Smarter Security

Threat intelligence provides the actionable information organizations need to enhance their security strategies.

Most security tools are designed to detect and defend against specific types of cyberattacks. Firewalls allow only trusted traffic to flow through, while intrusion prevention systems examine data packets and drop those that appear to be malicious. Antimalware solutions look for viruses, Trojans and other malicious software and keep them from causing damage to systems.

These tools are very effective at combatting known threats. But as Gartner noted in a recent report, “leading indicators of risk to an organization are difficult to identify when the organization’s adversaries, including their thoughts, capabilities and actions, are unknown.” That’s why advanced persistent threats (APTs) and zero-day exploits are so hard to detect using traditional security tools.

Typically, however, there are clues. Security threats don’t exist in a vacuum. The challenge lies in uncovering those clues and using them to predict how and when a cyberattack might take place.

That’s the role of threat intelligence. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” In other words, threat intelligence tells organizations who is targeting them, what tactics are being used, and what systems or data are being targeted so they can take action.

“As an organization seeks to hone its information security team and harden its security posture, it is a natural step to consider the use of TI. Detecting incidents sooner, and potentially even preventing them, is the overall goal of TI. Mature information security teams often see TI as a way to bolster the environment and prepare for both known and unknown threats,” wrote cybersecurity consultant Matt Bromiley in a recent SANS Institute whitepaper.

What Is Threat Intelligence?

The term “intelligence” is frequently used in a military context. It refers to the gathering and assessment of data about the enemy’s size, movements and capabilities so that leaders can develop the best strategy. The FBI has defined intelligence as “information that has been analyzed and refined so that it is useful to policymakers in making decisions — specifically, decisions about potential threats to our national security.”

The same definition could be used for threat intelligence by replacing “policymakers” with “IT security professionals” and “national” with “organizational.” Threat intelligence isn’t raw, unfiltered data but information that has been evaluated in the proper context. It is accurate, current and actionable, enabling security teams to respond to threats quickly and effectively.

Threat intelligence can be internal or external. Internal threat intelligence uses data gathered from security devices and systems within an organization. Security information and event management (SIEM), log management, security and vulnerability management (SVM), risk management, and incident forensics are some of the tools used for internal threat intelligence.

External threat intelligence uses data from sources outside an organization. Many organizations subscribe to data feeds, including free services from the SANS Internet Storm Center, CERT and some IT vendors, and fee-based services that aggregate and correlate multiple data feeds and provide customer-specific alerts. Other sources of external threat intelligence include crowdsourced platforms and information from industry groups, government and law enforcement.

Gartner Research Vice President Anton Chuvakin divides threat intelligence tools into two broad types. Tactical threat intelligence includes system and network-level indicators that humans and machines use to detect and respond to attacks. Strategic threat intelligence includes higher-level reports on cybercriminals, their capabilities and activities that humans use for planning and decision-making.
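As an added example (not from the article, Gartner or SANS), the tactical use just described: indicators from a constructed external feed, each carrying the context that makes it intelligence rather than raw data, are matched against constructed internal firewall/proxy log lines, and indicators the feed has not refreshed within a day are dropped as stale. Feed format, log format and the 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip" or "domain"
    value: str
    context: str     # who/what the indicator is tied to: the part that makes it actionable
    last_seen: datetime

# Constructed external feed (assumed format): kind|value|context|last_seen (ISO 8601, UTC)
FEED = """\
ip|198.51.100.23|credential-theft command-and-control infrastructure (constructed)|2024-05-01T08:00:00
domain|update.example-bad.test|phishing kit hosting (constructed)|2024-05-01T09:30:00
ip|203.0.113.7|mass scanner, not refreshed in weeks (constructed)|2024-04-20T00:00:00
"""

# Constructed internal firewall/proxy log lines (assumed format): ts src dst host
LOGS = """\
2024-05-01T10:00:01 src=10.0.0.5 dst=198.51.100.23 host=-
2024-05-01T10:00:02 src=10.0.0.9 dst=192.0.2.10 host=update.example-bad.test
2024-05-01T10:00:03 src=10.0.0.5 dst=203.0.113.7 host=-
2024-05-01T10:00:04 src=10.0.0.7 dst=192.0.2.44 host=example.org
"""

def parse_feed(text):
    """One Indicator per feed line."""
    return [Indicator(k, v, c, datetime.fromisoformat(s))
            for k, v, c, s in (line.split("|") for line in text.splitlines())]

def current_indicators(indicators, now, max_age=timedelta(hours=24)):
    """Keep only indicators the feed refreshed within max_age; stale ones are noise."""
    return {(i.kind, i.value): i for i in indicators if now - i.last_seen <= max_age}

def match_logs(log_text, lookup):
    """Return (timestamp, internal source, Indicator) for every log line hitting a current indicator."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, host = line.split()
        observed = {"ip": dst.split("=", 1)[1], "domain": host.split("=", 1)[1]}
        for kind, value in observed.items():
            ind = lookup.get((kind, value))
            if ind is not None:
                hits.append((ts, src.split("=", 1)[1], ind))
    return hits

def run(now=datetime(2024, 5, 1, 10, 30)):
    """Full pipeline: load feed, drop stale entries, match against the logs."""
    return match_logs(LOGS, current_indicators(parse_feed(FEED), now))
```

Each hit carries the indicator's context, so the analyst sees why the internal host 10.0.0.5 talking to 198.51.100.23 matters, while the stale scanner entry produces no alert.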

Strong Demand but Hurdles Remain

According to a new report from Research and Markets, the threat intelligence market should see a compound annual growth rate of 17 percent through 2023. Demand for threat intelligence solutions is being driven by increasing numbers of cyberattacks, rapid uptake by small to midsize enterprises, and widespread adoption of crowdsourced platforms.

Adopters of threat intelligence claim to have greater visibility of attacks in context, and improved accuracy and speed in detecting and responding to threats. In addition, these organizations are using threat intelligence to develop general security policies and strategies.

However, threat intelligence remains underutilized. In a study by the Ponemon Institute and Webroot, 40 percent of organizations had a security breach within the preceding two years, and 80 percent of those victims believed threat intelligence could have stopped or reduced the impact of the attack. Yet 47 percent of survey respondents admitted that threat intelligence is not a core component of their security strategy.

Poor-quality data limits the value of threat intelligence, according to 85 percent of respondents — 56 percent believe intelligence data becomes stale within minutes or seconds. In addition, 49 percent use paid sources of data because free sources do not adequately support threat analysis and prioritization.

But data quality and the sources of data aren’t the only problems. Only one in six respondents believe they have effective processes for using threat intelligence from external sources, and less than 30 percent believe they are capable of effectively handling internally generated data.

Nevertheless, threat intelligence is receiving a lot of attention as organizations seek to stem the tide of cyberattacks. By gathering and analyzing security data, and applying it to internal processes, organizations can supplement attack-specific tools with a strategic approach that will protect against the most elusive threats.