Cyber Threat Intelligence, or threat intelligence, acts as your organisation's primary defence against threat actors and security risks that may target your data, infrastructure, assets, employees or stakeholders. Understanding the importance of this information and working to improve the quality of information collected about potential threats is critical to maximizing your organization's defense capabilities and security posture.
In this blog post we will:
- Define different types of threat intelligence
- Discuss the key concepts and roles that threat intelligence plays in your organization's cyber security
- Outline the steps to build high-quality threat intelligence that creates value for your organization and its security teams
What is threat intelligence (cyber threat intelligence)?
Threat intelligence refers to the information, data and context used to detect, assess, prioritise and respond to cyber threats to prevent potential attacks against an organisation.
In addition, threat intelligence can also be analysed by organisations to improve decision-making on how to build long-term plans that more effectively deter potential future cyber attacks.
Why threat intelligence is so important
As threat actors become more sophisticated in their ability to carry out attacks against specific companies or industries, it is critical for organizations to further develop their own threat intelligence capabilities to protect their data and infrastructure. A thorough understanding of your organization's security risks is essential to knowing what tools and technologies are needed to identify, prioritize and combat risks.
A big part of threat intelligence is knowing where to look for information. This has become more challenging as the channels through which threat actors operate change and expand. Often the dark web is used to exchange information or trade in illicit goods, which means your security teams need to be familiar with this part of the internet.
Knowing how your organization can become a target for cyber criminals is also necessary to proactively fend off attacks. Cybercriminals can use a variety of methods to carry out their attacks, such as brute force attacks and credential stuffing, so it's important that your security teams are prepared for all types of attacks.
Five phases of threat intelligence
While threat intelligence encompasses the entire process of dealing with threats, from data collection to information dissemination, it can be broken down into five phases that define each step of the process.
- Planning and direction: Determine the scope and objectives of core roles and processes
- Collection: Implement data collection and processing techniques
- Analysis: Translate raw data into meaningful information
- Production: Assess the importance and seriousness of information based on business and environmental context
- Dissemination and feedback: Report on completed threat intelligence
Applications of threat intelligence phases
The phases of threat intelligence help any organisation get the most out of its security efforts. Understanding the types of threats you deal with allows you to tailor prevention more specifically to the risks your organisation faces.
While the general process is the same, applying it to insider threats versus external security threats may look different, as each requires different considerations. A tailored process is required to properly assess the risks an organization faces and effectively prevent them.
The three types of threat intelligence
There are three types of threat intelligence, each with its own function in combating emerging threats and cyber attacks. Strategic, operational and tactical threat intelligence all play complementary roles in building a comprehensive cyber security plan to address the risks your organisation faces.
1) Strategic threat intelligence
Strategic threat intelligence provides a high-level view of potential threats and an overview of how they evolve over time. Historical trends and contextual data are both very important for strategic threat intelligence, as characteristics and information associated with past threats often influence potential future attacks.
Because of its broader nature, strategic threat intelligence is usually used by C-suite executives or other senior individuals who benefit most from a summary of security threat trends. One does not need to have a strong technical background to understand strategic threat intelligence.
2) Operational threat intelligence
Operational threat intelligence is more actionable and focuses on specific attacks to which an organisation may be exposed. It spells out how your security team should understand a security breach or attack and the processes that would be most effective to contain or deter it. Operational threat intelligence provides more insight into a threat actor's motivations, capabilities and timing, while applying your organization's strategic threat intelligence to planning how to handle an attack.
Operational threat intelligence requires a strong technical background and is most often used by security teams and their associated departments. Analysts, incident personnel and other staff benefit greatly from high-quality operational threat intelligence as a way to contextualise and prioritise risks and understand their strategic implications.
3) Tactical threat intelligence
Tactical threat intelligence deals with information about the tactics, techniques and procedures needed to build a cyber security plan.
It is the most basic level of threat intelligence and is built on the documentation of past and present threats and attacks, which are then transformed into Indicators of Compromise (IOCs) that act as a guide for analysts assessing future or ongoing incidents. Tactical threat intelligence contextualises isolated events to help security teams decide how serious a threat really is.
Technical teams are most often the ones dealing with tactical threat intelligence. This type of threat intelligence is constantly changing and relates differently to each threat.
What is threat scanning?
While gathering information related to threats is a critical part of your threat intelligence, it is possible to overlook some of the risks or threat actors that threaten your organization. To minimise this risk, it is useful to include active threat intelligence in your threat intelligence.
Threat scanning is a more proactive approach to data collection, as it is an active search for threats or cyber criminals that have accessed or may access your business. If undetected, they can collect confidential information over a long period of time and prepare for a major attack.
Many organisations lack an action plan to detect and remove threats from their systems. Threat scanning can eliminate threats before they can develop into serious attacks or data breaches.
The use of threat intelligence
Strengthen your organisation's security posture
The ways in which threat intelligence can benefit your team or organisation depend on your role and objectives. Perhaps most importantly, robust threat intelligence gives you the opportunity to strengthen the security posture of your entire organisation. The better you understand the potential threats, the better prepared you can be to respond to them.
Contextual insight and analysis
Threat intelligence also helps prioritise threats and provides valuable insight into how a particular risk might play out for your organisation. If an attack does occur, analysis of its status and impact is also enhanced by the information your teams have about the who, what and how of the situation.
Proactive threat intelligence
Use threat intelligence to detect previously undetected data breaches or cybercriminals and proactively stop attacks that target your data and infrastructure.
What is a threat actor?
In broad terms, a threat actor is any party that engages in illegal activities. Physical threat actors are those who use physical methods, such as a terrorist attack, while cyber threat actors operate online and carry out cyber threats, such as ransomware attacks and DDoS attacks.
The actions of these threat actors depend on their tactics, group, motivation and other factors. Many are part of a larger illicit community, often online-based, on the dark web. They may disclose the data or information they access on the dark web, which can make data breaches difficult to trace and lead to more cyber attacks.
By understanding threat actors and their tactics, techniques and procedures, organizations that leverage threat intelligence can make more informed decisions about how best to proactively protect themselves.
Motivation for cyber criminals
While ransomware groups are clear examples of threat actors with financial motives, sometimes it's more complicated than that. Motivations can generally be divided between economic and ideological, but the subcategories of these are nuanced.
Motivated by money
Financial profit is one of the main drivers behind cybercrime. From organized ransomware attacks to insider threats, these attacks are often carried out with the intention of converting the stolen data into something of monetary value, most often cryptocurrency, as quickly as possible.
Types of financial threat actors include:
- Ransomware actors: Working individually or as a group, ransomware actors carry out attacks that either encrypt data to force victims to pay for the decryption key or threaten to release sensitive information if a significant ransom is not paid.
- Insider threat actors: Insider threats represent a significant proportion of all data breaches and involve employees of a company or organisation exploiting confidential information or network access to harm a company for personal gain. Poor security hygiene can also lead to accidental breaches, which also count as insider threats.
- Organised groups: Organised cybercrime groups make up a large proportion of the actors behind cybercrime. They work in professional and structured networks that enable them to carry out large and sophisticated attacks.
- Carders: Carders often have a low level of technical knowledge and steal credit cards which they can then exploit or resell.
- Scammers: Scammers are involved in various types of fraud, such as identity theft, online dating scams, pyramid schemes and phishing.
- Script kiddies: Also known as skiddies, they use scripts or programs designed by others to attack computer systems. They are not able to perform sophisticated attacks, but can still force their way into confidential information or systems.
Motivated by socio-political factors
Ideological threat actors are driven by political and social factors, and attacks are often carried out by a large group to highlight a larger issue or to harm a group with a different ideology.
These attacks usually aim to create chaos and raise awareness about the cybercriminals behind them or the problems they face. This is very much the opposite of financially motivated cybercriminals who want to carry out their attacks as anonymously as possible.
Types of ideological threat actors include:
- APT groups: "Advanced Persistent Threat (APT)" groups are usually politically or financially motivated and their attacks target government institutions, critical infrastructure and large corporations. They often use spear phishing or social engineering to carry out their attacks. Once they gain access to a system's infrastructure, they steal confidential information and store it.
- State-sponsored groups: Government or state-sponsored groups are threat actors that are supported by a nation state, either directly or indirectly. Their goals and tactics are usually similar to those of APT groups, and their government support enables them to use sophisticated resources.
- Hacktivists: Hacktivists support their own political or social agenda, and their goal is often to damage the reputation of a company or government and raise awareness of their cause.
- FUD (Fear, Uncertainty, and Doubt): FUD-motivated threat actors distribute false or misleading information (misrepresentation) and often attempt to influence public perception of political parties, other nations, or the like.
What is the purpose of a cyber threat analyst?
Using the data collected during the threat intelligence gathering phase, a cyber threat analyst is responsible for identifying and assessing risks and threats. As the lead for many different teams that rely on the threat intelligence, this analyst must be able to assess different types of information from a variety of sources, including those of a technical nature, and communicate them to individuals who come from different backgrounds and have different levels of technical expertise.
Cyber threat analysts have general experience in cyber security and computer networks and may have previously worked as network engineers. Being at the forefront requires strong knowledge and the ability to keep up with potential threats that are constantly evolving, which means there is a correlation between the quality of your threat intelligence and how effective your analyst is.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.