What is Threat Intelligence?

Actionable Attacker Insights, Relevant to You

Introduction

Digital, cloud-centric transformation creates hidden risks and threats for the extended enterprise amid a fluid and entangled threat landscape. Digital transformation has only accelerated during the 2020 pandemic, creating cyber risk for every business. An organization’s brand, customers, employees, and infrastructure are targets for these increasing threats and attacks.

Moment by moment, the internet changes—infrastructure, apps, pages, attackers, third parties—and the enterprise attack surface changes with it. With increasing volume and complexity, a daily flood of data full of irrelevant information and false alarms comes pouring down on security teams. Threat analysts and response teams are left with too much information or not enough, not to mention a total lack of direction. Obtaining direct, real-world observations of the internet attack surface is one of the biggest challenges facing security teams today.

Attack surface intelligence is a predominant concern for many security teams and their senior leadership, who need to know what threats they’re facing now that they’ve turned their business inside out and put their most crucial infrastructure outside the firewall. Frankly, many aren’t sure of their overall digital exposures and what should be driving strategic decisions and security actions to safeguard the digital enterprise.

The challenge of keeping pace with the growing digital attack surface is magnified when factoring in the response to the 2020 pandemic. Relevant, actionable threat intelligence gives security teams line-of-sight to attackers and to threat systems and infrastructure. It can map cyberthreats to the enterprise to prioritize response and fully extinguish compromises.

What is The Purpose of Threat Intelligence?

Security professionals often consider threat intelligence to serve three general purposes: strategic, tactical, and operational intelligence(s). Beyond these three purposes, the following represents the key requirements and technical capabilities for enterprises to realize the full potential of relevant, actionable security intelligence in their threat programs.

What is Strategic Threat Intelligence?

According to Gartner:

Strategic Threat Intelligence (TI) includes reports and other human-readable products on threat actors and their intentions, affiliations, interests, goals, capabilities, plans and campaigns. Strategic TI is typically produced by human analysts and is likely consumed by humans as well. Strategic TI is often associated with decisions that are longer-term in nature, such as what new programs to implement, what processes to change or what new infrastructures to invest in.

- “How to Use Threat Intelligence for Security Monitoring and Incident Response,” Gartner, 2020.

would be able to satisfy eight criteria data collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors.

Delivering robust strategic threat intelligence starts with hard observations from the internet—attackers, enterprise, and third parties—analyzed with security expertise to identify the threats most dangerous to the organization. Analyst expertise must extend beyond typical security skills to include strong business acumen and geopolitical experience, particularly a solid understanding of sociopolitical and business concepts. A threat intelligence solution that automates data assembly, graphs attack relationships, and keeps a 10-year history of internet intelligence gives security teams the missing awareness needed for airtight detection and response.

What is Tactical Threat Intelligence?

Returning to the same report from Gartner:

Tactical Threat Intelligence (TI) often consists of IOCs, such as IP addresses, domains, URL or hash lists, and other system-level or network-level artifacts. These artifacts can be matched to what is observed on information systems. Tactical TI is most often consumed by security controls, but it is also manually looked at or used during investigations and incident response. Tactics, techniques and procedures (TTPs) are another example of tactical TI. Tactical TI is typically associated with decisions that are shorter-term in nature, such as urgent alerts to personnel, invocation of an existing escalation process or configuration changes on existing infrastructure.

The value of tactical intelligence is its applicability in the moment to uncover hard observations of what is and what isn’t attacking you. The best solutions will primarily collect hard observations of internet activity—attacker, enterprise, and third-party. Then, by graphing those attributes, or digital DNA, security teams, processes, and technologies all gain awareness of the threat real estate, borders, boundaries, and pathways coming from attacker infrastructure related to a specific organization’s exposed attack surface.

Now that the enterprise has essentially been extended, there are once-physical but now-digital things that demand strong tactical intelligence to pinpoint proximate and relevant attacks across brands, infrastructure, third parties, and people—hard, real-world observations.

What is Operational Threat Intelligence?

Every enterprise needs awareness of attackers and their systems, attacks, events, campaigns, and relatedness to its own IT environment. Operational threat intelligence provides insights to understand the nature of attackers and their activity, systems landscape, and capabilities—all with a view of an organization’s digital footprint, which is increasingly becoming entangled with attacker infrastructure. This form of operational intelligence is often referred to as technical intelligence because of the methodological purpose it serves.

Whereas strategic and tactical intelligence consist of know-what, operational or technical intelligence is considered the know-how that underlies discovering the relevant significance of an attacker and their targeting activity, communications, and weapons. This information includes observed vectors in use, observed exposed ports, services, and vulnerable assets in the enterprise attack surface, command-and-control, bots, DDoS, and most important of all, history of activity and observations. This kind of intelligence is also referred to as technical threat intelligence. These pieces of the picture are enriched and illuminated with more insight when joined (graphed) together into a composition of hard observations and activity history throughout the internet—attackers, enterprise, customers, partners, third parties.

Observation-Based | Relevant, Actionable Security Intelligence

The best solutions capture two primary forms of hard, real-world observations of threat intelligence:

  1. Current Observations: always-on observation tracking internet activity, behavior
  2. Historical Observations: change and trend, associations and relationships in the wild

Current Observations are verified facts about attacker systems, the enterprise attack surface, and activities and behavior gathered within the previous seven (7) days. Observation-based intelligence arrives 3-5 times as quickly as raw open-source intelligence (OSINT) and traditional threat profiler intelligence. With the capability to access direct observations of attacker infrastructure and activity, security teams can analyze, triage, prioritize based on real-world relevance, and take action more quickly and with more confidence, based on factful observations. Current observations may vary within different solutions, but most enterprises require a shortlist of observations necessary for their security intelligence choice:

  • Exposed Ports and Services
  • PassiveDNS with History
  • Resolutions
  • WHOIS with History
  • Trackers
  • Components
  • Hosts and Host Pairs
  • Open-source intelligence (OSINT)
  • Deep / Dark Web Sources
  • Reverse DNS
  • Hashes
  • Cookies
  • Attacker Infrastructure

Historic Observations are records of factful observations of what were formerly current observations, with one significant addition—change activity is another hard observation. The second factor for constructing observations-based security intelligence gives security teams an overall understanding of the environmental conditions, context, and identifiers to unmask attackers in the wild.

Leading security intelligence solutions—those with a foundation of current and historic factful observations—apply machine learning that can draw upon 100+ billion observations and graph the attacker systems most pertinent to the enterprise attack surface. They offer a clear view of where attackers are hiding and where they are targeting attacks against victims, including the digital supply chain and third parties.

The output of real-world observations, current and historic, creates a four-dimensional graph of the internet, including attackers and their infrastructure and activities. Any threat intelligence solution without the foundation of real-world, factful observations through time is left with speculations and rumor—because there are no alternative facts.

When to Choose Strategic, Tactical, or Operational Threat Intelligence?

Both strategic and tactical security intelligence play roles in the organization’s overall ability to find and eliminate threats. Typically, whether to prioritize one over the other comes down to each organization’s specific requirements and use cases. Everyday use cases include:

Threat Intelligence programs and teams gain perspective on specific threat indicators and pivot through our data to understand other connections, possibly identifying additional indicators to use in the identification of malicious actor activity relevant to their digital attack surface. Threat analysts and programs can quickly determine relationships to threat indicators and indicators of compromise (IOCs) and search for adjacent threats and attacker behaviors related to observed threat systems and their attack surface.

Third-Party Intelligence uses internet and threat observations to reveal risks embedded in the entangled, extended enterprise, such as examining digital dependencies for e-commerce supply chain components to pinpoint the weakest link. It finds critical exposures within partners, components, service providers, and other non-corporate-controlled vectors for attack.

Brand Protection use cases and programs leverage threat intelligence (strategic and tactical) to identify threats such as phishing sites and campaigns, domain attacks, rogue mobile, social engineering and deception, scams, fraud, and tarnishment.

Executive Protection and Safety leverages insights from combining hard observations drawn from a long history to understand the changes and activities threat actors use to target attacks on individual persons: intelligence on how threat actors exploit the human attack surface, including personally identifiable information (PII), financial data, and other at-risk data, to attack them and their organizations.

Security Operations & Response tends to be a primary group using tactical and strategic threat intelligence, but it often chooses which intelligence to use depending on the chronology of the threat’s relevance. For example, security operations teams and management will often examine threat research and attacker activity to implement risk-based controls and defenses. At the same time, response teams will reach for timely tactical intelligence that expands a single indicator to reveal an attacker’s systems, relevance, and scope for a more complete and scaled workflow that fully removes the compromise.

Vulnerability Management and Risk rely on all three kinds of threat intelligence—strategic, tactical, and operational—by harnessing knowledge of vulnerabilities being exploited by threat actors (strategic), existing exposures within their attack surface (tactical/operational), and mitigation based on critical risks and priorities (combined intelligence).

TI Class Attributes | Strategic | Tactical | Operational
Created By | Humans using technical and non-technical sources | Machines or humans | Machines and humans
Consumed By | Humans | Machines and humans | Machines and humans
Delivery Time Frame | Days to years | Seconds to hours | Hours to weeks to months
Useful Life Span | Long | Usually short | Long and short
Rate of Change | Slow | Rapid | Rapid
Focus | Planning and high-level decisions | Detection, triage, and response | Protections, defenses; detection, triage, and response
Examples | Targeted, relevant threats, attacks, and attackers; cyber-connectedness to the organization, intentions, preferred tools, and threat actor profiles | Hard observations collected from the internet and infrastructure activity through time: domains, pages, hosts, components, code, services, and weaponization | Knowledge about cyberattacks, events, or campaigns and information flows to and from the organization

Table 1.1 | Quick reference for three purposes for threat intelligence and distinguished attributes.

The Threat Intelligence Lifecycle

What stages go into producing threat intelligence? Raw feeds of data are gathered from numerous sources. Artificial intelligence (AI) or other computer systems normalize the data and index it so that it can be processed to create predictions, advisories, and warnings of impending threats. The threat intelligence lifecycle is broken into six stages. It is a cycle because, just like a weather prediction, it is never 100% certain; the process must be constantly adjusted to collect new information and to make new determinations and predictions more accurately than before. Feedback on the usefulness of the predictions, advisories, and alerts tightens the focus of the planning and direction of new collections over time. Below we break down each step in the threat intelligence lifecycle.

Planning and Direction

The first step to producing relevant, actionable threat intelligence is to have the right questions in mind. You need to understand the predicted trends so that relevant, actionable advisories can be issued, along with alerts to impending attacks or activity on active malicious infrastructure.

It is not only a matter of knowing how significant a potential threat is to the world in general, but whether it affects you and your organization.

The other aspect is how the threat intelligence will help make accurate, relevant, and actionable decisions. Who is going to use this information? An executive who needs to see trends? An incident responder who wants to understand the scope of the current attack? The vulnerability management professional who wants to close every hole that attackers could exploit in a system or application? Threat intelligence needs to look broadly and help define the trends so that organizations can use their current security tools to make faster and better future decisions.

Collection

The next step is the collection of raw data. This may rely upon multiple independent vendors that specialize in gathering and presenting specific types of raw internet data. Threat intelligence vendors might not gather their own data at all and instead rely upon others to crawl or collect the information. When this occurs it can be difficult to normalize the data or understand its full context, and with data coming from multiple sources, correlation between relationships is hard to analyze or determine.

Threat intelligence data is usually thought of as a list of indicators of compromise made up of IP addresses, domains, and file hashes of known-bad items. But threat intelligence can also include information about Common Vulnerabilities and Exposures (CVE) entries describing vulnerabilities in an application or system, personally identifiable information (PII) of customers or executives, raw code from applications, and text from social media accounts and news sources.

Processing

After the raw data is collected, it has to be processed. Data has to be organized with metadata tags and normalized. Data needs to be programmatically filtered to remove redundant information and false positives and negatives.

Organizations today internally collect, store, and process thousands, if not millions of log events. Organizations don’t do this by hand; it is too much information for a human analyst to process efficiently. Organizations automate this process usually by using a tool like a SIEM or Splunk. These tools aggregate internal logs and messages to make it easy to find information and relate it to other internal messages. This can be to determine abnormal activity in an application or system or the exfiltration of data from an internal system to an external domain or IP address.

The collection and processing of internet data is more than collecting unstructured data and making it easy to search. How the data was collected, and how the collection allowed real observations to be counted and measured, matters: the means of collection can be a data source in its own right. Understanding how each domain and IP address is interconnected with every other domain or IP gives the data more context and meaning.

For example, when you visit a website, it might redirect you to an SSL connection to make it more secure. When the page loads in your local browser it might pull an image from a social media site or send analytics data to a search engine to track user experience.

The collection mechanism itself can be used while processing the data it crawls to build a relationship map and metadata that chain infrastructure information together and identify related infrastructure. For example, if a collection method interacts with websites the way a real user would with a browser, it sees the website as a real user would: JavaScript executes in the browser, user state is tracked, and links and redirects are observed.

But suppose the threat intelligence vendor fails to collect the raw data as a real user would and relies upon others for the raw data. In that case, it will miss the subtle relationship information that can only be seen and recorded during the collection process.
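As an added example (not RiskIQ’s code and not part of the original page), the following Python builds the kind of relationship graph described here from a handful of constructed browser-style crawl observations (a redirect, resources a page loaded, DNS resolutions), pivots from a single indicator to related infrastructure as the threat-program use case earlier describes, and reports resolution changes over time as a historical observation. Every hostname and IP address in it is a constructed documentation value.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    """One hard observation recorded while crawling as a real browser would."""
    kind: str   # "redirect", "resource" (page loaded a resource) or "resolution" (DNS)
    src: str    # URL or hostname that was observed
    dst: str    # URL, hostname or IP address it led to
    seen: date  # date of the observation


# Constructed sample observations (documentation hostnames and addresses only).
OBSERVATIONS = [
    Observation("redirect", "http://promo-example.test", "https://promo-example.test", date(2020, 9, 1)),
    Observation("resource", "https://promo-example.test", "https://cdn.tracker-example.test/a.js", date(2020, 9, 1)),
    Observation("resolution", "promo-example.test", "203.0.113.10", date(2020, 9, 1)),
    Observation("resolution", "login-verify-example.test", "203.0.113.10", date(2020, 9, 3)),
    Observation("resource", "https://login-verify-example.test", "https://cdn.tracker-example.test/a.js", date(2020, 9, 3)),
    Observation("resolution", "login-verify-example.test", "198.51.100.7", date(2020, 9, 10)),  # moved hosts
    Observation("resolution", "unrelated-example.test", "192.0.2.5", date(2020, 9, 2)),
]


def node(value: str) -> str:
    """Normalize a URL to its hostname so that one host is one graph node."""
    if "://" in value:
        return urlsplit(value).hostname.lower()
    return value.lower()


def build_graph(observations):
    """Undirected adjacency map: node -> {neighbor: {observation kinds}}."""
    graph = defaultdict(lambda: defaultdict(set))
    for ob in observations:
        a, b = node(ob.src), node(ob.dst)
        if a == b:  # e.g. an http -> https redirect on the same host adds no edge
            continue
        graph[a][b].add(ob.kind)
        graph[b][a].add(ob.kind)
    return graph


def pivot(graph, indicator, max_hops=2):
    """Breadth-first pivot from one indicator; returns {related node: hop distance}."""
    start = node(indicator)
    if start not in graph:
        return {}
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:
            continue
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    del dist[start]
    return dist


def resolution_history(observations, hostname):
    """Chronological (date, ip) pairs; a change of address is itself an observation."""
    target = hostname.lower()
    return sorted((ob.seen, ob.dst) for ob in observations
                  if ob.kind == "resolution" and node(ob.src) == target)


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    for ioc, hops in pivot(g, "203.0.113.10").items():
        print(f"{hops} hop(s) from 203.0.113.10: {ioc}")
    for seen, ip in resolution_history(OBSERVATIONS, "login-verify-example.test"):
        print(f"login-verify-example.test -> {ip} on {seen}")
```

Pivoting from the shared address surfaces both domains that resolved to it and, at two hops, the tracker they both load and the address one of them moved to, while the unrelated domain never appears.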

Analysis

The next step is to examine the processed data and determine whether it answers the questions posed in the planning and direction phase. The goal is to identify potential security threats and categorize them into the different types of threat intelligence.

Strategic Intelligence - trends seen in attacks. For example: this season, we think we will have a lot of hurricanes.

Tactical Intelligence - the tactics, techniques, and procedures threat actors are utilizing. For example: a hurricane warning for the Gulf of Mexico region of Texas.

Operational Intelligence - answers whether the threat targets you, or whether you can be directly affected by it. For example: the hurricane will directly hit Galveston, Texas, in the next 72 hours.

Dissemination

The finished product then needs to be distributed to its intended consumers. For threat intelligence to be actionable, it needs to get to the right person at the right time. But the information needs to be relevant as well: it must show how you are affected, so that it is not dismissed as noise that wastes resources in your organization.

Depending on the type of intelligence, the information can take many different forms based upon the intended audience, but it must be presented in a way the consumer understands and trusts. This can range from a blacklist of known-bad domains to human intelligence based upon collected information that identifies all of the infrastructure involved in an attack. It could also take the form of a report on risk to your organization because your organization relies upon an application or process from a partner that carries risk or has been compromised.

Feedback

The final step in the process is reviewing the information and feeding it back into the initial planning and direction phase. Whoever received the finished intelligence product checks it and determines whether their initial questions were answered. This feeds back directly into the next intelligence cycle.

When to Use Security Intelligence?

Security and threat intelligence provide situational and contextual awareness of the organization and of cyber threats. Ultimately, enterprise security teams rely on security intelligence for relevant context that drives more-informed business decisions and security actions. Every organization is likely to begin at a different starting point on its journey toward intelligence-driven security, but they all tend to enhance people, processes, and technology.

  • Threat Analysts
  • IT Risk
  • Operations Analyst, Operator
  • CISO
  • Incident Response
  • Security Operations
  • Vulnerability Risk Management
  • Fraud and Digital Forensics
  • Security Architecture, Strategy
  • SOAR
  • SIEM
  • Endpoint Security (EDR)
  • Firewalls, Intrusion Defense
  • Cloud Security
  • Digital Supply Chain
  • Secure SDLC

Whether individual persons or teams or technology in the security stack, each benefit from having relevant, actionable intelligence as a beacon for their digital enterprise. Importantly, threat and security intelligence should be aligned with critical projects and initiatives to maximize its impact on the business’s strategic outcomes. Common projects and initiatives that benefit from security intelligence include:

Threat Program and Analysis

Threat investigations are manual, labor-intensive tasks. Analysts and response teams often do not have access to the relevant data necessary to pinpoint threats and threat infrastructure. They are forced to assemble and analyze disjointed information, which commonly results in perceiving only a piece of the picture.

Security intelligence reduces pressure in multiple ways:

  • High-fidelity threat triage based on real-world observations
  • Precision response by identifying relevant systems and direct attacker behavior
  • Comparing information from internal and external sources

RiskIQ customers have achieved up to 10 times faster response than before adopting security intelligence solutions. Not only does this remove active threats, but it allows them to extinguish threats from hidden pockets in the digitally entangled attack surface.

Security Operations (SOC)

Security teams are overloaded with alerts. SOC teams struggle to focus their efforts and prioritize because there is so much noise. It’s challenging to scale and automate security programs when the foundation is missing: relevant, actionable security intelligence.

With security intelligence, you can stop wasting time:

  • Faster triage, real observations with rapid insight
  • Reduce false positives by focusing on relevant threats
  • Validate controls and defenses for improved resilience

Most security operations center (SOC) teams speed up by 50% by removing the friction in analysis, triage, and response.

Vulnerability and Risk Management

Many vulnerability programs lack visibility outside their firewall, leaving them unaware of external risks and threats—the primary source of data breaches. At the same time, digital growth continues to outpace an enterprise security team’s ability to protect it—magnified during the 2020 pandemic.

Prioritizing vulnerabilities that matter based on relevant, actionable intelligence:

  • Attack surface intelligence—exposed services, web apps, mobile apps, devices.
  • Intelligently cluster critical vulnerabilities, prioritization.
  • Keep pace with cloud and digital growth with dashboards and reports.

Threat actors are opportunistic and reshape their infrastructure moment by moment, which is why continuous observations with graphed history are so vital for exposure and vulnerability mitigation—as attacker behavior changes, priorities can adapt so you’re always patching what matters. This is a critical VRM capability in a world where it takes an average of only 15 days before a new vulnerability is exploited in the wild.

General Requirements for Security and Threat Intelligence

Enterprises have difficulty obtaining actionable threat intelligence while, at the same time, their rapidly evolving attack surface is exposed to more cyber threats. Cyber threats continue to grow in quantity and complexity, often exploiting gaps in that attack surface. Without relevant threat intelligence specific to the enterprise attack surface, security performance suffers: blind spots increase, attacker awareness and visibility are limited, response is slow and incomplete, attackers succeed, and financial loss follows.

Unlike other kinds of security and threat intelligence, RiskIQ provides definitive, real-world observations, active and historic, to give security teams confidence to unmask and defeat adversaries.

RiskIQ hits all seven (7) essential requirements for any threat program:

Accuracy: RiskIQ’s Illuminate Platform consists of more than ten years of security intelligence, absorbed by real-world observations, and graphed into a single Internet Intelligence Graph. Security teams, programs, and leadership depend on RiskIQ as their beacon for relevant, actionable security intelligence.

Convergence: RiskIQ has mapped the internet and systematically assembled and graphed real-world observations of attackers and their infrastructure and behavior. Paired with relevant attack surface indicators, RiskIQ shows you the impact of where the extended enterprise is threatened.

On-Time: Each and every day, RiskIQ absorbs security intelligence to identify and monitor attackers and enterprise infrastructure. It is regularly updated with the latest open-source intelligence (OSINT) and RiskIQ intelligence drawn from our global sensor network and web simulation.

Contextual: RiskIQ speeds up threat analysis and triage by showing attack surface indicators that show the impact of threats to your digital resources—devices, services and ports, web apps—and in-product human intelligence so you know what to do about it.

Relevant: RiskIQ is the only full-scale security intelligence platform powered by real-world observations and out-of-the-box threat and attack surface indicators; threat intelligence, mapped to you so you can go from alert to triage to response in just a few clicks.

Sustainable: Security intelligence powered by 10 years of internet data and in-product human intelligence (HUMINT) from RiskIQ Labs—trace analysis through real-world observations and curated OSINT, with adaptive and durable insights.

Portability: RiskIQ’s fluid and flexible security intelligence is extensible throughout the IT security ecosystem—EDR, SOAR, SIEM, IDS/IPS, NetSec, Vuln Scanners, and ITSM—all enriched and scaled for smarter, faster security operations and response.

Conclusion

Despite the demand for more resilient digital security and knowable information on cyber threats, enterprises have difficulty obtaining relevant, actionable security intelligence. Primarily, the difficulty centers around the limited observations—current and historic—any security team could ever hope to collect, process, analyze, and interpret for triage, let alone trigger the correct response. Such an undertaking would be impracticable.

So, enterprise security teams look to security intelligence solution providers to assemble, graph, enrich, prioritize, and deliver relevant information about the threats that matter to them and their extended enterprise—infrastructure, people, brands, and nth-degree parties. Organizations realize that the conditions facing the extended, digital enterprise demand relevant, actionable security intelligence driving their security programs, whether strategic, tactical, operational, or a combination. To discern which of these paths is best, organizations should examine where they would get the most frequent and impactful value from security intelligence within their people, processes, and technologies.

Finally, identify projects and programs that will experience the greatest success once they’ve embedded relevant, actionable security intelligence into the professional discipline: threat analysis programs, security operations and response, and vulnerability and risk management. There are seven (7) essential requirements enterprises should consider when assessing the best security intelligence for them: accuracy, convergence, on-time, contextual, relevant, sustainable, and portable.

RiskIQ makes intelligence-driven security a reality. With relevant, actionable security intelligence, RiskIQ gives elite security teams a clear picture of the threats that matter to them, finely tuned to their extended enterprise: infrastructure, people, brands, and nth degree parties. Security teams can easily integrate RiskIQ security intelligence into their ecosystem—people, processes, and technologies—as a beacon for real-world observations and insights.

Let’s do this. Together.