What is Threat Intelligence?
Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables organizations to make faster, more informed, data-backed security decisions and to change their behavior from reactive to proactive in the fight against threat actors.
Threat intelligence is evidence-based knowledge (for example, context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets. – Gartner
Why is Threat Intelligence Important?
In the world of cybersecurity, advanced persistent threats (APTs) and defenders are constantly trying to outmaneuver each other. Data on a threat actor’s next move is crucial to proactively tailoring your defenses and preempting future attacks.
Organizations are increasingly recognizing the value of threat intelligence, with 72 percent planning to increase threat intelligence spending in upcoming quarters.
However, there is a difference between recognizing value and receiving value. Most organizations today are focusing their efforts on only the most basic use cases, such as integrating threat data feeds with existing network devices, IPS, firewalls, and SIEMs, without taking full advantage of the insights that intelligence can offer.
Companies that stick to this basic level of threat intelligence are missing out on real advantages that could significantly strengthen their security postures.
Threat intelligence is important for the following reasons:
- sheds light on the unknown, enabling security teams to make better decisions
- empowers cyber security stakeholders by revealing adversarial motives and their tactics, techniques, and procedures (TTPs)
- helps security professionals better understand the threat actor’s decision-making process
- empowers business stakeholders, such as executive boards, CISOs, CIOs and CTOs, to invest wisely, mitigate risk, become more efficient and make faster decisions
Who Benefits from Threat Intelligence?
Threat intelligence benefits organizations of all shapes and sizes by helping them process threat data to better understand their attackers, respond faster to incidents, and proactively get ahead of a threat actor’s next move. For SMBs, this data helps them achieve a level of protection that would otherwise be out of reach. On the other hand, enterprises with large security teams can reduce the cost and required skills by leveraging external threat intel and make their analysts more effective.
From top to bottom, threat intelligence offers unique advantages to every member of a security team, including:
- Sec/IT Analyst
- Intel Analyst
- Executive Management
Here’s how it can benefit each position, and the specific use cases that apply to each:
|Sec/IT Analyst||Optimize prevention and detection capabilities and strengthen defenses|
|SOC||Prioritize incidents based on risk and impact to the organization|
|CSIRT||Accelerate incident investigations, management, and prioritization|
|Intel Analyst||Uncover and track threat actors targeting the organization|
|Executive Management||Understand the risks the organization faces and what the options are to address their impact|
Threat Intelligence Lifecycle
The intelligence lifecycle is a process to transform raw data into finished intelligence for decision making and action. You will see many slightly different versions of the intelligence cycle in your research, but the goal is the same: to guide a cybersecurity team through the development and execution of an effective threat intelligence plan.
Threat intelligence is challenging because threats are constantly evolving, requiring businesses to adapt quickly and take decisive action. The intelligence cycle provides a framework to enable teams to optimize their resources and effectively respond to the modern threat landscape. This cycle consists of six steps resulting in a feedback loop to encourage continuous improvement:
Let’s explore the six steps below: requirements, collection, processing, analysis, dissemination and feedback.
The requirements stage is crucial to the threat intelligence lifecycle because it sets the roadmap for a specific threat intelligence operation. During this planning stage, the team will agree on the goals and methodology of their intelligence program based on the needs of the stakeholders involved. The team may set out to discover:
- who the attackers are and their motivations
- what the attack surface is
- what specific actions should be taken to strengthen their defenses against a future attack
Once the requirements are defined, the team then sets out to collect the information required to satisfy those objectives. Depending on the goals, the team will normally seek out traffic logs, publicly available data sources, relevant forums, social media, and industry or subject matter experts.
After the raw data has been collected, it will have to be processed into a format suitable for analysis. Most of the time, this entails organizing data points into spreadsheets, decrypting files, translating information from foreign sources, and evaluating the data for relevance and reliability.
Once the dataset has been processed, the team must then conduct a thorough analysis to find answers to the questions posed in the requirements phase. During the analysis phase, the team also works to decipher the dataset into action items and valuable recommendations for the stakeholders.
The dissemination phase requires the threat intelligence team to translate their analysis into a digestible format and present the results to the stakeholders. How the analysis is presented depends on the audience. In most cases the recommendations should be presented concisely, without confusing technical jargon, either in a one-page report or a short slide deck.
The final stage of the threat intelligence lifecycle involves getting feedback on the provided report to determine whether adjustments need to be made for future threat intelligence operations. Stakeholders may have changes to their priorities, the cadence at which they wish to receive intelligence reports, or how data should be disseminated or presented.
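The lifecycle steps above are easier to reason about when run end to end on data. The following Python program is an added example, not CrowdStrike's code or tooling: it takes requirements (a constructed sector of interest and internal asset list), "collects" from three constructed sources in the mixed formats collection usually yields (a CSV open feed, a vendor JSON report and internal proxy log lines), processes them into one indicator schema with a source-reliability grade (the letter grades are in the spirit of the Admiralty scale, assigned here as a constructed policy), analyses each indicator against the requirements, and disseminates a short plain-language summary. All indicator values, source names and scoring weights are constructed placeholders.

```python
"""Threat intelligence lifecycle in miniature: requirements -> collection ->
processing -> analysis -> dissemination, run over constructed sample data.
Added example; not CrowdStrike's code. Sources, records and scores are
constructed placeholders."""
from dataclasses import dataclass, field
import csv
import io
import json

# Requirements: what stakeholders asked the team to look for (constructed).
REQUIREMENTS = {
    "sectors_of_interest": {"finance"},                    # the organisation's sector
    "internal_assets": {"10.0.0.5", "mail.example.test"},   # assets to watch
}

# Constructed source-reliability grades, A (best) to C, per collection source.
SOURCE_RELIABILITY = {"vendor-report": "A", "internal-proxy": "B", "open-feed": "C"}

# Collection: raw material in the heterogeneous formats collection yields (constructed).
RAW_OPEN_FEED_CSV = """indicator,type,last_seen
203.0.113.7,ipv4,2024-05-02
bad-login.example.test,domain,2024-04-30
"""
RAW_VENDOR_JSON = json.dumps({"indicators": [
    {"value": "203.0.113.7", "kind": "ipv4", "sectors": ["finance", "retail"]},
    {"value": "0" * 32, "kind": "md5", "sectors": ["energy"]},   # placeholder hash
]})
RAW_INTERNAL_PROXY = [
    "2024-05-03T10:15:00Z 10.0.0.5 -> 203.0.113.7:443 CONNECT",
    "2024-05-03T10:16:00Z 10.0.0.9 -> 198.51.100.20:80 GET",
]


@dataclass
class Indicator:
    """One normalised indicator, merged from every source that reported it."""
    value: str
    kind: str
    sources: set = field(default_factory=set)
    sectors: set = field(default_factory=set)
    seen_internally: bool = False

    def reliability(self) -> str:
        # Best (alphabetically lowest) grade among the sources that reported it.
        return min(SOURCE_RELIABILITY[s] for s in self.sources)


def process(feed_csv: str, vendor_json: str, proxy_lines: list) -> dict:
    """Processing: normalise every source into one schema keyed by indicator value."""
    indicators = {}

    def get(value, kind):
        return indicators.setdefault(value, Indicator(value, kind))

    for row in csv.DictReader(io.StringIO(feed_csv)):
        get(row["indicator"], row["type"]).sources.add("open-feed")
    for item in json.loads(vendor_json)["indicators"]:
        ind = get(item["value"], item["kind"])
        ind.sources.add("vendor-report")
        ind.sectors.update(item["sectors"])
    for line in proxy_lines:
        # Destination host is the token after "->" and before the port separator.
        dest = line.split("->")[1].split(":")[0].strip()
        if dest in indicators:
            indicators[dest].seen_internally = True
            indicators[dest].sources.add("internal-proxy")
    return indicators


def analyse(indicators: dict, requirements: dict) -> list:
    """Analysis: score each indicator against the requirements and rank them."""
    scored = []
    for ind in indicators.values():
        score = 0
        if ind.seen_internally:                                   # already touching us
            score += 5
        if ind.sectors & requirements["sectors_of_interest"]:      # aimed at our sector
            score += 3
        score += {"A": 2, "B": 1, "C": 0}[ind.reliability()]        # trust in the source
        scored.append((score, ind))
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored


def disseminate(ranked: list) -> list:
    """Dissemination: a short, jargon-light line per indicator for stakeholders."""
    lines = []
    for score, ind in ranked:
        action = ("investigate now" if ind.seen_internally
                  else "add to watchlist" if score >= 2 else "no action")
        lines.append(f"{ind.value} ({ind.kind}) reliability {ind.reliability()} "
                     f"score {score}: {action}")
    return lines


def run_cycle() -> list:
    """One pass through the cycle; the feedback step would adjust REQUIREMENTS."""
    indicators = process(RAW_OPEN_FEED_CSV, RAW_VENDOR_JSON, RAW_INTERNAL_PROXY)
    return disseminate(analyse(indicators, REQUIREMENTS))


if __name__ == "__main__":
    print("\n".join(run_cycle()))
```

The point of the processing step is visible in the output: the same IP arrives from two external sources and is also present in internal logs, so after normalisation it carries the best reliability grade of its sources and ranks above an indicator that is well sourced but irrelevant to the organisation's sector.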
Threat Intelligence Use Cases
Below is a list of use cases by function:
|Sec/IT Analyst||Integrate TI feeds with other security products; block bad IPs, URLs, domains, files, etc.|
|SOC||Use TI to enrich alerts; link alerts together into incidents; tune newly deployed security controls|
|CSIRT||Look for information on the who/what/why/when/how of an incident; analyze root cause to determine the scope of the incident|
|Intel Analyst||Look wider and deeper for intrusion evidence; review reports on threat actors to better detect them|
|Executive Management||Assess the overall threat level for the organization; develop the security roadmap|
3 Types of Threat Intelligence
We discussed in the last section how threat intelligence can empower us with data about existing or potential threats. The information can be straightforward, such as a malicious domain name, or complex, such as an in-depth profile of a known threat actor. Keep in mind that there is a maturity curve when it comes to intelligence, represented by the three levels listed below. With each level, the context and analysis of CTI becomes deeper and more sophisticated, caters to different audiences, and can get more costly.
- Tactical intelligence
- Operational intelligence
- Strategic intelligence
Tactical Threat Intelligence
Challenge: Organizations often only focus on singular threats
Objective: Obtain a broader view of threats in order to combat the underlying problem
Tactical intelligence is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. It can be machine-readable, which means that security products can ingest it through feeds or API integration.
Tactical intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free data feeds, but it usually has a very short lifespan because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.
It’s important to note that simply subscribing to intel feeds can result in plenty of data, but offers little means to digest and strategically analyze the threats relevant to you. Also, false positives can occur when the source is not timely or of high fidelity.
Questions to ask yourself:
- Do you have an IOC feed?
- Are IOCs timely and relevant?
- Is malware analysis automated?
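Two of the points above, that IOCs go stale within days or hours and that a feed that is not timely produces false positives, translate directly into code. The Python program below is an added example, not CrowdStrike's code or the Falcon X feed format: it parses a constructed IOC feed, drops indicators older than a per-type shelf life (the TTL values are a constructed policy, not a standard), and matches only the still-active indicators against constructed proxy and DNS log lines, carrying the source of each hit along so an analyst can triage false positives by feed.

```python
"""Tactical intelligence in practice: ingest an IOC feed, expire stale
indicators, and enrich log lines with matches.
Added example, not CrowdStrike's code; the feed entries, TTL policy and log
lines are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed shelf-life policy: IPs and domains churn quickly, while a file
# hash identifies a fixed artefact and stays useful much longer.
TTL = {"ipv4": timedelta(days=2), "domain": timedelta(days=7), "sha256": timedelta(days=365)}

# Constructed "current time" so the example is deterministic.
DEFAULT_NOW = datetime(2024, 5, 4, 12, tzinfo=timezone.utc)

PLACEHOLDER_HASH = "f" * 64  # constructed placeholder, not a real sample hash

# Constructed feed in a plain "value,type,last_seen,source" format.
FEED = f"""203.0.113.7,ipv4,2024-05-03T00:00:00Z,open-feed
198.51.100.20,ipv4,2024-04-20T00:00:00Z,open-feed
bad-login.example.test,domain,2024-05-01T00:00:00Z,vendor
{PLACEHOLDER_HASH},sha256,2024-01-10T00:00:00Z,vendor
"""

# Constructed log lines the active indicators are matched against.
LOGS = [
    "2024-05-04T09:00:00Z proxy src=10.0.0.5 dst=203.0.113.7 action=allow",
    "2024-05-04T09:01:00Z proxy src=10.0.0.6 dst=198.51.100.20 action=allow",
    "2024-05-04T09:02:00Z dns client=10.0.0.7 query=bad-login.example.test",
]


@dataclass(frozen=True)
class IOC:
    value: str
    kind: str
    last_seen: datetime
    source: str


def parse_feed(text: str) -> list:
    """Turn the CSV-style feed into IOC records with timezone-aware timestamps."""
    iocs = []
    for line in text.strip().splitlines():
        value, kind, seen, source = line.split(",")
        last_seen = datetime.fromisoformat(seen.replace("Z", "+00:00"))
        iocs.append(IOC(value, kind, last_seen, source))
    return iocs


def is_stale(ioc: IOC, now: datetime) -> bool:
    """An indicator is stale once its age exceeds the TTL for its type."""
    return now - ioc.last_seen > TTL[ioc.kind]


def active(iocs: list, now: datetime = DEFAULT_NOW) -> list:
    return [i for i in iocs if not is_stale(i, now)]


def stale_values(now: datetime = DEFAULT_NOW) -> list:
    """Values the feed still lists but that the policy no longer acts on."""
    return [i.value for i in parse_feed(FEED) if is_stale(i, now)]


# Tokens that can hold an IP, domain or hash; "=" and ":" act as separators.
TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def enrich(log_lines: list, iocs: list) -> list:
    """Return (log line, matching IOC) pairs; pass only active IOCs in."""
    index = {i.value: i for i in iocs}
    hits = []
    for line in log_lines:
        for tok in TOKEN.findall(line):
            if tok in index:
                hits.append((line, index[tok]))
    return hits


def match_logs(now: datetime = DEFAULT_NOW) -> list:
    """Full pipeline: parse feed, expire stale entries, match against logs."""
    return enrich(LOGS, active(parse_feed(FEED), now))


if __name__ == "__main__":
    for line, ioc in match_logs():
        print(f"HIT [{ioc.kind} from {ioc.source}] {ioc.value} <- {line}")
    print("expired:", stale_values())
```

With the constructed clock, the two-week-old IP is expired before matching, so the proxy line that contacts it produces no alert, while the fresh IP and the domain do; the same log line would have fired on all three with a feed that is ingested but never aged out.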
Operational Threat Intelligence
Challenge: Threat actors favor techniques that are effective, opportunistic, and low-risk
Objective: Engage in campaign tracking and actor profiling to gain a better understanding of the adversaries behind the attacks
In the same way that poker players study each other’s quirks so they can predict their opponents’ next move, cybersecurity professionals study their adversaries.
Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the threat actor employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct, and sustain campaigns and major operations. This insight is operational intelligence.
Machines alone cannot create operational threat intelligence. Human analysis is needed to convert data into a format that is readily usable by customers. While operational intelligence requires more resources than tactical intelligence, it has a longer useful life because adversaries can’t change their TTPs as easily as they can change their tools, such as a specific type of malware or infrastructure.
Operational intelligence is most useful for those cybersecurity professionals who work in a SOC (security operations center) and are responsible for performing daily operations. Cybersecurity disciplines such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it helps make them more skilled and more effective at their assigned functions.
Questions to ask yourself:
- Is the SOC deriving use cases from threat actor TTPs?
- Is CTI being used to prioritize vulnerabilities?
- Are you leveraging CTI-derived YARA/Snort rules to engage in hunting?
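The first question above, deriving SOC use cases from threat actor TTPs, is what separates operational intelligence from an IOC list: the hunt keys on behaviour that an adversary cannot swap out as easily as a domain or a hash. The Python program below is an added example, not CrowdStrike's code or the Falcon X product: it maps constructed endpoint process events to behaviour labels with simple detection logic, then compares the set of behaviours seen on each host against constructed adversary profiles and ranks hosts by how much of a profile they cover. The actor names, behaviour labels, events and the minimum-overlap threshold are all placeholders; a real deployment would key the labels to a shared taxonomy and the detections to its own telemetry.

```python
"""Operational intelligence as hunting input: classify endpoint events into
behaviour labels (TTPs) and compare what each host exhibits against adversary
profiles. Added example, not CrowdStrike's code; actor names, labels, events
and thresholds are constructed placeholders."""
from collections import defaultdict

# Constructed actor profiles: the "how" of operational intelligence, expressed as
# behaviours rather than tools, since behaviours are slower for an adversary to change.
ACTOR_PROFILES = {
    "ACTOR-A": {"encoded-powershell", "scheduled-task-persistence", "lsass-access"},
    "ACTOR-B": {"rdp-lateral-movement", "scheduled-task-persistence", "archive-staging"},
}


def classify(event: dict) -> set:
    """Translate one process event into the behaviour labels it exhibits."""
    ttps = set()
    proc = event["process"].lower()
    args = event.get("args", "").lower()
    if proc == "powershell.exe" and ("-enc" in args or "-encodedcommand" in args):
        ttps.add("encoded-powershell")
    if proc == "schtasks.exe" and "/create" in args:
        ttps.add("scheduled-task-persistence")
    if event.get("target_process", "").lower() == "lsass.exe":
        ttps.add("lsass-access")
    if proc == "mstsc.exe":
        ttps.add("rdp-lateral-movement")
    # Archiver invoked with the "add to archive" verb as a standalone argument.
    if proc in ("7z.exe", "rar.exe") and " a " in f" {args} ":
        ttps.add("archive-staging")
    return ttps


def hunt(events: list, profiles: dict = ACTOR_PROFILES, min_overlap: int = 2) -> list:
    """Group behaviours per host and rank hosts by coverage of each actor profile.

    A single behaviour is weak evidence (scheduled tasks are also created by
    legitimate software), so a host is reported only when it shows at least
    min_overlap behaviours from the same profile.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify(ev)
    findings = []
    for host, ttps in seen.items():
        for actor, profile in profiles.items():
            overlap = ttps & profile
            if len(overlap) >= min_overlap:
                findings.append({
                    "host": host,
                    "actor": actor,
                    "coverage": len(overlap) / len(profile),
                    "matched": sorted(overlap),
                })
    findings.sort(key=lambda f: f["coverage"], reverse=True)
    return findings


# Constructed telemetry; in practice this comes from EDR-style process events.
EVENTS = [
    {"host": "ws-01", "process": "powershell.exe", "args": "-w hidden -enc BASE64PLACEHOLDER"},
    {"host": "ws-01", "process": "schtasks.exe", "args": "/create /tn Updater /tr c:\\u.exe"},
    {"host": "ws-01", "process": "unknown.exe", "target_process": "lsass.exe"},
    {"host": "ws-02", "process": "schtasks.exe", "args": "/create /tn Backup /tr c:\\b.exe"},
    {"host": "ws-03", "process": "mstsc.exe", "args": "/v:10.0.0.8"},
    {"host": "ws-03", "process": "7z.exe", "args": "a stage.7z c:\\finance"},
]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(f"{finding['host']}: {finding['actor']} coverage "
              f"{finding['coverage']:.2f} via {finding['matched']}")
```

Host ws-02 creates a scheduled task but is not reported, because one shared behaviour is not enough to tie it to either profile; ws-01 covers ACTOR-A's profile completely and ws-03 two thirds of ACTOR-B's, which gives the SOC an ordered list of where to look first and which actor's reporting to read while doing so.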
Strategic Threat Intelligence
Challenge: Poor business and organizational decisions are made when the adversary is misunderstood
Objective: Threat intelligence should inform business decisions and the processes behind them
Adversaries don’t operate in a vacuum; in fact, there are almost always higher-level factors that surround the execution of cyber attacks. For example, nation-state attacks are typically linked to geopolitical conditions, and geopolitical conditions are linked to risk. Furthermore, with the adoption of financially motivated Big Game Hunting, cyber-crime groups are constantly evolving their techniques and should not be ignored.
Strategic intelligence shows how global events, foreign policies, and other long-term local and international movements can potentially impact the cyber security of an organization.
Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with their strategic priorities.
Strategic intelligence tends to be the hardest form to generate. It requires human data collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world’s geopolitical situation. Strategic intelligence usually comes in the form of reports.
CrowdStrike’s intel solution, Falcon X, helps organizations easily consume intelligence, take action, and maximize the impact of their intelligence investment.
Integrated Intelligence, Tailored to Your Organization
Falcon X™ automates the threat investigation process and delivers actionable intelligence reporting and custom IOCs specifically tailored for the threats encountered on your endpoints. With this level of automation, you can stop picking and choosing which threats to analyze and start analyzing the most relevant threats to your organization.
Falcon X combines the tools used by world-class cyber threat investigators into a seamless solution and performs the investigations automatically. The integrated tool set includes malware analysis, malware search, and CrowdStrike’s global IOC feed. Falcon X enables all teams, regardless of size or sophistication, to understand better, react faster and proactively get ahead of the attacker’s next move. CrowdStrike also supports threat intelligence platforms (TIPs) by offering prebuilt integrations and API access to Falcon X.
Falcon X Premium: The Human Element
Falcon X Premium intelligence reporting enhances your organization with the expertise of CrowdStrike’s Global Intelligence team to better fight against your adversaries. The CrowdStrike Intelligence team is a pioneer in adversary analysis, tracking more than 121 nation-state, cybercrime, and hacktivist groups, studying their intent and analyzing their tradecraft. This team of intel analysts, security researchers, cultural experts, and linguists uncovers unique threats and provides groundbreaking research that fuels CrowdStrike’s ability to deliver proactive intelligence that can help dramatically improve your security posture and help you get ahead of attackers.