What is (Cyber) Threat Intelligence?

Threat Intelligence is a complex domain with multiple components and interrelated elements. It is often misunderstood and underestimated, despite its critical impact on organizational security and risk management.

From participating in discussions, listening to others, reading group chats, and commenting on social media, I’ve noticed that many people misunderstand the definition and purpose of Threat Intelligence, both as a domain and as a process. The problem exists at C-level and among security professionals in other blue-team domains such as IR, SOC, and DFIR. Please don’t take my thoughts as the single truth: there are many opinions on what threat intelligence is and what impact it has, and this blog post is just my view of the domain in general.


Understanding Intelligence

Let’s talk about Intelligence in general first. The definition I suggest following is that Intelligence is a supporting function: you can’t produce Intelligence if no one can consume it for the greater good. Intelligence helps decision-makers make decisions, and a decision-maker can be any person, organization, or entity that is able and willing to receive Intelligence.

For example, policymakers and political powers consume Intelligence about foreign affairs or internal conflicts to take the proper steps and prepare for possible consequences. Military personnel plan offensive operations based on Intelligence provided by intelligence officers. One massive example is how the hard work and dedication of US Intelligence Community analysts, combining SIGINT, HUMINT, and GEOINT, helped the US Government track down and eliminate the most significant terrorist threat ever, Osama bin Laden. For more details, I highly recommend the movie Zero Dark Thirty. For an in-depth look at how Operational Intelligence supported special operations units executing ground operations, I recommend reading No Easy Day.

For C-level executives in big organizations, Business Intelligence helps with decision-making regarding business expansion, mergers, and other strategic-level matters. It’s crucial to understand that Intelligence analyzes the present and past to predict the future. The information flow is simple:

Data → Information → Intelligence

Information becomes Intelligence when we go beyond reporting events and provide analysis and insight that a decision-maker can act on. Intelligence is an essential function that contributes to an organization’s maturity and aids in making better decisions. With this in mind, let’s move forward and talk about the main subject: What is Threat Intelligence?


What is Threat Intelligence?

The definition follows from the above: Threat Intelligence is Intelligence about threats, specifically threats in cyberspace. It identifies and characterizes potential threats, provides insight into the current threat landscape, and answers the questions that teams across the organization need answered. Threat Intelligence addresses problems that different teams encounter and need solutions for. Here are some examples:

  • Vulnerability Management struggling with vulnerability prioritization?
    Vulnerability Intelligence can identify which vulnerabilities are actively exploited, have publicly available proof-of-concept (PoC) exploits, or are being sold or used by threat actors, so that patching effort goes where the real risk is rather than where the CVSS score is highest.
  • SOC needs context around hashes, URLs, and IPs?
    A Threat Intelligence Platform (TIP) that integrates open-source and private feeds can provide that context on demand.
  • Incident Response requires assistance with attribution or direction for further investigation?
    A library of TTPs, motivations, and actor profiles maintained by the CTI team can help.
  • Detection Engineering needs guidance on emerging threats?
    Threat Intelligence can provide technique heatmaps and trend analysis showing what adversaries are currently using.
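The first bullet is the easiest to make concrete. The script below is an added example, not code from the original post or from any product: it takes a constructed scanner result set and a constructed vulnerability-intelligence feed, enriches each finding with the "actively exploited", "public PoC" and "used by actor" signals, and ranks the findings by a priority score that also accounts for whether the affected asset is internet-facing. The CVE identifiers (CVE-0000-000N), the feed contents and the scoring weights are all assumptions chosen for illustration; a real program would source the flags from a curated feed and tune the weights to its own risk appetite. The point it shows is that the order produced with intelligence context differs from the CVSS-only order.

```python
"""Vulnerability prioritisation with intelligence context (added example).

All CVE identifiers, feed entries and scoring weights below are constructed
for illustration; none of it is real intelligence.
"""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    cve: str
    cvss: float                      # base score as reported by the scanner
    asset_exposed: bool              # is the affected host internet-facing?
    actively_exploited: bool = False # observed exploitation in the wild
    public_poc: bool = False         # working exploit code is public
    actor_use: list = field(default_factory=list)  # groups seen using it


# Constructed vulnerability-intelligence feed, i.e. what a CTI team would
# hand to vulnerability management. Keys are CVE ids, values are the flags.
VULN_INTEL = {
    "CVE-0000-0001": {"actively_exploited": True, "public_poc": True,
                      "actor_use": ["group-A"]},
    "CVE-0000-0002": {"public_poc": True},
    "CVE-0000-0003": {"actor_use": ["group-B"]},
}

# Constructed scanner output. Ranked by CVSS alone this would be
# 0002, 0004, 0001, 0003; the intelligence context changes that order.
SCAN_RESULTS = [
    Vuln("CVE-0000-0001", cvss=7.2, asset_exposed=True),
    Vuln("CVE-0000-0002", cvss=9.8, asset_exposed=False),
    Vuln("CVE-0000-0003", cvss=6.5, asset_exposed=True),
    Vuln("CVE-0000-0004", cvss=9.1, asset_exposed=False),
]


def enrich(vulns, intel):
    """Copy the intelligence flags onto each finding (unknown CVEs get defaults)."""
    for v in vulns:
        ctx = intel.get(v.cve, {})
        v.actively_exploited = bool(ctx.get("actively_exploited", False))
        v.public_poc = bool(ctx.get("public_poc", False))
        v.actor_use = list(ctx.get("actor_use", []))
    return vulns


def priority(v):
    """Priority score: CVSS is the baseline, intelligence signals add weight,
    exposure multiplies. The weights are illustrative assumptions, not a standard."""
    score = v.cvss
    if v.actively_exploited:
        score += 5.0          # exploitation in the wild dominates everything else
    elif v.public_poc:
        score += 2.5          # a public PoC is the next strongest signal
    score += 1.0 * len(v.actor_use)  # each known actor using it adds a little
    if v.asset_exposed:
        score *= 1.5          # reachable from the internet: halve the patch window
    return round(score, 2)


def cvss_order(vulns):
    """Baseline ranking by CVSS only, for comparison."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def prioritise(vulns, intel):
    """Enrich, then rank highest priority first."""
    return sorted(enrich(vulns, intel), key=priority, reverse=True)


if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(SCAN_RESULTS))
    for v in prioritise(SCAN_RESULTS, VULN_INTEL):
        flags = [f for f, on in (("exploited", v.actively_exploited),
                                 ("poc", v.public_poc),
                                 ("exposed", v.asset_exposed)) if on]
        print(f"{v.cve}  cvss={v.cvss:<4} priority={priority(v):<6} "
              f"actors={v.actor_use or '-'} {' '.join(flags)}")
```

With the constructed input, CVE-0000-0001 (CVSS 7.2, but exploited in the wild on an exposed host) moves to the top, while CVE-0000-0004 (CVSS 9.1 with no intelligence signals and no exposure) drops to the bottom.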

The Strategic Role of Threat Intelligence

Beyond technical applications, Threat Intelligence supports C-level executives in mergers and acquisitions, expansion into new markets, and strategic security investments. It serves as a link between teams, guiding their operations and informing their priorities.

In an ideal world, Threat Intelligence should predict attacks, allowing organizations to take proactive measures based on Intelligence findings. However, this is not always feasible. The effectiveness of Threat Intelligence depends on multiple factors, including:

  • CTI team expertise
  • Leadership expectations
  • Relevance of intelligence requirements
  • Technologies and operational capabilities
  • Security policy excellence

The efficiency of Threat Intelligence is also closely tied to an organization’s security maturity. Implementing a Threat Intelligence Program should begin with an audit of the existing security functions, in the same way that a non-native speaker who wants to learn a programming language first needs a working command of English.


Final Thoughts

Threat Intelligence is complicated; it is not a silver bullet to solve all security problems. A proper approach to implementation consists of multiple steps and may take years to execute effectively.


Acknowledgments for Inspiration