Threat Intelligence Guide (2022)

Threat Intelligence – A game of Chess

What is Threat Intelligence?

Threat intelligence allows analysts to reduce research time, understand risks to their companies security posture, and take informative actions to protect their company assets from threat actors.

The typical threat intelligence vendor comes in one of two flavors: enrichment feeds and intelligence providers.

Intelligence Provider

Intelligence providers collect information on threat actors from multiple sources and deliver that information to their customers. Advanced intelligence providers employ machine learning to consolidate large amounts of data. Integrations into existing cyber security tools and human analysis for detailed reports are both typical of advanced intelligence providers.

Enrichment Feeds

Enrichment feeds also collect information from multiple sources; however, these vendors don’t provide advanced threat actor monitoring or reporting. With an enrichment feed, expect a list of IP addresses, domains, or hashes without much context on the indicators.

Threat Intelligence Platforms

Think of a Threat Intelligence Platform (TIP) as a bookshelf and the threat intelligence sources as the books. TIPs store, consolidate and curate multiple threat intelligence sources.

[Figure: TIPs are like bookshelves where TI are the books]

Do I need a TIP?

Good question. It depends.

If you have a large cyber threat intelligence (CTI) team that works independently from the security operations center (SOC), it can make sense to pay for a TIP. Oftentimes, CTI teams curate threat intelligence and provide high-fidelity indicators to the SOC for threat hunting.

Where a TIP comes in handy is in tracking specific threat actors and building a repository of current and historical indicators of compromise (IOCs) used for strategic hunting.

What is strategic hunting?

If you’re familiar with sending threat intelligence feeds to your SIEM for correlation, you’re likely used to a lot of false positives and noise. CTI teams can curate threat intelligence in their TIP to track threat actor campaigns, and then use those curated indicators in high-fidelity correlation rules. This eliminates a lot of noise and false positives.
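As an added example (not the guide’s own code), the script below runs a few constructed proxy log lines past a raw enrichment feed and then past a curated, campaign-tagged indicator set of the kind a CTI team would export from its TIP. All IPs, domains, campaign names, the 70% confidence threshold and the 30-day freshness window are assumptions made up for the example.

```python
"""Added example, not from the guide: a noisy raw-feed match versus a
strategic-hunting rule driven by curated, campaign-tagged indicators.
Every log line, IP, domain and campaign name below is constructed."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed proxy log lines: "<date> <src_ip> -> <dst_ip> <domain> <action>"
SAMPLE_LOGS = [
    "2022-03-01 10.0.0.5 -> 203.0.113.10 updates.evil.test ALLOW",
    "2022-03-01 10.0.0.7 -> 198.51.100.20 cdn.example-cdn.test ALLOW",
    "2022-03-01 10.0.0.9 -> 198.51.100.20 cdn.example-cdn.test ALLOW",
    "2022-03-02 10.0.0.5 -> 203.0.113.55 old-c2.test ALLOW",
    "2022-03-02 10.0.0.8 -> 192.0.2.44 intranet.corp.test ALLOW",
]
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")

def parse_log(line):
    """Split one constructed log line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, domain, action = m.groups()
    return {"ts": date.fromisoformat(ts), "src": src, "dst": dst,
            "domain": domain, "action": action}

# Raw enrichment feed (constructed): bare values, no context. It still lists a
# shared CDN host and a long-dead C2 address, which is where the noise comes from.
RAW_FEED = {"203.0.113.10", "203.0.113.55", "198.51.100.20",
            "cdn.example-cdn.test", "updates.evil.test"}

@dataclass(frozen=True)
class Indicator:
    value: str
    campaign: str     # campaign the CTI team tracks in its TIP
    confidence: int   # 0-100, assigned during curation
    last_seen: date   # last sighting tied to the campaign

# Curated TIP export (constructed): the CDN host was dropped as a false positive,
# the shared address was down-weighted, and the old C2 kept its stale last_seen.
CURATED = [
    Indicator("203.0.113.10", "CAMPAIGN-ALPHA", 90, date(2022, 2, 27)),
    Indicator("updates.evil.test", "CAMPAIGN-ALPHA", 95, date(2022, 2, 27)),
    Indicator("203.0.113.55", "CAMPAIGN-BRAVO", 85, date(2021, 6, 1)),
    Indicator("198.51.100.20", "CAMPAIGN-BRAVO", 20, date(2022, 2, 1)),
]

def raw_feed_hits(lines):
    """Feed-to-SIEM style rule: any destination or domain in the feed fires."""
    hits = []
    for line in lines:
        rec = parse_log(line)
        for field in ("dst", "domain"):
            if rec[field] in RAW_FEED:
                hits.append((rec["src"], rec[field]))
    return hits

def strategic_hits(lines, indicators, min_confidence=70, max_age_days=30):
    """High-fidelity rule: fire only on current, high-confidence indicators,
    and carry the campaign context into the alert for the analyst."""
    by_value = {ind.value: ind for ind in indicators}
    alerts = []
    for line in lines:
        rec = parse_log(line)
        for field in ("dst", "domain"):
            ind = by_value.get(rec[field])
            if ind is None:
                continue
            stale = (rec["ts"] - ind.last_seen).days > max_age_days
            if ind.confidence < min_confidence or stale:
                continue
            alerts.append({"src": rec["src"], "indicator": ind.value,
                           "campaign": ind.campaign, "confidence": ind.confidence})
    return alerts

if __name__ == "__main__":
    print(f"raw feed: {len(raw_feed_hits(SAMPLE_LOGS))} hits, no context")
    for alert in strategic_hits(SAMPLE_LOGS, CURATED):
        print("strategic:", alert)
```

On these five lines the raw feed fires seven times (three of them on the shared CDN host, one on a C2 that has been dead for months), while the curated rule produces two alerts, both from the same internal host and both tagged with the campaign the CTI team is tracking, which is the kind of lead a hunter can act on.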

Who Benefits from Threat Intelligence?

Of course threat analysts benefit from threat intelligence, but so does the rest of a cyber security team. Oftentimes, risk assessments can be viewed through a different lens using intelligence. This allows security leadership to effectively prioritize, budget, and plan around different focus areas.

Threat intelligence is commonly used to correlate inbound and outbound traffic. However, vulnerability management teams can also incorporate threat intelligence to better triage and prioritize patching. This is accomplished by correlating vulnerability scan results with proprietary threat intelligence tailored to protecting your assets.
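As an added example (not the guide’s own code), the script below joins constructed scan findings with curated intelligence on exploitation and actor interest, plus asset context from an inventory, and ranks patching by the result rather than by raw CVSS. The hosts, the CVE-EXAMPLE-* identifiers, the campaign name and the weighting factors are all assumptions made up for the example, not a published scoring standard.

```python
"""Added example, not from the guide: joining vulnerability scan findings with
CTI on exploitation and actor interest, plus asset context, to rank patching.
Hosts, CVE-EXAMPLE-* identifiers, scores and campaign names are all constructed
placeholders; the weighting factors are assumptions, not a published standard."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool
    criticality: int   # 1 (low) to 5 (crown jewel), from the asset inventory

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float        # base score as reported by the scanner

@dataclass(frozen=True)
class VulnIntel:
    cve: str
    exploited_in_wild: bool
    exploit_public: bool = False
    actors: tuple = () # tracked campaigns known to use this CVE against your sector

# Constructed asset inventory, scan output and curated intelligence.
ASSETS = {
    "web-01": Asset("web-01", True, 4),
    "db-01": Asset("db-01", False, 5),
    "kiosk-03": Asset("kiosk-03", False, 1),
}
FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-0001", 7.5),
    Finding("db-01", "CVE-EXAMPLE-0002", 9.8),
    Finding("kiosk-03", "CVE-EXAMPLE-0003", 9.0),
    Finding("web-01", "CVE-EXAMPLE-0004", 5.3),
]
INTEL = {
    "CVE-EXAMPLE-0001": VulnIntel("CVE-EXAMPLE-0001", True, True, ("CAMPAIGN-ALPHA",)),
    "CVE-EXAMPLE-0003": VulnIntel("CVE-EXAMPLE-0003", False, True),
}

def priority_score(finding, asset, intel):
    """Scale the scanner's CVSS by intel and asset context (assumed weights)."""
    score = finding.cvss
    if intel is not None:
        if intel.exploited_in_wild:
            score *= 2.0          # active exploitation outweighs a public PoC
        elif intel.exploit_public:
            score *= 1.5
        if intel.actors:
            score *= 1.5          # an actor that targets you is using it
    if asset.internet_facing:
        score *= 1.5
    score *= 1 + (asset.criticality - 1) * 0.25
    return round(score, 2)

def prioritize(findings, assets, intel):
    """Return findings ranked by intel-adjusted priority, highest first."""
    rows = []
    for f in findings:
        vi = intel.get(f.cve)
        rows.append({
            "host": f.host, "cve": f.cve, "cvss": f.cvss,
            "score": priority_score(f, assets[f.host], vi),
            "actors": list(vi.actors) if vi else [],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def cvss_order(findings):
    """Plain scanner ordering, for comparison with the intel-driven ranking."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS, INTEL):
        print(f"{r['score']:6.2f}  {r['host']:9} {r['cve']}  cvss={r['cvss']}  actors={r['actors']}")
```

With these inputs the scanner alone would rank the 9.8 on the database server first and the 7.5 on the web server third; once exploitation in the wild, a tracked campaign using the bug, and the host’s exposure are factored in, the 7.5 moves to the top of the patch queue, while the 9.0 on an isolated kiosk drops to the bottom.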