The term Threat Intelligence refers to the practice of collecting data, information and knowledge that keeps an organization informed about potential cyber security threats. Threat intelligence can be used to gather data on cyber attacks that have happened in the past, are currently happening, or that may affect the organization in the future. Through threat intelligence, IT organizations gain a deeper understanding of their security vulnerabilities and can accurately organize and prioritize tasks to mitigate known threats.
Threat intelligence can be derived from external sources, such as open source information sharing or communications between threat information sharing groups. It can also come from internal information sources, such as an organization's Security Information and Event Management (SIEM) or log management tool. Threat intelligence feeds directly into other critical enterprise security functions like security planning, incident response, alerts and blocking.
Threat intelligence helps organizations understand and mitigate the risks of some of the most common types of cyber attacks, including zero-day threats, advanced persistent threats (APTs) and more.
IT organizations collect threat intelligence from a variety of sources to ensure they gain as much proactive knowledge as possible about cyber security threats that could impact their deployed applications and network. Broadly speaking, sources of threat intelligence can be placed in two separate categories: internal and external.
- Internal threat intelligence requires IT organizations to source and analyze data from their own networks, including event and application logs, firewall logs, DNS logs and other sources. IT organizations can also maintain information about past security events to help extract further threat intelligence. This could include data on the systems that were affected in the incident, the specific vulnerabilities exploited by the attacker and the indicators of compromise that were detected, along with packet data and other raw supporting data.
- External threat intelligence entails sourcing threat intelligence from a variety of sources outside the organization. These can include open source intelligence that is publicly available (blogs, news reports, public block lists, etc.), private or commercial sources such as vendors of threat intelligence software and even corporate sharing groups that have agreed to pool information on potential cyber security threats.
Threat intelligence plays a major role in maintaining an acceptable overall security posture for IT organizations. Importantly, threat intelligence feeds directly into security operations tasks that are vital for maintaining the security of your IT infrastructure and corporate hybrid cloud environments.
Threat Intelligence and Security Planning
IT security analysts must determine how best to allocate financial and managerial resources towards effectively securing the IT infrastructure against cyber attacks. To achieve this, analysts use threat intelligence as a critical input for their security planning. Knowledge of past, present and future cyber threats is used to inform security architecture decisions and define processes and procedures in ways that protect against known threats.
Threat Intelligence and Alerts
If your IT security team has collected log data from past security events, that data can be used to set up an automatic alert that will detect when a similar event happens in the future. Security alerts are one of the basic use cases for threat intelligence, as they enable a computer to immediately recognize a known threat based on its signature activity on the network. The alert can be configured from inside an enterprise SIEM tool that may even be able to initiate an automated response to block or quarantine the threat.
Threat Intelligence and Incident Response
Threat intelligence feeds directly into the security event and incident response process. IT organizations correlate observed Indicators of Compromise (IoCs) with known threats to determine how best to respond when an intrusion is observed on the network.
Through a variety of monitoring tools, IT organizations can collect plentiful information regarding potential security threats, but how is that information distilled into meaningful threat intelligence? All useful items of threat intelligence can be characterized using three key attributes: they are evidence-based, create utility for the organization and are actionable by the organization in a useful way.
Evidence-based threat intelligence simply means that the threat has been rigorously validated and the IT organization has confirmed that the threat is real. Without adequate evidence, any perceived threat might not be real, so it is vital that IT organizations can produce or view real evidence of a given threat. It is easy to produce evidence for threats that are discovered internally, but the IT organization may have to rely on its partners to provide evidence for threats that are discovered externally.
A good piece of threat intelligence should have some utility for the organization: there needs to be strong potential for the intelligence to have a positive impact on how security incidents are handled.
Threat intelligence should also be actionable, in the sense that the information should drive the development of a new security control or policy that mitigates the threat. In many cases, security analysts can achieve this by configuring an alert that fires when the threat is detected via an Indicator of Compromise (IoC).
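As an added example that is not part of the original article, the following Python script ties together the alerting, incident-response correlation and actionability points above: it extracts indicator-shaped tokens from log lines, looks them up in an IoC feed, and raises an alert only when the matching indicator carries enough supporting evidence. The feed entries, log lines, threat names and confidence scores are all constructed for illustration and are not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed threat-intelligence feed: hypothetical indicators, not real IoCs;
# each entry keeps its evidence trail (source) and an analyst confidence score.
IOC_FEED = {
    "203.0.113.42": {"threat": "Example-C2", "source": "internal past incident", "confidence": 90},
    "malicious-update.example": {"threat": "Example-Dropper", "source": "sharing group", "confidence": 70},
    "ab" * 32: {"threat": "Example-Dropper", "source": "commercial feed", "confidence": 40},
}

# Constructed firewall, DNS and endpoint log lines in a key=value style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.42 dport=443 action=allow",
    "2024-05-01T10:00:02Z dns client=10.0.0.7 query=malicious-update.example rcode=NOERROR",
    "2024-05-01T10:00:03Z dns client=10.0.0.7 query=www.example.org rcode=NOERROR",
    "2024-05-01T10:00:04Z edr host=ws-12 file=setup.exe sha256=" + "ab" * 32,
]

# Token shapes for IPv4, SHA-256 and domain indicators. Over-matching (e.g.
# "setup.exe" looks domain-shaped) is harmless: only feed members become alerts.
PATTERNS = [
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    re.compile(r"\b[0-9a-f]{64}\b"),
    re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
]
@dataclass
class Alert:
    line: str
    indicator: str
    threat: str
    source: str
    confidence: int

def extract_candidates(line: str) -> set[str]:
    """Pull every IP-, hash- and domain-shaped token out of one log line."""
    return {m.group(0) for p in PATTERNS for m in p.finditer(line.lower())}

def match_iocs(lines, feed=IOC_FEED, min_confidence=50) -> list[Alert]:
    """Correlate log lines with the feed; alert only on sufficiently validated IoCs."""
    alerts = []
    for line in lines:
        for token in sorted(extract_candidates(line)):
            hit = feed.get(token)
            if hit and hit["confidence"] >= min_confidence:
                alerts.append(Alert(line, token, hit["threat"], hit["source"], hit["confidence"]))
    return alerts

if __name__ == "__main__":
    for a in match_iocs(SAMPLE_LOGS):
        print(f"ALERT [{a.confidence}] {a.threat} via {a.indicator} ({a.source})")
```

Lowering `min_confidence` surfaces the weakly evidenced hash hit as well, which is the trade-off between coverage and alert noise an analyst tunes when onboarding a new feed.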
There are four broad sub-types of threat intelligence that IT organizations can use to beef up their security posture. Each one represents a different type of threat information that can be applied to improve IT security.
- Strategic Intelligence provides a high-level, risk-based viewpoint that is most relevant for executive decision-makers rather than being directly actionable by IT security analysts.
- Tactical Intelligence contains detailed information about the threat actor's tactics, techniques and procedures (often abbreviated TTPs) for carrying out a specific type of cyber attack.
- Operational Intelligence consists of actionable information about a specific upcoming attack. Operational intelligence is rarer than other types of threat intelligence, but can serve as a timely warning against an upcoming security threat.
- Technical Intelligence is mostly derived from internal sources and essentially consists of technical threat indicators that are picked up through event logs aggregated in a SIEM.
Sumo Logic's security analytics platform incorporates industry-leading threat intelligence capabilities from CrowdStrike that offer up-to-date IOC data that can be used to detect the newest cyber threats and stop them in their tracks with configured alerts and other countermeasures. Sumo Logic can replace your legacy SIEM tool, or co-exist with an existing SIEM solution.