Threat intelligence is information about potential attacks. It helps organizations take action to defend themselves against these attacks.
Threat intelligence is information about the potential attacks an organization may face and how to detect and stop those attacks. Law enforcement sometimes distributes “Wanted” posters with information about suspects; similarly, cyber threat intelligence contains information about current threats and where they come from.
In digital security terms, a “threat” is an action with malicious intent that could result in data being stolen, lost, or altered without permission. The term refers to both potential and actual attacks. Threat intelligence enables organizations to take action against threats, rather than merely providing data. Each piece of threat intelligence helps make it possible to detect and prevent attacks.
Some types of threat intelligence can be fed into firewalls, web application firewalls (WAFs), security information and event management (SIEM) systems, and other security products, enabling them to identify and block threats more effectively. Other types of threat intelligence are more general and help organizations make more significant strategic decisions.
What are the three main types of threat intelligence?
Most threat intelligence fits into one of these three categories:
- Strategic intelligence describes overall trends and long-term issues. It can also include known attackers’ motivations, goals, and methods.
- Operational intelligence describes the tactics, techniques, and procedures (TTP) used by attackers — for instance, which malware toolkits or exploit kits attackers use, where their attacks come from, or the steps they typically follow to carry out an attack.
- Tactical intelligence is specific on-the-ground details about threats; it enables organizations to identify threats on a case-by-case basis. Malware signatures and indicators of compromise (IoC) are examples of tactical intelligence. Both of these terms are explained further below.
What is a malware signature?
A signature is a unique pattern or sequence of bytes by which malware can be identified. In the same way, fingerprints are used to identify persons suspected of a crime; signatures help identify malicious software.
Signature detection is one of the most common forms of malware analysis. To be effective, signature detection must constantly be updated with the latest malware signatures identified in the wild.
What are indicators of compromise (IoC)?
An indicator of compromise (IoC) is a piece of data that helps identify whether an attack has occurred or is in progress. An IoC is like an item of physical evidence that a detective might collect to determine who was present at the crime scene. Similarly, specific digital evidence — unusual activity recorded in logs, network traffic to unauthorized servers, etc. — helps administrators determine when an attack has occurred (or is currently happening) and what kind of attack it was.
Without IoCs, it can sometimes be challenging to determine if an attack has occurred; it often benefits the attacker to remain undetected (for instance, if they want to use a compromised device in a botnet).
What is a threat intelligence feed?
A threat intelligence feed is an external stream of threat intelligence data. Like an RSS feed for blogs, organizations can subscribe to a threat intelligence feed to provide constant security updates to their systems.
Some threat intelligence feeds are free; others cost money and provide proprietary intelligence unavailable from open sources.
