What Is Threat Intelligence and Why Is It Important?
Threat intelligence is knowledge about security threats, threat actors, exploits, malware, vulnerabilities, and compromise indicators (according to SANS). The more aware you are of possible threats, and the more details you have about their mode of operations, capabilities, infrastructure, motives, and goals, the better you are equipped to defend your organization.
With the growth in cybercrime and the huge proliferation of attackers and attack types, threat intelligence has become an industry. Commercial providers operate research bodies and sell information in the form of feeds. Government institutes and independent research bodies also provide feeds with valuable data, typically open for use. And there are platforms which help organizations receive, organize and act upon all this information.
The 4 Layers of Threat Intelligence
Figure 1 – Threat intelligence is made up of four layers, which help organizations ingest and make use of threat data.
From bottom to top in the diagram above:
- Sources—raw data about security incidents and threats
- Feeds—raw data packaged into a standardized format which enables real time streaming of new events, around a certain security theme
- Platforms—a system that helps an organization receive data from multiple feeds, correlate it with internal data, manage it and derive insights
- Professional services—in many cases threat intelligence providers go beyond supplying data and software, they also provide experts who can help their customers review threat data and identify pertinent information
A threat intelligence provider is a commercial body that provides some or all of the four layers. We list some of the leading tools in the platforms and providers section below.
Sources—Where Does Threat Intelligence Come From?
A threat intelligence source is the raw data, which can be parsed, analyzed and packaged to create an intelligence feed. Organizations should have their own sources, and not base all their knowledge on external providers.
There are many other important sources of threat data which organizations typically cannot access or consume on their own—they rely on feeds provided by others in the industry.
A few examples of sources available directly to security staff at organizations:
- In-house threat analytics—based on network monitoring and data about past incidents from incident response and Security Operations Center (SOC) teams
- Professional communities—such as a Financial Services Information Sharing and Analysis Center (FS-ISAC) for financial security pros
- Security news and blogs—reading security publications and being aware of current attacks and exploits in your industry is an excellent source of threat intelligence
- The dark web—many security professionals dive into the dark web of underground forums to identify stolen assets, learn who threat actors are targeting, analyze exploit kits, and so on (proceed with caution)
There are six primary sources of data used by public or commercial threat intelligence feeds:
- Open source—open data collected and shared among security professionals
- Customer telemetry—information collected from security companies operating tools across many organizations
- Dark web and honeypots—obtaining intelligence directly from attackers
- Scanning and crawling—systematically crawling the internet to find exploits, attacks, or malicious entities
- Malware processing—identifying malware and running it in a safe sandbox environment to understand its properties
- Human intelligence—analysts investigating incidents and discovering vulnerabilities through exploration
Feeds: Packaged Threat Intelligence for the Masses
A threat intelligence feed is a packaged collection of data, taken from a variety of sources, typically falling into one or more of the six sources we list above. Most feeds focus on one area of interest, such as domains, malicious IP addresses, or botnet activity. Many security feeds are freely available; others require paid subscriptions.
Threat intelligence feeds stream information in real time—as soon as a new threat or malicious entity is discovered, the information is packaged into the feed format and streamed to subscribers. Time is of the essence, because a primary goal of users is to become aware of threats and defend against imminent attacks before they happen.
Security professionals use feeds by:
- Coupling them to security tools—for example, some firewalls can accept feeds about bad IP addresses and can block those IP addresses.
- Using them to generate alerts—for example, threat intelligence feed data can be saved to a Security Information Event Management (SIEM) or User Event Behavioral Analytics (UEBA) solution, which can correlate threat data with internal security events, and generate alerts when threats are relevant for your organization.
- Manual review—many security professionals receive threat intelligence feeds and review them manually, investigating threats that seem relevant to their security posture.
Here are a few lists of important threat intelligence feeds:
- Lists of threat intelligence feeds by commercial providers
- List of cyber intelligence data provided by governments
- Lists of free and open source threat intelligence feeds
Threat Intelligence Platforms and Providers
Threat intelligence platforms help organizations take in, store, analyze, organize and compare multiple feeds. A platform combines all your feeds into one, correlates them with internal security events, and creates prioritized alerts for analysts to review. A SIEM, while it has many other uses, also functions as a threat intelligence platform.
A few popular threat intelligence platforms include:
- Palo Alto Networks AutoFocus—threat intelligence service with threat analytics. Provides intelligence, correlation, added context and automated prevention workflows.
- Anomali ThreatStream—helps identify new attacks by collecting millions of threat indicators. Helps deduplicate data, remove false positives, and feeds intelligence to security tools.
- ThreatQuotient—helps accelerate security operations with an integrated threat library, shared contextual intelligence that empowers security teams, and customizable workflows combining human and automated threat detection.
- ThreatConnect—combines external threat data from trusted sources with in-house data, provides analytics showing the impact of security efforts and the most relevant threats to your organization.
Challenges of Threat Intelligence
Threat intelligence has proven to be extremely valuable in helping defend against cyber attacks. However, there are several common difficulties experienced when managing it:
- Too much data—analysts are drowning in alerts and data. Feeds only add large volumes of data to this mix. Without effective workflows and prioritization, data can become overwhelming and lead to alert fatigue.
- Selecting the wrong feeds—helps identify new attacks by collecting millions of threat indicators. Helps deduplicate data, remove false positives, and feeds threat intelligence to security tools.
- Context—threat intelligence often provides pertinent information, but without the relevant context. How important is a threat to your security posture? Have you or organizations in your neighbourhood been hit by this attack? Which current events may be correlated with this attack signature?
- Process and skills—threat intelligence feeds are not useful on their own; they require trained analysts to turn them into actionable insights for the organization. Many organizations do not have enough analysts available to review all relevant feeds and alerts, or do not have an efficient process in place to proactively discover new threats, leveraging threat intelligence data.
- Workflow—when analysts get an Indicator of Compromise (IoS) via a threat intelligence feed, they commonly need to leave the solution to investigate and respond to the event via other tools. This erodes analyst productivity. Platforms are introducing automated workflows and orchestration to help streamline the analyst workflow.
Leveraging Next-Gen SIEM to Put Threat Intelligence to Real Use
Next generation SIEM platforms, like Exabeam’s Security Management Platform, can help organizations effectively consume threat data, and put it to use.
Next generation SIEMs include several capabilities that can improve the effectiveness of your threat intelligence operation:
- Advanced analytics—using behavioral analytics to identify anomalous behavior that might indicate an attack, and correlating with threat analytics data to identify the type and source of the attack.
- Smart forensic analysis—collecting all relevant information about a security incident, across multiple users, IP addresses and IT systems, combining it with threat intelligence data, and laying it out on an incident timeline. This provides context that is sorely missing in traditional systems.
- Incident response automation—gathering data from hundreds of tools, automatically identifying incidents, referencing them with threat intelligence data, and even automatically orchestrating containment and mitigation steps.
- Threat hunting—using threat intelligence data, combined with free exploration of internal data, to identify new and unknown threats that might be affecting your organization.
Modern SIEMs that are designed to work with threat intelligence from the ground up, can provide data exactly where and when you need it. This dramatically improves productivity compared to most traditional intelligence tools, which require analysts to extract threat data and go to other tools to respond to the event or incident.
For more on threat intelligence, read our blog post about boosting the effectiveness of threat intelligence with next gen SIEM.
To learn more about Exabeam’s Threat Intelligence Service, read our blog about how to Enable Smarter Workflows Using Exabeam Threat Intelligence Service.