans and mitigation techniques for future attacks and incidents.
Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.
Strategic threat intelligence provides a big-picture look at how threats and attacks are changing over time. Strategic threat intelligence may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.
Strategic threat intelligence might include information on the following topic areas:
Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical threat intelligence from known cyber attacks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better-informed investment decisions. Some uses of strategic threat intelligence include:
Threat intelligence always has a purpose—to inform decision making and drive action. However, it’s not uncommon for businesses to struggle when determining the value of their threat intelligence team, processes, and tools. The terminology of threat intelligence is usually not compatible with the business lexicon, leading to misunderstandings of its purpose and value.
Businesses can help derive value from their intelligence programs by aligning them to a generic, macro-level set of priorities as can be seen below (not all inclusive):
Once the threat intelligence team understands the business objectives, they can align their operations and efforts to support the business. Not all of the business priorities will perfectly align with threat intelligence capabilities, and that’s okay. You can develop granularity and nuance as you build out your requirements. Here are some starting goals for any threat intelligence team:
Threat intelligence will continue to evolve and be a key security function. Integrating tactical, operational, and strategic threat intelligence will provide valuable insights into IOCs and threat actor methodologies. This will lead to more secure environments where you can identify your adversaries. A growing number of public and private sector organizations are now using cyber threat intelligence. Recent research published by the Ponemon Institute revealed that 80 percent of organizations are using it and that an even higher percentage regard it as critical.
Organizations using cyber threat intelligence are meeting numerous security challenges. They are detecting and responding to advanced threats. They are preventing data breaches and protecting sensitive information. They are lowering cybercrime and fraud costs. Most importantly, they are reducing overall business risk.
The information on this page should provide you with a solid understanding of what cyber threat intelligence is and the value it provides. However, this is only a starting point. In addition to this information, Anomali provides numerous resources that can help you to make a smart decision about why you should add cyber threat intelligence capabilities to your security stack and how to integrate them with minimal friction.