Public and private sector organizations now rely on threat intelligence to make informed decisions about risks impacting their assets and people.
This is true not only for cyber vulnerabilities—the context in which “threat intelligence” is typically used—but also for physical security and cyber-enabled crimes. In fact, cyber and real-world threats are often intertwined, as events like the COVID-19 pandemic have demonstrated. Threat intelligence for digital risks can help inform responses to non-cyber threats, and vice versa.
A robust threat intelligence program will help organizations mitigate or avoid damages related to both cyber compromise and real-world threats, especially when they overlap.
What is threat intelligence, and why is it crucial for public sector intelligence teams and corporate security professionals? Keep reading to learn more about threat intelligence methodologies, applications, and tooling.
According to DNSstuff.com, threat intelligence “refers to the information used by an organization to better understand past, current, and future threats. Threat intelligence provides the context necessary to make informed decisions about your network security, especially after an attack has occurred.”
Threat intelligence is useful to anyone who routinely faces actionable risks to people or assets and must respond based on an in-depth understanding of the threat. In the cybersecurity context, those risks usually involve attacks on computer systems. But threat intelligence is equally valuable for security or intelligence professionals handling real-world threats and cyber-enabled threats (crimes such as fraud or theft that are carried out over the web).
Threat intelligence also differs from data and information. Data are raw, discrete facts about an entity or an event; information is produced by combining data points into a contextual narrative; threat intelligence connects and analyzes a number of such narratives to reach a comprehensive, decision-ready understanding of a threat. That added context is what decisions with serious stakes require, whether the stake is a company’s data or a country’s national security.
Why does threat intelligence matter?
Threat intelligence strategies are increasingly relevant for security teams in the public and private sector for a number of reasons.
A robust threat intelligence strategy helps organizations respond more proactively to external threats, minimize fiscal and reputational damages, and better protect people and assets at risk.
For cybersecurity use cases, threat intelligence is usually divided into three types: strategic, tactical, and operational.
Strategic threat intelligence is high-level intelligence intended for non-technical audiences like board members. These individuals have decision-making power for threat response but may not have technical cybersecurity knowledge. They need to know any business impacts of digital risks and understand broader themes and patterns emerging in the threat landscape. Strategic intelligence often combines cybersecurity intelligence with real-world factors like political or economic climates.
Tactical threat intelligence, on the other hand, is intended for technical audiences working in cybersecurity and system defense. It describes how threat actors operate (their tactics, techniques, and procedures, or TTPs). Producing it involves monitoring internal data feeds (e.g. network traffic, DNS, proxy and endpoint logs) and matching them against known indicators of compromise. Tactical threat intelligence helps security professionals detect direct attacks on their own systems and understand emerging attack strategies more generally.
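The core of tactical intelligence in day-to-day use is the matching step: indicators from a feed are normalized and compared against internal log data. The following is an added example (not code from the original article or from Echosec Systems) showing that step end to end. The feed format, the three log formats and every value in them are constructed for illustration: the IPs come from RFC 5737 documentation ranges, the domains use the reserved .test TLD, and the hash is the SHA-256 of an empty file used purely as a placeholder.

```python
"""Tactical threat intelligence in practice: match indicators of compromise
(IOCs) from a feed against internal log data.

Added example, not code from the original article or from Echosec Systems.
Feed format, log formats and all values are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed, one indicator per line: kind,value,confidence(0-100).
# Indicators are "defanged" (hxxp, [.]) the way real feeds usually ship them.
IOC_FEED = """\
ipv4,198.51.100.23,90
cidr,203.0.113.0/24,60
domain,evil-example[.]test,85
url,hxxp://malware-example[.]test/payload.bin,95
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,80
"""

# Constructed internal log lines in three formats (DNS, web proxy, EDR).
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z dns client=10.0.0.5 query=cdn.evil-example.test type=A",
    "2024-03-01T10:15:03Z proxy client=10.0.0.5 dst=198.51.100.23:443 url=https://198.51.100.23/login",
    "2024-03-01T10:16:10Z proxy client=10.0.0.7 dst=203.0.113.77:80 url=http://malware-example.test/payload.bin",
    "2024-03-01T10:17:45Z dns client=10.0.0.9 query=www.example.test type=A",
    "2024-03-01T10:19:30Z edr host=ws-12 process=update.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]


@dataclass(frozen=True)
class Indicator:
    kind: str        # ipv4 | cidr | domain | url | sha256
    value: str       # refanged and lower-cased
    confidence: int


@dataclass(frozen=True)
class Match:
    line: str
    field: str       # log field the observable was taken from
    observed: str
    indicator: Indicator


def refang(indicator: str) -> str:
    """Undo common defanging so feed values compare equal to log values."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.replace("[:]", ":").replace("[@]", "@")


def load_feed(text: str) -> list[Indicator]:
    iocs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, confidence = (p.strip() for p in line.split(",", 2))
        iocs.append(Indicator(kind, refang(value), int(confidence)))
    return iocs


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def observables(line: str) -> list[tuple[str, str, str]]:
    """Extract (field, observable_kind, value) triples from a key=value log line."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    out = []
    if "query" in fields:
        out.append(("query", "domain", fields["query"].lower().rstrip(".")))
    if "dst" in fields:  # "ip:port"; this example handles IPv4 only
        out.append(("dst", "ip", fields["dst"].rsplit(":", 1)[0]))
    if "url" in fields:
        url = fields["url"].lower()  # lower-casing the path is a simplification
        out.append(("url", "url", url))
        host = re.sub(r"^[a-z]+://", "", url).split("/", 1)[0].split(":", 1)[0]
        out.append(("url", "ip" if is_ip(host) else "domain", host))
    if "sha256" in fields:
        out.append(("sha256", "hash", fields["sha256"].lower()))
    return out


def indicator_matches(kind: str, observed: str, ioc: Indicator) -> bool:
    if kind == "domain" and ioc.kind == "domain":
        # Exact match or any subdomain of the indicator; "notevil-example.test" must not match.
        return observed == ioc.value or observed.endswith("." + ioc.value)
    if kind == "ip" and ioc.kind in ("ipv4", "cidr") and is_ip(observed):
        # A bare IPv4 indicator is just a /32 network.
        return ipaddress.ip_address(observed) in ipaddress.ip_network(ioc.value, strict=False)
    if kind == "url" and ioc.kind == "url":
        return observed == ioc.value
    if kind == "hash" and ioc.kind == "sha256":
        return observed == ioc.value
    return False


def scan(log_lines: list[str], iocs: list[Indicator]) -> list[Match]:
    """One Match per (line, indicator), highest confidence first for triage."""
    matches = []
    for line in log_lines:
        seen: dict[Indicator, Match] = {}  # dedupe: dst and URL host may hit the same IOC
        for field, kind, observed in observables(line):
            for ioc in iocs:
                if ioc not in seen and indicator_matches(kind, observed, ioc):
                    seen[ioc] = Match(line, field, observed, ioc)
        matches.extend(seen.values())
    matches.sort(key=lambda m: m.indicator.confidence, reverse=True)
    return matches


if __name__ == "__main__":
    for m in scan(SAMPLE_LOGS, load_feed(IOC_FEED)):
        print(f"[{m.indicator.confidence}] {m.indicator.kind}={m.indicator.value} via {m.field}={m.observed}")
```

Two details matter more in practice than the matching itself: refanging, because a feed value like `evil-example[.]test` never equals anything in a log until it is normalized, and subdomain-aware domain matching, which catches `cdn.evil-example.test` without also matching look-alikes such as `notevil-example.test`. Sorting by the feed's confidence gives analysts a starting order for triage rather than a flat list.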
Operational threat intelligence is similar in many ways to tactical threat intelligence. It tells cybersecurity teams how a particular attack was carried out, as a comprehensive attack narrative covering motives, timing, and the specific techniques used. Operational threat intelligence also draws on external sources, such as dark web forums, to gather information directly from threat actors. Note that the boundaries between these categories vary by source: some vendors and frameworks assign TTPs to operational intelligence and reserve "tactical" for atomic indicators such as IP addresses, domains, and file hashes, so it is worth checking which definition a given provider uses.
As we’ve mentioned, threat intelligence also applies to use cases beyond cybercrime. These standard categories—strategic, tactical, and operational—may not translate to threat intelligence for physical or cyber-enabled threats. For that reason, we’re also introducing some alternative threat intelligence types:
Physical threat intelligence informs security professionals about real-world risks affecting their assets. This often relies on online data sources, such as public social media posts providing ground-truth information, as well as surface, deep, and dark websites. For example, some social platforms or forums could provide conversations from extremist communities indicating public safety risks. Social media also offers visual media coming from an area of interest, such as a conflict zone.
Cyber-enabled threat intelligence encompasses online risks that do not necessarily target computer systems. It’s useful for finding indicators of illicit activity when adversaries use digital communications for non-cyber crimes. For example, this includes fraud, trafficking, counterfeiting, or spreading misinformation.
It’s worth noting that cyber threat intelligence can inform physical security or cyber-enabled crime use cases, and vice versa. Security personnel must consider these different approaches as threat types interact with one another.
The threat intelligence lifecycle models how raw data is transformed into actionable, contextual threat intelligence. It is usually described in six phases (commonly: direction or requirements, collection, processing, analysis, dissemination, and feedback), which are repeated and refined over time as goals shift and new intelligence surfaces.
The intelligence cycle is the status quo for describing threat intelligence development. Some sources, such as this article in the Intelligence and National Security journal, argue that the model is a flawed reflection of real-world intelligence processes. While the cycle makes it easy to understand how raw data becomes finished intelligence, in practice the stages often run concurrently, and decisions may be acted on before a full pass through the cycle is complete.
Threat intelligence has a wide range of applications across public and private sector intelligence teams. These use cases often combine digital and physical threat intelligence, and leverage machine learning to streamline processes. Here’s a broad overview of real-world threat intelligence applications.
Cybersecurity teams are bombarded with thousands of alerts every day, many of them false positives. As analysts face resource constraints and alert fatigue, legitimate risks inevitably slip through the cracks. Threat intelligence solutions use automation and machine learning to support analysts throughout the intelligence cycle, reducing the manual workload during collection, processing, and in some cases, analysis.
Threat intelligence underpins effective cybersecurity, supporting incident response, vulnerability management, third-party security, cybersecurity education, executive decision-making, and other public or private sector functions that rely on cyber threat intelligence.
“Physical security” covers a wide range of applications that are supported by threat intelligence. In many cases, physical and cyber threat intelligence are interconnected. Here are just a few examples:
National security initiatives are supported by threat intelligence gathered from cybersecurity feeds, public online data sources such as the dark web, and offline sources like human correspondence or satellite imagery. Analysts often must gather threat intelligence based on data in multiple languages.
Threat intelligence can provide in-depth context and support decision-making for national security risks including:
Threat intelligence cannot be effectively created or applied without the help of software or third-party providers. At a high-level, threat intelligence tooling accomplishes two things:
Not all threat intelligence solutions are equal, and there is no silver-bullet solution. Intelligence teams typically require a suite of tools to accomplish their goals. Some intelligence professionals, such as those working in defense, may develop bespoke threat intelligence tooling and rely on third-party APIs and integrations to funnel data into a system.
Threat intelligence services and solutions can focus on providing clients with finished intelligence reports (such as Recorded Future), essentially helping them fill multiple roles along the intelligence lifecycle. Other solutions focus on specific lifecycle steps, such as tools that streamline data collection and processing. Threat intelligence products can offer remediation options, which help clients respond to threats.
There’s no right or wrong solution: the appropriate threat intelligence tooling depends on the end user’s goals and requirements.
For example, say a large enterprise aims to gather cyber threat intelligence to improve their risk profile. They also struggle to retain enough skilled analysts. This use case may be suited for a finished threat intelligence service that helps the company stay on top of cybersecurity risks.
Defense teams, on the other hand, have unique threat intelligence requirements that don’t necessarily fit the goals of a finished intelligence service. They tend to work with proprietary tooling and processes and develop their own internal intelligence reports for a specific mission. In this case, a threat data API or tools that cover the early stages of the lifecycle (data discovery, collection, and processing) might be more appropriate.
Regardless of a security or intelligence team’s goals, an effective solution should:
Echosec Systems focuses on supporting data collection, processing, and in some cases, analysis, for non-technical data. This includes a range of surface, deep, and dark web sources, including social media platforms and breached data repositories.
Echosec Systems provides access to a mixture of mainstream and obscure online sources that are not typically combined in commercial threat intelligence solutions. This breadth of data supports both cybersecurity and real-world threat applications, allowing analysts to track online breadcrumbs as they intersect different web spaces and use cases.
Data is accessible via the Echosec Systems Platform, which provides users with an intuitive UI for data collection and processing. Users who already have their own tooling and interfaces—such as those working in SOCs and defense—can funnel data directly into their systems via the Echosec Systems API.
Echosec Systems’ machine learning capabilities also automatically tag and rank content within eight distinct threat categories to help analysts more rapidly contextualize and triage threat data.
Whether the goal is to support a cyber threat intelligence strategy or national security mission, Echosec Systems products improve data quality and accessibility throughout the threat intelligence lifecycle.