In the context of security, threat intelligence (TI) refers to knowledge or data that can be used to make actionable decisions regarding attacks that can threaten an organization.
Threat intelligence is not just about gathering information; it is also about understanding how data can help an organization effectively combat threats. Threat intelligence is essentially about “knowing one’s enemy.” It aims to give the business knowledge on how to deal with any potential threats within the organization.
Threat intelligence serves as an important aspect of an organization’s overall detection and response (D&R) capabilities. However, it can be resource-intensive for an organization to develop and act on threat intelligence by itself. Detection and response solutions therefore exist so that organizations can take advantage of the threat intelligence of cybersecurity companies.
Threat intelligence helps businesses gain knowledge of the nature of threats, which in turn allows them to strengthen their security profile against any potential attack. For example, indicators of compromise (IoCs) in a targeted attack scenario can help a security team understand the nature of an attack, including who the threat actor is and what tools, tactics, and procedures are used. Threat intelligence can also help organizations pinpoint the weak points in their security chain, such as unpatched vulnerabilities and insecure critical assets, which can then be addressed by security teams.
Threats have evolved from being single attacks or malware to well-planned and -executed attacks that can be difficult to detect and can cause devastating damage to an organization. Much buzz has been generated around solutions like endpoint detection and response (EDR) as answers to such cyberattacks. However, such tools often generate numerous gray alerts that organizations need to address. Threat intelligence is also needed to make sense of and provide context to these gray alerts.
While there’s no hard rule on how threat intelligence is developed, it is typically gathered from two main sources:
Internal threat intelligence is information and data gathered from within the organization. This includes information on past and current attacks, network indicators, and knowledge of the specific vulnerabilities and exploits that can cause potential compromise.
External threat intelligence refers to information gathered from external sources or providers. This can come from threat intelligence databases of security companies. Data subscriptions, government organizations, law enforcement, and crowdsourcing are also some of the ways external threat intelligence can be acquired.
There are numerous tools that IT and security teams can use for threat intelligence. Websites such as VirusTotal and Malshare are often used by security teams and researchers for sourcing samples and gathering information. Another useful website is SANS ISC Suspicious Domains, which provides a list of suspicious domains classified according to threat level.
Security tools play a large part in threat intelligence. They can detect malicious content and behavior within an organization’s network. These solutions integrate technologies such as network traffic inspection, which can scan the network for any suspicious activities, and machine learning algorithms that are able to make accurate predictions based on previous experience with malicious threats.
The main limitations of threat intelligence usually lie in the organization’s own limitations. While regular IT staff members may be aware of the basic tools and techniques used by cybercriminals, such as the use of social engineering or compromised URLs, they may not be able to correlate this information or data to build an overall picture of the threat landscape in which the business is operating. The logical answer to this would be to beef up the security staff. However, the global shortage of cybersecurity skills makes this infeasible.
An organization may enlist a traditional managed security service provider (MSSP). The threat intelligence afforded by such a provider, though, may not be very in-depth and may instead be focused on known threats. On the other hand, more modern, complex solutions such as EDR entail a considerable amount of time and skill to use.
Thus, organizations may opt not to prioritize threat intelligence because of their personnel’s lack of expertise in handling the different aspects of threat intelligence, especially in regard to contextualizing threats.
Furthermore, there are certain problems that businesses often encounter when trying to build their security profile. A large problem is the global cybersecurity skill shortage, which makes it difficult to find staff members who are qualified to perform effective detection and response (in which threat intelligence plays an important part) and to operate complex security tools whose proper use can take a considerable amount of time to learn. In addition, while modern detection tools are excellent at alerting organizations to suspicious activity, they do not provide context: the large number of gray alerts they generate still need to be investigated, correlated, and prioritized.
According to a 2018 survey, 51 percent of IT professionals cited a shortage of cybersecurity skills within their respective organizations. The immensity of resources required to train professionals to perform detection and response may be more than what businesses are willing to spend. Many IT teams also double as their organizations’ security teams, which means that security is only one aspect of their work. Often, more time has to be spent managing the day-to-day requirements of the business, leaving less time for the actual work of threat intelligence.
Managed detection and response (MDR) helps address the cybersecurity skill gap by providing the expertise these businesses lack, often at a cost that’s less than what is required to build a dedicated security team, and in less time at that.
Organizations may be using EDR tools to address attacks designed to bypass traditional security systems. Such tools can generate numerous gray alerts daily — perhaps too many for an in-house team to prioritize and analyze. At times, gray alerts seem insignificant until they are correlated with other seemingly insignificant threats and turn out to be real problems. MDR can help organizations make proper correlations across endpoints and networks, and essentially maximize the threat data provided by EDR tools.
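The cross-endpoint correlation described above, as an added example that is not part of the original article: gray alerts from an EDR tool are enriched against an internal and an external IoC list (the article's two TI sources) and escalated when the same indicator recurs on several endpoints. Every feed value, alert and host name is constructed for illustration.

```python
"""Added example (not from the original article): enrich EDR 'gray' alerts
with internal and external threat intelligence, then correlate them across
endpoints so low-confidence alerts sharing an indicator are escalated."""
from collections import defaultdict

# Constructed IoC feeds (hypothetical values, not real indicators).
INTERNAL_TI = {"10.0.0.99"}            # e.g. an address seen in a past incident
EXTERNAL_TI = {"bad-update.example"}   # e.g. a domain from a vendor feed

# Constructed gray alerts: low-severity observations from an EDR tool.
ALERTS = [
    {"host": "ws-01", "indicator": "bad-update.example", "severity": "low"},
    {"host": "ws-02", "indicator": "bad-update.example", "severity": "low"},
    {"host": "ws-03", "indicator": "10.0.0.99", "severity": "low"},
    {"host": "ws-04", "indicator": "cdn.example", "severity": "low"},
]

def enrich(alert, internal=INTERNAL_TI, external=EXTERNAL_TI):
    """Tag the alert with the TI source that knows its indicator, if any."""
    ind = alert["indicator"]
    if ind in internal:
        src = "internal"
    elif ind in external:
        src = "external"
    else:
        src = None
    return {**alert, "ti_source": src}

def correlate(alerts, min_hosts=2):
    """Group enriched alerts by indicator and assign a priority:
    high   - on a TI feed AND seen on at least min_hosts endpoints
    medium - on a TI feed, OR seen on at least min_hosts endpoints
    gray   - neither; the alert stays low priority."""
    by_ind = defaultdict(list)
    for alert in alerts:
        enriched = enrich(alert)
        by_ind[enriched["indicator"]].append(enriched)
    result = {}
    for ind, group in by_ind.items():
        hosts = sorted({g["host"] for g in group})
        source = next((g["ti_source"] for g in group if g["ti_source"]), None)
        spread = len(hosts) >= min_hosts
        if source and spread:
            priority = "high"
        elif source or spread:
            priority = "medium"
        else:
            priority = "gray"
        result[ind] = {"priority": priority, "hosts": hosts, "ti_source": source}
    return result
```

Calling `correlate(ALERTS)` escalates the domain seen on two hosts to high, the internally known address to medium, and leaves the unmatched single-host alert gray.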
Threat intelligence is always the concern of a dedicated MDR team, whether it requires threat hunting, analysis of IoCs, or even in-depth research into the nature of threat actors. This setup serves the dual purpose of lightening the load of the internal IT team and strengthening the organization’s security posture at the same time.
MDR teams are professionals, usually with years of experience and always with the collective knowledge of a security organization behind them. This gives them an advantage when dealing with advanced threats, since they are able to effectively correlate various indicators to create a clear picture of what the affected organization is dealing with. It also allows them to react faster and address potential threats before damage is inflicted on the organization.
MDR is all about lending a much-needed deeper expertise to threat intelligence. While security tools can provide raw information and data, there is a need for security analysts and researchers who can process and contextualize the collected data. MDR teams can provide guidance to businesses to help them create various defense strategies against any security threat that they may encounter.