What is Threat Intelligence and why is it important?
In recent years, cyberthreat intelligence has become an important supporting pillar in a mature cybersecurity strategy. When applied well, threat intelligence can help security teams defend against an ever-more sophisticated threat landscape before, during and after attack. By studying adversaries and understanding their strategies and objectives, organizations can build more effective, more refined and more robust cyberdefenses.
The challenge, as will be outlined in this series, is to understand how threat intelligence can be used to help organizations of all sizes strengthen their security posture and accelerate security decision-making processes. With a smarter and more targeted response to cyberthreats, organizations can allocate (often scarce) security resource more efficiently, proactively getting ahead of future attacks and raising the barrier to entry for cybercriminals intent on breaking in.
There is of course no one-size-fits all approach to cybersecurity as a whole, let alone threat intelligence. However, threat intelligence can start to provide a greater level of understanding around the factors which lead to attacks, mitigate the impact of one when it happens, and proactively put in place measures to protect the organization and its infrastructure. Similarly, this article is not intended to be 100% comprehensive in its discussion of threat intelligence themes. Instead, it provides information and guidelines to help build a program or improve their existing setup. It first addresses a problem of definition in threat intelligence, followed by explanations around its usage and application, and concludes by offering advice around implementation and deployment.
Gartner: Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
What threat intelligence is not
Threat intelligence then, is broadly is a collection of enriched or correlated data points about existing or potential threats which can help an organization improve their security. These can be simple technical indicators on one side of the spectrum to in-depth profiles of adversaries on the other – but the key is that they are contextualized and actionable. The use of such a wide-ranging definition means that vendors of all stripes are able to say that they offer ‘threat intelligence.’
There is an argument that this definition is simply too broad, creating confusion in the market. It is helpful to therefore offer some explanation of what threat intelligence isn’t. Data, information and intelligence are too often used interchangeably, and this muddies the waters when it comes to choosing between different solutions.
This is the raw material, often extracted in huge quantities, unstructured and requiring processing before it can be called information, and then intelligence. IOCs are a good example of this: a list of IP addresses or domain names is usually high volume and can be ingested by an SIEM solution to try to make sense of it all. We can’t call it intelligence, however, because the data is not immediately actionable and has no context.
Information is selectively extracted and, when organized, provides more detail for its users than the sum of its parts. If datapoints are simply statements of fact, then information entails a more structured grouping which allows its users to make an analysis of trends or ask questions of it. Still, it is still not immediately actionable, even though it has context, and cannot be interrogated to the same extent threat intelligence can.
What threat intelligence is
Threat intelligence is what threat data or threat information become when they have been gathered and evaluated from trusted, reliable sources, processed and enriched, then disseminated in a way where it can be considered actionable to its end-user. Source code or JSON files from an underground forum need to be reformatted, for example, or relevant articles need archiving and indexing, in order to make this data and information usable as intelligence. Intelligence means that the end-user can identify threats and opportunities in the cybersecurity landscape, using accurate, relevant, contextualized information. By eliminating the need to sort through thousands of alerts from data, security teams can maximize their own limited resources and accelerate their decision-making processes.
Due to the extraordinarily time-poor nature of their roles, this is where external threat intelligence providers really come into their own. Using automated or manual correlation, internal teams are able to reach out to other organizations to help them prioritize alerts and indicators. Threat intelligence utilized in this way is outlined in the process below.
Gathering data should rely on a broad range of reliable sources to enable high quality threat intelligence. This should not rely solely on log data gathered by SIEMs – many organizations use their Security Incident and Event Manager as a collection source – because good intelligence relies on a broad range different sources for broader coverage. These range much wider than IP addresses, domains and file hashes. What about leaked confidential information, compromised credentials, or credit card numbers? These necessarily rely on a huge variety of sources on the open, deep and dark web, as well as closed and private forums which threat intelligence analysts gain access to.
Processing and actionable delivery
The second stage after gathering is to sort and enrich the data. At Blueliv, this relies on a combination of automated threat classification and scoring, OSINT and HUMINT, plus various other threat identification and enrichment methodologies. This is where the dots are joined together. We can extract useful metadata from botnet samples from one side, a dark web forum actor profile on the other, but putting them together is whether the intelligence really is – that a certain actor is advertising certain malware targeting a certain sector, for example. The intelligence is targeted and contextualized, allowing security teams to identify and prioritize incidents based on the level of criticality.
Integration, visualization and dissemination
Depending on how the end-user requires the data at this point, the intelligence can start being put into production.
Machine-readable data may be distributed directly into a SIEM through flexible APIs and plug-ins. Threat lists can be used to create firewall rules, signatures for incident response platforms, or a list of domains to be blocked.
A note here, however, on the difference between data feeds and threat intelligence. A data feed is a list of indicators which can be correlated with internal security systems. If there is a match, then an action can happen. It is tempting to ask why we need actionable, relevant threat intelligence when we can simply gather all the threats that are on the internet, pump them into a machine for correlating and then see what we need to do.
The truth is these feeds often become very burdensome to security teams, unless customized targeting is employed to manage the data that the SIEM ingests and correlates. Blueliv’s MRTI feeds, for example, arm clients with ultra-fresh data relating to crimeservers, bot IPs, malware hashes, attacking IPs from honeypots, hacktivist activities and TOR IPs. However, their aggregation and management are required when plugged into customers’ existing setup. With huge amounts of unstructured data ingested, more potential security incidents can be detected, but these have to be manually sifted in order to avoid false positives. When processed correctly, data feeds from reliable sources can certainly help an organization improve their security. But when processed and combined with other contextual information, the data moves towards becoming highly valuable threat intelligence. It is important to note that the intelligence comes from the context associated with the IOCs which trigger the alerts – is this a targeted attack? A world-wide distributed campaign? An old domain which is no longer a threat?
At a more human level, in-depth reports can be shared with analyst teams, or delivered via a dynamic dashboard. It is key to put the data into a finished format which allows it to be consumed easily by those humans or machines that need it. A DevOps team will have very different needs to C-level management. To make the intelligence actionable for their purposes, the intelligence should be relevant to different levels and formats. This is where we can divide threat intelligence into different categories.
Categories of threat intelligence
Threat intelligence can be divided broadly into three categories: Tactical, Operational and Strategic. This section will differentiate between the three and assess where there is overlap. At the organizational level it is important to determine which type of threat intelligence is delivered to the right decision-maker in the right way, at the right time.
Tactical intelligence is technical and comparatively short term. It might be as simple as looking for IOCs, but this is not to underestimate its importance – it is focus is to deliver meaningful information to those in need of it immediately. In other words, tactical threat intelligence is information from known attacks, as a result of direct action by cybercriminals, which have the potential to immediately influence cybersecurity decision-making. It supports daily operations and events and is limited in analysis.
Real-time solutions are common providers of this sort of intelligence – providing IOCs like file hashes, malicious domains, email subjects, links and attachments, registry keys, filenames, DLLs etc. and can be delivered through MRTI feeds or simple integration with security products. This sort of immediate threat intelligence is relatively easy to gather, process and disseminate.
However, there are several shortcomings when it comes to tactical threat intelligence. First, it is relatively short term in nature, due to the fact that some IOCs, such as a malicious domains, can become obsolete very quickly. Furthermore, the ever-evolving threat landscape dictates that sources must be timely and of high quality – if not, this category of intelligence tends to generate false positives.
Operational threat intelligence provides a greater level of context than tactical threat intelligence. Though still focusing on the near to immediate consequences of threat actors’ activities, it offers insight into their motivations, capabilities and objectives. While remaining technically focused, it helps teams assess specific incidents relating to events and investigations, helping guide and support incident response. With this in mind, TTPs or tactics, techniques and procedures (and how to foil them) are key components of operational threat intelligence. This sort of intelligence, augmented by human analysis, lasts longer than tactical intelligence – where threat actors can change their tools (malware families, botnet infrastructure etc.), it is more difficult for them to change the ways they use them.
Strategic intelligence informs its users about high-level cyber-risk that tends to be associated with foreign policy, global events and movements on the internet which can impact the cyber safety of an organization. This situational intelligence helps decision-makers allocate budget to investments that best protect their enterprise, align it to strategic business priorities, and make long term calculations regarding how their organization and sector might be affected by its environment – both digital and otherwise.
It is the most complex form of intelligence to generate and is human resource-intensive. It demands a nuanced understanding of the cyberthreat landscape and assesses disparate sources before integrating to form an overall picture of long-term issues for decision-makers. A strategic threat intelligence report identifies overarching trends and patterns, alongside operational and tactical intelligence. An easy-to-read example would be our report into The Credential Theft Ecosystem.
|Tactical||Security events, IOCs like file hashes, malicious domains, emails, links and attachments, registry keys, filenames, DLLs||MRTI, data feeds||Short-term|
|Operational||Malware family behavior and profiles, threat actors, human behavior, tactical intel, TTPs, communications and persistence techniques||Reports, lists and trend patterns||Medium-term|
|Strategic||Operational intelligence, cyberthreats in the context of business objectives, mapping online threats onto geopolitical events||Reports, trends, methodologies||Long-term|
When to use threat intelligence
By this stage it should be clear that threat intelligence is multi-purpose and can be used in many different practical ways. On the tactical level, knowing the type of adversary that they’ll be up against enables decision makers to allocate resource and put in place appropriate defense measures. On an operational and strategic level, executives can make long-term business decisions based on intelligence, and take necessary risks based on the reward and ROI. It is critical to create a strong culture of cybersecurity within the organization, extending from management team to newest hires, who recognize and can implement the value of threat intelligence before, during and after and attack.
Before an attack
As discussed above, a common application is on the tactical side, where technical indicators are used to block known bad IPs, URLs, hashes etc. By integrating tactical threat intelligence directly in intrusion detection systems, firewalls and SIEMs, organizations can detect emerging and known threats before an attack happens and automatically defend against them.
All categories of threat intelligence can be used proactively as well as reactively too. It is an opportunity to get one step ahead of the attackers, using contextualized information about emerging and known threats. For example, intelligence about specific malware families and infrastructures used to attack organizations in the insurance sector allows insurers, who have not yet been breached, to put in place appropriate defenses. Likewise, a threat actor analysis might flag up that a particular sector or organization is at risk, giving security teams an opportunity to protect themselves before it is too late. If you know the exploit kits commonly used in an attack you would prioritize patching the vulnerabilities exploited proactively.
In sum, the better prepared a security team is, the stronger its security posture. Threat intelligence helps teams prioritize their activities to counter threats which have the highest probability of occurring and protect assets which have the highest probability of being targeted.
During an attack
One of the most commonly-used phrases in the business is ‘acceleration’ and it is clear why. Threat intelligence can speed up triage processes, for a start. Intelligence-driven incident detection – when inputted into SIEMs and endpoint solutions – massively speeds up the time it takes to detect and respond to events. Faced with too many alerts, too many false positives and lack of context, it can be difficult to determine which incidents to focus on (and after, spend too much time investigating them). Contextualizing this data – turning it into intelligence, as described above – allows security teams to prioritize more effectively and streamline their workflow. For example, automatic correlation, using qualified information from the likes of Threat Context – helps orchestration systems prioritize relevant IOCs.
Furthermore, threat intelligence can be used for a technique known as threat hunting, when an attack has already commenced. This means looking for the tell-tale signs that an incident is occurring, rather than waiting for the alerts to come through that the attack has happened. Operational intelligence allows security teams to hunt for subtle evidence, including file removals, changes to running processes, registry settings and other signs of presence. This intelligence also allows security teams to narrow down what they are looking for, with a greater understanding of the motivations of the attacker. In other words, intelligence can accelerate detection, prioritization and hunting activity.
After an attack
At the most basic level, threat intelligence can provide the required detail for forensics, investigations and reporting after an attack takes place. It brings us back to the beginning of the cycle too – and allows us to perform continuous cyber-hygiene within an organization to prevent future attacks. The bad guys are constantly testing new ways to exploit organizational infrastructure, so remaining static when it comes to security protocols is a sure-fire way to get breached.
When investigations start, threat context and attribution speed up the process. Incident response teams can very quickly gain a full understanding of the cybercriminals TTPs, protect assets which are being targeted, and fully evaluate the scope of the incident across the whole organization. Furthermore, intelligence ‘connects the dots’ – where alerts may have appeared disconnected at first may point to a much more advanced attack than first anticipated. For example, a malicious IP is detected by your SIEM, but your contextualized intelligence tells you that this IP is part of a campaign by a specific threat actor that is has previously been targeting banks but now has broadened its scope. There are other IOCs related to this actor, so you feed these into your systems to prevent future attempts to penetrate.
Threat intelligence also helps with red-teaming activities. Red teams are a designated group with tactical experience who are persistently challenging a company’s security protocols. The idea is to identify weaknesses before the bad guys do. To be effective, they must operate relatively independently, challenging the assumptions of your security team and trying a variety of attack techniques without prior notice to employees. These sort of ‘surprise’ attacks, on a routine but irregular basis, can be most effective in exposing flaws and weaknesses in organizations’ security posture. Generally, red teaming is an immensely valuable method to strengthen your organization’s security conditioning and must be informed by threat intelligence.
The benefits of real-time, dynamic threat intelligence
So, it is clear that quality threat intelligence helps accelerate threat detection, prioritization and incident response capabilities. Trying to detect threats is like looking for the proverbial needle in the haystack. Sorting through false positives and the reams of data that you collect, combined with ever-more sophisticated TTPs employed by cybercriminals, means this haystack isn’t getting any smaller. Threat intelligence means that you can focus scarce cybersecurity resources on where they are most needed at the tactical, operational and strategic levels.
Real-time threat intelligence can help you maintain visibility of landscape so that your security infrastructure is able to respond to the latest threats, in real-time. This includes detecting malicious activity already inside your network, analyzing it and helping your security team understand the attackers’ objectives. Many companies are yet to see the value of adding threat intelligence to their cybersecurity infrastructure as a crucial layer of deep defense.
In part, this is due to the misconception that the expense is significant and not worth the ROI. This may be true of vendors who push a one-size-fits-all approach – you either buy or you don’t. On the other hand, the clear benefit of cyberthreat intelligence delivered through modules is that it works to a pay-as-you-need model. Organizations are able to select the modules which are most relevant to their business and plug the gaps in their cybersecurity infrastructure.
Other articles in this series will discuss the practical applications of threat intelligence to particular sectors, from banking, to insurance, to retail and others. For now, we offer some generic uses based on the threat intelligence modules that Blueliv provides.
Threat intelligence from Blueliv
We divide the intelligence we provide into two main areas:
1. Blueliv Threat Compass provides a central point of control for automated operational, tactical and strategic threat intelligence. It uses sophisticated algorithms to ingest data from open, closed and private sources on the open and dark web, correlating and enriching it, before delivering structured, actionable intelligence through its different modules. These modules address various cyberthreat categories that could impact a business from a cybersecurity perspective: from identifying targeted malware variants, tracking stolen credit card details and confidential credentials belonging to the organization, to plugging data leaks, finding rogue mobile apps, uncovering hacktivist activities and targeted phishing campaigns against the customer’s organization.
2. Our machine-readable threat intelligence (MRTI) feed arms clients with ultra-fresh data around Bot IPs, crimeservers, attacking and TOR IPs, malware and hacktivist activities. This dynamic data stream allows customers and their security analysts to identify IoCs (Indicators of Compromise) and manage threats effectively. It is simple to set up and offers frictionless integration with SIEMs (Security Information and Event Management products), firewalls, TIPs and other security products, because of translation from human to machine-readable formats and rapid dispersion to cloud and on-site security infrastructure. These customizable feeds plug in using APIs developed by Blueliv for this purpose.
Freshness and broadness of data
We are able to provide ultra-fresh information, which is often extremely important. For example, the very early detection of compromised credentials (no more than a few days after they have been compromised) can massively reduce the impact of their theft, since cybercriminals will not have time to use them and achieve their (financial) objectives. We also have the broadest threat collection on the market due to our automated gathering mechanisms and number of alliances, turning global threat data from open, closed and private sources into targeted intelligence.
Blueliv Threat Compass is developed with the end user in mind. The interface itself is extremely easy to use, and even more importantly the information it provides is accessible to all levels within an organization. This means you don’t need an expert analyst to process the intelligence. If you want to dig deeper, however, Threat Compass has significant detail to help security analysts with their investigations. For example, forensic investigations and post-incident reporting demand a level of detail for a variety of stakeholders. Analysts want to know how it happened, while CISOs and the management want to be assured that it won’t happen again. Threat Compass can provide both.
Collaboration at our core
We believe the fight against cybercrime is a collaborative effort, and in order to build the most effective defenses, organizations must share intelligence as openly as possible – a hivemind of cybersecurity professionals fighting the bad guys is infinitely better than siloing ourselves. We consistently strive to build new partnerships, alliances and drive forward initiatives like the Threat Exchange Network, a growing community of cybersecurity professionals, academics and law enforcement agents. Its primary function is to share news, views and IOCs, breaking down barriers more efficiently.
Modular threat intelligence
Threat Context provides security teams with continuously updated and intuitive information around threat actors, campaigns, IOCs, attack patterns, tools, signatures and CVEs. A database of 90 million+ items offers graphical interrelationships, so analysts can rapidly gather enriched, contextualized information before, during and after an attack. – Threat Context Module
Find actionable intelligence around leaked, stolen and sold user credentials. We locate them in real-time on the open, deep and dark web, along with information about relevant malware used to steal the information. Blueliv’s sinkholes, honeypots, crawlers and sensors are continuously searching for your stolen credentials, helping eliminate blind spots in your threat landscape. – Credentials Module
Dig deep enough and you can find all sorts of credit card data online. This module can dramatically reduce losses from theft and fraud of credit cards. We retrieve stolen credit card data and provide information to help organizations mitigate the damage. – Credit Card Module
Monitor global hacktivism activity on social networks and the open and dark web that can affect your infrastructure. Using an advanced early-warning system and active geolocator, the module generates targeted threat intelligence to shield against potential attack vectors. – Hacktivism Module
Malicious and illegal applications are hiding in plain sight in non-official marketplaces, luring your customers away and even stealing their data. Our module specializes in detecting applications claiming affiliation to your organization or using company assets without authorization to protect your brand and reputation. – Rogue Mobile App Module
Monitor your organization’s digital footprint on social networks and search engines. Find websites not authorized to use your brands, logos, assets claiming partnership affiliation assets and more, so you can take proactive steps to shut them down. Social Media Module
Discover if your organization’s sensitive documents have been leaked on the internet, deep web or P2P networks, intentionally or not, such as with shared internal documents with poorly-secured file sharing providers. – Data Leakage Module
Our targeted malware module allows you to detect malware seeking to steal sensitive information or commit fraud. The aggressive solution proactively hunts down targeted malware and ‘Man in the Browser’ attacks, aimed specifically at your organization. Through robust and continuous analysis of millions of samples per month, we provide forensic reporting on malware behavior targeting your systems. – Malware Module
Boost your awareness of what’s going on in the underground, observe malicious activities targeting your organization and proactively prevent future attacks. Gain an advantage by putting a spy in the enemy’s camp: become better informed about criminals targeting your organization; proactively prepare countermeasures; find stolen user credentials. – Dark Web Module
Fraudulent domains are a risk to your organization and your end customers, with the goal of stealing information or damaging your brand. Combat phishing and cybersquatting by proactively detecting attacks and take countermeasures. – Domain Protection Module
Threat intelligence is one of the most critical weapons we can use in cyberdefense. In an ever-evolving threat landscape, security teams often find themselves one or two steps behind the attackers. This is not just because of the attackers using new TTPs, but also because environments are becoming more complex, expanding attack surfaces and affording them greater opportunities.
In this article, we defined what threat intelligence is – and what it isn’t – by differentiating it from data and information. We then discussed the process converting this raw material into intelligence, and how it then becomes categorized into tactical, operational and strategic. We discussed how it can be used before, during and after an attack, before covering the benefits of working with it in real time.
Other articles in this series will discuss who should be using threat intelligence, from CISOs to CIRT teams. We’ll also provide information around how to evaluate threat intelligence vendors and the services they provide, the questions to ask them, and indeed to ask yourself.