Threat Intelligence is evidence-based information about cyber attacks that cyber security experts organize and analyze. This information may include:
- Mechanisms of an attack
- How to identify that an attack is happening
- Ways different types of attacks might affect the business
- Action-oriented advice about how to defend against attacks
Many forms of cyber attacks are common today, including zero-day exploits, malware, phishing, man-in-the-middle attacks, and denial of service attacks. Different ways of attacking computer systems and networks constantly evolve as cybercriminals find new vulnerabilities to exploit. Cyber Threat Intelligence (CTI) helps organizations stay informed about new threats so that they can protect themselves. Cyber security experts organize, analyze, and refine the information they gather about attacks so that they can learn from it and use it to protect businesses better.
Threat intelligence (or security intelligence) also helps stop or mitigate an attack that is in progress. The more an IT team understands about an attack, the better they will be able to make an informed decision about how to combat it.
There are different types of threat intelligence, from high-level, non-technical information to technical details about specific attacks. Here are a few different kinds of threat intelligence:
- Strategic: Strategic threat intelligence is high-level information that puts the threat in context. It is non-technical information that an organization could present to a board of directors. An example of strategic threat intelligence is the risk analysis of how a business decision might make the organization vulnerable to cyber attacks.
- Tactical: Tactical threat intelligence includes the details of how threats are being carried out and defended against, including attack vectors, tools, and infrastructures attackers are using, types of businesses or technologies that are targeted, and avoidance strategies. It also helps an organization understand how likely they are to be a target for different types of attacks. Cybersecurity experts use tactical information to make informed decisions about security controls and managing defenses.
- Operational: Operational threat intelligence is information that an IT department can use as part of active threat management to take action against a specific attack. It is information about the intent behind the attack, as well as the nature and timing of the attack. Ideally, this information is gathered directly from the attackers, which makes it difficult to obtain.
- Technical: Technical threat intelligence is specific evidence that an attack is happening, or indicators of compromise (IOCs). Some threat intelligence tools use artificial intelligence to scan for these indicators, which might include email content from phishing campaigns, IP addresses of C2 infrastructure, or artifacts from known malware samples.
Threat intelligence and cyber threat tools help organizations understand the risks of different types of attacks and how best to defend against them. Cyber threat intelligence also helps mitigate attacks that are already happening. An organization’s IT department may gather its own threat intelligence, or it may rely on a threat intelligence service to gather information and advise on best security practices. Organizations that employ software defined networking (SDN) can use threat intelligence to quickly reconfigure their network to defend against specific types of cyber attacks.
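Technical threat intelligence is only useful once it is matched against what the organization actually sees. The following is an added example, not code from the original article or from any particular threat intelligence service: it parses a small indicator feed (IP addresses, domains, SHA-256 hashes) and matches it against log events of the kind a SIEM or EDR would emit. The feed format, the event field names, and every indicator and address in it are constructed for the demonstration (the addresses come from the documentation ranges). The domain match treats subdomains of an indicator as hits, and all values are normalised first so that case and trailing dots do not cause misses.

```python
"""Match a small indicator-of-compromise feed against log events.

Added example, not from the original article. Both the feed and the log
events below are constructed sample data.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed indicator feed in a common "type,value,description" CSV layout.
SAMPLE_FEED = """type,value,description
ip,198.51.100.23,constructed C2 address (TEST-NET-2 range)
domain,c2.example,constructed C2 domain
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,constructed malware hash
"""

# Constructed log events, one dict per record, as a SIEM or EDR might emit them.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "type": "netflow", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"src": "10.0.0.5", "type": "dns", "query": "update.C2.example."},
    {"src": "10.0.0.9", "type": "dns", "query": "www.example.org."},
    {"src": "10.0.0.12", "type": "process",
     "sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"src": "10.0.0.12", "type": "netflow", "dst_ip": "203.0.113.7", "dst_port": 80},
]


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    description: str


def load_indicators(feed_text: str) -> list[Indicator]:
    """Parse a CSV feed, normalising values so matching is case- and dot-insensitive."""
    out = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip()
        if kind == "ip":
            value = str(ipaddress.ip_address(value))  # raises on a malformed address
        elif kind == "domain":
            value = value.lower().rstrip(".")
        elif kind == "sha256":
            value = value.lower()
            if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
                raise ValueError(f"bad sha256 indicator: {row['value']}")
        else:
            raise ValueError(f"unknown indicator type: {kind}")
        out.append(Indicator(kind, value, row["description"]))
    return out


def _domain_matches(query: str, indicator: str) -> bool:
    """True if the query is the indicator domain itself or a subdomain of it."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def match_events(indicators: list[Indicator], events: list[dict]) -> list[dict]:
    """Return one hit per matching event, ready to feed an alerting pipeline."""
    by_kind: dict[str, list[Indicator]] = {}
    for ind in indicators:
        by_kind.setdefault(ind.kind, []).append(ind)
    ip_index = {i.value: i for i in by_kind.get("ip", [])}
    hash_index = {i.value: i for i in by_kind.get("sha256", [])}
    hits = []
    for ev in events:
        matched = None
        if ev["type"] == "netflow" and ev.get("dst_ip") in ip_index:
            matched = ip_index[ev["dst_ip"]]
        elif ev["type"] == "dns":
            for ind in by_kind.get("domain", []):
                if _domain_matches(ev["query"], ind.value):
                    matched = ind
                    break
        elif ev["type"] == "process" and ev.get("sha256", "").lower() in hash_index:
            matched = hash_index[ev["sha256"].lower()]
        if matched:
            hits.append({"src": ev["src"], "indicator": matched.value,
                         "kind": matched.kind, "why": matched.description})
    return hits


if __name__ == "__main__":
    for hit in match_events(load_indicators(SAMPLE_FEED), SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints three hits: the connection to the listed address, the DNS lookup of a subdomain of the listed domain, and the process whose hash is on the feed. A real deployment would load the feed from a threat intelligence service and attach the description to the alert so an analyst knows why the indicator matters.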
Threat intelligence allows organizations to be proactive instead of reactive when it comes to cyber attacks. Without understanding security vulnerabilities, threat indicators, and how threats are carried out, it is impossible to defend against cyber attacks effectively. Threat intelligence can prevent and contain attacks faster, potentially saving businesses hundreds of thousands of dollars. Threat intelligence can augment enterprise security controls at every level, including network security.
Security personnel can often find indications that an attack is happening or has happened if they are looking in the right places for unusual behavior. Artificial intelligence can help tremendously with this effort. Some common IOCs include:
- Unusual privileged user account activity: Attackers often try to gain higher account privileges or move from a compromised account to another account that has higher privileges.
- Login anomalies: After-hours logins that attempt to access unauthorized files, logins in quick succession to the same account from different IPs around the world, and failed logins from user accounts that do not exist are all good indicators that something is amiss.
- Increases in database read volume: Seeing a large increase in database read volume could indicate that someone is extracting an unusually large amount of data, such as all of the credit card numbers in a database.
- Unusual domain name system (DNS) requests: Large spikes in DNS requests from a specific host and patterns of DNS requests to external hosts are both red flags because they could mean a compromised host inside the organization is communicating with external command and control infrastructure.
- Large numbers of requests for the same file: A large part of cybercriminal activity involves repeated attacks, which can indicate that someone is searching for a vulnerability. Seeing 500 requests for the same file could indicate that someone is trying different ways to find a weakness.
- Unexplained configuration or system file changes: While it is difficult to find a credit card harvesting tool, it is easier to find system file changes that happen from the tool being installed.
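Several of the behavioral indicators above can be expressed as simple detection rules over logs. The block below is an added example, not code from the original article: it parses constructed log lines in an assumed `timestamp kind key=value ...` layout and implements four of the listed checks (logins to one account from several IPs in quick succession, repeated failed logins for accounts that do not exist, a per-minute DNS request spike from one host, and many requests for the same file from one source). The log format, the field names, and the thresholds are assumptions chosen for the demonstration; the 500-request figure from the text is lowered to a parameter so the sample stays small.

```python
"""Detect behavioural indicators of compromise in constructed log lines.

Added example; not code from the original article. The log format
(timestamp, record kind, then key=value fields) and the thresholds are
assumptions made for this demonstration.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. The hand-written lines cover the login anomalies;
# the loops below append a DNS burst and a file-request hammering.
SAMPLE_LOG = [
    "2024-05-01T02:13:00Z auth user=alice src=203.0.113.5 result=ok",
    "2024-05-01T02:14:10Z auth user=alice src=198.51.100.77 result=ok",
    "2024-05-01T02:15:00Z auth user=ghost src=198.51.100.77 result=fail reason=no_such_user",
    "2024-05-01T02:15:05Z auth user=sysadm src=198.51.100.77 result=fail reason=no_such_user",
    "2024-05-01T02:15:09Z auth user=backup src=198.51.100.77 result=fail reason=no_such_user",
    "2024-05-01T09:00:00Z auth user=bob src=10.0.0.4 result=ok",
]
_t0 = datetime(2024, 5, 1, 2, 20, tzinfo=timezone.utc)
_fmt = "%Y-%m-%dT%H:%M:%SZ"
SAMPLE_LOG += [f"{(_t0 + timedelta(seconds=i)).strftime(_fmt)} dns src=10.0.0.8 query=h{i}.example.net"
               for i in range(30)]
SAMPLE_LOG += [f"{(_t0 + timedelta(seconds=i)).strftime(_fmt)} web src=198.51.100.77 path=/backup.zip status=404"
               for i in range(60)]


def parse(lines):
    """Turn 'timestamp kind k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in lines:
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, _fmt).replace(tzinfo=timezone.utc), "kind": kind}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def logins_from_multiple_ips(events, window=timedelta(minutes=10)):
    """Accounts that logged in successfully from more than one IP inside the window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth" and ev["result"] == "ok":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ips = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


def failed_logins_unknown_users(events, min_count=3):
    """Sources that repeatedly fail authentication for accounts that do not exist."""
    c = Counter(ev["src"] for ev in events
                if ev["kind"] == "auth" and ev["result"] == "fail"
                and ev.get("reason") == "no_such_user")
    return {src: n for src, n in c.items() if n >= min_count}


def dns_request_spikes(events, per_minute=20):
    """Hosts whose DNS query count in any single minute exceeds the threshold."""
    c = Counter((ev["src"], ev["ts"].replace(second=0)) for ev in events if ev["kind"] == "dns")
    spikes = {}
    for (src, _minute), n in c.items():
        if n > per_minute:
            spikes[src] = max(n, spikes.get(src, 0))  # keep the worst minute per host
    return spikes


def repeated_file_requests(events, threshold=50):
    """(source, path) pairs requested more than `threshold` times."""
    c = Counter((ev["src"], ev["path"]) for ev in events if ev["kind"] == "web")
    return {key: n for key, n in c.items() if n > threshold}


def run_all(lines):
    """Run every rule over the raw lines and return the findings by rule name."""
    events = parse(lines)
    return {
        "multi_ip_logins": logins_from_multiple_ips(events),
        "unknown_user_failures": failed_logins_unknown_users(events),
        "dns_spikes": dns_request_spikes(events),
        "repeated_requests": repeated_file_requests(events),
    }


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each rule returns a plain dict so the findings can be forwarded to a SIEM or ticketing system rather than only printed. Note that the same external source shows up in three of the four findings; correlating indicators by source is usually what turns individual red flags into a confident detection.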
A variety of threat intelligence tools are for sale or available at no cost through the open-source community. They all have slightly different approaches to threat intelligence gathering:
- Malware disassemblers: These tools reverse engineer malware to learn how it works and help security engineers decide how to defend against future, similar attacks.
- Security information and event management (SIEM) tools: SIEM tools allow security teams to monitor the network in real time, gathering information about unusual behavior and suspicious traffic.
- Network traffic analysis tools: Network traffic analysis tools collect network information and record network activity to provide information that makes detecting an intrusion easier.
- Threat intelligence communities and resource collections: Freely accessible websites that aggregate known indicators of compromise and community-generated data about threats can be a valuable source of threat intelligence. Some of these communities support collaborative research and provide actionable advice on how to prevent or combat threats.
Organizations that are aware of emerging threats and know how to avoid them can take action to prevent an attack before it happens. Gathering and reviewing threat intelligence should be part of the enterprise security strategy for every organization.