Threat intelligence can be defined as what becomes of data after it has been gathered, processed, & analysed. Organisations can use threat intelligence to defend against cyber threats. Here is a review of what threat intelligence is, its types, how it works, & why it matters.
WHAT IS THREAT INTELLIGENCE?
Threat intelligence, or cyber threat intelligence, is information organisations can use to defend against cyber threats. This is distinct from raw data, which must first be analysed before it yields any insight.
So, threat intelligence is what becomes of raw data after it has been collected, processed, & analysed. It can then be used to make informed decisions. It should be accurate, actionable, relevant, &, ideally, timely.
WHY IS THREAT INTELLIGENCE IMPORTANT?
With the number of cyber threats organisations face, threat intelligence gives them the information they need to identify threats & protect themselves. For example, if an organisation learns the patterns & techniques of attackers, it can put effective defences in place & mitigate the risks that could impact its business.
Threat intelligence also helps companies avoid data breaches. In addition, they can share intelligence with other companies, which helps the wider community collectively prevent future threats.
Threat intelligence can look like the preserve of advanced analysts, but anyone with an interest in security can benefit from it.
Those involved with security operations, vulnerability management, fraud prevention, & risk analysis can all use threat intelligence to inform their decisions.
THE LIFE-CYCLE OF THREAT INTELLIGENCE
Rather than a linear, end-to-end process, threat intelligence works as a circular process called the ‘threat intelligence life-cycle’.
It is a cycle, since new questions & knowledge gaps could appear during the process which may create new collection requirements.
The cyber threat intelligence cycle is made up of several stages:
- Planning & direction: Requirements for data collection are defined first, so the right questions must be asked in order to generate actionable intelligence.
- Collection: After defining the collection requirements, raw pieces of data about current or future threats are then gathered together. Different threat intelligence sources are used, e.g. internal logs & records, but also the Internet & other technical sources.
- Processing: The collected data is then organised & tagged with metadata. Redundant information, false positives, & false negatives are filtered out. Platforms such as a SIEM or SOAPA make it much easier to organise the collected data.
- Analysis: This is what sets threat intelligence apart from mere information gathering & dissemination. Processed data is analysed using structured analytical techniques. The resulting cyber threat intelligence feeds help analysts find indicators of compromise (IOCs). Common IOCs include suspicious links or websites, emails & email attachments, & registry keys.
- Dissemination: The result of analysis is then sent to the correct people in a timely fashion. Dissemination is also tracked, to allow continuity between each cycle.
- Feedback: The requester reviews the threat intelligence & decides whether it adequately addressed their questions. If it did, the cycle ends; where a fresh need arises, the process returns to the beginning.
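As an added example (not code from the original article), the Processing, Analysis & Dissemination stages of the cycle above, in miniature: constructed feed records from two sources are normalised, tagged with their sources, de-duplicated & stripped of a known-good false positive, then matched against constructed proxy log lines (the log format, the allow-list & the confidence threshold are all assumptions).

```python
import re

# Constructed raw records from the Collection stage: two sources, inconsistent
# formatting (a duplicate domain, a benign CDN that would be a false positive).
RAW_FEED = [
    {"source": "internal-proxy", "type": "domain", "value": "Evil-Updates.example", "confidence": 80},
    {"source": "partner-share", "type": "domain", "value": "evil-updates.example.", "confidence": 60},
    {"source": "partner-share", "type": "domain", "value": "cdn.example-corp.example", "confidence": 20},
    {"source": "internal-proxy", "type": "sha256", "value": "AB" * 32, "confidence": 90},
]
KNOWN_GOOD = {"cdn.example-corp.example"}  # assumed allow-list used to drop false positives

# Constructed proxy log lines for the Analysis stage (hypothetical format).
LOG_LINES = [
    "2024-01-05T10:00:01Z host=ws-17 dst=evil-updates.example path=/a.bin",
    "2024-01-05T10:00:02Z host=ws-17 dst=cdn.example-corp.example path=/lib.js",
    "2024-01-05T10:00:03Z host=ws-22 dst=news.example path=/",
]

def process(records, min_confidence=50):
    """Processing stage: normalise, tag with sources, merge duplicates, drop allow-listed/low-confidence."""
    iocs = {}
    for r in records:
        value = r["value"].strip().lower().rstrip(".")  # case & trailing-dot normalisation
        if value in KNOWN_GOOD or r["confidence"] < min_confidence:
            continue
        entry = iocs.setdefault((r["type"], value),
                                {"type": r["type"], "value": value, "sources": set(), "confidence": 0})
        entry["sources"].add(r["source"])                # metadata tag: who reported it
        entry["confidence"] = max(entry["confidence"], r["confidence"])
    return list(iocs.values())

def analyse(iocs, log_lines):
    """Analysis stage: match domain IOCs against log lines; one hit per matching line."""
    domains = {i["value"]: i for i in iocs if i["type"] == "domain"}
    hits = []
    for line in log_lines:
        m = re.search(r"host=(\S+) dst=(\S+)", line)
        if m and m.group(2).lower() in domains:
            ioc = domains[m.group(2).lower()]
            hits.append({"host": m.group(1), "ioc": ioc["value"],
                         "sources": sorted(ioc["sources"]), "confidence": ioc["confidence"]})
    return hits

def disseminate(hits):
    """Dissemination stage: one summary line per affected host for the requester."""
    return [f"{h['host']}: contacted {h['ioc']} (confidence {h['confidence']}, "
            f"sources: {', '.join(h['sources'])})" for h in hits]
```

Running `disseminate(analyse(process(RAW_FEED), LOG_LINES))` yields a single line for ws-17; the CDN request is not reported because the allow-list removed it during processing.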