Threat intelligence - definition & overview

The term threat intelligence refers to collecting data, information and knowledge that keep an organization informed about past, present, or potential cyber-attacks. Threat intelligence helps organizations understand and mitigate the risks of some of the most common types of cyber attacks, including zero-day threats, advanced persistent attacks (APTs) and more.

Through threat intelligence, IT organizations gain a deeper understanding of their security vulnerabilities and can accurately organize and prioritize tasks to mitigate known threats.

Threat intelligence can be derived from external sources, such as open-source information sharing or communications between threat information-sharing groups. It can also come from internal information sources, such as an organization's Security Information and Event Management (SIEM) or log management tool. Threat intelligence feeds directly into other critical enterprise security functions like security planning, incident response, alerts and blocking.

Broadly speaking, sources of threat intelligence can be placed in two separate categories: internal and external.

• Internal threat intelligence requires IT organizations to source and analyze data from their networks, including event and application logs, firewall logs, DNS logs and other sources. IT organizations can also maintain information about past security events to help extract further threat intelligence. This could include data on the systems that were affected in the incident, what specific vulnerabilities were exploited by the attacker and what indicators of compromise (IoC) were detected, along with package data and other raw supporting data.

• External threat intelligence entails sourcing threat intelligence from a variety of sources outside the organization. These can include open source intelligence that is publicly available, like blogs, news reports, public block lists, private or commercial sources such as vendors of threat intelligence software, and even corporate sharing groups that have agreed to pool information on potential cyber security threats.

Threat intelligence plays a major role in maintaining an acceptable overall security posture for IT organizations. Importantly, threat intelligence feeds directly into security operations tasks that are vital for maintaining the security of your IT infrastructure and corporate hybrid cloud environments.

IT security analysts must determine how best to allocate financial and managerial resources toward effectively securing the IT infrastructure against cyber attacks. Analysts use threat intelligence as a critical input for their security planning to achieve this. Knowledge of past, present and future cyber threats is used to inform security architecture decisions and define processes and procedures to protect against known threats.

If an IT security team has collected log data from past security events, that data can be used to set up an automatic alert that will detect when a similar event happens in the future. Security alerts are one of the basic use cases for threat intelligence, as they enable a computer to immediately recognize a known threat based on its signature activity on the network. The alert can be configured inside an enterprise SIEM tool that may even initiate an automated response to block or quarantine the threat.

Threat intelligence feeds directly into the security event and incident response process. IT organizations correlate observed indicators of compromise (IoCs) with known threats to determine how best to respond when an intrusion is observed on the network.

Through a variety of monitoring tools, IT organizations can collect plentiful information on potential security threats, but how is that information distilled into meaningful threat intelligence? All useful items of threat intelligence can be characterized using three key attributes: they are evidence-based, create utility for the organization and are actionable.

Evidence-based threat intelligence means that the threat has been rigorously validated and the IT organization has confirmed that the threat is real. Without adequate evidence, any perceived threat might not be real, so it is vital that IT organizations can produce or view real evidence of a given threat. It is easy to produce evidence for threats that are discovered internally, but the IT organization may have to rely on its partners to provide evidence for threats that are discovered externally.

A good piece of threat intelligence should have some utility for the organization. There needs to be a strong potential for intelligence to impact security incidents positively.

Threat intelligence should also be actionable, meaning it should drive the development of a new security control or policy that mitigates the threat. In many cases, security analysts can achieve this by configuring an alert when the threat is detected via an IOC.

There are four broad sub-types of threat intelligence that IT organizations can use to beef up their security posture. Each represents a different type of threat information that can be applied to improve IT security.

• Strategic intelligence provides a high-level, risk-based viewpoint that is most relevant for executive decision-makers rather than being directly actionable by IT security analysts.

• Tactical intelligence contains detailed information about the threat tactics, techniques and procedures (sometimes abbreviated TTP) for carrying out a specific type of cyber attack.

• Operational intelligence consists of actionable information about a specific upcoming attack. Operational Intelligence is rarer than other types of threat intelligence but can serve as a timely warning against an upcoming security threat.

• Technical intelligence is mostly derived from internal sources and consists of technical threat indicators picked up through event logs aggregated in a SIEM.

Sumo Logic Threat Intelligence allows users to integrate their threat feeds alongside public and commercial sources. This feature empowers organizations to customize their security intelligence by directly importing diverse data points or "indicators," such as host names, file hashes, IP addresses and other potential compromise targets, into Sumo Logic.

Stored in a specialized data repository rather than as standard logs, these indicators can be queried and analyzed extensively. This capability ensures that users can tailor their threat intelligence to specific security needs, enhancing the detection and mitigation of cyber threats.

This feature, available across all Sumo Logic products, allows customers to fortify their security posture by effectively harnessing external intelligence and proprietary threat data.