Threat intelligence—also called cyberthreat intelligence (CTI) or threat intel—is detailed, actionable information about cybersecurity threats. Threat intelligence helps security teams take a more proactive approach to detecting, mitigating and preventing cyberattacks.
Threat intelligence is more than just raw threat information. It is threat information that has been correlated and analyzed to give security professionals an in-depth understanding of the potential threats their organizations face—including how to stop them.
More specifically, threat intelligence has three key characteristics that distinguish it from raw threat information:
Organization-specific: Threat intelligence goes beyond general information about hypothetical threats and attacks. Instead, it focuses on the organization’s unique situation: specific vulnerabilities in the organization’s attack surface, the attacks these vulnerabilities enable and the assets they expose.
Detailed and contextual: Threat intelligence covers more than just the potential threats to an organization. It also covers the threat actors behind the attacks, the tactics, techniques and procedures (TTPs) they use and the indicators of compromise (IoCs) that might signal a successful cyberattack.
Actionable: Threat intelligence gives information security teams insights that they can use to address vulnerabilities, prioritize threats, remediate risks and improve overall security posture.
According to IBM’s Cost of a Data Breach Report, the average data breach costs the victim organization USD 4.88 million. Detection and escalation costs account for the most significant portion of that price tag at USD 1.63 million.
Threat intelligence programs give security professionals information that can help detect attacks sooner—and completely stop some attacks from happening. These faster, more effective responses can reduce detection costs and significantly limit the impact of successful breaches.
The threat intelligence lifecycle is the iterative, ongoing process by which security teams produce and share threat intelligence. While the particulars can vary from organization to organization, most threat intelligence teams follow some version of the same six-step process.
In the planning stage, security analysts work with organizational stakeholders to set intelligence requirements. Stakeholders can include executive leaders, department heads, IT and security team members and anyone else involved in cybersecurity decision-making.
Intelligence requirements are, essentially, the questions that threat intelligence must answer for stakeholders. For example, the chief information security officer (CISO) might want to know whether a new, headline-making strain of ransomware is likely to affect the organization.
In the collection stage, the security team gathers raw threat data to meet those intelligence requirements and answer stakeholders' questions.
For example, if a security team is investigating a new ransomware strain, they might gather information on the ransomware gang behind the attacks. The team would also look into the types of organizations they’ve targeted in the past and the attack vectors they’ve exploited to infect previous victims.
This threat data can come from various sources. Some of the most common sources include:
Threat intelligence feeds are streams of real-time threat information. The name is sometimes misleading: While some feeds include processed or analyzed threat intelligence, others consist of raw threat data. (The latter are sometimes called threat data feeds.)
Security teams typically subscribe to multiple open source and commercial feeds provided by various threat intelligence services. Different feeds can cover different things.
For example, an organization might have separate feeds for each of these purposes:
Tracking the IoCs of common attacks
Aggregating cybersecurity news
Providing detailed analyses of new malware strains
Scraping social media and the dark web for conversations about emerging cyberthreats
Information-sharing communities are forums, professional associations and other communities where analysts share firsthand experiences, insights, threat data and other intelligence with one another.
In the US, many critical infrastructure sectors—such as the healthcare, financial services and oil and gas industries—operate industry-specific Information Sharing and Analysis Centers (ISACs). These ISACs coordinate with one another through the National Council of ISACs (NCI).
Internationally, the open source MISP Threat Sharing intelligence platform supports several information-sharing communities organized around different locations, industries and topics. MISP has received financial backing from both NATO and the European Union.
Data from internal security solutions and threat detection systems can offer valuable insights into actual and potential cyberthreats. Common sources of internal security logs include:
Security orchestration, automation and response (SOAR) platforms
Extended detection and response (XDR) platforms
Attack surface management (ASM) solutions
Internal security logs provide a record of the threats and cyberattacks the organization has faced, and they can help uncover previously unrecognized evidence of internal or external threats.
Information from these disparate sources is typically aggregated in a centralized dashboard, such as a SIEM or a dedicated threat intelligence platform, for easier management and automated processing.
In the processing stage, security analysts aggregate, standardize and correlate the raw data they've gathered to make analysis easier. Processing might include normalizing indicators from different feeds into a common format, deduplicating entries reported by more than one source, applying MITRE ATT&CK or another threat intelligence framework to contextualize data, filtering out false positives and grouping similar incidents.
Many threat intelligence tools automate this processing by using artificial intelligence (AI) and machine learning to correlate threat information from multiple sources and identify initial trends or patterns in the data. Some threat intelligence platforms now incorporate generative AI models that can help interpret threat data and generate action steps based on their analysis.
Analysis is the point at which raw threat data becomes true threat intelligence. At this stage, security analysts extract the insights they need to meet intelligence requirements and plan their next steps.
For example, security analysts might find that the gang connected with a new ransomware strain has targeted other businesses in the organization's industry. This finding indicates that this ransomware strain might be an issue for the organization, too.
Armed with this information, the team can identify vulnerabilities in the organization’s IT infrastructure that the gang might exploit and the security controls they can use to mitigate those vulnerabilities.
In the dissemination stage, the security team shares its insights and recommendations with the appropriate stakeholders. Action can then be taken on these recommendations, such as establishing new SIEM detection rules for newly identified threat indicators or updating firewalls and DNS filters to block suspicious IP addresses and domain names.
Many threat intelligence tools integrate and share data with security tools such as SOARs, XDRs and vulnerability management systems. These tools can use the threat intelligence to automatically generate alerts for active attacks, assign risk scores for threat prioritization and trigger other response actions.
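The processing and dissemination steps above, as an added worked example (this is not code from the original page or from any vendor product). Two constructed feeds in different formats are aggregated into one deduplicated indicator set, normalized so that defanged (hxxp, [.]) and mixed-case values compare equal, correlated against constructed proxy and EDR log lines to produce alerts, and reduced to a blocklist a firewall or DNS filter can consume. The feed contents, the key=value log format and every indicator value are made up for illustration; a real pipeline would read from the subscribed feeds and the SIEM instead of inline strings.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Constructed feed A (CSV): defanged, mixed-case indicators. Not a real feed.
FEED_A_CSV = """type,value,note
ip,203.0.113.45,C2 beacon
domain,Bad-Updates[.]example,payload staging
sha256,AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34,dropper
"""

# Constructed feed B (JSON): different field names, overlaps with feed A.
FEED_B_JSON = json.dumps([
    {"indicator": "203.0.113.45", "kind": "ipv4"},
    {"indicator": "hxxp://bad-updates[.]example/setup.exe", "kind": "url"},
    {"indicator": "ab12cd34ab12cd34ab12cd34ab12cd34ab12cd34ab12cd34ab12cd34ab12cd34", "kind": "sha256"},
    {"indicator": "198.51.100.7", "kind": "ipv4"},
])

# Constructed internal log lines in an assumed key=value format (proxy and EDR).
LOG_LINES = [
    "2024-05-03T10:15:02Z proxy src=10.0.0.12 dst=203.0.113.45 host=bad-updates.example url=http://bad-updates.example/setup.exe",
    "2024-05-03T10:15:09Z edr endpoint=ws-17 sha256=AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34AB12CD34 path=C:\\Users\\Public\\setup.exe",
    "2024-05-03T10:16:40Z proxy src=10.0.0.31 dst=192.0.2.10 host=updates.example url=https://updates.example/patch.msi",
    "2024-05-03T10:17:01Z proxy src=10.0.0.12 dst=198.51.100.7 host=cdn.example url=https://cdn.example/a.js",
]

# Map each feed's type vocabulary onto one canonical set.
TYPE_ALIASES = {"ip": "ip", "ipv4": "ip", "domain": "domain", "url": "url", "sha256": "sha256"}

# Which log field each indicator type is compared against (assumed log schema).
LOG_FIELD_FOR_TYPE = {"ip": "dst", "domain": "host", "url": "url", "sha256": "sha256"}


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.]) so feed values match what logs contain."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def normalize(ioc_type: str, value: str) -> tuple[str, str]:
    """Return a canonical (type, value) pair; applied to feed entries and log fields alike."""
    ioc_type = TYPE_ALIASES[ioc_type.lower()]
    value = refang(value)
    if ioc_type in ("domain", "sha256"):
        value = value.lower()
    elif ioc_type == "url":
        # Lowercase scheme and host only; the path may be case-sensitive.
        m = re.match(r"^(https?://)([^/]+)(.*)$", value, flags=re.IGNORECASE)
        if m:
            value = m.group(1).lower() + m.group(2).lower() + m.group(3)
    return ioc_type, value


def load_feeds() -> dict[tuple[str, str], set[str]]:
    """Aggregate both feeds into one deduplicated map: indicator -> feeds that reported it."""
    iocs: dict[tuple[str, str], set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        iocs[normalize(row["type"], row["value"])].add("feed-a")
    for entry in json.loads(FEED_B_JSON):
        iocs[normalize(entry["kind"], entry["indicator"])].add("feed-b")
    return dict(iocs)


def match_logs(iocs: dict[tuple[str, str], set[str]], log_lines: list[str]) -> list[dict]:
    """Correlate normalized indicators against the log field each indicator type applies to."""
    alerts = []
    for line in log_lines:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        for (ioc_type, value), sources in iocs.items():
            observed = fields.get(LOG_FIELD_FOR_TYPE[ioc_type])
            if observed is not None and normalize(ioc_type, observed)[1] == value:
                alerts.append({
                    "line": line,
                    "type": ioc_type,
                    "indicator": value,
                    "sources": sorted(sources),  # more feeds agreeing means higher confidence
                })
    return alerts


def network_blocklist(iocs: dict[tuple[str, str], set[str]]) -> list[str]:
    """Indicators a firewall or DNS filter can act on directly (dissemination step)."""
    return sorted(v for (t, v) in iocs if t in ("ip", "domain"))


if __name__ == "__main__":
    indicators = load_feeds()
    for alert in match_logs(indicators, LOG_LINES):
        print(f"[{alert['type']}] {alert['indicator']} ({', '.join(alert['sources'])}) <- {alert['line']}")
    print("blocklist:", network_blocklist(indicators))
```

Running the same normalize() over both the feed values and the observed log fields is what makes the correlation reliable: the two feeds report the same IP and the same hash in different spellings, and the deduplicated map records that both feeds agree, which is a useful input when prioritizing which alerts to escalate.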
In the feedback stage, stakeholders and analysts reflect on the most recent threat intelligence cycle to determine whether the requirements were met. Any new questions that arise or new intelligence gaps identified inform the next round of the lifecycle.
Security teams produce and use different types of intelligence, depending on their aims. The types of threat intelligence include:
Tactical threat intelligence helps security operations centers (SOCs) predict future attacks and better detect attacks in progress.
This threat intelligence typically identifies common IoCs, such as IP addresses associated with command and control servers, file hashes of known malware samples, or email subject lines used in phishing campaigns. Because attackers rotate infrastructure and recompile malware, these indicators age quickly and need to be refreshed continually.
In addition to helping incident response teams intercept attacks, tactical threat intelligence is also used by threat-hunting teams to track down advanced persistent threats (APTs) and other active but hidden attackers.
Operational threat intelligence is broader in scope and longer-lived than tactical threat intelligence. It focuses on understanding the TTPs and behaviors of threat actors—the attack vectors that they use, the vulnerabilities they exploit, the assets they target and other defining characteristics.
Information security decision-makers use operational threat intelligence to identify threat actors who are likely to attack their organizations and determine the security controls and mitigation strategies that can effectively thwart their attacks.
Strategic threat intelligence is high-level intelligence about the global threat landscape and an organization’s place within it. Strategic threat intelligence gives decision-makers outside of IT, such as CEOs and other executives, an understanding of the cyberthreats their organizations face.
Strategic threat intelligence usually focuses on issues such as geopolitical situations, cyberthreat trends in a particular industry, or how and why the organization’s strategic assets might be targeted. Stakeholders use strategic threat intelligence to align broader organizational risk management strategies and investments with the cyberthreat landscape.