This Threat Intelligence guide will provide you with a high-level understanding of the different types of threat intelligence.
There can be much to unpack, from threat intelligence feeds to enrichment providers to threat intelligence platforms.
Dive in and learn how to enhance your security operations with threat intelligence.
What is Threat Intelligence?
Threat intelligence is data collected and indexed from the dark web, the open web, technical sources, and customer telemetry. It is organized, analyzed, and delivered so that you can understand the threat landscape: the threat actors, the malicious infrastructure they are building, and their tactics, behaviors, and targets.
Threat intelligence gives the same external view of gaps and weaknesses that an attacker sees and may want to exploit.
The typical Threat Intelligence vendor comes in two flavors: Enrichment Feeds and Intelligence Providers.
Threat Intelligence Provider
Intelligence providers collect information on threat actors from multiple sources and deliver it as finished intelligence. Advanced intelligence providers employ machine learning to consolidate large amounts of data.
Advanced intelligence providers typically integrate with your existing cyber security tools and add human analysis for detailed reports.
A great use case involves integrating your threat intelligence into your SOAR tool. Automating threat hunting based on threat intelligence increases your analyst’s bandwidth.
We wrote a guide on setting up your automated threat-hunting workflows here.
Threat Intelligence Enrichment Feeds
Enrichment feeds also collect information from multiple sources. However, these vendors don’t provide advanced threat actor monitoring or reporting.
With an enrichment feed, expect a list of IP addresses, domains, or hashes without much context on the indicators.
Threat Intelligence Platforms
Think of a Threat Intelligence Platform (TIP) as a bookshelf and the threat intelligence sources as the books.
TIPs store, consolidate, and curate multiple threat intelligence sources.
Do I need a TIP?
Good question. It depends.
If you have a sizeable cyber threat intelligence (CTI) team that works independently from the security operations center (SOC), it can make sense to pay for a TIP. Often, CTI teams will work to curate threat intelligence and provide high-fidelity indicators to the SOC for threat hunting.
A TIP is helpful when tracking specific threat actors and building a repository of current and historical indicators of compromise (IOCs) used for strategic hunting. CTI teams need their own environment to store indicators that won’t interfere with SOC analysts in their SIEM.
What is Strategic Hunting?
If you have sent raw threat intelligence feeds to your SIEM for correlation, you will have experienced a lot of false positives and noise.
CTI teams can curate threat intelligence using their TIP to track threat actor campaigns. The CTI team can use these indicators for high-fidelity correlation rules. This eliminates a lot of noise and false positives.
Often, CTI teams will work with a SOC. SOCs are typically responsible for building detection rules and triaging alerts from the SIEM. A CTI team needs to know what type of alerts are causing false positives to assist the SOC with tuning.
A typical SOC/CTI collaboration model will entail the threat intelligence analyst providing high-fidelity indicators to the SOC to increase the number of true positives.
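As an added illustration (not code from the original article), here is a small Python comparison of the two approaches described above: matching proxy logs against a bare enrichment feed versus against a curated TIP export that carries campaign, confidence and expiry. All log lines, indicator values, campaign names and the reference date are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed proxy log lines: "timestamp src_ip dst_ip domain".
LOGS = [
    "2024-03-01T10:00:00 10.0.0.5 203.0.113.10 cdn.example.net",
    "2024-03-01T10:01:00 10.0.0.7 198.51.100.23 login.example-corp.test",
    "2024-03-01T10:02:00 10.0.0.9 192.0.2.77 updates.example.org",
    "2024-03-01T10:03:00 10.0.0.5 198.51.100.23 login.example-corp.test",
]

# Raw enrichment feed (constructed): bare IPs with no context at all.
RAW_FEED = {"203.0.113.10", "198.51.100.23", "192.0.2.77"}

@dataclass(frozen=True)
class Indicator:
    value: str
    campaign: str      # analyst note, e.g. the actor campaign it belongs to
    confidence: int    # 0-100, assigned by the CTI team
    expires: date      # after this date the indicator is no longer live

# Curated TIP export (constructed): same IPs, now with context.
CURATED = [
    Indicator("203.0.113.10", "shared CDN egress, benign", 10, date(2024, 12, 31)),
    Indicator("198.51.100.23", "ACTOR-X phishing infrastructure", 90, date(2024, 6, 30)),
    Indicator("192.0.2.77", "retired 2022 campaign", 85, date(2023, 1, 1)),  # expired
]

def parse(line):
    ts, src, dst, domain = line.split()
    return {"ts": ts, "src": src, "dst": dst, "domain": domain}

def raw_matches(lines):
    """Every hit against the bare feed becomes an alert: noisy."""
    return [parse(l) for l in lines if parse(l)["dst"] in RAW_FEED]

def curated_matches(lines, today=date(2024, 3, 1), min_confidence=70):
    """Only live, high-confidence indicators fire, and each hit carries context."""
    live = {i.value: i for i in CURATED
            if i.confidence >= min_confidence and i.expires >= today}
    hits = []
    for l in lines:
        ev = parse(l)
        ind = live.get(ev["dst"])
        if ind:
            hits.append({**ev, "campaign": ind.campaign, "confidence": ind.confidence})
    return hits

if __name__ == "__main__":
    print("raw feed alerts:", len(raw_matches(LOGS)))
    print("curated alerts:", len(curated_matches(LOGS)))
```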
Who Benefits from Threat Intelligence?
Of course, threat analysts benefit from threat intelligence, but so does the rest of the cyber security team. Threat intelligence gives risk assessments a different lens, which allows security leadership to effectively prioritize, budget, and plan around other focus areas.
Threat intelligence is commonly used to correlate inbound and outbound traffic. However, vulnerability teams can also incorporate threat intelligence to better triage and prioritize patching. This is accomplished by correlating vulnerability scan results with proprietary threat intelligence tailored to protecting your assets.
The Best Threat Intelligence Vendors
A great threat intelligence provider offers several capabilities. Look for vendors that offer a web portal for advanced searches and extensive integrations with other security tools like EDR, SIEM, and SOAR.
Recorded Future
Recorded Future is the most comprehensive, independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, physical, supply-chain, and fraud domains. Its customers trust it to get real-time, unbiased, actionable intelligence.
Not only does Recorded Future provide a portal to manage alerts and perform advanced search queries, but it also provides a large number of integrations with SOAR, SIEM, EDR, and TIPs.
Mandiant
Mandiant was part of FireEye but recently split off. Since then, Google bought Mandiant on Sept 12, 2022. Google plans to combine Mandiant with its existing security portfolio, including Siemplify and Chronicle.
Anomali
Anomali isn’t a pure threat intelligence provider. It is a Threat Intelligence Platform with built-in SOAR actions. This allows Threat Intelligence Analysts to curate threat intelligence and act on it with automated actions like blocking indicators on their firewall or sending indicators to SIEMs like Splunk for correlation.