How Threat Intelligence Works
In the field of cybersecurity, threat intelligence is any information related to cyberthreats and the attackers behind them. Threat intelligence comes in many forms, depending on the type of threat under consideration. Examples of threat intelligence include:
- Domain names known to host or spread malicious files
- IP addresses that are either part of a botnet, or used by an attacker to control one
- Vulnerabilities exploited by malware to infect computers on a network
- Checksums of known malicious files
- Email subject lines used in a phishing campaign
- Registry entries created by a family of malware
- Prepared reports and indicators of compromise (IOCs) for active threats
According to Gartner’s definition, another key characteristic of threat intelligence is that it “can be used to inform decisions” about how you and your organization will respond to a threat. In a word, threat intelligence is actionable.
The different types of threat-related information are also referred to collectively as indicators of compromise, or IOCs. The name reflects the fact that a match against this information, such as a firewall log entry showing a connection to a known-malicious domain, may indicate that one or more systems on that network have been compromised by the associated threat.
Sources of threat intelligence
Threat intelligence is available from a wide range of sources in the cybersecurity community. Among these sources are well-known companies like Kaspersky and VirusTotal. While some companies provide general-purpose threat intelligence, other sources are highly specialized. For example, the Ransomware Tracker project maintains lists of domains and IP addresses associated with ransomware attacks.
In addition to these varying degrees of specialization, threat intelligence is offered at many price points. Large companies offering comprehensive, enterprise-grade services typically sell subscription-based access to their products, with rates that depend on usage levels. However, many valuable threat intelligence resources are offered for free, which makes getting started with threat intelligence affordable.
Choose the right threat intelligence tools
To derive the greatest benefit, you should select threat intelligence tools that align with your organization’s needs. With hundreds of feeds to choose from, this isn’t always an easy task. Many feeds also draw on some of the same sources, which can lead to data duplication problems if you select several of these feeds unknowingly.
Other considerations in this area include factors like scope and cost, as described above. On one hand, the cost of paid threat intel feeds can add up quickly; on the other, paid feeds may be of higher quality and better targeted to your organization’s particular needs. Whether you choose paid sources, free sources, or a combination, keep in mind that simply subscribing to a large number of feeds does not automatically improve your organization’s security posture — quantity is not a substitute for quality.
Using threat intelligence
In the same way that an encyclopedia or atlas offers no benefit if left to gather dust on a shelf, it’s not enough to simply have threat intelligence — to benefit, you need to apply it correctly. Fortunately, there are many ways to apply threat intelligence, as well as tools to help you take full advantage of it.
Some forms of threat intelligence, like written reports about the latest threats, are meant for use by humans, rather than machines. They contain information and advice that you can apply to protect your organization from the latest threats. Other forms of threat intelligence are more useful to machines than humans; while a list of malicious IP addresses is simple in principle, you’re not going to spend hours poring over printed firewall logs with a highlighter, comparing the addresses in the log to those in the list. You could, however, use the list to update your firewall rules.
Making the most of threat intelligence
Today, it’s not always enough to apply threat intelligence manually. To make the most of the threat intelligence available to you, you can use a security orchestration, automation, and response (SOAR) tool. SOAR solutions can retrieve and act on threat intelligence without human intervention, improving efficiency and keeping your organization secure around the clock. Here are just a few of the things you can do with a SOAR tool:
- Periodically update firewall and IDS rules using lists of malicious IP addresses and domains.
- Look up and display information about a file during an alert investigation, using the file’s MD5 hash.
- Automatically isolate a suspicious device from the rest of the network until an analyst can inspect it manually.
- Flag user accounts at risk of being compromised through social engineering attacks.
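The matching described above (comparing firewall log entries against a list of malicious IP addresses and domains, and merging feeds that overlap so duplicates do not inflate the list), as an added example that is not from the original article or any SOAR product. The two feeds, the key=value log layout, and all addresses and domain names are constructed for the example.

```python
import ipaddress
import re

# Two constructed IOC feeds (not real feeds). They overlap on purpose: the page
# notes that feeds often share sources, so indicators must be de-duplicated.
FEED_A = """# constructed feed A: one indicator per line
198.51.100.23
malware-download.example
203.0.113.0/24
"""
FEED_B = """# constructed feed B, overlapping with A
198.51.100.23
phish-login.example
"""
# Constructed firewall log lines in a made-up key=value layout.
LOG_LINES = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.7 dst=93.184.216.34 dport=80 action=allow",
    "ts=2024-05-01T10:00:03Z src=10.0.0.9 dst=203.0.113.77 dport=22 action=allow",
    "ts=2024-05-01T10:00:04Z src=10.0.0.5 host=phish-login.example dport=443 action=allow",
]
FIELD = re.compile(r"(\w+)=(\S+)")

def load_indicators(*feeds):
    """Merge feeds into one de-duplicated set of networks and one of domains."""
    nets, domains = set(), set()
    for text in feeds:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:  # bare IPs and CIDR ranges both become ip_network objects
                nets.add(ipaddress.ip_network(line, strict=False))
            except ValueError:
                domains.add(line.lower())
    return nets, domains

def match_logs(lines, nets, domains):
    """Return (source host, matched indicator) for every log line hitting an IOC."""
    hits = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        src, dst = fields.get("src"), fields.get("dst")
        host = fields.get("host", "").lower()
        if dst:  # match the destination address against every IP/CIDR indicator
            net = next((n for n in nets if ipaddress.ip_address(dst) in n), None)
            if net is not None:
                hits.append((src, str(net)))
        if host in domains:
            hits.append((src, host))
    return hits
```

Each hit names an internal source host that talked to an indicator, which is the starting point for the isolation and investigation steps listed above.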
Ultimately, your goal should be to use threat intelligence to automate as much as possible (within reason). While automation cannot replace human security analysts, it can make their work much more efficient. By correctly implementing automation, your SOC will be able to get more done in less time. Your organization will save money, and its security posture will improve.