Threat Intelligence

What is Threat Intelligence?

Threat intelligence (TI) - or cyber threat intelligence - is information that a security organization gathers about potential and looming threats to its operations. Ideally, this should be a constant feed of information that informs automated prioritization of those threats and subsequent remediation efforts. 

TI practitioners should look at their responsibilities as an effort to ensure every part of the security organization effectively leverages threat data as part of its day-to-day mission of detection, response, and overall risk management. With regard to TI, Forrester recently noted how – in the face of an increasingly complex threat landscape – security teams must adopt internal processes to manage threat intelligence and protect the business.

As threats loom ever larger across every region and industry, threat intelligence platforms can also be a powerful tool for proactivity. Defense matters, of course. But threat intelligence also points to trends that are not necessarily imminent, low-effort attacks at the door of the security operations center (SOC). In that case, a SOC can proactively hunt along those trend lines and fortify its defenses before the attack arrives.

Why is Threat Intelligence Important?

Threat intelligence platforms are important because a security organization needs to learn of potential threats as far in advance as possible, so it can fend them off and close any vulnerabilities threat actors may be attempting to exploit. TI is also important because it can be a significant bottom-line saver: the more threats you stop, the more money you save on behalf of the business. Let’s take a look at some advantages that underscore the importance of a solid TI program:

  • The all-important audit: This might seem like a slow, elaborate process, but the advantage of knowing exactly what your security organization needs from a TI program can’t be overstated. Creating Prioritized Intelligence Requirements (PIRs) can help lead to an overall desired outcome.
  • Expanded access: Many TI vendors are now incorporating expanded access, helping to democratize TI and make it easier for security practitioners to access and act on. Actionable insights are now more seamlessly integrated into security devices and TI platforms.
  • Automated remediation: Democratizing the process doesn’t just mean human practitioners have increased access, it also denotes actual devices receiving actionable data and automatically shutting down an impending attack. Any worthwhile TI program or solution should make this a hallmark of the process.

Actionable threat intelligence has made leaps and bounds in recent years in terms of transitioning from a manual methodology to automating much of the process so that security organizations can actually use it – instead of just sitting on mountains of unanalyzed data and waiting for an attack.

Who Benefits From Threat Intelligence?

Simply stated, everyone benefits from TI. It can make life easier for a SOC, can save money for the overall business, and bolster customer confidence in the company and its product(s). As this page is pointed firmly at security professionals, the primary beneficiaries of TI are analysts and personnel within the security organization, as it directly eases threat detection and response. What are those benefits?

  • Time savings: Time spent manually searching for potential threats has become a serious challenge for SOCs lacking a competent TI framework. Leveraging automation, a methodical TI solution can do most of that work, delivering time back to that SOC.
  • Reduced impact of attacks: With attack surfaces expanding the world over, security organizations are overloaded in their efforts to defend themselves and their customers from the sheer volume of threats. When a TI solution can cut the noise surrounding genuine threats, overall security posture has room to improve.
  • Prioritization: Less noise means prioritization can become, well, a priority. Leveraging increasingly relevant technology like AI and machine learning (ML), SOCs can surface the alerts that are valid and ready for immediate action.
  • Response efficiency: With prioritization comes more time to focus on other security initiatives, if leveraged correctly. Being able to ignore the noise, respond to valid alerts, and take down threats more rapidly means significant time savings. To this point, stakeholders must stay in contact with practitioners to identify other security areas that need attention.

Threat Intelligence Lifecycle

It’s no easy task to turn TI into actionable information. A framework is required to take raw data and turn it into true intelligence. But, what sort of framework can keep pace in the evolving threat landscape? Let’s define a TI lifecycle that is adaptable now and into the future.

Set a direction

Using PIRs can help guide the approach to direction-setting. The process typically begins with outlining a specific PIR and then defining a desired outcome.

Prioritize data to collect

Which intelligence will best serve the direction your team has worked to define? Depending on the use case, intelligence can come from multiple sources on your network and beyond: endpoints, third-party vendors, the dark web, application security processes and platforms, and many more. Collect data from all relevant sources to gain the most relevant insights.

Set an analysis approach

Leveraging as much automated analysis as possible is key to speed at this level of security. A SOC could take a manual approach to analysis, and it can't be overstated that human review may yield even more insights, but that comes at the cost of time. If threats are automatically classified, it's more likely they can be automatically remediated.

Disseminate analysis

The ultimate goal of this lifecycle should be to come away with useful intelligence that, after being thoroughly analyzed according to your framework, can be disseminated to security devices to automatically prevent an impending attack or threat.

It's therefore critical to build a solution that draws intelligence from the right sources, automatically produces an alert with contextual information, and finishes the process by automatically remediating the threat.
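The four lifecycle steps above, and the earlier point about cutting noise so that prioritization can happen, can be sketched as one small pipeline. This is an added illustration, not code from the page or from any Rapid7 product: the feed records, the PIR weights, the internal context and the per-type actions are all constructed, and the scoring and lookalike checks are deliberately simple stand-ins for what a real platform does.

```python
# Constructed sample records (not real indicators), as a TI platform might
# ingest them from a vendor feed, dark-web monitoring and OSINT.
RAW_FEED = [
    {"type": "ip", "value": "203.0.113.10", "tags": ["c2", "ransomware"], "confidence": 85},
    {"type": "credential", "value": "jdoe@example.com", "tags": ["leak"], "confidence": 70},
    {"type": "domain", "value": "examp1e-login.test", "tags": ["phishing", "brand"], "confidence": 60},
    {"type": "ip", "value": "198.51.100.7", "tags": ["scanner"], "confidence": 20},
]

# Set a direction: PIRs as weighted tags; records touching none of them are noise.
PIRS = {"ransomware": 3, "brand": 2, "leak": 2}
# Internal context (constructed) that turns a raw indicator into intelligence.
INTERNAL = {"brand": "example", "users": {"jdoe@example.com"}}
# Disseminate: the automated action per indicator type once the score is high enough.
ACTIONS = {"ip": "block at firewall", "domain": "block at proxy",
           "credential": "force password reset"}


def score_record(rec):
    """Analyse: feed confidence weighted by how many PIRs the record touches."""
    return rec["confidence"] * sum(PIRS.get(t, 0) for t in rec["tags"])


def enrich(rec):
    """Attach the internal context an analyst would want to see in the alert."""
    ctx = []
    if rec["type"] == "credential" and rec["value"] in INTERNAL["users"]:
        ctx.append("credential belongs to an internal user")
    if rec["type"] == "domain":
        # crude lookalike check: undo the common digit-for-letter swaps
        normalised = rec["value"].translate(str.maketrans("10", "lo"))
        if INTERNAL["brand"] in normalised:
            ctx.append(f"possible lookalike of {INTERNAL['brand']}")
    return ctx


def run_lifecycle(feed, threshold=100):
    """Collect -> analyse -> disseminate: alerts with context, highest priority first."""
    alerts = []
    for rec in feed:
        score = score_record(rec)
        action = ACTIONS.get(rec["type"], "monitor") if score >= threshold else "monitor"
        alerts.append({"value": rec["value"], "score": score,
                       "context": enrich(rec), "action": action})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in run_lifecycle(RAW_FEED):
        print(f"{a['score']:4d} {a['value']:22} {a['action']:22} {'; '.join(a['context'])}")
```

The low-confidence scanner record matches no PIR, scores zero and stays at "monitor", which is the noise-cutting step; everything above the threshold leaves with the context and the action a device would need.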

What are the Types of Threat Intelligence?

Cybersecurity threat intelligence directly impacts the business. Will a potential threat be taken down quickly, or will the intelligence be wasted for lack of a properly defined lifecycle?

Forrester defines business intelligence as methodologies and processes that "transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making that contribute to improving overall enterprise performance." As it happens, those three areas of insight are the same for TI; let's dive deeper into each.

Strategic TI

Strategic intelligence focuses on long-term threats and their implications. Strategic TI also aids in evaluating attackers – focusing on their tactics and motivations rather than geographical location – to determine potential organizational impacts of those threats. Higher-level decision-makers are usually informed with this type of intelligence, so it’s important to keep reporting as clear as possible.

Operational TI

Operational intelligence focuses on short-term threats that may require immediate mitigation, and thus fast re-prioritization of other initiatives. Operational TI also aids in evaluating who is actually being targeted and how. That helps stakeholders determine any immediate threat-response actions.

Tactical TI

Tactical intelligence focuses primarily on the exact behaviors of an attacker. Are they using particular methods or tooling to gain access or execute lateral movement? Tactical threat intelligence tools are used by personnel engaged in active monitoring and reporting, and they require spotting not-so-obvious red flags.

It’s always good to remember that what’s best for security is best for the business.

Threat Intelligence Use Cases

Use cases are varied and many. Security intelligence tools help an organization be proactive about any type of threat to the security and integrity of its operations and its overall cyber resilience.

  • Credential leakage: TI can aid in identifying usernames and passwords that may have been exposed to, or could be vulnerable to, exploitation by unauthorized parties.
  • Threat mapping: TI can aid in building a dynamic asset mapping framework to track an evolving digital footprint. It can identify potential attack vectors and understand where exposure may occur. Automatically correlating threat-actor intelligence to an organization’s unique digital footprint is central to threat mapping.
  • Brand and fraud protection: TI can aid in mitigating reputational damage (Learn about Digital Risk Protection), monitoring for domain spoofing and IP-address spoofing by cybercriminals that could be using your brand. TI can also monitor for valuable data being sold on the dark web, helping to defend against phishing scams as well as protect both IT systems and reputations.
  • Attack surface monitoring: TI can aid in identifying external-facing assets associated with known IP ranges or domain names (Learn about Project Sonar). Scans should be able to ensure complete discovery, interacting with exposed endpoint services, collecting additional metadata such as SSL certificates, HTML links in HTTP responses, service banners, and more.
