A truly effective, comprehensive security protocol relies on a number of moving parts. However, at the heart of any security plan lies threat intelligence. In short, without it, it’s all but impossible to understand exactly what you are protecting against, and how to best secure your assets.
But what exactly is threat intelligence? It is more than awareness of the threats that are out there. For example, when a major malware outbreak takes place, such as the WannaCry ransomware attack of May 2017, IT security teams learn what the malware does, how it spreads, and how to keep it out of their own organizations. That alone is not threat intelligence, however: real threat intelligence goes beyond the obvious risks every organization faces and its generic exposure to attack.
Rather, threat intelligence is a deeper, more involved approach to security. Gartner Research defines it as “…evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” In other words, it’s a deep understanding of specific threats to an organization, including the attacker’s goals, what would happen if the threat were to become reality, and the best ways to respond to the threat.
Threat intelligence is much more than lists of data about known risks. For instance, your organization’s perimeter controls may rely on feeds of known malicious domains or IP addresses, or on malware signatures. That information is useful, but it is not “intelligence” on its own, because it says nothing about the context or relevance of the danger: who is behind an indicator, what they are after, whether it applies to you, or whether it is still current. Effective security requires looking at the big picture, and without threat intelligence it is almost impossible to see the forest for the trees.
With that in mind, threat intelligence is usually broken down into three types: strategic, tactical, and operational.
- Strategic threat intelligence is a broad overview of the threat landscape, which includes reports and research about trends, incidents, and new policies.
- Tactical threat intelligence refers to information about how cyber criminals are acting. It’s an understanding of the tools and techniques they’re using for attacks, and the vulnerabilities they seek. Tactical intelligence requires placing this information in the context of your own organization, to truly understand the potential effects it can have.
- Finally, operational intelligence is knowledge about specific attacks or campaigns, including their indicators, timing, and intent. This is the hardest type to gather, because much of it comes from adversary activity and communications that are encrypted or deliberately obscured, but it can provide some of the most valuable information for preventing breaches.
Why Does Threat Intelligence Matter?
Many IT security teams take a reactive approach to security: when they learn of a threat, they take steps to stop it. Yet the threat landscape evolves every day, and many adversaries will not let one thwarted attempt stop them from achieving their goal of breaching your network. In fact, many attackers operate as advanced persistent threats (APTs), launching multiple targeted attacks, sometimes over the course of several years, in their attempts to get at your data.
While your security controls may stop the majority of these attacks, without threat intelligence there is no context to the attacks, and a lower chance that you will stop all of them. Without a full understanding of the attacks and how they are interconnected, including who is launching them, you cannot develop an effective defense. Armed with the right threat intelligence, you can develop better policies and deploy security tools more effectively, such as endpoint detection and response and mobile security tools. Ultimately, threat intelligence can inform everything from incident detection and blocking, through contextual alerting and signature-based blocking, to security planning for better incident response.
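The difference between a bare blocklist and intelligence with context, as described above, is easiest to see in code. The following is an added example, not code from the original article: it runs a few constructed proxy-style log lines first against a plain blocklist and then against the same indicators enriched with hypothetical context (campaign label, technique, analyst confidence, last-seen date, targeted sectors), derives a recommended action from that context, and groups the hits by campaign so that related events read as one intrusion rather than unrelated alerts. All indicator values, campaign names and log lines are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: a context-free blocklist is just a set of values.
BLOCKLIST = {"198.51.100.23", "203.0.113.9", "updates-cdn.example"}

@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str              # "ip" or "domain"
    campaign: str          # hypothetical campaign label
    technique: str         # hypothetical technique label (ATT&CK-style)
    confidence: int        # analyst confidence, 0-100
    last_seen: datetime    # when the indicator was last observed in the wild
    sectors: frozenset     # sectors the campaign is known to target

# Fixed clock so the example is reproducible offline.
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed sample: the same three values as the blocklist, now carrying context.
INTEL = {
    "198.51.100.23": Indicator("198.51.100.23", "ip", "CAMPAIGN-A", "T1071.001 web C2",
                               90, NOW - timedelta(days=2), frozenset({"finance", "healthcare"})),
    "updates-cdn.example": Indicator("updates-cdn.example", "domain", "CAMPAIGN-A", "T1105 tool transfer",
                                     85, NOW - timedelta(days=5), frozenset({"finance", "healthcare"})),
    "203.0.113.9": Indicator("203.0.113.9", "ip", "CAMPAIGN-B", "T1595 active scanning",
                             40, NOW - timedelta(days=200), frozenset({"retail"})),
}

# Constructed proxy/firewall-style log lines.
LOGS = [
    "2024-03-04T10:02:11Z host=ws-17 dst=198.51.100.23 action=connect",
    "2024-03-04T10:03:40Z host=ws-17 dst=updates-cdn.example action=dns",
    "2024-03-04T10:05:02Z host=srv-db1 dst=203.0.113.9 action=connect",
    "2024-03-04T10:06:13Z host=ws-03 dst=files.example.net action=connect",
]

def parse_log(line: str) -> dict:
    """Split 'ts key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event

def blocklist_hit(event: dict) -> bool:
    """All a plain blocklist can say: matched or not."""
    return event["dst"] in BLOCKLIST

def enrich(event: dict, org_sector: str, now: datetime = NOW) -> dict | None:
    """Turn an indicator match into an alert with context and a recommended action."""
    ind = INTEL.get(event["dst"])
    if ind is None:
        return None
    stale = now - ind.last_seen > STALE_AFTER
    targets_us = org_sector in ind.sectors
    if stale or ind.confidence < 50:
        action = "log"      # old or weak indicator: record it, do not auto-block
    elif targets_us and ind.confidence >= 80:
        action = "block"    # current, high-confidence, and aimed at our sector
    else:
        action = "alert"    # worth an analyst's eyes, not an automatic block
    return {
        "ts": event["ts"], "host": event["host"], "indicator": ind.value,
        "campaign": ind.campaign, "technique": ind.technique,
        "confidence": ind.confidence, "stale": stale,
        "targets_us": targets_us, "action": action,
    }

def triage(logs: list[str], org_sector: str, now: datetime = NOW) -> list[dict]:
    """Run every log line through enrichment and keep the hits."""
    alerts = []
    for line in logs:
        alert = enrich(parse_log(line), org_sector, now)
        if alert is not None:
            alerts.append(alert)
    return alerts

def correlate(alerts: list[dict]) -> dict[str, list[str]]:
    """Group affected hosts by campaign so related hits read as one intrusion."""
    by_campaign: dict[str, list[str]] = {}
    for alert in alerts:
        hosts = by_campaign.setdefault(alert["campaign"], [])
        if alert["host"] not in hosts:
            hosts.append(alert["host"])
    return by_campaign

if __name__ == "__main__":
    print("blocklist:", [blocklist_hit(parse_log(l)) for l in LOGS])
    hits = triage(LOGS, "finance")
    for alert in hits:
        print(alert)
    print("by campaign:", correlate(hits))
```

The blocklist flags three of the four lines identically; the enriched pass tells the analyst that two of them belong to the same campaign on the same host and warrant blocking, while the third is a stale, low-confidence scanner aimed at another sector and only needs logging. Changing `org_sector` to `"retail"` demonstrates relevance: the same high-confidence indicators drop from "block" to "alert" because that campaign is not known to target the organization.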
Gathering threat intelligence is no simple feat: it requires collecting, processing, and analyzing reams of data from multiple sources. Used properly, though, it yields a more streamlined and effective approach to security, because it rests on one cohesive picture rather than on disjointed data from several systems that must be interpreted by individuals who may lack the skills to make the right call. Ultimately, threat intelligence helps security teams decide which information matters most and how to act on it for the most secure network.