A Threat Intelligence Platform (TIP) is a solution that collects, analyzes, and distributes threat intelligence data. TIPs can help organizations to identify and mitigate cyber threats by providing them with insights into known and emerging threats.
There are Strategic, Tactical, and Operational types of threat intelligence. The Strategic type of intelligence provides high-level information about the threat landscape, such as the goals and capabilities of threat actors. The Tactical type of intelligence provides more specific information about threats, such as the techniques and tools that threat actors use. The Operational type of intelligence provides real-time information about threats, such as indicators of compromise (IOCs).
Threat intelligence is evidence-based and rooted in data, and includes context, such as who the attacker is, their motivations and capabilities, and where your system vulnerabilities lie. This information is often discovered after a cyberattack has already occurred.
Threat intelligence is developed through what is known as the intelligence cycle.
Threat intelligence is generally delivered via a threat intelligence feed. This can take the form of a report or collection of reports focusing on the activities of specific threat actors and identifying the processes and tools they use. It can also be a list of domain names or IP addresses where suspicious activity has been detected. Lists are typically more popular because they are easier to automate into existing processes. An IDS or a firewall, for example, can be tuned to react to traffic going to or from any IP address on the threat intel list. These detailed lists or reports can help to identify trends, which can help to improve your overall security posture.
In addition to knowing who may be attacking what, threat intelligence also includes indicators, implications, and mechanisms to help you make informed decisions regarding your security. Threat intelligence needs to be actionable — that means it should be timely, provide context, and be able to be understood by the people who make decisions.
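As an added example (not code from the original page), the script below applies a constructed threat intelligence list of IP addresses and domains to constructed firewall log lines, the kind of matching an IDS or firewall does against a feed, and it drops indicators that are stale or low-confidence so that only timely intelligence with context (attributed actor, confidence) produces an alert. All feed entries, actor names, addresses and log lines are made up for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed feed (hypothetical values, not real indicators): indicator, kind,
# confidence, last-seen date, attributed actor -- the context the article asks for.
FEED = [
    ("203.0.113.45", "ip", 90, "2024-05-10", "HYPOTHETICAL-ACTOR-1"),
    ("bad.example", "domain", 70, "2024-05-12", "HYPOTHETICAL-ACTOR-2"),
    ("198.51.100.7", "ip", 95, "2023-01-01", "HYPOTHETICAL-ACTOR-1"),  # stale
]
# Constructed firewall/proxy log lines in a simple key=value format.
LOGS = """\
ts=2024-05-14T10:01:00Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow
ts=2024-05-14T10:02:30Z src=10.0.0.7 dst=93.184.216.34 dport=80 host=www.example.com action=allow
ts=2024-05-14T10:03:10Z src=10.0.0.9 dst=192.0.2.8 dport=443 host=mail.bad.example action=allow
ts=2024-05-14T10:04:00Z src=198.51.100.7 dst=10.0.0.3 dport=22 action=deny
"""
KV = re.compile(r"(\w+)=(\S+)")

def load_feed(feed, now, max_age_days=90, min_confidence=60):
    """Index the feed by IP and by domain, dropping stale or low-confidence entries."""
    cutoff = now - timedelta(days=max_age_days)
    ips, domains = {}, {}
    for ind, kind, conf, seen, actor in feed:
        if conf < min_confidence or datetime.fromisoformat(seen) < cutoff:
            continue  # not timely or not trustworthy enough to act on
        ctx = {"indicator": ind, "actor": actor, "confidence": conf}
        (ips if kind == "ip" else domains)[ind.lower()] = ctx
    return ips, domains

def domain_hit(host, domains):
    """Match the host or any parent domain (mail.bad.example -> bad.example)."""
    labels = host.lower().split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((domains[s] for s in suffixes if s in domains), None)

def match_logs(log_text, ips, domains):
    """Return one alert per log line whose src, dst or host is on the feed."""
    alerts = []
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        hit = next((ips[f[k]] for k in ("src", "dst") if f.get(k) in ips), None)
        if hit is None and "host" in f:
            hit = domain_hit(f["host"], domains)
        if hit:
            alerts.append({"ts": f["ts"], "line": line, **hit})
    return alerts

def run(now=datetime(2024, 5, 14)):
    ips, domains = load_feed(FEED, now)
    return match_logs(LOGS, ips, domains)
```

Running `run()` yields two alerts: the connection to the listed IP and the lookup of a subdomain of the listed domain; the line involving the stale indicator is ignored because it is no longer timely.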
The cybersecurity industry faces a multitude of challenges - from increasingly devious and persistent threat actors to false alarms and extraneous information to a shortage of experts on the subject. A cyber threat intelligence solution can help with all of these issues, using machine learning to automate the collection and processing of data, integrate with existing solutions, gather data from various sources, and then provide you with context on IoCs (indicators of compromise) and the TTPs (tactics, techniques, and procedures) of threat actors.
Large enterprises are particularly vulnerable to cybersecurity attacks because of their size and the fact that it might take time for the IT team to discover that one of their departments has been compromised.
Well-implemented threat intelligence can help your organization to:
Threat intelligence platforms comprise various features that will help your security team to quickly understand what threats your organization is facing, to make better decisions, and to act upon them faster. Threat Intelligence Platforms can be deployed as an on-premises or SaaS solution and should be able to perform the following key functions:
There are three kinds of threat intelligence:
Analysts who have expertise outside of technical cybersecurity skills - such as an understanding of business and sociopolitical concepts - are required for producing strategic threat intelligence. They must conduct large amounts of research, some of which is difficult to perform manually. Threat intelligence solutions that automate data collection and processing are helpful in this process.
2. Tactical threat intelligence outlines the TTPs of threat actors in order to help you understand specifically how your organization might be attacked and how you can best defend against those attacks. Tactical threat intelligence is generally technical and is used by security staff, system architects, and administrators who are directly involved in cybersecurity.
Tactical threat intelligence can be found in reports produced by security vendors. It is important for informing improvements to your existing security controls and processes and for speeding up response time. Many tactical intelligence questions need to be answered on a short deadline, so it is important to have a threat intelligence solution that can integrate data from within your own network.
3. Operational threat intelligence is specific knowledge about cyber attacks, campaigns, or events that can help your incident response teams understand the nature, intent, and timing of specific attacks. This is also known as technical threat intelligence because it includes technical information such as what vulnerabilities are being exploited, what command and control domains are being employed, or what attack vector is being used. Threat data feeds are a common source of this technical information, as are closed sources such as the interception of threat group communications.
The following are barriers that can get in the way of gathering operational threat intelligence:
Many of these issues can be overcome with threat intelligence solutions that collect data through machine learning processes.
1. Social engineering. Almost one-third of security breaches in 2020 incorporated social engineering techniques. These include phishing (posing in an email or phone call as a legitimate institution to get personal details and passwords), scareware (manipulating users into believing they need to download malware), and quid pro quo (calling random people and pretending to be tech support in order to get access to the victims’ computers). At the core of all of these techniques is a manipulation of human psychology.
2. Ransomware. This is a program that encrypts data and then demands payment for its release. Ransomware is one of the most popular kinds of malware used for data breaches.
3. DDoS attacks. A distributed denial-of-service attack occurs when a system’s bandwidth or resources are flooded, causing a disruption in service. While the computers are down, hackers employ those that were previously compromised by malware to perform criminal activity. Criminals have also begun to employ AI (artificial intelligence) to perform DDoS attacks. Recent dependence on digital services and increased online traffic has created more vulnerability than ever.
4. Third-party software. If a program that was developed by a company other than the original developer is compromised, this opens a gateway for hackers to gain access to other domains. As many as 80% of organizations have experienced a cybersecurity breach caused by a vulnerability from one of their third-party vendors.
5. Cloud computing vulnerabilities. Criminals scan for cloud servers that are not password protected, exploit unpatched systems, and then perform brute-force attacks to access user accounts. Some also try to steal sensitive data, plant ransomware, or use the cloud systems for coordinated DDoS attacks or cryptojacking (mining cryptocurrency from victims’ accounts).
People often conflate threat intelligence and threat hunting, but they are not the same thing. Threat detection is a more passive approach to monitoring systems and data for potential security issues. Threat intelligence can be used to identify potential threats, aiding a threat hunter in his active pursuit of bad or threatening actors on the network that automated detection methods may have missed. It prioritizes the process over the matching of patterns.
Threat hunters develop hypotheses based on their knowledge of the behaviors of threat actors. They then validate those hypotheses when they actively search the environment for the threat actors. A threat hunter doesn’t necessarily start with an alert or an indicator of compromise (IoC), but rather with forensics and deeper reasoning. In many cases, the threat hunting is actually what creates and substantiates the alert or the IoC.
To be successful, a threat hunter must be able to use his or her toolset to find the most dangerous threats. He or she must also have knowledge of network protocols, exploits, and malware in order to navigate all of the data at hand.
Cyber threat hunting is often compared to real-life hunting. It requires patience, creativity, critical thinking, and a keen eye for spotting “prey.” The prey generally comes in the form of network behavior abnormalities, and a good hunter can detect it even before it has actually been spotted “in the wild.”
Threat intelligence is a part of the greater threat hunting process, but just because you have threat intelligence does not necessarily mean you have a threat hunting program.
Threat hunting is used to find threats that manage to slip through your perimeter-based security architectures. On average, it takes a company more than six months to identify when one or more of its internal systems have been compromised. And once an attacker has snuck into your network, they may stealthily remain, quietly collecting data, looking for confidential material, and obtaining login credentials so that they can move laterally across the environment.
Threat hunting is necessary in order to reduce the amount of time between when your protections fail and when a response to the incident can be initiated. Once an attacker has penetrated your organization’s defenses, you need to be able to find them and stop them. Cyber threat hunters gather as much information as possible about an attacker’s actions, methods and goals. They also analyze collected data to determine trends in an organization’s security environment, eliminate current vulnerabilities, and make predictions to enhance security in the future.
There are typically three steps in the threat hunting process:
Threat levels indicate the level of risk to your organization from cyberattacks.