Introduction to cyber threat intelligence
Cyber threat intelligence within the context of cybersecurity can appear to be somewhat difficult to pinpoint as a notion, particularly when you factor in the necessity of having to make strategic business decisions. Indeed, various sources view cyber threat intelligence in different ways, albeit with a number of shared characteristics.
The most commonly accepted definition of cyber threat intelligence, however, comes from Stamford-based technology research and consulting firm Gartner. The company defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard”.
As it is evident from the above excerpt, the definition is far from simple, packing a plethora of complex concepts and ideas, all of which contribute to the greater idea behind cyber threat intelligence. In the article below, we will closely examine the key concepts and principles behind threat intelligence, its role within your organisation’s cybersecurity defence strategy, and how a threat intelligence platform can be pivotal in your efforts to ensure that your data remains secure and your business objectives can be achieved without leaks, breaches and other such malicious events.
In addition, it is important to remember that threat intelligence does not rely on a static, one-time solution, but changes and evolves to meet both present and future needs.
According to US-based multinational technology company CISCO, cyber threat intelligence is a “dynamic, adaptive technology that leverages large-scale threat history data to proactively block and remediate future malicious attacks on a network”.
The company added that cyber threat intelligence itself is “not a solution, but it is a crucial security architecture component, because of evolving threats, security solutions are only as effective as the intelligence powering them”.
During our examination of the concept of cyber threat intelligence, we will first break down the notion of threats and risk, the concept of intelligence within the context of cybersecurity and organisational planning, as well as the different categories and types of threat intelligence, followed by a close look at what a threat intelligence platform is and how it can help your organisation’s ability to monitor and respond to threats.
What exactly is a cyber threat?
Before we proceed, we should examine the basics. What is the meaning of a cyber threat and what are we referencing when we speak about this topic? At its most basic level, a cybersecurity threat is any malicious action whose main objective is to steal or otherwise damage your organisation’s data, or create another form of disruption to your information technology system, regardless of what the motivation for that may be.
What are some types of cyber threats?
Cybersecurity threats include phishing attacks, malware attacks, computer viruses, password attacks, Distributed Denial of Service (DDoS) attacks, as well as threats within your own organisation who may engage in sabotage or industrial espionage, among other forms of threats and attack vectors.
In plain terms, malware is a piece of software crafted in such a way so that it either destroys, damages, disrupts or obtain illegal and unwanted access to a computer system.
Phishing attacks are one of the most common forms of cyber attack as they require minimal complexity and preparation.
Phishing involves the sending of email messages that pretend to be from a legitimate source, including official companies or individuals known to the victimised user and attempt to get their target to reveal crucial security information such as passwords, usernames, financial data, and more. Phishing can also be used to facilitate a secondary attack, such as the installation of malware.
Ransomware is a subdivision of malware and it essentially disrupts the normal running of your device or computer system (oftentimes by encrypting all data found on the device) until a monetary ransom is paid to the perpetrator within a fixed window of time.
Malicious entities who launch ransomware attacks will most likely permanently delete the encrypted data unless the aforementioned amount is paid to them before the deadline expires.
A password breach takes place each and every time a private and undisclosed password is utilised by a third party without prior authorisation to gain access to personal and private data.
Password breaches can take place in a number of ways, with two of the most common ways being dictionary attacks and brute force attacks.
Denial-of-Service Attacks (DoS)
Denial-of-service (DoS) attacks occur when a malicious actor or group targets a victim system by drowning it in immensely high volumes of traffic, with the ultimate aim of such an action being the crippling of the system and the disruption of its services for legitimate users.
The changing landscape of cyber threats
However, it is important to remember that the cyber threat landscape is fluid, and constantly changes and adapts to both evade newer forms of defence, as well as to exploit new technologies and platforms, especially ones that see wide-scale adoption, resulting in a sizeable pool of potential victims.
“Change brings opportunity – exciting technological advances have supported a remote workforce and enabled organizations to remain productive in a changing environment,” Microsoft’s Corporate Vice President, Security, Compliance, Identity, and Management Vasu Jakkal wrote.
“Unfortunately, increasingly complex digital environments have given cybercriminals new vulnerabilities to exploit,” Jakkal added, explaining that to “successfully detect and defend against security threats, we need to come together as a community and share our expertise, research, intelligence, and insights”.
Indeed, in the same piece, the Microsoft senior executive noted that between July 2020 and June 2021, there was a massive 1,070 per cent year-on-year increase in ransomware attacks, something which underlines the need to remain up to date with attack trends. This also highlights the importance of cyber threat intelligence, as it incorporates this knowledge-based risk monitoring and assessment aspect at its core.
How do we define intelligence in cybersecurity?
Admittedly, we have already covered the concept of threat intelligence, but it is worth revisiting the definition and thinking behind the meaning of intelligence in a cybersecurity context one more time with an additional level of focus.
Intelligence in such a framework is the result of a systematic process whereby we identify, collect and analyse a wide range of cyber threats. This allows the organisation and its security teams to better understand any potential looming dangers.
And here is the crux of the difference between threat data and intelligence. Threat data is just a list of potential threats, risks and sources of danger.
Whereas threat intelligence tries to produce an overview of the bigger picture by questioning the threat data, combine with the larger context, in order to create an informed, nuanced, three-dimensional, multi-layered, multi-scenario account of the threat landscape. This will in turn enable decision-making, executives, analysts and administrators to act in a more prudent, knowledge-based way.
“Threat intelligence involves sifting through data, examining it contextually to spot problems and deploying solutions specific to the problem found,” cybersecurity solutions and services company Kaspersky stated.
“Thanks to digital technology, today’s world is more interconnected than ever. But that increased connectedness has also brought an increased risk of cyberattacks, such as security breaches, data theft, and malware,” the company added, noting that cyber threat intelligence is a key aspect of an organisation’s cybersecurity strategy.
Characteristics of cyber threat intelligence
When organisations seek to identify and accurately define the proverbial enemy, be that any malicious actors or other sources of risk, during the proactive section of the cyber-attack lifecycle, they subsequently have the opportunity to take the necessary measures and actions to protect themselves, address any weaknesses and vulnerabilities, and prevent any attacks from achieving their desired objectives.
In addition, by being proactive, the organisation buys the necessary time it needs to craft an effective reaction and recovery strategy, boosting both its defensive capabilities, as well as its resilience to an attack.
For cyber threat intelligence to be effective, it needs to satisfy certain criteria. Firstly, it must be timely, being conveyed quickly to any relevant parties with minimal to zero time-wasting. It must be relevant and applicable to the environment in question. Threat intelligence should also be accurate, something which can only be achieved if the threat intelligence was produced using correct, complete and explicit information. Remember, when feeding data into a complex process, nothing should be assumed or inferred, since this makes things vague and liable to mistakes or inaccuracies.
Furthermore, cyber threat intelligence should be specific. The more detailed, targeted and specific the threat intelligence is, the more likely it will be for cybersecurity teams to select and implement the most appropriate actions and countermeasures.
Finally, and we will revisit this in more detail later in the article, cyber threat intelligence should be actionable. It should empower the people you have tasked with defending your organisation to use the information presented to them to proceed with constructive, robust actions.
What is a threat intelligence platform and how can it help you?
In this section, we will examine what constitutes a cyber threat intelligence platform and how
It can help your organisation’s security operations centre, boosting its monitoring and response capabilities, and ultimately enabling you to stay secure in a proactive manner.
“It is important for the SOC analyst to be able to quickly detect signs of an attack, investigate the associated activity, and start remediation to shut down the threat,” multinational technology solutions company Check Point wrote.
“The less time that cyber attackers have to poke around unrestricted on organizational systems, the less opportunity they have to break into high-value assets and steal sensitive information,” the company added.
The many features that comprise a threat intelligence platform
According to Gartner, threat intelligence products and services aim to deliver knowledge, information and data about cybersecurity threats and other cybersecurity-related issues.
“The output of these products and services aim to provide or assist in the curation of information about the identities, motivations, characteristics and methods of threats, commonly referred to as tactics, techniques and procedures (TTPs),” the company explained.
“The intent is to enable better decision-making and improve security technology capabilities to reduce risk and the chance of being compromised,” it added.
Indeed, to achieve these objectives, a well-configured and well-designed threat intelligence platform utilises a lot of core features that seek to enable an organisation to put into place a cybersecurity strategy that puts threats at its core, working from the probability of a risk and building from there.
This allows the organisation to better utilise any investments it has already made in terms of its cyber security infrastructure, including equipment, systems, as well as its human resources.
A threat intelligence platform can support the efforts of the company’s security teams, allowing them to quickly view the most pertinent threats that the organisation may encounter, enabling them to make more informed decisions and thus implement the most appropriate sequence of actions and counter-measures in a swifter fashion.
What is more, a cyber threat intelligence platform should utilise all of the infrastructure components and people that comprise it to achieve a number of functions, including aggregation, correlation, contextualisation, and integration, as well as performing the required and appropriate actions.
Aggregation refers to a cyber threat intelligence platform’s capacity to act as a central location for all data relating to possible threats, both from within the organisation, as well as from external sources.
The platform should be able to collect and aggregate data from a wide range of locations, including commercial sources, government websites, the information technology and cybersecurity industries, as well as current security vendors, into a single location, with one, consistent format, allowing the team using the platform to easily manage this information.
Added to this collection of data should be supplementary pieces of information, including all system log data, event management system data, internal ticketing system data, case management system data, as well as any other internal systems that produce pertinent information.
This is where correlation and contextualisation come into play, since the cyber threat intelligence platform will be able to take all of this centralised data and create a relationship map, or another equivalent, using events and other key threat indicators from both inside and outside the organisation’s environment, ultimately resulting in a comprehensive threat map.
This can be combined with possible malicious, cyber security threat actors and the techniques they utilise in order to create context, allowing the organisation to properly view and assess the basic information of a potential attack, including the parties, their motivations, and the way in which they may go about it.
In terms of integration, this refers to the cyber threat intelligence platform’s ability to connect with and seamlessly export relevant reports, prioritised according to the threat level, using the company’s existing set of tools. This includes the company’s security information and event management technologies, as well as any case and other event management systems. It should be noted that the prioritisation of possible risks and dangers can sometimes be referred to as strategic threat management.
Coupled with any data being fed back from the organisation’s defensive grid, including routers, web and email security solutions, endpoint protection, as well as its firewalls, among other things, the cyber threat intelligence platform should be capable of effectively delivering as few false positives as possible, allowing the people managing its security systems to focus on what actually matters.
Once the above steps have been taken, generating all the desired data and information, it’s time to act on it. Regarding any actions, the platform should be able to boost the ability of security operation centres (SOCs), as well as any administrators and analysts tasked with dealing with cyber threats, to respond to incidents, and manage risks and vulnerabilities, all with the appropriate, custom-designed threat intelligence needed to implement the required actions against the most pertinent sources of danger.
In addition, the cyber threat intelligence platform should facilitate a reduction in the time needed to identify and react to any threats, while allowing the organisation and the security teams to obtain precious insights, empowering them to foresee any threats, further boosting their capacity to remain vigilant and proactive.
Finally, the cyber threat intelligence platform is able to combine both operational intelligence and tactical intelligence, always within the framework of cybersecurity.
The importance of cyber threat intelligence to the security operations centre
In the previous section, we saw how the cyber threat intelligence platform can help the organisation’s security operation centre in its capacity to quickly identify and react to any threats and sources of danger. This is often referred to in the industry as extended detection and response (XDR).
According to, VMware, a virtualisation and cloud computing software provider based in the United States, extended detection and response (XDR) “is a consolidation of tools and data that provides extended visibility, analysis, and response across networks and clouds in addition to apps and endpoints,” noting that “XDR is a more sophisticated and advanced progression of endpoint detection and response (EDR) security”.
“Where EDR contains and removes threats on endpoints and workloads, XDR extends those capabilities beyond endpoint to multiple security control points (including email, networks, server, and cloud) to detect threats faster using data collected across domains,” the company added.
In essence, XDR is able to utilise all the raw data collected from the entirety of the organisation’s environment, which we broke down in detail earlier in the article, and identify any malicious actors that may be using a piece of software to gain access to the system without consent.
This is achieved in a more consistent and effective manner than other systems, including any other security information and event management systems, that may be unable to perform this action. As we will see below, XDR is the result of previous approaches and systems.
“The (XDR), extended detection and response, is an evolution of (EDR), endpoint detection, and response. XDR unites visibility as well as control across all endpoints, network connectivity, as well as cloud workloads. This enhanced visibility offers contextualization of such threats to help with remedial efforts. The data collected by extended detection and response (XDR) is automatically correlated across multiple security vectors, assisting quicker threat detection so as to ensure that security analysts can react quickly before the scope of the threat expands,” explained researchers Shaji George, Hovan George, T. Baskar and Digvijay Pandey in their paper titled ‘XDR: The Evolution of Endpoint Security Solutions’.
“In summary, XDR expands ahead of the endpoint to make choices based on data from additional products and can take the appropriate measures across the stack by working on email, identity, network, and beyond,” the authors added, noting that “XDR has been gaining traction and developing as vital next-generation security”.
With XDR evolving from endpoint detection and response (EDR), it also shares some of its core attributes, namely its objective to react to a threat in order to neutralise or contain it, before ultimately eliminating and removing it.
However, XDR is an improvement over EDR since it deploys upgraded data collection and integration with the organisational environment and all of the systems it contains.
Properly designed XDR platforms allow for the creation of a comprehensive, integrated, contextualised picture of the threat landscape, boosting the capacity of security analysts to implement an effective, bespoke response.
XDR, which does not necessarily invalidate EDR, but can rather act perfectly in tandem with the system from which it evolved, can be used to improve cybersecurity performance in a number of use cases.
XDR can be used in a wide variety of operational use cases, including device health checks, allowing them to be optimised and preemptively reconfigured; detecting configuration oversights, including devices that may pose security risks; detecting vulnerabilities that may be exploited by malicious actors or malware; helping the organisation to detect unwanted software that may cause compliance or productivity-related problems; help the organisation stay up to date with the latest compliance requirements; as well as checking whether new software or updates have been rolled out to all devices as planned.
What is more, XDR can assist the organisation to identify and ameliorate any lingering network issues across the entire environment; support the administrators in their efforts to manage all devices; and, finally, ensure that the organisation is capable of responding to unexpected scenarios, something for which cyber threat intelligence is crucial.
As London-based business management consultancy firm Capco explained, “a proactive defence posture is intelligence-led, based on comprehensive cyber security assessments; it uses cyber threat intelligence feeds in conjunction with real-time network monitoring to develop a detailed picture of the whole security landscape, and how threats can be manifested and exploited”.
“Active intrusion prevention, data protection, data loss prevention and encryption or dynamic distribution technologies can protect data at rest, in-motion and in-use,” the company added.
You can get in touch with us to find out exactly how Boltonshield can help you by clicking here.
If you want to get updated about our recent publications about cybersecurity topics, subscribe to our newsletter.