What is Threat Intelligence?
Threat intelligence, also called Cyber Threat Intelligence (CTI), is information about existing or emerging cyber threats and digital threat actors, processed or analyzed by cybersecurity experts, that helps organizations understand, identify, prevent, and respond to risks in the digital space.
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Intelligence is a unique kind of information, and cyber threat intelligence involves more than just gathering information. Threat intelligence is the output of a strategically driven process of collecting and analyzing information that pertains to the activities of digital threat actors and can be used to understand and mitigate harmful cyber threats.
3 Levels of Threat Intelligence
Threat intelligence experts often differentiate between three levels of threat intelligence: strategic, operational, and tactical. Each level provides a different perspective that can help organizations anticipate and mitigate cyber threats.
- Strategic Threat Intelligence deals with high-level information about the cyber threat landscape as it pertains to a given organization. Strategic intelligence aims to identify digital threat actors, understand their motivations for targeting organizations in a particular market sector or industry vertical, and assess the potential risks and implications of a successful attack.
- Operational Threat Intelligence is focused on understanding the tactics, techniques, and procedures used by digital threat actors to penetrate target organizations. Effective operational threat intelligence gives organizations the ability to anticipate how cyber criminals might attack their systems, and which digital infrastructure components are likely to be targeted.
- Tactical Threat Intelligence is the most basic form of threat intelligence. This level of threat intelligence is primarily concerned with identifying Indicators of Compromise (IOCs), such as file names, IP addresses, and domain names, that can be used by SecOps teams to proactively hunt for threats in enterprise networks.
5 Attributes of Effective Threat Intelligence
Threat intelligence is only effective when the organization can use it to understand and mitigate a potential cyber attack. Ineffective threat intelligence still comes at a cost, but provides limited or no benefit to the organization.
Effective threat intelligence should have the following attributes:
- Accurate – Threat intelligence must be consistently accurate and correct, such that organizations can confidently act on it without second-guessing its reliability.
- Complete – Complete threat intelligence is thorough and provides the details that organizations need to mitigate the threat. Incomplete threat intelligence limits an organization’s ability to proactively utilize that intelligence for detecting or preventing a cyber attack.
- Relevant – Threat intelligence must be relevant to the organization to be of use. Intelligence pertaining to a digital threat against manufacturing companies would be useless to businesses operating in the financial or health sectors.
- Easy-to-Use – Threat intelligence should be presented in a format that is easy to understand, emphasizes the most important information, and recommends a course of action that the organization can take to mitigate the threat.
- Timely – The best threat intelligence relates to the most current threats against an organization’s networks and systems. Threat intelligence reporting must occur on a regular basis, and must be put into action quickly enough to positively impact the organization’s security posture.
What is the Threat Intelligence Cycle?
Threat intelligence is more than simply collecting information about cyber threats and digital threat actors. The process of generating and distributing high-quality, actionable threat intelligence is known as the threat intelligence cycle and may be described in six phases:
- Planning and Direction – In the Planning and Direction phase, threat intelligence analysts establish the scope of their intelligence-gathering activities by identifying and prioritizing information assets and business processes that must be protected, and recognizing where new threat intelligence can fill gaps in existing organizational knowledge.
- Data Collection – In the Data Collection phase, threat intelligence analysts gather relevant threat data from a variety of sources across the public and private attack surface. Data sources may include network event logs, external threat intelligence feeds, the deep and dark web, and others. Data collection may yield strategic intelligence (e.g. the identities of digital threat actors), operational intelligence (e.g. TTPs), or tactical intelligence (IOCs).
- Data Processing – Before threat data can be analyzed at scale, it must be cleaned, transformed, and processed. AI-based threat intelligence platforms like ZeroFox help analysts normalize, structure, and deduplicate threat data so it can be analyzed to produce useful insights.
- Data Analysis – In the data analysis phase, a combination of human and AI-based analysis is used to transform threat data and information into actionable threat intelligence. At ZeroFox, we analyze threat data using automated machine learning and AI-driven processes to deliver the most accurate and relevant threat intelligence to our customers.
- Data Production – In the data production phase, threat intelligence is validated, sorted, and arranged into contextually relevant visualizations and dashboards that make it easier for cybersecurity experts to identify what’s important, draw meaningful conclusions, and implement the right procedures for mitigating threats.
- Distribution and Feedback – In the final phase of the threat intelligence cycle, analysts compile finished threat intelligence into reports and deliver those reports to the appropriate stakeholders, which often include CSOs, SecOps, and incident response teams. CTI analysts collect feedback on these reports to support continuous improvement of their threat intelligence activities.
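The Data Processing step above (normalize, structure, deduplicate) and the earlier description of tactical IOC hunting both come down to the same mechanics. As an added example that is not ZeroFox's code or any product's logic, the following Python sketch normalizes and deduplicates indicators from two constructed feed records (defanged, mixed case, one stale), ages out anything older than the chosen window, and hunts for the survivors in constructed log lines; all addresses and domains are documentation-range placeholders.

```python
import re
from datetime import date

# Constructed feed records: mixed case, defanging ("hxxp", "[.]"), a trailing dot, one stale entry.
FEED = [
    {"type": "domain", "value": "Malicious-Update[.]Example",  "last_seen": "2024-05-01"},
    {"type": "domain", "value": "malicious-update.example.",   "last_seen": "2024-04-20"},
    {"type": "ip",     "value": "203.0.113[.]45",             "last_seen": "2024-05-03"},
    {"type": "ip",     "value": "198.51.100.7",               "last_seen": "2023-01-15"},
    {"type": "domain", "value": "hxxp://staging.example.net", "last_seen": "2024-05-02"},
]

# Constructed DNS/proxy log lines to hunt over.
LOGS = [
    "2024-05-04T09:12:03Z host=ws-17 dns query=malicious-update.example",
    "2024-05-04T09:14:41Z host=ws-22 proxy dst=203.0.113.45:443",
    "2024-05-04T09:15:10Z host=ws-09 proxy dst=198.51.100.7:80",
    "2024-05-04T09:16:00Z host=ws-31 dns query=intranet.example",
]

def refang(value):
    """Undo common defanging and casing so indicators can be matched literally."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    v = re.sub(r"^https?://", "", v)      # keep only the host part of a URL-style indicator
    return v.rstrip(".")                  # drop a trailing FQDN dot

def normalize_feed(feed, today_iso, max_age_days=90):
    """Normalize, deduplicate and age out indicators; returns {type: set(values)}."""
    today = date.fromisoformat(today_iso)
    iocs = {}
    for rec in feed:
        age = (today - date.fromisoformat(rec["last_seen"])).days
        if age > max_age_days:            # stale intel is dropped (the timeliness attribute)
            continue
        iocs.setdefault(rec["type"], set()).add(refang(rec["value"]))
    return iocs

def hunt(logs, iocs):
    """Return (log line, indicator type, indicator) for every IOC seen in the logs."""
    lookup = {v: kind for kind, values in iocs.items() for v in values}
    hits = []
    for line in logs:
        for tok in re.findall(r"[a-z0-9.-]+", line.lower()):
            if tok in lookup:
                hits.append((line, lookup[tok], tok))
    return hits

HITS = hunt(LOGS, normalize_feed(FEED, "2024-05-04"))  # two hits: one domain, one IP
```

The aged-out 198.51.100.7 entry produces no hit even though it appears in the logs, which is the point of enforcing a freshness window before indicators reach the hunt.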
Safeguard Your Organization with ZeroFox Global Threat Intelligence
ZeroFox leverages the world’s only historically complete threat data lake to produce full-spectrum intelligence tailored to your organization.
ZeroFox’s team of 150+ threat analysts conducts research and AI-backed analysis at a global and individual scale to help you better understand the global threat landscape, plus identify and address targeted threats against your enterprise.
Check out our free webinar ATT&CK or Be Attacked: Using Threat Intelligence to Disrupt Targeted Threats to Your Brand’s Perimeter to learn more about how security teams are leveraging threat intelligence to improve the resiliency of digital infrastructure against cyber attacks.