What is Threat Intelligence in Cyber Security?
Intelligence has been defined as information that leads to an action that changes behavior. In cyber security, more organizations are turning to intelligence as the cyber arms race escalates between attacker and defender. Cyber Threat Intelligence enables defenders to make faster, more informed security decisions and change their behavior from reactive to proactive in the fight against breaches.
These organizations are increasingly recognizing the value of threat intelligence, with 72 percent planning to increase threat intelligence spending in upcoming quarters. However, there is a difference between recognizing value and receiving value.
Most organizations today are focusing their threat intelligence efforts on only the most basic use cases, such as integrating intelligence feeds with existing IPS, firewalls, and SIEMs — without taking full advantage of the insights that threat intelligence can offer.
Companies that stick to this basic level of threat intelligence are missing out on real advantages that could significantly strengthen their security postures.
Watch the on-demand webcast on “The Evolving World of Threat Intelligence” to discover how the combination of artificial intelligence, machine learning, and threat intelligence is improving real time defenses.
Why is Threat Intelligence Important?
In the world of cybersecurity, adversaries and defenders are constantly trying to outmaneuver each other. Organizations want to know the adversary’s next moves so they can proactively tailor their defenses and preempt future attacks.
To support proactive and predictive cybersecurity operations, security teams need knowledge. Threat intelligence provides that knowledge by shedding light on the unknown and enabling organizations to make better security decisions.
One of the primary benefits of threat intelligence is that it helps security professionals better understand the adversary’s decision-making process. For example, if you know which vulnerabilities an adversary is exploiting, you can choose the technologies and patching activities that will best mitigate exposure to those vulnerabilities.
Along the same lines, threat intelligence reveals adversarial motive. When you understand what drives threat actors to perform certain behaviors, you can monitor for advanced indication and warning of potential attacks.
Furthermore, threat intelligence helps security teams understand the tactics, techniques, and procedures (TTPs) that the adversary leverages. This understanding can be used to enhance threat monitoring, threat hunting, incident response, and a variety of other cybersecurity disciplines.
A clear understanding of the adversary is the foundation of a robust, proactive defense.
In addition to empowering cybersecurity stakeholders, threat intelligence can empower business stakeholders, such as executive boards, CISOs, CIOs and CTOs; to invest wisely, mitigate risk , become more efficient and make faster decisions.
Want to stay up to date on recent adversary activities? Stop by the Research and Threat Intel Blog for the latest research, trends, and insights on emerging cyber threats.
Want unique insights into adversaries that our threat hunters have encountered in the first half of 2019? Download the 2019 Report from the OverWatch Team:
What are the Types of Threat Intelligence?
We discussed in the last section how Threat Intelligence can empower us with knowledge about existing or potential threats. The information can be straightforward, such as a malicious domain name, or complex, such as an in-depth profile of a known adversary. Keep in mind that there is a maturity curve when it comes to threat intelligence represented by the three levels listed below. With each level, the context and analysis of threat intelligence becomes deeper and more sophisticated, caters to different audiences, and can get more costly.
- Tactical intelligence
- Operational intelligence
- Strategic intelligence
Tactical Threat Intelligence
Tactical threat intelligence is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. It can be machine-readable, which means that security products can ingest it through feeds or API integration.
Tactical threat intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free feeds, but it usually has a very short lifespan because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.
It’s important to note that simply subscribing to intel feeds can result in plenty of data, but offers little means to digest and strategically analyze the threats relevant to you. Also, false positives can occur when the source is not timely or of high fidelity.
Operational Threat Intelligence
In the same way that poker players study each other’s quirks so they can predict their opponents’ next move, cybersecurity professionals study their adversaries.
Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the adversary employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct, and sustain campaigns and major operations. This insight is operational threat intelligence.
Machines alone cannot create operational threat intelligence. Human analysis is needed to convert data into a format that is readily usable by customers. While operational threat intelligence requires more resources than tactical intelligence, it has a longer useful life because adversaries can’t change their TTPs as easily as they can change their tools, such as a specific type of malware or infrastructure.
Operational threat intelligence is most useful for those cybersecurity professionals who work in a SOC (security operations center) and are responsible for performing day-to-day operations. Cybersecurity disciplines such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it helps make them more proficient and more effective at their assigned functions.
Strategic Threat Intelligence
Adversaries don’t operate in a vacuum — in fact, there are almost always higher level factors that surround the execution of cyber attacks. For example, nation-state attacks are typically linked to geopolitical conditions, and geopolitical conditions are linked to risk. Furthermore, with the adoption of financially motivated Big Game Hunting, cyber-crime groups are constantly evolving their techniques and should not be ignored.
Strategic threat intelligence shows how global events, foreign policies, and other long-term local and international movements can potentially impact the cyber security of an organization.
Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with its strategic priorities.
Strategic intelligence tends to be the hardest form of intelligence to generate. Strategic threat intelligence requires human collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world’s geopolitical situation. Strategic intelligence usually comes in the form of reports.
Download the 2019 Global Threat Report on Adversary Tradecraft and The Importance of Speed to get insights on modern adversaries and their tactics, techniques, and procedures (TTPs).
Threat Intelligence the CrowdStrike Way
CrowdStrike’s threat intelligence solution, Falcon X, helps organizations easily consume intelligence, take action, and maximize the impact of their threat intelligence investment.
Integrated Intelligence, Tailored to Your Organization
Falcon X™ automates the threat investigation process and delivers actionable intelligence reporting and custom IOCs specifically tailored for the threats encountered on your endpoints. With this level of automation, you can stop picking and choosing which threats to analyze and start analyzing the most relevant threats to your organization.
Falcon X combines the tools used by world-class cyber threat investigators into a seamless solution and performs the investigations automatically. The integrated tool set includes malware analysis, malware search, and CrowdStrike’s global IOC feed. Falcon X enables all teams, regardless of size or sophistication, to understand better, respond faster and proactively get ahead of the attacker’s next move.
The Human Element of Threat Intelligence
Falcon X Premium intelligence reporting enhances your organization with the expertise of CrowdStrike’s Global Intelligence team to better fight against your adversaries. The CrowdStrike Intelligence team is a pioneer in adversary analysis, tracking more than 121 nation-state, cybercrime, and hacktivist groups, studying their intent and analyzing their tradecraft. This team of threat intelligence analysts, security researchers, cultural experts, and linguists uncover unique threats and provide groundbreaking research that fuels CrowdStrike’s ability to deliver proactive intelligence that can help dramatically improve your security posture and help you get ahead of attackers.
Interested in learning more about Falcon X? Check out the resources below: