Audio version of the article
Threat intelligence is information gathered from a range of sources about current or potential attacks against an organization.The purpose is to ensure that organisations are aware of their threat environment so that they can put in place a mechanism to collect and analyse these threats and determine the proper actions that can be taken to protect their information security. The information is analyzed, refined and organized and then used to minimize and mitigate Information security risks.Organizations embrace threat intelligence to ensure that a) they are properly prepared to deal with today’s threat landscape and b) their controls and other investments are well selected and performing as planned. Data is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.The main purpose of threat intelligence is to show organizations the various risks they face from external threats. Threat intelligence includes in-depth information and context about specific threats, such as who is attacking, their capabilities and motivation, and the indicators of compromise . With this information, organizations can make informed decisions about how to defend against the most damaging attacks. In a security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a part of a bigger security intelligence strategy. It includes information related to protecting an organization from external and inside threats, as well as the processes, policies and tools used to gather and analyze that information. Threat intelligence provides better insight into the threat landscape and threat actors, along with their latest tactics, techniques and procedures. It enables organizations to be proactive in configuring its security controls to detect and prevent advanced attacks and zero-day threats. Many of these adjustments can be automated so security stays aligned with the latest intelligence in real time.
Information relating to information security threats should be collected and analysed to produce threat intelligence.
To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.
ISO 27002 Implementation Guidance
Information about existing or emerging threats is collected and analysed in order to:
- facilitate informed actions to prevent the threats from causing harm to the organization;
- reduce the impact of such threats.
Threat intelligence can be divided into three layers, which should all be considered:
- strategic threat intelligence: exchange of high-level information about the changing threat landscape (e.g. types of attackers or types of attacks);
- tactical threat intelligence: information about attacker methodologies, tools and technologies involved;
- operational threat intelligence: details about specific attacks, including technical indicators.
Threat intelligence should be:
- relevant (i.e. related to the protection of the organization);
- insightful (i.e. providing the organization with an accurate and detailed understanding of the threat landscape);
- contextual, to provide situational awareness (i.e. adding context to the information based on the time of events, where they occur, previous experiences and prevalence in similar organizations);
- actionable (i.e. the organization can act on information quickly and effectively).
Threat intelligence activities should include:
- establishing objectives for threat intelligence production;
- identifying, vetting and selecting internal and external information sources that are necessary and appropriate to provide information required for the production of threat intelligence;
- collecting information from selected sources, which can be internal and external;
- processing information collected to prepare it for analysis (e.g. by translating, formatting or corroborating information);
- analyzing information to understand how it relates and is meaningful to the organization;
- communicating and sharing it to relevant individuals in a format that can be understood.
Threat intelligence should be analysed and later used:
- by implementing processes to include information gathered from threat intelligence sources into the organization’s information security risk management processes;
- as additional input to technical preventive and detective controls like firewalls, intrusion detection system, or anti malware solutions;
- as input to the information security test processes and techniques.
The organization should share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence.
Organizations can use threat intelligence to prevent, detect, or respond to threats. Organizations can produce threat intelligence, but more typically receive and make use of threat intelligence produced by other sources. Threat intelligence is often provided by independent providers or advisors, government agencies or collaborative threat intelligence groups. The effectiveness of controls such as 5.25, 8.7, 8.16 or 8.23, depends on the quality of available threat intelligence.
Threat intelligence is used to inform decisions and actions to present these threats causing harm to the organisation and reduce the impact of such threats. It requires an organisation to collect and analyse information relating to information security threats and use that information take mitigation action. Threat intelligence is used to prevent, detect or respond to threats. Organization can either produce their own threat intelligence or make use of threat intelligence produced by others. It is often provided by independent providers and advisors which can include government sources and more than likely products and services will spring up around this new control to offer it as a service, at a cost . The organization have to ensure that:
- objectives for threat intelligence production are established
- internal and external sources of information are identified, selected and vetted where necessary and appropriate
- information is collected from selected sources
- information is then prepared for analysis for example by formatting or translating it
- information is analysed to understand how it relates to you
- communication and sharing of information is done to relevant in people in a way they will understand it
When implementing threat intelligence they are analyzing and using information and including it in the risk management process. It can be used as input to inform how ti implement and configure technical controls and adapting information security tests and techniques based on it. An organisation must know what its threat environment is in order to ensure that it has the right controls in place; that it is able to respond and recover appropriately if something adverse were to happen; and that its security posture (controls, policies, etc.) is appropriate for its threat environment.
The main objective is to ensure that organisations have the ability to collect and analyse information about existing and emerging threats, so that the organisation can identify which threats are applicable to the organisation, and then develop appropriate defences for those identified threats. To meet the requirements organisations must:
- Establish and document objectives for threat intelligence production
- Identify, vet, list and document internal and external sources of information
- Collect the information
- Prepare the information for analysis for example by formatting or translating it
- Communicate and share information to relevant people in a way they will understand it
- Conduct periodic reviews of your threat environment (e.g., by reviewing reports from government agencies, other organisations and/or industry associations).
- Analyse current events and past incidents to determine possible new attack vectors and trends.
- And most of all, create defenses that can be used to mitigate the effect of threat to the organisation’s information security.
There are four varieties of threat intelligence: strategic, tactical, technical and operational. All four are essential to build a comprehensive threat assessment.
- Strategic threat intelligence. This analysis summarizes potential Security attacks and the possible consequences for nontechnical audiences and stakeholders, as well as decision-makers. It is presented in the form of white papers, reports and presentations, and is based on detailed analysis of emerging risks and trends from around the world. It is used to paint a high-level overview of an industry’s or organization’s threat landscape.
- Tactical threat intelligence. Tactical intelligence provides information about the tactics, techniques and procedures (TTPs) that threat actors use. It is intended for those directly involved with protecting IT and data resources. It provides details on how an organization might be attacked based on the latest methods being used and the best ways to defend against or mitigate the attacks.
- Technical threat intelligence. This information focuses on signs that indicate an attack is starting. These signs include reconnaissance, weaponization and delivery, such as spear phishing, baiting and social engineering. Technical intelligence plays an important role in blocking social engineering attacks. This type of intelligence is often grouped with operational threat intelligence; however, it adjusts quickly as hackers update their tactics to take advantage of new events and ruses
- Operational threat intelligence. With this approach, information is collected from a variety of sources, including chat rooms, social media, antivirus logs and past events. It is used to anticipate the nature and timing of future attacks. Data mining and machine learning are often used to automate the processing of hundreds of thousands of data points across multiple languages. Security and incident response teams use operational intelligence to change the configuration of certain controls, such as firewall rules, event detection rules and access controls. It can also improve response times as the information provides a clearer idea of what to look for.
Focusing on strategic, tactical, technical and operational threat intelligence will help organizations improve their awareness and visibility of the threat environment looming outside their organization. In doing so, it looks to encourage better collection and analysis of information surrounding outsider threats as it enables organizations to better understand what they are up against and take the appropriate steps to protect from and mitigate such threats.Threat intelligence is also used as an input for other controls, including 5.25, 8.7, 8.16 and 8.23, and will formulate how organizations respond to events, malware threats, networking monitoring and web filtering. The organizations should demonstrate that how they are:
- Collecting and analyzing threat intelligence
- Actioning insights derived from that analysis
- Incorporating threat intelligence into their ISMS
Combined, these actions determine how effectively organizations are using threat intelligence while encouraging them to reach a certain standard that requires them to be more informed, better protected, and better equipped to adjust their security posture in line with threat insights.For example, when choosing a new intrusion detection system, organizations should consider how threats against them are likely to manifest. All implemented protections should detect and target those threats, including the tactics used by their likely adversaries. This way, threat intelligence adds to the risk understanding and allows businesses to choose solutions that actually resolve the problems they are likely to encounter.
There are numerous tools that can help organizations collect data and apply threat intelligence within existing security operations. Threat intelligence services also provide organizations with information related to potential attack sources relevant to their businesses; some also offer consultation services.