What Is Threat Intelligence?
Ransomware is in the news. However, backdoors are actually the most common adversary action, according to the 2023 IBM-sponsored Threat Intelligence Index. Ransomware wasn’t too far behind, begging the question, how are we going to address this cyber climate? That’s where threat intelligence comes in.
But what is threat intelligence? Read on to find out.
What you need to know about threat intelligence
According to the National Institute of Standards and Technology (NIST), threat intelligence is threat information that’s been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for cyber resilience decision-making processes.
Gartner defines threat intelligence, or TI, similarly. The analyst firm refers to TI as evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
What threat intelligence isn’t
That’s a broad definition. And so, one thing to remember about threat intelligence is that it’s actionable data.
In other words, to be “intelligent,” threat information must go through the threat intelligence lifecycle to provide necessary context for decision making.
By this definition, threat intelligence can’t be any of the following:
- A list of indicators without additional context
- Dated information that fails to help an organization protect itself or understand its attackers
- An ignored data source
The two types of threat intelligence
What, then, are relevant examples of threat intelligence?
Well, there’re two types of threat intelligence about which you should know. The types are internal threat intelligence and external threat intelligence.
Internal Threat Intelligence
Internal threat intelligence, as the name suggests, comes from the organization. This type of threat intelligence consists of data points and information that have been collected from within the entity, then organized into meaningful content.
External Threat Intelligence
External threat intelligence comes from without the organizations. Examples of external threat intelligence include:
Data subscriptions or feeds
Often vendor-provided threat information which comes from a delivery mechanism for specific types of data provided at pre-determined intervals. The value of this type of feed is usually only realized when the receiving organization implements the data into its own tools.
Commonality or communal information (by industry or geographic location)
Organizations with similar interests often create industry-specific groups that facilitate the sharing of threat information.
Relationships formed with government entities and law enforcement
This is threat intelligence that comes from relationships with government and law enforcement.
Threat information that comes from platforms that have funneled information from a large group of people.
How else does internal and external threat intelligence differ?
Of course, there’s more to internal and threat intelligence than where they come from. And understanding how else they differ is crucial for your cyber resilience efforts. So, what are the other differences between internal and external threat intelligence?
For starters, internal threat intelligence sources tend to produce more contextually-relevant information.
That’s no surprise. Internal threat intelligence sources are those coming from within the organization.
However, external threat intelligence sources have their importance, as well. Most significantly, they highlight information that organizations aren’t currently aware of.
What to do with threat intelligence?
To maintain cyber resilience, organizations will need both internal and external threat intelligence. What’s more, they will need to know what to do with both sets.
After all, the point of threat intelligence is to use it, irrespective of source, to shorten the time from attack infection to detection and from detection to remediation.
But for this to happen, companies will have to submit both sets of threat intelligence sources to differing tests.
What should those be?
Of external threat intelligence sources, companies should ask:
- What is the fidelity level of the information provided?
- Is the intelligence provided relevant to operations? To the industry?
- Can the intelligence be followed up on with the provider?
- How is the information provided?
And of their internal threat intelligence sources, businesses should ask:
- What we know?
- How have we been attacked?
- What are we/have we been protecting?
Of course, those aren’t the only questions companies should be asking and measures they should be taking.
What else, including investing in the right integrated security management software to help make your threat information actionable, should you be doing with your threat intelligence to keep your organization secure? Check out our Resilience Manager’s Guide to Threat Intelligence to find out.