What Is Threat Intelligence
A crash course
Public and private sector organizations now rely on threat intelligence to make informed decisions about risks impacting their assets and people.
This is true not only for cyber vulnerabilities—the context in which “threat intelligence” is typically used—but also for physical security and cyber-enabled crimes. In fact, cyber and real-world threats are often intertwined, as events like the COVID-19 pandemic have demonstrated. Threat intelligence for digital risks can help inform responses to non-cyber threats, and vice versa.
A robust threat intelligence program will help organizations mitigate or avoid damages related to both cyber compromise and real-world threats, especially when they overlap.
What is threat intelligence, and why is it crucial for public sector intelligence teams and corporate security professionals? Keep reading to learn more about threat intelligence methodologies, applications, and tooling.
According to DNSstuff.com, threat intelligence “refers to the information used by an organization to better understand past, current, and future threats. Threat intelligence provides the context necessary to make informed decisions about your network security, especially after an attack has occurred.”
Threat intelligence is useful to anyone who routinely faces actionable risks to people or assets, and must respond based on an in-depth understanding of the threat. In the context of threat intelligence, these risks are usually associated with attacking computer systems. But threat intelligence is also valuable for security or intelligence professionals handling real-world and cyber-enabled threats (which use the web to commit crimes like fraud or theft).
Threat intelligence also differs from data and information. Data provides a source of truth about an entity or an event, while information is gleaned by combining data points into a more contextual narrative. Threat intelligence makes connections between a number of narratives to gain a more comprehensive understanding of a threat. This heightened context is required for driving decisions behind serious risks where a lot is at stake—such as a company’s data or a country’s national security.
Why does threat intelligence matter?
There are a number of reasons why threat intelligence strategies are increasingly relevant for security teams in the public and private sector:
- Digital transformation. According to a report by IFS, 70% of businesses increased or maintained their investment in digital transformation in 2020—even as the global economy took a turn. Alongside the benefits of digital technology adoption, this shift increases digital attack surfaces, exposing more organizations to cyber threats. Attack surfaces are further exposed by a widespread transition to work-from-home environments where cybersecurity may be weaker.
- A more complex threat landscape. Threats now go beyond cybersecurity use cases. Digital risks are influenced by real-world environments, and physical security risks are influenced by online environments. An effective threat intelligence strategy must consider a variety of online and offline spaces to get a full picture of the threat.
- Skills shortages and alert fatigue. According to a 2020 Forrester report, security teams, on average, receive over 11,000 alerts each day, almost a third of them false positives—and only 72% are addressed at all due to time and resource constraints. Threat intelligence solutions help automate intelligence processes so organizations can better cope with analyst shortages and resource allocation.
A robust threat intelligence strategy also helps organizations respond more proactively to external threats, minimize fiscal and reputational damages, and better protect people and assets at risk.
For cybersecurity use cases, threat intelligence is usually categorized into three types: tactical, strategic, and operational.
Strategic threat intelligence is high-level intelligence intended for non-technical audiences like board members. These individuals have decision-making power for threat response but may not have technical cybersecurity knowledge. They need to know any business impacts of digital risks and understand broader themes and patterns emerging in the threat landscape. Strategic intelligence often combines cybersecurity intelligence with real-world factors like political or economic climates.
Tactical threat intelligence, on the other hand, is intended for technical audiences working in cybersecurity and system defense. This intelligence describes how threat actors operate (what their tactics, techniques, and procedures, or TTPs, are). This involves monitoring internal threat data feeds (e.g. network traffic data) to identify indicators of compromise. Tactical threat intelligence helps security professionals find direct attacks on their systems or understand emerging attack strategies more generally.
Operational threat intelligence is similar, in many ways, to tactical threat intelligence. It tells cybersecurity teams how a particular cyber attack was approached—like a comprehensive attack narrative including motives, timing, and specific techniques used. Operational threat intelligence also relies on external sources, like dark web forums, to gather information directly from threat actors.
As we’ve mentioned, threat intelligence also applies to use cases beyond cybercrime. These standard categories—strategic, tactical, and operational—may not translate to threat intelligence for physical or cyber-enabled threats. For that reason, we’re also introducing some alternative threat intelligence types:
Physical threat intelligence informs security professionals about real-world risks affecting their assets. This often relies on online data sources, such as public social media posts providing ground-truth information, as well as surface, deep, and dark websites. For example, some social platforms or forums could provide conversations from extremist communities indicating public safety risks. Social media also offers visual media coming from an area of interest, such as a conflict zone.
Cyber-enabled threat intelligence encompasses online risks that do not necessarily target computer systems. It’s useful for finding indicators of illicit activity when adversaries use digital communications for non-cyber crimes. For example, this includes fraud, trafficking, counterfeiting, or spreading misinformation.
It’s worth noting that cyber threat intelligence can inform physical security or cyber-enabled crime use cases, and vice versa. Security personnel must consider these different approaches as threat types interact with one another.
The threat intelligence lifecycle models how raw data transforms into actionable, contextual threat intelligence. The lifecycle is usually described in six phases, which are repeated and refined over time as goals shift and new intelligence surfaces.
- Plan and define intelligence requirements and objectives. What is the goal of the threat intelligence? This stage is usually most effective when driven by specific requirements or queries, and the intelligence’s target audience is clearly defined. A report outlining tactical threat intelligence in detail is probably unfit for executives making high-level decisions about an organization’s security posture.
- Collect raw data from a variety of threat intelligence feeds. Data sources depend on the cycle’s planning and direction. For cybersecurity, this usually combines internal network data, technical feeds, and external web sources relevant to cybercrime. Threat intelligence cycles motivated by physical security or cyber-enabled threats might also include social media or news sources.
- Process raw data. Not all collected data is useful for the mission at hand, and it can’t be used effectively when it’s disordered. This is where collected data is de-duplicated, tagged, and transformed into formats relevant to intelligence delivery. The aim is to refine what is likely a lot of data to something more manageable, removing as many false positives as possible. It should also organize or parse data in a way that is digestible to analysts.
- Analyze. At this point, the data is ready to be analyzed and contextualized to create finished intelligence. This again depends on the audience and goals outlined in the planning stage. While analysis is usually a manual task, subject to the bias and interpretation of human analysts, machine learning models can help automate parts of this process.
- Distribute the intelligence. The intelligence must reach its intended audience in the appropriate format at the right time.
- Incorporate feedback. The intelligence cycle doesn’t stop once it’s handed off to stakeholders. Their feedback, along with any new insights, informs the planning phase to initiate a new cycle. Feedback should be well-documented so that intelligence cycles stay focused at each iteration.
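The process stage above, shown as an added example that is not from the original article: constructed records from three feeds with different schemas (an internal IDS, a technical indicator feed, and a social media post) are mapped to one schema, de-duplicated across feeds, stripped of false positives, and tagged for the analyst. The feed names, the placeholder values, the allowlist and the rule that the organization's own RFC 1918 space is never a threat indicator are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (placeholder values only) from three feeds with
# three different schemas: an internal IDS, a technical feed, a social source.
IDS_ALERTS = [
    {"src": "203.0.113.7", "sig": "ET SCAN Nmap"},
    {"src": "10.0.0.5", "sig": "ET POLICY Internal"},
    {"src": "203.0.113.7", "sig": "ET SCAN Nmap"},
]
IOC_FEED = [{"indicator": "203.0.113.7"}, {"indicator": "Malicious.Example"},
            {"indicator": "malicious.example"}, {"indicator": "cdn.example"}]
SOCIAL_POSTS = [{"text": "Anyone else getting phish mail from malicious.example today?"}]
# Hypothetical false-positive rules: a known-good domain list, and the
# organisation's own RFC 1918 space (assumed), which is never a threat indicator.
ALLOWLIST = {"cdn.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INDICATOR_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+\.[a-z]{2,})\b", re.I)

def kind_of(value):
    """Classify an indicator; None means it is inside our own address space."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "domain"
    return None if any(addr in net for net in INTERNAL_NETS) else "ipv4"

def normalize():
    """Map each feed's own schema onto (indicator, source, tag) tuples."""
    for a in IDS_ALERTS:
        yield a["src"], "ids", "scanning" if "SCAN" in a["sig"] else None
    for i in IOC_FEED:
        yield i["indicator"], "ioc", None
    for p in SOCIAL_POSTS:
        tag = "phishing" if "phish" in p["text"].lower() else None
        for found in INDICATOR_RE.findall(p["text"]):
            yield found, "social", tag

def process():
    """Process stage: de-duplicate across feeds, drop false positives, tag."""
    merged = defaultdict(lambda: {"sources": set(), "tags": set(), "hits": 0})
    for value, source, tag in normalize():
        value = value.lower()
        kind = kind_of(value)
        if kind is None or value in ALLOWLIST:
            continue  # internal host or known-good domain: noise, not intelligence
        entry = merged[(kind, value)]
        entry["sources"].add(source)
        entry["hits"] += 1
        if tag:
            entry["tags"].add(tag)
    # One record per indicator, listing every feed that saw it, for the analyst.
    return {f"{k}:{v}": e for (k, v), e in sorted(merged.items())}
```

Nine raw records collapse to two indicators, each carrying the feeds that reported it, so a social post and a technical feed naming the same domain reinforce rather than duplicate each other.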
The intelligence cycle could be considered the status quo of threat intelligence development. Some sources, such as this article in the Intelligence and National Security journal, suggest that the model is a flawed reflection of real-world threat intelligence processes. While the cycle makes it easy to digest how raw data becomes finished threat intelligence, it’s worth noting that in practice, each stage can occur simultaneously and decisions may be enacted before the cycle is complete.
Threat intelligence has a wide range of applications across public and private sector intelligence teams. These use cases often combine digital and physical threat intelligence, and leverage machine learning to streamline processes. Here’s a broad overview of real-world threat intelligence applications.
Cybersecurity teams are bombarded with thousands of alerts every day, many of them false positives. As analysts face resource constraints and alert desensitization, legitimate risks inevitably slip through the cracks. Threat intelligence solutions use automation and machine learning to support analysts throughout the intelligence cycle, relieving them of manual work during collection, processing, and in some cases, analysis.
Threat intelligence is required for effective cybersecurity, supporting incident response, vulnerability management, third-party security, cybersecurity education, executive decision-making, and other public or private sector functions that rely on cyber threat intelligence.
“Physical security” covers a wide range of applications that are supported by threat intelligence. In many cases, physical and cyber threat intelligence are interconnected. Here are just a few examples:
- Public or private sector organizations may have physical assets or personnel located in areas subject to political instability, extremism, or other high-risk circumstances. Threat intelligence provides security personnel in these situations with context about a physical environment. For example, social media platforms provide ground-truth photos or video from a specific location. Some fringe messaging applications and forums can also alert security personnel to active shooter manifestos or other indicators of an impending public safety threat.
- Data leaks are relevant for both physical and digital security responses. Say a dox is posted on DeepPaste, a dark web paste site, exposing a CEO’s personally identifiable information, including their home address and family members. This could compromise the CEO’s (and the organization’s) digital security—but it’s also valuable for executive protection teams who may need to deploy a detail in and around the target’s home and whereabouts.
- The image of an organization’s ID badge, infrastructure map, or SOC room is posted on a social network like Reddit or Twitter by an insider source. This information could be used to weaken a facility’s physical access control, compromise a digital system, or support a social engineering strategy. Security teams must monitor the web for data leaks that could compromise both physical and digital security.
National security initiatives are supported by threat intelligence gathered from cybersecurity feeds, public online data sources such as the dark web, and offline sources like human correspondence or satellite imagery. Analysts often must gather threat intelligence based on data in multiple languages.
Threat intelligence can provide in-depth context and support decision-making for national security risks including:
- Public crises. Online data sources like news and social media can help the public sector respond faster and more effectively to crises such as pandemics, natural disasters, or political instability.
- Misinformation. Over the last few years, the web has become a propaganda vehicle for nation-states intending to influence public opinion and undermine democracies around the world. Threat intelligence solutions can identify misinformation campaigns, map their online presence, and predict influence.
- Cyber threats. As with cybersecurity applications, threat intelligence helps address cyber compromises—such as data exfiltration and advanced persistent threats backed by nation-states.
- Terrorism. Online threat intelligence provides critical information related to terrorist propaganda, recruitment, funding, and in some cases, planning. This information is crucial for tracking extremist populations over time and predicting terrorist attacks.
- Organized blue- and white-collar crime. Threat intelligence helps government and defense investigate corruption, fraud, trafficking, and other cyber-enabled crimes. The deep web and dark web host marketplaces, discussion forums, and other communication channels that enable these activities at a regional, national, and international level.
Threat intelligence cannot be effectively created or applied without the help of software or third-party providers. At a high level, threat intelligence tooling accomplishes two things:
- It gives end-users real-time access to data sources relevant to their goals. This typically includes a range of technical feeds and surface, deep, and dark web sources.
- It uses automation and/or machine learning to reduce the human resources required to collect, process, and analyze data.
Choosing Threat Intelligence Solutions
Not all threat intelligence solutions are equal, and there is no silver-bullet solution. Intelligence teams typically require a suite of tools to accomplish their goals. Some intelligence professionals, such as those working in defense, may develop bespoke threat intelligence tooling and rely on third-party APIs and integrations to funnel data into a system.
Threat intelligence services and solutions can focus on providing clients with finished intelligence reports (such as Recorded Future), essentially helping them fill multiple roles along the intelligence lifecycle. Other solutions focus on specific lifecycle steps, such as tools that streamline data collection and processing. Threat intelligence products can offer remediation options, which help clients respond to threats.
There’s no right or wrong solution—the appropriate threat intelligence solution depends on the end user’s goals and requirements.
For example, say a large enterprise aims to gather cyber threat intelligence to improve their risk profile. They also struggle to retain enough skilled analysts. This use case may be suited for a finished threat intelligence service that helps the company stay on top of cybersecurity risks.
Defense teams, on the other hand, have unique threat intelligence requirements that don’t necessarily fit the goals of a finished intelligence service. They tend to work with proprietary tooling and processes and develop their own internal intelligence reports for a specific mission. In this case, a threat API, or tools that cover the early stages of the value chain (data discovery and processing), might be more appropriate.
Regardless of a security or intelligence team’s goals, an effective solution should:
- Address alert fatigue. Automation and machine learning provide much-needed support for overburdened and understaffed intelligence teams. Threat intelligence solutions can automatically parse out relevant information from raw data and remove false positives. Machine learning also helps contextualize text or image-based data for faster triaging, and can even predict threat activities.
- Combine relevant data sources in one platform. While multiple tools are generally necessary for threat intelligence strategies, pivoting between more tools than necessary can bog analysts down even further. Data discovery solutions like the Echosec Systems Platform combine social media, deep, and dark web data in one interface so users don’t need separate tools for each source type.
- Be intuitive for its end-users. Threat intelligence tools can hinder more than help end-users if their UI is too complex. Threat intelligence solutions should be intuitive enough for users to adopt quickly without sacrificing the data quality or functionality required for threat intelligence applications.
Echosec Systems focuses on supporting data collection, processing, and in some cases, analysis, for non-technical data. This includes a range of surface, deep, and dark web sources, including social media platforms and breached data repositories.
Echosec Systems provides access to a mixture of mainstream and obscure online sources that are not typically combined in commercial threat intelligence solutions. This breadth of data supports both cybersecurity and real-world threat applications, allowing analysts to track online breadcrumbs as they intersect different web spaces and use cases.
Data is accessible via the Echosec Systems Platform, which provides users with an intuitive UI for data collection and processing. Users who already have their own tooling and interfaces—such as those working in SOCs and defense—can funnel data directly into their systems via the Echosec Systems API.
Echosec Systems’ machine learning capabilities also automatically tag and rank content within eight distinct threat categories to help analysts more rapidly contextualize and triage threat data.
Whether the goal is to support a cyber threat intelligence strategy or national security mission, Echosec Systems products improve data quality and accessibility throughout the threat intelligence lifecycle.