What is Cyber Threat Intelligence and Why Does it Matter?
According to the 2020 Crowdstrike Global Security Attitudes Survey,
• 71% of respondents are more worried about ransomware attacks due to COVID-19
• 73% believe that nation-state-sponsored cyberattacks will pose the single biggest threat to organizations in 2021
• The average estimated time to detect a cybersecurity incident or incursion is still worryingly high at 117 hours
In the ever-expanding threat landscape, there’s an ongoing battle between the good guys and the villains. The good guys, i.e. organizations and their IT security teams, are trying to protect their information and systems from the bad guys, i.e. threat actors armed with sophisticated cyber attack tools and easy access to “X-as-a-Service” platforms on the dark web.
The good guys now realize that they cannot win this battle of wits by being reactive. As security breaches, data thefts, and malware attacks increase everywhere and every day, organizations need a more effective, more proactive security strategy that protects them from attackers in real time. This is where cyber threat intelligence is a game-changer.
What is Cyber Threat Intelligence?
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.”
Simply put, threat intelligence is not just raw data about threat vectors, threat actors, or their tactics, techniques, and procedures (TTPs). Data about potential attackers, their motivations and capabilities, and the Indicators of Compromise (IoCs) they leave behind is a big part of what makes threat intelligence useful. What turns that data into intelligence, however, is context: analysis that relates it to the organization’s own assets and exposure.
Producing threat intelligence means collecting, processing, and analyzing threat data. More importantly, it supplies the context that lets analysts understand the threats to their IT infrastructure, make informed decisions, and take proactive action to prevent or mitigate cyber attacks.
The Importance of Cyber Threat Intelligence
Threat intelligence is not only contextual; it is also timely and actionable. It empowers organizations to identify cyber threats and take the right action to protect their assets: networks, systems, and data.
Between 2020 and 2021, the average cost of a data breach rose from $3.86 million to $4.24 million. Moreover, between Q1 and Q2 2020, publicly reported data breaches in the U.S. increased by 38%. The cost of cyber attacks is clearly increasing, so organizations can no longer afford to sit back and wait for one to happen. They need a way to understand the probability of an attack and shore up their defenses before it happens, and for this a robust threat intelligence program is critical.
Since threat intelligence provides key data about threat actors and their intents and capabilities, it enables security professionals to better understand the threat landscape. It also reveals previously unknown threats and helps them tailor the enterprise defense strategy to prevent attacks. And if – or more likely when – an attack does happen, it provides timely, relevant information that improves incident response and remediation.
Cyber Threat Intelligence Tools
Threat intelligence tools automatically review data feeds from disparate sources to collect and process actionable threat data. They automate the threat investigation process and provide vital, tailored context around threats to endpoints and around IoCs such as malicious IP addresses, domains, and file hashes. This enables security analysts to start analyzing (and acting on) the most relevant threats immediately, instead of spending their time on manual review, prioritization, and triage.
The best threat intelligence tools integrate with existing security ecosystems to boost enterprise security with minimal friction. Some tools also ingest unstructured data from various sources, such as vendor reports and forum posts, and build a holistic picture of IoCs and the TTPs of threat actors.
Reporting is another key capability of threat intelligence tools. With updated and actionable intelligence reports, security teams can respond faster to threats and proactively get ahead of threat actors.
Types of Threat Intelligence
There are three main types of threat intelligence – each serving a different purpose for a specific audience.
Strategic Threat Intelligence
Benefit: Shows how long-term, large-scale events can impact the organization’s security posture, and supports business decision-making about cybersecurity
Aimed at: C-Suite, Board
Strategic intelligence enables leaders to understand the cyber threat landscape and its risks to the organization. This intelligence is less technical and usually comes in the form of reports. Because it synthesizes geopolitical, industry, and business context into a risk picture, it is hard to automate and relies on human collection, research, and analysis. Automated data collection and processing can still support that work by handling the raw volume of sources, leaving analysts to produce the high-value strategic judgments.
Operational Threat Intelligence
Benefit: Aims to understand adversarial capabilities and TTPs to streamline and improve cybersecurity operations
Aimed at: Threat hunters, SOC analysts, vulnerability management, and incident response teams
As the name suggests, operational threat intelligence focuses on the operational aspects of cyber threats, such as threat actor capabilities and TTPs. It enables security teams to build adversary profiles, understand them better, and even predict their next move. This type of threat intelligence usually includes technical information that reveals attack vectors plus context, so security personnel can implement more targeted and prioritized actions to protect the enterprise.
Tactical Threat Intelligence
Benefit: Focuses on the short term with contextual, technical information about TTPs and IoCs
Aimed at: SOC analysts and system architects; consumed directly by SIEM, firewall, and endpoint controls
Tactical intelligence is almost always automated. It enables the enterprise to recognize immediate threats along known threat vectors and take action to block potential attacks. IoCs can become obsolete in a matter of days or hours as attackers rotate infrastructure and rebuild malware, so feeds need expiry handling: a stale indicator that keeps matching produces false positives and alert fatigue. Even so, tactical intelligence remains useful as a means to improve incident response and strengthen existing security controls.
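As an added example (not code from this article, its author, or any vendor product), the following Python script does the core job described in the Tools section and in the tactical intelligence section above: it ingests an IoC feed, drops indicators that are past their expiry, matches the remaining ones against proxy, DNS, and EDR log lines, and orders the hits by confidence so the strongest go to the analyst first. The CSV feed shape, the key=value log format, the indicator values, the confidence numbers, and the "now" timestamp are all constructed for the illustration and are not from any real feed.

```python
"""Added example: matching a tactical IoC feed against log lines, with IoC expiry.

Illustration code written for this article, not code from the article's author
or from any threat intelligence product. The feed, the log lines and the
timestamp used as "now" are all constructed.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed feed. Real feeds arrive as CSV, JSON or STIX over TAXII; the
# fields that matter are the same: indicator type, value, confidence and an
# expiry assigned by the publisher (valid_until).
FEED_CSV = """\
type,value,confidence,valid_until,context
ipv4,203.0.113.45,90,2024-06-30T00:00:00Z,C2 server for a loader campaign
domain,update-check.example.net,70,2024-06-03T00:00:00Z,payload staging domain
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,95,2024-12-31T00:00:00Z,dropper hash
ipv4,198.51.100.7,40,2024-05-20T00:00:00Z,internet scanner (low confidence)
"""

# Constructed proxy, DNS and EDR log lines in a simple key=value shape.
LOGS = [
    "2024-06-01T10:15:02Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://203.0.113.45/gate.php",
    "2024-06-01T10:16:40Z dns client=10.0.0.33 query=update-check.example.net rcode=NOERROR",
    "2024-06-01T10:17:05Z edr host=ws-17 file=tmp.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2024-06-01T11:02:11Z proxy src=10.0.0.12 dst=93.184.216.34 url=https://example.com/",
    "2024-06-01T11:30:00Z proxy src=10.0.0.40 dst=198.51.100.7 url=http://198.51.100.7/",
]

# Evaluation time, chosen so that the last feed entry has already expired.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# One extractor per indicator type; extracted values are lower-cased before lookup.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Indicator:
    type: str
    value: str
    confidence: int
    valid_until: datetime
    context: str


@dataclass
class Match:
    indicator: Indicator
    log_line: str
    hours_left: float  # hours until the publisher's expiry; small values mean "act now"


def load_feed(csv_text: str) -> list[Indicator]:
    """Parse the CSV feed; valid_until is normalised to an aware UTC datetime."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        valid_until = datetime.fromisoformat(row["valid_until"].replace("Z", "+00:00"))
        out.append(Indicator(row["type"], row["value"].lower(), int(row["confidence"]),
                             valid_until, row["context"]))
    return out


def active_indicators(feed: list[Indicator], now: datetime) -> dict[tuple[str, str], Indicator]:
    """Keep only unexpired entries so stale IoCs cannot generate alerts."""
    return {(i.type, i.value): i for i in feed if i.valid_until > now}


def scan_logs(logs: list[str], feed: list[Indicator], now: datetime) -> list[Match]:
    """Extract candidate values from each log line, look them up in the active set,
    and return matches ordered by confidence so analysts triage the strongest first."""
    active = active_indicators(feed, now)
    matches = []
    for line in logs:
        seen = set()  # the same IoC can appear twice in one line (dst= and url=)
        for ioc_type, pattern in EXTRACTORS.items():
            for value in pattern.findall(line):
                key = (ioc_type, value.lower())
                if key in active and key not in seen:
                    seen.add(key)
                    ind = active[key]
                    hours = (ind.valid_until - now).total_seconds() / 3600
                    matches.append(Match(ind, line, hours))
    matches.sort(key=lambda m: (-m.indicator.confidence, m.indicator.value))
    return matches


if __name__ == "__main__":
    for m in scan_logs(LOGS, load_feed(FEED_CSV), NOW):
        print(f"[{m.indicator.confidence:>3}] {m.indicator.type}={m.indicator.value} "
              f"({m.indicator.context}; expires in {m.hours_left:.0f}h) <- {m.log_line}")
```

Run as written, the scanner reports the dropper hash, the C2 address, and the staging domain, in that order, and says nothing about 198.51.100.7 because its entry expired before the evaluation time. The staging domain shows 36 hours left, which is the kind of signal a SOC would use to decide whether a block rule is still worth pushing.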
Conclusion
From risk analysis and vulnerability management to alert triage and fraud prevention – there are many use cases for cyber threat intelligence. By effectively leveraging threat intelligence, modern organizations can protect themselves from short-term threats. Equally important, they can also understand the long-term cyber threat landscape and implement the right security strategies to strengthen their infrastructure and secure their assets. Threat actors are everywhere. Threat intelligence provides a means to identify them and beat them at their own game.