What is External Threat Intelligence?

7 minute read

External threat intelligence is a rapidly growing focus area for astute security organizations. While Forrester first published it as an official category in the Forrester Wave in 2018, it has actually been around for a long time. You’ve probably heard the term before, but what does it mean? In order to understand external threat intelligence, it’s helpful to understand threat intelligence as a whole first.

What Does Threat Intelligence Mean?

Threat intelligence fundamentally is information that helps organizations understand, identify, prevent and respond to security threats. In the security industry, it can be used interchangeably with the term cyber threat intelligence.

According to Gartner’s industry-standard definition, this means “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Since long before the advent of the internet, intelligence has been used in the military to understand adversaries. As attacks have evolved, large and sophisticated organizations, especially in Financial Services, are increasingly establishing threat intelligence teams to help their organizations strategize around, prevent and respond to cybersecurity threats and adversaries around the globe. These organizations are increasingly turning to external providers for threat intelligence at an exponential rate. In fact, the latest Forrester Wave: External Threat Intelligence Services, Q1 2021 notes that “according to Forrester Analytics’ Business Technographics® survey data, global security decision-makers now subscribe to an average of 7.5 commercial external threat intelligence services, which is up from an average of 4.2 vendors in 2018.” 

What is External Threat Intelligence?

If threat intelligence provides organizations information about potential security threats, external threat intelligence simply focuses on threats outside of an organization.

There’s a great deal of open-source threat intelligence published to different blogs, available from industry groups and websites. Even Twitter has grown to be a key venue for sharing intelligence. Because of the ever-expanding set of external threat intelligence information out there, commercial enterprises have started to consolidate and package up threat intelligence for customer organizations.

Sources of External Threat Intelligence

In order to identify relevant external threat intelligence, you have to look at a lot of different places. This includes dark web chat rooms where threats may be discussed, publicly available information on compromised accounts or security vulnerabilities, and threats to an organization’s public presence like phishing websites or social media profiles that abuse a customer’s brand. All of these represent different forms of threat intelligence and need to be observed to create a complete view of threats facing an organization.

As detailed in our report “Fact vs. Fear: Dark Web Trends Security Teams Need to Focus On,” the hacking group “ShinyHunters” became the most prolific data dumper in 2020 regarding sharing compromised information. Throughout the year, ZeroFox acquired 20 databases with email and password combinations leaked by this group on primarily Raid Forums and added these records to its historical repository of nearly seven billion unique compromised credentials. In total, over 200 unique data dumps were detected circulating freely in various forums this past year and processed for uploading to the repository, including a massive leak from the now-defunct breached database site Cit0Day.

RaidForums Profile of ShinyHunters Hacking Group
RaidForums Actor Leaking Full Cit0Day Collection Data

Finally, when defining external threat intelligence, it’s also worth comparing it to internal threat intelligence, which comes from security teams analyzing their organization’s network. Internal threat intelligence can come from past threats the team has identified and from gathering information from DNS, application and firewall logs, amongst other sources.

Three Types of External Threat Intelligence

The most commonly defined types of threat intelligence are strategic, tactical, and operational. Strategic threat intelligence provides a macro view of the threat landscape as it tracks high-level trends affecting particular industries, regions, or systems.

Operational threat intelligence can include the tactics, techniques and procedures (TTPs) or different methods attackers use in relevant threats. That can consist of the modus operandi for different groups. Are they sending out spear-phishing links, or are they taking a broader approach? Are they using phishing kits or creating their own phishing sites?

Tactical intelligence dives into the nitty-gritty of threats. It can take the form of individual indicators or things like feeds of URLs, IP addresses, or malware file hashes that help organizations identify hazards as they monitor their perimeter.

Why is External Threat Intelligence Important?

External threat intelligence is important because organizations have a growing threat profile. The types of threats continue to vary, and new threats are introduced every day as organizations expand remote operations and add new software tools. Many organizations gather their own internal threat intelligence, but organizations rarely have the level of in-house monitoring to claim a comprehensive view of their external attack surface alone.

While external threat intelligence is important from a traditional security perspective to identify potential threats to your business network and critical systems, it also includes a growing type of threat intelligence that identifies threats that exist entirely outside your network. This includes fraud, scams, information leaks, and other challenges that can hurt your business operations and your brand, which is an incalculably valuable asset for businesses. 

Key Attributes of Effective Threat Intelligence

Every year, threat intelligence is coming from more and more places, be they new covert channels on peer-to-peer chat services or new niche social networks, so it’s important to make sure that you’re choosing the right threat intelligence to focus on.


In this world of fake news, it’s tough to ensure the validity of everything that you see. But taking action on the wrong threat intelligence can waste valuable time and resources and ultimately cause more headaches. For that reason, it’s important to make sure you leverage trustworthy sources as you put together your threat intelligence portfolio.


For any action to be worthwhile, for cybersecurity or in the broader world, there needs to be a clear endgame in mind. For threat intelligence, that means there needs to be a clear action to be taken. Clarity can come from context, but actionable threat intelligence really means that there needs to be some direct impact, be it blocking a particular IP or URL or setting up further monitoring around a potential campaign to be effective.


There needs to be enough context around each indicator or finding for the consumer to understand the reason for the classification. It can provide much-needed background, verify findings or help you correlate multiple indicators to identify larger patterns.


In addition to everything else in this section, threat intelligence is of no use if it’s in a hard-to-understand format or if it doesn’t easily integrate into your existing systems or business processes such that it’s hard to adopt. Therefore, threat intelligence must be structured in a way that’s easy for your organization to use.


If you’re receiving a large amount of threat intelligence, but it doesn’t relate to your organization, it will not be useful. While not everything that a threat intelligence provider finds will be relevant to every customer organization, it’s important the particular feed is a match for the threat intelligence an organization is looking for. Tailored threat intelligence, provided via a managed service, can often be the answer to ensure the intel hits the mark. 


Finally, while it may be essential that we learn from the past to create effective threat intelligence, the primary value of effective threat intelligence is in preparing consumers for the future. Stale data can waste time and resources, causing you to miss out on the newest threats that may significantly impact your business.

ZeroFox’s Unique Threat Intelligence and Response

ZeroFox provides complete external threat intelligence encompassing all of the major qualities needed to be effective. ZeroFox uses a combination of an extensive Threat Research team, now boosted by the acquisition of Cyveillance and the ZeroFox AI-powered platform to ensure accuracy in our findings.

One of ZeroFox’s biggest strengths is in actionability. Not only does ZeroFox help build context around each threat, but ZeroFox provides direct recommendations as well as easy actions and integrations to respond to and mitigate threats directly. The power of ZeroFox managed services is the expertise to vet content and to provide it to customers in a timely manner so that they react to threats as early as possible and can reduce the impact a threat will have.

ZeroFox has expanded its threat intelligence offerings to go beyond indicators and alerts. Services include deep-dive reports, security forensics, threat assessments, research projects, and ad-hoc analyst projects. All services follow industry best practices and can be customized to meet the specific needs of your security and risk management programs.

Learn more about the state of the External Threat Intelligence Services market and see how ZeroFox stacks up against other threat intelligence vendors by downloading a copy of the Forrester Wave: External Threat Intelligence Services here

To learn more about ZeroFox’s threat intelligence solution, check out our video.

See ZeroFox in action