November 5, 2019 • The Recorded Future Team
As we recently explored, organizations are beginning to move toward a security intelligence philosophy. Security intelligence means leading with intelligence across threat prevention, third-party risk management, and brand protection strategies. This shift helps amplify the effectiveness of security teams in reducing exposure by uncovering unknown threats and informing better, faster decisions. Today, we’ll delve into the what, who, and why of threat intelligence — and how its adoption paves the way for a comprehensive security intelligence program.
What Is Threat Intelligence?
Threat intelligence is knowledge that allows you to prevent and mitigate attacks on digital systems. It is not raw data or information; it is the product of analyzing data and information to uncover patterns and stories. Threat intelligence provides valuable context such as who is attacking you, what their motivation and capabilities are, and which indicators of compromise (IOCs) to look for in your systems. It helps you make faster, more informed decisions about your security, while putting everybody in your organization on the same page.
Threat intelligence can generally be categorized into two types of intelligence:
- Operational threat intelligence, generally sourced from machines, is knowledge about ongoing cyberattacks, events, and campaigns. It gives incident response teams specialized, technical insight into the nature, intent, and timing of specific attacks as they occur.
- Strategic threat intelligence provides a wide overview of an organization’s threat landscape, such as risks associated with certain actions, broad patterns in threat actor tactics and targets, and geopolitical events and trends. It is most helpful for informing high-level decisions by executives, and the content is generally presented through reports or briefings, materials that can only be produced by humans with expertise, not by machines.
Producing effective threat intelligence takes deep research and massive volumes of data, often across multiple languages. These challenges can make initial data collection and processing too difficult to perform manually, even for those rare analysts who possess the right language skills, technical background, and tradecraft. A threat intelligence solution that automates data collection, processing, and analysis across internal, external, technical, and human sources helps dramatically reduce this burden and allows analysts with less expertise to work much more effectively.
Who Can Benefit From Threat Intelligence?
Everyone! There’s a common misconception that threat intelligence is the domain of elite analysts. This couldn’t be further from the truth. In reality, it adds value across security functions for organizations of all sizes — whether you’re staffing a SOC, managing vulnerabilities, leading fraud prevention or risk analysis, or making high-level security decisions.
- For SOC teams, threat intelligence enriches internal alerts with the external information and context needed to accelerate triage. It shortens the “time to no” (how quickly an analyst can confidently dismiss a benign alert), reduces alert fatigue, and ultimately helps SOC teams make faster, risk-based decisions. Threat intelligence can also help SOC teams simplify incident analysis and containment.
- For incident response teams, threat intelligence helps bridge the massive cybersecurity skills gap, reduce false positive alerts, and provide actionable insights needed to quickly identify, prioritize, and respond to probable threats.
- For vulnerability management teams, threat intelligence provides the necessary context on specific vulnerabilities that represent risk to the organization and gives them visibility into their likelihood of exploitation. With this knowledge, teams can quickly weigh the potential disruption of applying a patch against the real-world threat posed by the vulnerability — and make a rapid, informed decision.
- For security leadership, threat intelligence helps them gain a holistic view of their specific cyber risk landscape (including emerging threats and “known unknowns” that might impact the business), identify the right strategies and technologies to mitigate the risks, communicate the nature of the risks to top management, and justify investments in defensive measures.
- For fraud protection teams, threat intelligence can help them safeguard their organization’s reputation and brand by monitoring for direct threats to the business (domains, credentials, executive mentions, BIN/PIN numbers, etc.), alerting on threats from the dark web, paste sites, and more, and taking down social media abuse and typosquatting.
- For risk management teams, threat intelligence helps them gain a holistic, threat-centric view of third-party risk across all vendors and partners that will help them understand, analyze, and address issues more quickly and confidently.
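The SOC enrichment described above, as an added example that is not part of the original post or of any Recorded Future product: a small Python triage routine that parses constructed key=value proxy/firewall log lines, looks up the destination IP and hostname in a constructed, hypothetical intelligence feed, and turns the matched context (indicator confidence, actor linkage, and how recently the indicator was seen) into a score and a triage decision. The feed entries, indicator values, log lines, scoring weights, and thresholds are all assumptions chosen to illustrate the mechanics.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Constructed, hypothetical intelligence feed (not a real feed). Each IOC carries
# the context an analyst wants at triage time: confidence (0-100), the actor it
# is linked to (if any), and when it was last seen active.
INTEL_FEED: Dict[str, dict] = {
    "203.0.113.10": {"type": "ipv4", "confidence": 90, "actor": "ExampleGroup", "last_seen": "2019-11-04"},
    "evil-update.example": {"type": "domain", "confidence": 75, "actor": "ExampleGroup", "last_seen": "2019-10-30"},
    "198.51.100.7": {"type": "ipv4", "confidence": 20, "actor": None, "last_seen": "2019-06-01"},  # stale, low confidence
}

# Constructed sample log lines in a simple key=value format (assumed schema).
SAMPLE_LOGS: List[str] = [
    "2019-11-05T10:12:00Z src=10.0.0.5 dst=203.0.113.10 host=- action=allow sev=low",
    "2019-11-05T10:12:30Z src=10.0.0.9 dst=192.0.2.44 host=evil-update.example action=allow sev=low",
    "2019-11-05T10:13:00Z src=10.0.0.7 dst=198.51.100.7 host=- action=block sev=medium",
    "2019-11-05T10:14:00Z src=10.0.0.3 dst=192.0.2.99 host=cdn.example.org action=allow sev=low",
]

# Assumed weights: internal severity gives a base score; intel adds on top of it.
SEVERITY = {"low": 10, "medium": 40, "high": 70}
STALE_AFTER_DAYS = 30  # indicators not seen in the last 30 days count for half
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    raw: str
    fields: Dict[str, str]
    matches: List[dict] = field(default_factory=list)
    score: int = 0
    decision: str = "close"


def parse_log(line: str) -> Alert:
    """Split a key=value log line into fields; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return Alert(raw=line, fields=fields)


def enrich(alert: Alert, feed: Dict[str, dict]) -> Alert:
    """Attach feed context for every observable in the alert that the feed knows about."""
    for key in ("dst", "host"):
        value = alert.fields.get(key)
        if value and value in feed:
            hit = dict(feed[value])
            hit["indicator"] = value
            alert.matches.append(hit)
    return alert


def score(alert: Alert, today: date) -> Alert:
    """Combine internal severity with the strongest intel match into a 0-100 score."""
    base = SEVERITY.get(alert.fields.get("sev", "low"), 10)
    intel = 0
    for m in alert.matches:
        weight = m["confidence"]
        age = (today - date.fromisoformat(m["last_seen"])).days
        if age > STALE_AFTER_DAYS:
            weight //= 2  # old sighting: still worth a look, but less urgent
        if m.get("actor"):
            weight += 10  # attribution to a known actor adds context and urgency
        intel = max(intel, weight)
    total = min(100, base + intel)
    if alert.fields.get("action") == "block":
        total //= 2  # already contained at the boundary: a candidate for a fast "no"
    alert.score = total
    if total >= 80:
        alert.decision = "escalate"
    elif total >= 40:
        alert.decision = "investigate"
    else:
        alert.decision = "close"
    return alert


def triage(lines: List[str], feed: Dict[str, dict], today: str) -> List[Alert]:
    """Parse, enrich and score each line; return alerts ordered by descending score."""
    today_d = date.fromisoformat(today)
    alerts = [score(enrich(parse_log(line), feed), today_d) for line in lines]
    return sorted(alerts, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS, INTEL_FEED, today="2019-11-05"):
        actors = {m["actor"] for m in a.matches if m.get("actor")}
        print(f"{a.score:3d} {a.decision:11s} dst={a.fields['dst']} host={a.fields['host']} actors={sorted(actors)}")
```

Run against the constructed input, the two low-severity allows that touch fresh, actor-linked indicators are escalated, the blocked connection to a stale, low-confidence IP is closed quickly, and the alert with no intel match is closed on its internal severity alone. In a real deployment the feed lookup would be replaced by a query to whichever intelligence platform the SOC uses, and the weights and thresholds would be tuned to the organization's own false-positive tolerance.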
Why Is Threat Intelligence Important?
Research firm IDC found that threat intelligence as part of a broader security intelligence program can significantly reduce risk while driving improvements in both security and operational efficiency. With threat intelligence, organizations can:
- Find threats 10 times faster, resolve threats 63% quicker, and identify 22% more security threats before impact
- Boost productivity across their entire IT security team by 32% by replacing manual tasks and research with automation
- Realize greater operational efficiency resulting in additional time for teams to implement strategic, proactive cybersecurity measures that drive down risk
- Save money through reduced IT expenditures (such as external security reports and consulting) and breach-related penalties and fines (up to $1 million per breach avoided)
How Does Threat Intelligence Adoption Underpin Security Intelligence?
Threat intelligence is not some kind of monolith that needs to be dropped onto the security organization all at one time. Instead, you have options to draw on a wide range of data sources and then process, analyze, and disseminate threat intelligence to every major group in your security organization. You can start your journey toward a full security intelligence program by researching the needs of each group and seeing how threat intelligence can help them achieve their objectives. Then, over time, you can build toward a comprehensive program that:
- Scours the widest possible range of technical, open, and dark web sources
- Uses automation to deliver easily consumable intelligence
- Provides fully contextualized alerts in real time with limited false positives
- Integrates with and enhances existing security technologies and processes you already rely on
- Consistently improves the efficiency and efficacy of your entire security organization
Threat intelligence helps everyone in cybersecurity — enabling teams to anticipate threats, respond to attacks faster, and make better decisions on how to reduce risk. It can be applied to several facets of an organization’s security strategy, enabling a shift toward a more proactive, comprehensive security approach. This is security intelligence — a philosophy that amplifies the effectiveness of security teams and tools by exposing unknown threats, informing better decisions, and driving a common understanding to ultimately accelerate risk reduction across the organization.
Interested in learning more? Download the second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.”