Threat intelligence, also called cyber threat intelligence (CTI), is curated data about existing or emerging cybersecurity threats such as ransomware. Based on the aggregation and analysis of security- and threat-related data gathered from multiple sources, cyber threat intelligence provides information about actual or possible threats to digital infrastructure and applications. With that evidence, and the additional insight it makes possible, cybersecurity teams can use threat intelligence to prepare for—and even prevent—potential threats and to rapidly detect and respond to active threats, working proactively rather than reactively.
Threat intelligence is a key pillar in modern cybersecurity strategies focused on boosting organizations’ cyber resilience. Over half (51%) of SANS 2023 CTI survey respondents said their organizations have a formal, dedicated threat intelligence team.
Threat intelligence is important because organizations are experiencing a trifecta of challenges related to data protection:
Because individuals and groups of cybercriminals and nation-states see openings to both demand money and wreak political havoc, organizations must continually strengthen their data security posture management (DSPM) and threat intelligence capabilities to protect revenue, brand reputations, and operational capabilities.
Threat intelligence empowers enterprises to be better prepared for bad actors by gaining an understanding of threat trends and threat actors’ behaviors, techniques, motives, and capabilities. With near- and real-time visibility into potential, emerging, and ongoing threats, executives can speed decision-making and actions around protecting sensitive data and intellectual property (IP).
Threat intelligence falls into three primary categories along a maturity spectrum: tactical, operational, and strategic.
Tactical – At the base level, tactical threat intelligence helps organizations focus on how attacks are carried out and defended against. It often only identifies simple indicators of compromise (IOCs), such as bad IP addresses, known malicious domain names, and email subject lines connected with phishing attacks. This type of information can be found online (even in free data feeds) but is useful for only a short time, since attackers often rotate these IOCs within hours or days. Tactical threat intelligence commonly equips three security teams: incident response, security operations center (SOC), and threat hunting. Incident response teams use cyber threat intelligence to separate false positives from true attacks, while SOC pros use it to detect and respond to active and in-progress threats. Threat-hunting teams call upon threat intelligence to identify advanced persistent threats (APTs) and other masked attack types.
Operational – Moving up a level, operational threat intelligence allows teams to examine the technical aspects of attacks and bad actors—such as motives, favored attack vectors, and preferred vulnerabilities to exploit. It can even provide insight into the nature and timing of a planned attack. By providing this context, operational threat intelligence empowers security executives and decision-makers to identify the most likely threats and establish security mechanisms designed to thwart specific attacks. This intelligence also positions SOC cybersecurity pros to better manage vulnerabilities, threat monitoring, and responses to incidents. Although tactical threat intelligence can be generated by a machine—often using machine learning and artificial intelligence (AI/ML) technologies—operational threat intelligence requires human analysis. As part of their approach, analysts use data classification to organize and assess attackers’ tactics, techniques, and procedures (TTPs). Operational threat intelligence stays valuable for longer than tactical threat intelligence, since it is far harder for threat actors to change their TTPs than to change a malicious domain name.
Strategic – At the highest level, strategic threat intelligence aids organizations in understanding their position in the global threat landscape. More specifically, strategic intelligence is a non-technical approach to providing context for an organization’s potential cybersecurity risks based on current global events, foreign policies, industry trends, and other prevailing influences. This understanding allows IT and non-IT leaders alike to strategically align cybersecurity and risk management investments. Because of the sophistication and nuances at this level, strategic intelligence is the hardest to generate. Human analysts must deeply understand the global cybersecurity landscape and geopolitics to produce timely, meaningful, and actionable reports.
Threat intelligence involves the collection, analysis, and application of data regarding potential or current cyber threats. Its primary goal is to provide actionable insights into attackers’ tactics, techniques, and procedures (TTPs) to enhance an organization’s defensive posture.
Threat hunting is a proactive approach that involves actively searching for signs of compromise or vulnerabilities within an organization’s network. Unlike traditional detection methods, it does not solely rely on known threats or alerts from security systems.
While the insights gained from threat intelligence guide organizations in preparing for potential attacks, the goal of threat hunting is to detect advanced persistent threats and unique malware before they can cause damage, thereby reducing the time from intrusion to discovery.
Operationalizing threat intelligence in an enterprise can be challenging for several reasons:
The threat intelligence lifecycle is a structured framework organizations use to manage and utilize threat intelligence effectively. It comprises six interconnected phases that guide teams in gathering, analyzing, and disseminating information about potential threats. This cyclical process helps organizations adapt to evolving threats and improve their cybersecurity posture. The phases are as follows:
1. Planning and direction
This initial phase involves defining the goals and scope of the threat intelligence program. Organizations assess their risk tolerance, identify key assets to protect, and determine specific intelligence needs based on their industry and threat landscape.
2. Data collection
This phase gathers relevant data from various sources, including open-source intelligence (OSINT), deep and dark web resources, internal logs, and threat intelligence platforms. The objective is to compile comprehensive information about potential threats.
3. Processing
Collected data undergoes processing to filter out irrelevant information and structure it for analysis. This step may involve cleaning data, removing duplicates, and enhancing it with additional context.
4. Analysis
Analysts examine the processed data to identify patterns, trends, and potential threats. This phase employs various analytical techniques, including data mining and machine learning, to convert raw data into actionable intelligence.
5. Dissemination
The analyzed intelligence is shared with relevant stakeholders in a timely manner. Effective dissemination ensures that decision-makers receive actionable insights to inform security measures and incident responses.
6. Feedback and improvement
This final phase involves gathering feedback from stakeholders to evaluate the effectiveness of the threat intelligence provided. Insights gained here refine the entire lifecycle process, ensuring continuous improvement in threat identification and response strategies.
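The short-lived tactical indicators described under "Tactical" above and the processing phase of the lifecycle (filter out irrelevant entries, remove duplicates, structure the data) come together in the following added Python example. It is not Cohesity's or DataHawk's code. The feed lines, the log lines, the 30-day expiry window and the fixed "now" clock are all constructed for the example; the IP addresses and domains are documentation/example values, not real indicators.

```python
"""Added example: process a raw tactical-IOC feed, then match it against logs.

Everything below (feed, logs, clock, expiry window) is constructed for
illustration and is not Cohesity's code.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed raw feed: mixed kinds, defanged values, one duplicate
# (case differs), a comment line and a stale entry from two months ago.
RAW_FEED = """\
# source: constructed-example-feed
ip,198.51.100.23,2024-05-01T08:00:00Z
domain,malware-updates[.]example,2024-05-02T12:30:00Z
domain,MALWARE-UPDATES.example,2024-05-02T12:30:00Z
subject,Invoice overdue - action required,2024-05-02T09:15:00Z
ip,203.0.113.9,2024-03-01T00:00:00Z
url,hxxp://login-portal[.]example/verify,2024-05-02T07:00:00Z
"""

# Constructed log lines (proxy, DNS and mail gateway) to match against.
SAMPLE_LOGS = [
    "2024-05-03T10:01:02Z proxy src=10.0.0.14 dst=198.51.100.23 host=cdn.example",
    "2024-05-03T10:02:40Z dns query=malware-updates.example client=10.0.0.22",
    "2024-05-03T10:03:11Z mail from=billing@partner.example subject=Invoice overdue - action required",
    "2024-05-03T10:04:59Z proxy src=10.0.0.31 dst=203.0.113.9 host=old.example",
    "2024-05-03T10:05:05Z proxy src=10.0.0.31 dst=192.0.2.77 host=benign.example",
]

MAX_AGE = timedelta(days=30)  # assumption: tactical IOCs age out after 30 days
NOW = datetime(2024, 5, 3, 10, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Indicator:
    kind: str           # "ip", "domain", "url" or "subject"
    value: str          # normalized value
    first_seen: datetime


def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what logs actually contain."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def normalize(kind: str, value: str) -> str:
    value = refang(value.strip())
    if kind in ("ip", "domain", "url"):
        value = value.lower()
    if kind == "ip":
        ipaddress.ip_address(value)  # raises ValueError on a malformed address
    return value


def process_feed(raw: str, now: datetime = NOW) -> list[Indicator]:
    """Processing phase: parse, drop comments/malformed/stale rows, de-duplicate."""
    seen: dict[tuple[str, str], Indicator] = {}
    for line in raw.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue
        kind, value, ts = parts
        try:
            first_seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            value = normalize(kind, value)
        except ValueError:
            continue
        if now - first_seen > MAX_AGE:
            continue  # stale tactical IOC: the actor has probably rotated it
        key = (kind, value)
        if key not in seen or first_seen < seen[key].first_seen:
            seen[key] = Indicator(kind, value, first_seen)  # keep earliest sighting
    return list(seen.values())


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:query|host)=([\w.-]+)")
SUBJECT_RE = re.compile(r"subject=(.*)$")


def match_logs(indicators: list[Indicator], logs: list[str]) -> list[tuple[str, Indicator]]:
    """Tactical use: return (log_line, indicator) for every IOC hit in the logs."""
    by_kind: dict[str, dict[str, Indicator]] = {}
    for ind in indicators:
        by_kind.setdefault(ind.kind, {})[ind.value] = ind
    hits = []
    for line in logs:
        for ip in IP_RE.findall(line):
            if ip in by_kind.get("ip", {}):
                hits.append((line, by_kind["ip"][ip]))
        for host in HOST_RE.findall(line):
            if host.lower() in by_kind.get("domain", {}):
                hits.append((line, by_kind["domain"][host.lower()]))
        m = SUBJECT_RE.search(line)
        if m and m.group(1).strip() in by_kind.get("subject", {}):
            hits.append((line, by_kind["subject"][m.group(1).strip()]))
        for url, ind in by_kind.get("url", {}).items():
            if url in line.lower():
                hits.append((line, ind))
    return hits


if __name__ == "__main__":
    for line, ind in match_logs(process_feed(RAW_FEED), SAMPLE_LOGS):
        print(f"{ind.kind:8} {ind.value:40} {line}")
```

Run as written, the feed collapses to four indicators (the duplicate domain merges after refanging and lowercasing, and the March IP is dropped as stale) and three log lines match: the proxy connection to the listed IP, the DNS query for the listed domain, and the mail with the phishing subject. The connection to the stale IP is deliberately not reported, which is the point the text makes about tactical IOCs: an indicator that is weeks old is as likely to generate false positives as to catch the actor who has moved on.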
The threat intelligence lifecycle enhances an organization’s ability to proactively detect and respond to potential cyber threats. By following this structured approach, organizations can better understand their vulnerabilities, allocate resources effectively, and strengthen their overall cybersecurity defenses.
In the face of ransomware and other cyberattacks that use deceptive tactics, organizations need solutions that can detect threats, make it possible to analyze the impact of sensitive data exposure, and securely isolate data—all while seamlessly integrating with security operations practices and solutions that teams already trust.
Organizations seeking to boost their cyber threat intelligence can count on Cohesity DataHawk to:
Organizations can identify threats in their backup snapshots, helping reduce reinfection risk while streamlining recovery. Because DataHawk integrates with organizations’ security operations and existing incident response and remediation processes, it’s simpler to deploy and use.
Concurrently, Cohesity Threat Hunting uses AI/ML-driven threat detection to identify the latest ransomware variants and other cyberattacks. Organizations can create and import custom or existing YARA rules to find specific threats.