The phrase Threat Intelligence has steadily gained significance in information security discussions. With decision makers treating it as a high-priority requirement, vendors have launched an array of products that can be confusing for an executive from a managerial background. This is an introductory post in our series of detailed discussions on threat intelligence.
Defining Threat Intelligence
The concept of threat intelligence is quite alluring as it presents itself as an efficient and better method to manage the security risks for a business. Essentially, on the basis of previously acquired data, it turns unknown threats into known threats so that the internal security team can effectively mitigate the identified risks before they are exploited by the attackers.
At present, there is no consensus on the definition of threat intelligence. Traditionally, threat intelligence is defined as information that assists and supports the decision-making process while reducing the time taken to discover or prevent an attack. Because threat intelligence in cyber security is still in its youth, and because the products offered by vendors vary widely in scope and price, there is always a chance that a business ends up paying a large amount of money for a product marketed as "based on threat intelligence" that, in the end, does not deliver the expected results.
In order to define threat intelligence, it is important to first understand intelligence itself. The concept of knowns and unknowns became popular after a press conference given by Donald H. Rumsfeld, the then US Defence Secretary, on February 12, 2002. The concept can be represented as given below in the context of security threats –
Threat Intelligence can be considered as the process of moving threats from Unknown Unknowns to Known Unknowns by discovering previously unknown threats. Hence, the goal of this concept is to keep the largest possible number of threats in the Known Knowns category and the smallest possible number in the Unknown Unknowns category. Once this concept is understood in its essence, it follows that targeted attacks require a targeted defence strategy.
Types of Threat Intelligence
From a broader perspective, any information that assists in decision making can be called threat intelligence. Threat intelligence is categorised by who is going to use it and what aims are to be achieved. It is categorised as follows –
- Strategic Threat Intelligence: High-level information aimed at the board members and decision makers of the company. It rarely contains technical details. It focuses on budget allocation, capacity building, defence mechanisms, etc., and it is generally delivered in the form of presentations, reports, conversations or briefings.
- Operational Threat Intelligence: Information about possible attacks against the business, consumed by the higher-level security staff of the company. Open Source Intelligence (OSINT) plays a vital role here.
- Tactical Threat Intelligence: Information about the TTPs – Tactics, Techniques, and Procedures – adopted by attackers while carrying out attacks. It is primarily consumed by the defenders of a business and the designated incident response team. Research papers, white papers, conferences and seminars are some of the ways of learning the TTPs prevalent in the industry.
- Technical Threat Intelligence: Of all the types of threat intelligence, Technical Threat Intelligence has the shortest lifespan. It is the information generated by the tools and techniques a business employs to improve its security. It can include blocked IP addresses, the sources of attacks, MD5 sums, etc. This type of information helps a business carry out its internal monitoring and investigative functions.
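The short lifespan of technical threat intelligence is easy to overlook in practice: an IP address or file hash that was a reliable indicator three months ago may belong to an innocent host today. The following Python script is an added example, not code from the original post, showing one way a defender might consume such indicators: each indicator carries a first-seen time and a time-to-live, and only indicators still within their lifespan are matched against log lines. The feed entries, log lines, IP addresses (from the documentation ranges) and the hash values are all constructed sample data, not real indicators.

```python
"""Added example (not from the original post): matching short-lived technical
indicators (blocked IPs, MD5 sums) against log lines, expiring indicators once
their lifespan has elapsed so stale data stops generating alerts.
All feed entries, log lines and hash values below are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ip" or "md5"
    value: str
    first_seen: datetime
    ttl: timedelta       # how long the indicator is treated as current

    def is_active(self, now: datetime) -> bool:
        """An indicator is active until first_seen + ttl has passed."""
        return now < self.first_seen + self.ttl


# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed feed: one recent IP, one IP far past its lifespan, one file hash.
# The hex string is a placeholder, not the hash of any real file.
SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"
FEED = [
    Indicator("ip", "198.51.100.23", NOW - timedelta(days=2), timedelta(days=30)),
    Indicator("ip", "203.0.113.9", NOW - timedelta(days=90), timedelta(days=30)),
    Indicator("md5", SAMPLE_MD5, NOW - timedelta(days=1), timedelta(days=30)),
]

# Constructed log lines: a proxy log carrying IPs and a scanner log carrying hashes.
LOGS = [
    "2024-01-15T11:58:01Z proxy src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2024-01-15T11:58:04Z proxy src=10.0.0.7 dst=203.0.113.9 action=allow",
    "2024-01-15T11:59:10Z scanner file=invoice.exe md5=" + SAMPLE_MD5,
    "2024-01-15T11:59:12Z scanner file=notes.txt md5=fedcba9876543210fedcba9876543210",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def extract(line: str) -> set:
    """Return the set of (kind, value) observables present in one log line."""
    observables = {("ip", ip) for ip in IP_RE.findall(line)}
    observables |= {("md5", digest) for digest in MD5_RE.findall(line)}
    return observables


def match(logs, feed, now: datetime) -> list:
    """Return (log line, indicator) pairs for indicators that are still active.

    Expired indicators are dropped before matching, so a log line mentioning
    a stale IP or hash does not produce a hit."""
    active = {(ind.kind, ind.value): ind for ind in feed if ind.is_active(now)}
    hits = []
    for line in logs:
        for key in extract(line):
            if key in active:
                hits.append((line, active[key]))
    return hits


def count_hits(days_from_now: int) -> int:
    """Number of hits if the same logs were evaluated days_from_now days later.

    Useful for seeing indicators age out: the hits disappear as the feed expires."""
    return len(match(LOGS, FEED, NOW + timedelta(days=days_from_now)))


if __name__ == "__main__":
    for line, ind in match(LOGS, FEED, NOW):
        print(f"HIT {ind.kind}={ind.value}: {line}")
    print("hits today:", count_hits(0), "| hits in 60 days:", count_hits(60))
```

Run as-is, the script reports two hits (the recent IP and the hash) and none for the 90-day-old IP, even though it appears in the proxy log; re-evaluating the same logs 60 days later yields no hits at all, because every indicator in the feed has aged out. The time-to-live values are illustrative; in a real deployment they would come from the feed provider or from the organisation's own retention policy.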