Threat Intelligence (TI), also known as Cyber Threat Intelligence (CTI), provides detailed and actionable information that helps companies and organizations prevent and combat cyber security threats. Because the information is actionable, security teams can use it proactively: to take controlled, manual steps that prevent cyber attacks before they occur, and to detect and respond to attacks faster when they do.
Why is Threat Intelligence so important?
Only with up-to-date and detailed information are security solutions, such as an endpoint detection and response solution (EDR), able to know which areas of a company network are currently in the focus of attackers before an attack occurs. In addition to EDR, NDR, SIEM or XDR solutions also use this data to improve their defense.
But good threat intelligence is not only important for security solutions. A company’s SOC teams and their threat hunters also use the detailed information to directly identify vulnerabilities in the company network and initiate suitable response measures. If a company relies on a managed SOC team, this team also uses threat intelligence.
Sources of Threat Intelligence
Security analysts create threat intelligence by collecting “raw” threat data from various sources. Next, they correlate and analyze this data to uncover trends, patterns and relationships related to actual or potential threats.
One platform that provides such information is AV-ATLAS, for example. It contains the analyzed threat data collected by AV-TEST experts and provided by the institute’s analysis systems. The basic version of the platform is accessible to everyone free of charge and shows an impressive selection of the available TI data. For companies, the system also provides threat intelligence feeds that can be linked to security solutions or used by threat hunters with appropriate tools.
As Maik Morgenstern, CTO of AV-TEST and a threat hunter himself, points out: “Good threat intelligence, for example in the form of IoC – Indicators of Compromise – is essential for security solutions and threat hunters when evaluating a potential incident. With the help of the TTPs – Tactics, Techniques, and Procedures – contained in the TI, an IT security defense strategy can be reliably planned and implemented.”
Other sources of threat intelligence are CTI reports, for example from AV-TEST, which describe the security landscape in short time intervals, in this case weekly, and report on attack campaigns by APT groups. However, reports covering long periods of time, such as Check Point Software’s 2023 Cyber Security Report, also provide important threat intelligence in an international summary. The report identifies trends, particularly vulnerable sectors, frequently used attack tools and tactics, as well as background information on network and cloud attacks. Less globally focused, but no less informative, is the current AV-TEST report “Cyber Incidents in Figures: The year 2023”, which is free to download.
What's in Threat Intelligence?
The available threat intelligence feeds differ in content. Some key components are:
- Threats that affect companies: This usually covers current campaigns against specific sectors, for example their supply chains, that are in the focus of attackers, and the way in which these attacks are carried out.
- Threat actors: Background data on APT groups and other attackers can be used to develop defense strategies based on their previous actions.
- TTPs – Tactics, Techniques, and Procedures: TTP provides information on techniques and tools used by attackers in their campaigns.
- IoCs – Indicators of Compromise: This data identifies signals or suspicious processes that can be used to detect and identify a cyber attack.
- Evaluated data streams and files: An endpoint security solution with EDR, for example, is supplied with a feed of dangerous URLs. Based on this up-to-date information, it prevents a company’s employees from accessing dangerous websites or carrying out downloads classified as dangerous.
- Vulnerability assessments: Information on new vulnerabilities for which there are no patches yet, but for which there is already a workaround or preliminary protective measures, such as blocking a network port or downgrading user rights.
The different types of Threat Intelligence
Experts often divide threat intelligence into three categories: strategic, tactical and operational. As these classifications are not standardized, the sub-items vary somewhat within the categories depending on the expert working on them. They are classically divided as follows:
- Strategic Threat Intelligence: This analysis is highly summarized and is addressed to non-experts, such as board members. The focus is only on threatened areas. The analysis also focuses on current trends, which often originate from public reports. The analysis is a kind of risk barometer.
- Tactical Threat Intelligence: The first practical steps are already taken and IoCs are used, for example, to check networks and prevent potential attacks. The information usually comes via a TI or CTI feed and is generally processed automatically.
- Operational Threat Intelligence: This part refers to TI during and after an attack. Current information on the attackers’ tactics, techniques and procedures (TTP) is evaluated and used. However, conclusions also need to be drawn after the attack has been prevented, for example about attack targets: Were the attackers targeting specific data, and if so, which data? Or was the attack possibly only a probe of individual defense points, with the real attack still to come?
Threat Intelligence Life Cycle
When security experts talk about the life cycle of a cyber threat, they mean a breakdown according to the following “threat phases”:
- Planning
- Collection
- Processing
- Analysis
- Dissemination
- Feedback
This process is not a one-off event but should be run through repeatedly to ensure a thorough and cost-optimized cyber defense.
In the first phase, “Planning” (also called “Direction”), it is important to set targets for threat intelligence, such as which parts of the company require special protection and what consequences an attack could have.
In the second phase, “Collection”, the data sources for the data and IT structure areas identified as particularly at risk in the first phase are defined. In this phase, a company should decide on the data sources for its future threat intelligence, such as reports, blogs, CTI feeds from security providers, or metadata from its own network, such as EDR or SIEM.
In the third phase, “Processing”, it must be clarified how the stream of information can be processed in a feasible way. Can the available systems already process these feeds directly, and do the SOC and the threat hunters have the right tools?
Once this has been clarified, we move on to phase 4, “Analysis”. This involves evaluating the information and transforming it into practically usable findings. The results of this analysis also clearly show whether important security tools are still missing and whether the current security budget is sufficient.
Phases 5 and 6, “Dissemination” and “Feedback”, put the actual findings of the threat intelligence life cycle to use. The conclusions must be implemented within the various teams of a company, such as the SOC and the traditional IT department. However, the company management should also be involved in these phases. In the feedback phase, the responsible department and project managers must ensure that all phases have been implemented in a way that makes sense for the security requirements and objectives.