
What is Threat Intelligence?

Threat intelligence combines data from various internal and external sources to understand existing and emergent cyber risks to the business and strengthen defensive strategies. A successful threat intelligence program triangulates threat information, filters and prioritizes threats based on business risk, and feeds back into internal systems and security controls. Threat intelligence is a key component of a mature cybersecurity program.

Why is threat intelligence important?

Cyber threat intelligence surfaces the current and emergent threats to the organization. By understanding the tactics, techniques, and procedures of adversaries, organizations can more effectively counter threats before, during, and after a security event.

Threat intelligence programs help organizations make more effective decisions about how to address vulnerabilities, conduct testing strategies, develop incident response plans, and ensure business continuity in the case of an event. Threat intelligence teams work in collaboration with cyber risk teams and security teams.

What is a threat intelligence system?

A threat intelligence system is a central hub that collects and analyzes cybersecurity data and generates insights from it. These systems help trace security events, determine which threat actors are involved, and brief security teams on how to respond. They often draw upon cyber threat intelligence (CTI), a collection of internal and external data sources that provide context to the system.

A threat intelligence system works as part of a holistic security software solution. Solutions like AWS Security Hub often integrate threat intelligence lifecycle activities for centralized management.

What are the components of the threat intelligence lifecycle?

The threat intelligence lifecycle is a continuous process that requires regular updates and reviews.

Here are the main stages of the threat intelligence lifecycle.

Environment scope

Before deploying a threat intelligence program, organizations must define their systems, data, networks, services, users, and other organizational assets. Organizations should classify organizational assets by operational criticality and data sensitivity. By understanding the scope of the organizational environment, it becomes possible to understand which threats will be relevant to the business and which assets may be a larger target.

Threat data collection

Once scoping is complete, the next step in the cyber threat intelligence lifecycle is to collate numerous data sources into a central source of truth. The threat intelligence system will ingest internal security data, system reports, and external sources like real-time open-source and vendor-distributed threat feeds, vulnerability databases, and social media and dark web monitoring.

This stage aims to capture as much threat data as possible to obtain a comprehensive range of information. Data ingestion at this stage is highly automated, constant, and not filtered for business scope.

Data processing

After data collation, the organization then filters, structures, standardizes, enriches, and transforms it to make it useful. Unstructured data is transformed into a machine-readable format, while structured data is cleaned to improve data quality and tagged with metadata. Redundant and out-of-scope data is removed. Processing should be as automated as possible.

Analysis

The analysis phase transforms threat intelligence data into actionable insights for the business. Automated systems will begin to identify patterns and relationships in any processed data, looking for anomalies, discrepancies, or results that cybersecurity teams investigate further.

At this stage, data analysts can use a range of advanced techniques, like applying machine learning and predictive modeling, to map specific threat indicators. These processes are both manual and automatic, designed to provide security teams with relevant and useful insights that inform cyber defense strategies.
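The processing and analysis stages described above, as an added illustration that is not code from the original page or from AWS: constructed feed entries in two raw formats are normalized, deduplicated, filtered against an assumed environment scope (the organization's internal networks), and tagged with metadata; the resulting IOC set is then correlated with constructed firewall log lines. All addresses, tags and log lines are made up for the example.

```python
import ipaddress
# Environment scope (constructed): the organization's own ranges; feed indicators
# inside them are out of scope and are dropped during processing.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed feed entries in two raw formats (documentation addresses, not real IOCs).
RAW_FEED = [
    "203.0.113.7,c2,2024-05-01",                                                # CSV vendor feed
    {"indicator": "198.51.100.23", "tags": ["scanner"], "seen": "2024-04-28"},  # JSON OSINT feed
    "203.0.113.7,phishing,2024-05-02",                                          # same IOC, second source
    "192.168.1.5,internal-test,2024-05-01",                                     # out of scope
    "not-an-address,c2,2024-05-01",                                             # malformed line
]

# Constructed internal firewall log lines (one of the page's internal data feeds).
FIREWALL_LOGS = [
    "2024-05-02T10:00:01Z ALLOW src=10.0.0.4 dst=203.0.113.7 dport=443",
    "2024-05-02T10:00:05Z ALLOW src=10.0.0.9 dst=93.184.216.34 dport=80",
    "2024-05-02T10:00:09Z DENY src=198.51.100.23 dst=10.0.0.4 dport=22",
]

def process_feed(raw_entries):
    """Processing stage: normalize, deduplicate, scope-filter and tag indicators."""
    indicators = {}
    for entry in raw_entries:
        if isinstance(entry, str):                       # CSV line
            value, tag, seen = entry.split(",")
            tags = [tag]
        else:                                            # JSON object
            value, tags, seen = entry["indicator"], entry["tags"], entry["seen"]
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            continue                                     # malformed: skip, do not poison the set
        if any(addr in net for net in INTERNAL_NETWORKS):
            continue                                     # out-of-scope address
        rec = indicators.setdefault(str(addr), {"tags": set(), "first_seen": seen, "sources": 0})
        rec["tags"].update(tags)                         # merge metadata from duplicate entries
        rec["sources"] += 1                              # more independent sources, more confidence
    return indicators

def analyze(logs, indicators):
    """Analysis stage: correlate internal log lines with the processed IOC set."""
    findings = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        for role in ("src", "dst"):
            hit = indicators.get(fields.get(role))
            if hit:
                findings.append({"ioc": fields[role], "role": role, "tags": sorted(hit["tags"]), "line": line})
    return findings
```

The findings list is what the reporting stage would hand to analysts; the `sources` count is a simple confidence signal that a real program would replace with the feed's own scoring.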

Reporting

Reporting delivers the outcomes of threat intelligence analysis to business stakeholders and relevant teams. Reports are tailored to the audience and may include limited dashboards, text files, presentations, or other forms of communication.

The reporting stage is often automated, with threat intelligence systems generating a report and distributing it to any required personnel. When larger security threats surface, they may trigger the need for manual reporting.

Teams may also report new and unknown threats to the wider community, so that other organizations can integrate this information within their own systems.

Monitoring and adjusting

Threat intelligence systems monitor potential security issues, trace IOCs, and support security teams. A threat intelligence system is a key piece of software within a 24/7 staffed security operations center (SOC).

During analysis, teams can trace indicators of compromise (IOCs) related to potential security events to develop incident response plans and playbooks, deploy new or adjusted security controls, make system architecture changes, and update the risks to the business. This informed response helps a company maintain its security posture.

Teams must learn from unexpected security events and new information to then iterate and improve on their previous performance. Security teams can review the performance of security tools, comment on responses, and flag inconsistencies to help threat intelligence software continuously improve.

What are the features of threat intelligence programs?

The features of a cyber threat intelligence program depend on business environment complexity, sensitive data requirements, and compliance obligations. Here are some of the most common features of threat intelligence programs.

Data feeds

Data feeds refer to all of the sources of information that threat intelligence platforms rely on to deliver their insights. These threat intelligence services are a core component of a threat intelligence program.

External data feed sources include real-time open-source intelligence (OSINT), public threat feeds, and information provided by government cybersecurity agencies. Internal data feed sources include firewall logs, user access behaviors, intrusion detection system (IDS) alerts, endpoint logs, and cloud service telemetry.

Technologies

Threat intelligence draws upon several technologies that work in harmony to deliver data, analyze information, and provide actionable insights for security teams. For example, some threat intelligence software helps to ingest and organize data, as well as share insights directly with security teams when they need to take action.

Analytics technologies are essential in finding patterns and anomalies in data that help to flag potential security events. The analytical capabilities of cyber threat intelligence refer to any technology that teams use to enhance the clarity, precision, and depth of data. These include machine learning analysis, predictive algorithms, and behavioral analytics.

Security information and event management (SIEM) systems correlate internal security log data with event information to offer real-time insight into how emerging threats could impact your business. Some companies also embed in-app warnings into their products, which give developers additional context on potential bugs while they work on the affected components.

Frameworks

Frameworks that include threat intelligence offer a standardized structure for organizations to follow. These frameworks are highly valued and regularly updated to include descriptive and prescriptive guidance for organizations. Two cybersecurity frameworks that focus on threat intelligence are the MITRE ATT&CK framework and the Cyber Kill Chain. Both describe adversary tactics, common attack vectors, and IOCs.

Activities

Cyber threat intelligence systems engage in a number of activities to generate insights and improve their capabilities. For example, these systems may conduct real-time risk assessments, patch known vulnerabilities with updates, respond to incidents with feedback, and offer cybersecurity experts insight into which events they should prioritize.

What are the different types of threat intelligence?

There are four main types of cyber threat intelligence that security professionals will utilize.

Strategic threat intelligence

Strategic threat intelligence refers to broader threat landscape information that systems collect, including geopolitical data, economic data, and other non-technical intelligence that can be useful in building a contextual profile of a potential security event. This type of non-technical, strategic threat intelligence provides valuable insights that help in understanding wider security vulnerabilities and their development.

Tactical threat intelligence

Tactical threat intelligence refers to collecting information that relates to adversary tactics, techniques, and procedures (TTPs), including TTPs from advanced persistent threats (APTs). Industry-wide intelligence is shared on public security feeds. This information gives security professionals an understanding of the typical behavior of specific attacks, the vectors used, and the sequence of actions that occurs in any given security event.

Technical threat intelligence

Technical threat intelligence refers to any machine-identified signs of compromise. These IOCs, such as the presence of malicious IP addresses, unexpected URLs, firewall responses, or sudden changes in the expected operational values of a system, are flagged for teams to investigate further.

Operational threat intelligence

Operational threat intelligence is a composite form of intelligence that sits between tactical and technical information. It offers insight into industry-wide knowledge, such as a specific form of ransomware or malware being seen increasingly in certain companies or regions. Operational threat intelligence allows companies to take steps to mitigate potential security events before they occur.

How does AWS support your threat intelligence program?

AWS Cloud Security helps secure your cloud environment with dedicated threat intelligence integrations, automation, and visualizations. AWS Cloud Security helps to identify potential risks, protect infrastructure by adopting data protection measures, monitor security posture for unexpected events, and even respond directly to incidents.

AWS Security Hub prioritizes your critical security issues and helps you respond at scale to protect your environment. It provides threat intelligence and detects critical issues by correlating and enriching signals into actionable insights, enabling a streamlined response.

Get started with threat intelligence on AWS by creating a free account today.