What Is Threat Intelligence?
Threat intel has always been understood as contextualized data that can be leveraged to disrupt active threats. This has been true since the first lookout warned their group of a predator nearby, tens of thousands of years ago. Fundamentally, threat intelligence is analysis of information that decision makers use to shape their protection strategies.
Digital transformation refocused the threat intelligence discussion among security experts, analysts and marketers, who have concentrated on outputs such as feeds of IOCs and other network-centric data. Threat intelligence’s core purpose is often left behind in this conversation. Protecting the asset remains the core mission of TI regardless of medium. ZeroFox’s sole focus is to protect our customers’ identified assets. The combination of our hyper-focused proprietary collection methodologies and advanced analysis allows us to generate indications of threats, which helps our customers shape their strategic and operational protection efforts and thereby protect their brands, employees, customers and networks. Early warning of potential threats reduces the overall risk to our customers’ business and protects its value.
The old cliché “Where you stand depends on where you sit” still rings true when it comes to threat intelligence. When asked for a definition, network security analysts may be inclined to list types of indicators of compromise (IOCs). Security Operations Center analysts might look beyond IOCs to discuss tactics, techniques and procedures (TTPs). Physical and Executive Protection teams are likely to focus on direct threats made by disgruntled employees against facilities. Meanwhile, executives see intelligence as the critical knowledge required to understand the organization’s overall risk. And they’re all right in their own respect. Even industry analysts have their own definition (here’s a Gartner blog on the topic, for example). All of these interpretations are core parts of threat intelligence, and each individual statement is true to its persona.
The Core Attributes of Threat Intelligence
Regardless of the consumer, most would agree on the core value of threat intelligence: that “threat intelligence must make you more knowledgeable and lead to better outcomes.” All of the above are aspects of threat intelligence, but none of them on its own provides a holistic approach.
Several years ago, Cyveillance (recently acquired by ZeroFox!) took the stance that, ultimately, threat intelligence wasn’t intelligence unless it included the following three attributes:
- Relevancy: The data needs to apply to your mission. Irrelevant data creates false signal and leads to inaccurate analysis.
- Actionability: You need to be able to do, or decide not to do, something with the data set.
- Added Business Value: Taking action increases the monetary value of your business by reducing costs, reducing risks, or enabling action.
Threat intelligence is consumed by, and can facilitate the daily activities of, many different people within an organization, from the tactical to the operational to the strategic level. The intelligence each role receives, and the manner in which it consumes it, is the key to understanding the value of threat intelligence.
Tactical – the daily grind
Tactical threat intelligence is focused on identifying and remediating existing threats and ensuring those threats are prevented using internal playbooks. The main users of this type of intelligence are the security analyst and the team manager. Threat intelligence in this role is experienced at the “indicator level,” through machine-readable feeds into SIEMs and TIPs, and reduces risk by emphasizing “sources and methods.” Remediation speed is the key performance indicator within this function. Understanding relevancy, actionability and the value of taking action all play into deciding whether to spend the resources required to act.
When it comes to tactical intelligence, the Security Analyst and Team Manager’s main concerns are:
- Keeping data within the network
- Keeping bad actors out of the network
- Keeping employees and executives safe
- Maintaining brand equity in the eyes of our customers
Having access to a wide net of unique sources, such as the dark web, and unique methods to collect data is critical to a tactical threat intelligence program. The true value of a strong tactical intelligence program is realized through integrations, enabling analysts to view all relevant threat data within a single pane of glass.
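The tactical section above describes indicator-level feeds flowing into SIEMs and TIPs, and says that relevancy, actionability and value decide whether an analyst spends resources on an indicator. The following added example (not ZeroFox’s or Cyveillance’s code) shows one way a team could encode that triage in an ingest step: each indicator from a constructed feed is kept only if it touches a protected asset (relevancy) and is then routed to an existing control or to manual review (actionability). The feed, asset list, control map and log lines are all constructed placeholders, not real indicators or a real organization.

```python
"""Triage a machine-readable indicator feed against an organization's own
assets so only relevant, actionable indicators reach the SOC queue.
All data below is constructed for illustration; none of it is a real IoC."""

# Constructed sample feed (documentation-range IPs, reserved .test/.example names).
SAMPLE_FEED = [
    {"type": "domain", "value": "examplebank-login.test",
     "context": "phishing page impersonating brand", "confidence": 80},
    {"type": "ipv4", "value": "203.0.113.7",
     "context": "mass scanner", "confidence": 30},
    {"type": "domain", "value": "unrelated.example",
     "context": "malware c2 (no link to our assets)", "confidence": 90},
    {"type": "email", "value": "ceo@examplebank.test",
     "context": "appears in credential dump", "confidence": 70},
    {"type": "ipv4", "value": "198.51.100.9",
     "context": "brute-force source", "confidence": 60},
]

# Constructed firewall log lines used to decide whether an IP is relevant
# (i.e. it has actually touched our perimeter).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z fw ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:02Z fw ACCEPT src=192.0.2.4 dst=10.0.0.5 dport=443",
]

# The organization's protected assets (hypothetical).
PROTECTED_ASSETS = {
    "brands": {"examplebank"},
    "domains": {"examplebank.test"},
    "executives": {"ceo@examplebank.test"},
}

# Controls that can consume an indicator type automatically (hypothetical).
# There is deliberately no control for "email": such hits still matter, but
# they need a human, so they are routed to manual review.
CONTROLS = {"domain": "dns-sinkhole", "ipv4": "perimeter-block"}


def observed_sources(log_lines):
    """Collect source IPs seen in the constructed firewall logs."""
    seen = set()
    for line in log_lines:
        for token in line.split():
            if token.startswith("src="):
                seen.add(token[len("src="):])
    return seen


def is_relevant(indicator, assets, observed_ips):
    """Relevancy: does this indicator touch something we protect?"""
    kind, value = indicator["type"], indicator["value"].lower()
    if kind == "domain":
        # Exact protected domain, or a lookalike carrying one of our brands.
        return value in assets["domains"] or any(b in value for b in assets["brands"])
    if kind == "email":
        return value in assets["executives"] or value.rsplit("@", 1)[-1] in assets["domains"]
    if kind == "ipv4":
        # An IP from a feed is only relevant if it actually reached us.
        return value in observed_ips
    return False


def triage(feed, assets, controls, log_lines):
    """Return relevant indicators with an action, highest confidence first."""
    observed = observed_sources(log_lines)
    queue = []
    for indicator in feed:
        if not is_relevant(indicator, assets, observed):
            continue  # irrelevant data is noise; drop it before it hits the SOC
        queue.append({
            "type": indicator["type"],
            "value": indicator["value"],
            "context": indicator["context"],
            "confidence": indicator["confidence"],
            # Actionability: route to an automated control if one exists,
            # otherwise to an analyst.
            "action": controls.get(indicator["type"], "manual-review"),
        })
    return sorted(queue, key=lambda row: row["confidence"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_FEED, PROTECTED_ASSETS, CONTROLS, SAMPLE_LOGS):
        print(f"{row['confidence']:>3} {row['type']:<6} {row['value']:<26} -> {row['action']}  ({row['context']})")
```

Of the five constructed indicators, only three survive: the brand-impersonating domain and the executive's address are relevant by asset match, and one scanner IP is relevant because it appears in the logs; the unrelated C2 domain and the unobserved brute-force IP are filtered out before anyone spends time on them. Each surviving row carries its context and the control that can act on it, which is the "contextualized, actionable" shape the attributes above call for.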
Operational – teamwork to make the dream work
The goal of operational intelligence is to communicate the state of the threat landscape to the organization and organize cross-functional resources to best protect the organization. The main user within this function is the CISO who is responsible for cross-functional communication outside of the security team and the allocation of team resources.
Being able to communicate with non-technical business stakeholders is critical for this threat intelligence function. Typically, operational communication comes in the form of written reports by dedicated analysts providing human-readable context. By socializing threat data, threat intelligence teams are able to create allies within the organization and establish credibility across the business and with the executive team.
Strategic – C-Level risk and business discussions
Strategic intelligence’s ultimate goal is to facilitate and guide executive-level decision making. The highest-level consumer is the C-suite. This requires that the analysis and understanding be elevated to a strategic level. The CEO, CFO, CRO or similar persona will need to speak about trends and the overall risk direction of the industry in an effort to proactively plan for the future.
This intelligence should drive business-level decisions that are projected over prolonged periods of time, typically the next one to two years. This is where global, strategic intelligence deliverables can be used to great effect.
Some common deliverables of strategic threat intelligence include:
- Executive level written reports
- Presentations on top threats and trend analysis
- Charts and diagrams showing threat trends
The ZeroFox Approach: Actionable Threat Intelligence
The ZeroFox approach focuses on the question “How can our consumer derive value from the intelligence we produce?” Threat intelligence is a key part of ZeroFox’s DNA. We are now accelerating our traditional capabilities by adding the Cyveillance threat data lake and subject matter expert analysts.
High-quality threat intelligence services are designed with a single aim: to make organizations smarter and more capable of meeting their ultimate mission of protecting the organization. The end result of the intelligence cycle is a flexible set of deliverables that can be exploited on multiple business levels, from the Security Operations Center (SOC) to the boardroom.