What is a Threat Intelligence Platform?
A threat intelligence platform automates the collection, aggregation, and reconciliation of external threat data, providing security teams with the most recent threat insights to reduce threat risks relevant for their organization.
Threat intelligence is a key ingredient for cybersecurity defenders that enables decision making pre- and post- incident. Today, cybersecurity teams are not short on threat intelligence sources or outlets. Think about dozens of news articles, hundreds of free open source indicator feeds, industry community lists (ISACs) or vendor-provided threat intelligence and you can quickly see how professionals are becoming overloaded with intelligence. The questions for consumers of all this data are of course: which ones should I trust, is there any overlap and how can I translate all this data into directly consumable information for my controls or during workflows?
Roles that Use Threat Intelligence Platforms
A key benefit to using a threat intelligence platform is that it makes it easier to share external threat information across the organization to both technical and non-technical stakeholders. This is accomplished through automated workflows, integration and continuous enrichment of collected data .
Some of the organizational roles and use cases involved with threat intelligence are:
Security analyst and IT analyst
Use threat intelligence to optimize prevention and detection capabilities and develop stronger defenses.
Analyst use cases
- Integrate threat intelligence feeds with other security products
- Block bad IPs, URLs, domains, files, and more
Security Operations Center (SOC)
Prioritize incident response based on risk and impact to the organization.
SOC use cases
- Use threat intel to enrich alerts
- Link alerts into incidents
- Reduce false positives and alert fatigue
Computer Security Incident Response Team (CSIRT)
Speeds the investigation, management, and prioritization of a security event.
CSIRT use cases
- Look for information on the motives, attributions and tactics, techniques and procedures (TTPs) of an incident
- Analyze root cause to determine the scope of an incident
Uncovers and tracks threat activity targeting the organization, thereby gaining a better understanding of the relevant aspects of the current threat landscape and performing advanced analysis to understand quickly the context organizational alerts across known actors, campaigns, incidents, malware, signatures, TTPs and vulnerabilities.
Intel analyst use cases
- Aggregate structured and unstructured data (reports) related to threat actors to learn to detect them better
- Enables Alert Triage and incident response
- Directs Vulnerability patch prioritization
Understand the risks the organization faces and the options to address their impact.
Executive management use cases
- Assess the organization’s overall threat level
- Develop a security roadmap
How Threat Intelligence Platforms Work
Threat intelligence platforms automatically gather data from various external sources and then organize it into formats that can be analyzed by and packaged for human or machine consumption.
But threats are always evolving, and organizations need to adapt rapidly if they want to take decisive actions. A framework helps security teams optimize resources and stay up to date with the threat landscape. The threat intelligence lifecycle is a six-step framework that helps organizations achieve those goals:
This is the planning step, where an organization decides on consumers and desired outcomes of the produced intelligence. For instance, is the required intelligence for specific detection, post-incident response or to understand most relevant threats to the organization attack surface. To organize requirements it is important to start with the types of potential security threats that are most likely to matter such as the malicious actors most likely to target the organization, what are the most common tactics and who should be informed.
TIPs typically start with collecting raw data from outside the organization such as security vendors, communities, national vulnerability databases or open source feeds. Security solution vendors may aggregate data from across their user base and either incorporate the resulting intelligence feed into their solutions for the benefit of their customers or make the feeds available as a separate product. Industry-specific feeds, “trust circles” of cybersecurity professionals and dark web forums are other sources. Open source feeds are available from many places, including the Cybersecurity & Infrastructure Security Agency (CISA), SANS and Google, while web crawlers may be used to search the internet for exploits and attacks.
Raw data is converted into formats that can be analyzed. This entails decrypting files, translating foreign content, organizing data points into spreadsheets, and evaluating data for reliability and relevance.
In this step, raw data is transformed into actionable intelligence that is used to develop action plans in accordance with the decisions made in the “requirements” phase. The final insights are packaged into different types of reports and assessments for consumption by different types of audiences:
- Strategic intelligence is meant for senior security planners and focuses on broad trends to plan security investments and policies.
- Tactical intelligence focuses on indicators of compromise (IOCs) and is used to speed up the identification and elimination of a potential threat. Tactical threat intelligence is the most easily generated and is typically automated.
- Operational intelligence examines the who, what and how of a cyberattack with the goal of understanding the tactics, motives and skill levels of the malicious actors so the appropriate defensive posture can be established before the next attack or a similar attack.
The analysis results are translated into recommendations tailored for specific audiences and presented to stakeholders. In this step, it’s important to avoid technical jargon and remain concise. A single-page report or short slide deck are the best formats for presentation.
Because the threat landscape is always evolving, a continuous feedback loop must be established. In this step, seek feedback from stakeholders on the relevance of the provided reports and measure the effectiveness of technical controls in place. This feedback loop can be used to adjust selection of external threat intelligence sources as well as prioritization of newly produced insights based on context.
Key Features of a Threat Intelligence Platform
A threat intelligence platform based solely on indicators is not an adequate security tool in today’s sophisticated threat environment. Adversaries change their tactics often and collected indicators won’t expose the actor’s motives or sophistication. Seek a solution that integrates multiple forms of threat intelligence and allows users to navigate through, and distribute the data. Threat intelligence platforms should consolidate and de-duplicate indicators from multiple sources. However, it is the actor and attack tactic enrichment that provides security operations teams with guidance on what to do next. Also, the identification of new attack campaigns should be automated, and integrated with a broad range of controls or detection tools, such as security analytics (SIEM, NBA), endpoint detection and response (EDR), next gen fireWall (NGFW), vulnerability and asset management tools and incident response workflows.
How CrowdStrike Supports Threat Intelligence Platforms
CrowdStrike supports threat intelligence platforms by offering prebuilt integrations and API access to our award winning threat intelligence module, CrowdStrike Falcon X™. Falcon X provides context-enriched IOCs, threat reports, malware sandboxing, attribution and searchable malware repository. CrowdStrike also offers integrations with industry leading TIP vendors like ThreatQuotient, ThreatConnect and Anomali delivering actionable insights into the top threat actors, attack vectors and threat intelligence trends.
It’s worth noting that a TIP is just one solution to achieve the use cases discussed earlier in this article. The CrowdStrike Security Cloud correlates trillions of security events each day collected from millions of endpoints and cloud workloads around the globe. Using a combination of artificial intelligence as well as expert driven human analysis, millions of real-time IOCs and thousands of intelligence reports are delivered to our customers on an annually . This enables CrowdStrike customers to perform many of the TIP use cases listed above without need to deploy new infrastructure or design new workflows.