So, What is Threat Intelligence?
Gartner has defined Threat Intelligence as: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Threat intelligence is often presented in the form of Indicators of Compromise (IoCs),Threat intelligence is usually in either the form of strategic or tactical intelligence. Strategic threat intelligence would be the broader and higher-level abstracts of the data to identify threats and how the organization needs to react to mitigate the threat. Tactical threat intelligence generally deals with attempting to collect the right type of network information, analyzing it, identifying the threats and responding. This process is usually best presented in Network Security Monitoring, where threat intelligence gives analysts IoCs to use in the search for evidence of an intrusion.
Gartner has defined Threat Intelligence as: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
THREAT
Threat is often an abused term, especially when a threat to one organization may not be a threat to another. Many organizations fail to identify threats and thus, usually appropriate security resources to the wrong areas or spend too long on processes, such as risk and vulnerability analysis, instead of mitigating and fixing issues.
In order for threat to exist, there must be a combination of
- Intent is a malicious actor’s desire to target your organization
- Capability is their means to do so (such as specific types of malware)
- Opportunity is the opening the actor needs (such as vulnerabilities, whether it be in software, hardware, or personnel).
Threat intelligence is often presented in the form of Indicators of Compromise (IoCs),Threat intelligence is usually in either the form of strategic or tactical intelligence. Strategic threat intelligence would be the broader and higher-level abstracts of the data to identify threats and how the organization needs to react to mitigate the threat. Tactical threat intelligence generally deals with attempting to collect the right type of network information, analyzing it, identifying the threats and responding. This process is usually best presented in Network Security Monitoring, where threat intelligence gives analysts IoCs to use in the search for evidence of an intrusion.
Tools do not provide intelligence. Data feeds do not give threat intelligence. There are no “intelligent” data feeds. Intelligence of any type requires analysis. Analysis is performed by humans. Automation, analytics and various tools can drastically increase the effectiveness of analysts but there must always be analysts involved in the process.
No matter how much access you have to intelligence it will be nearly worthless without your ability to identify what is applicable to you or your organization. Knowing your organization from the business processes to the assets and services on the network are required.
A strong approach towards the basics and a critical eye to discern hype from fact can make cyberspace based intelligence extremely powerful for an organization.
As security professionals, we need to understand the scope and technologies required to secure important data within an organization. What are the importance of threat intelligence in a Cyber World ?
ReplyDeleteThis comment has been removed by the author.
DeleteIn a simpler way, CTI works for Cyber world as the way immune system works for the human body. CTI detects the attacks faster and response to those attacks before they happen.
DeleteAs we know, Cyber world is vulnerable to security threats as intruders can easily access data on web if security measures are not enforced. So threat intelligence helps Organizations proactively secure their data before being attacked.
DeleteAs security professionals, we need to understand the scope and technologies required to secure important data within an organization. What are the importance of threat intelligence in a Cyber World ?
ReplyDeleteIt changes the security model from reactive to proactive which develops tactics to tackle current attacks and plan better for future threats
ReplyDeleteIt changes the security model from reactive to proactive which develops tactics to tackle current attacks and plan better for future threats
ReplyDeleteI like the post,
ReplyDeleteIn simple terms can we say that, intelligence is about analyzing the past, getting some pattern and predicting the future ? acting proactively, will it be after attack or can proactive measure be taken without considering previous attack ?
Interesting post!
ReplyDeleteCyber threat intelligence sounds like a vital role of any large company. I wonder about how smaller businesses like high school websites and mom and pop shops could use this information. Is fully automated security measures like firewalls and configuration files enough to protect these smaller targets? Should these establishments also have a cyber intelligence analyst or is it only appropriate at the enterprise level?
-Brett
Schools are responsible to secure Students personal data from security threats. Information security team in medium to large school systems can use threat intelligence to mitigate security risks and take measures proactively to secure their data.
DeleteWhen it comes to cyber security,cyber threat intelligence, every security professional should know these 3 magical words.... 'KNOW YOUR ENEMY'
ReplyDeleteGood point. What makes threats and attacks possible is the combination the three factors you cited. Opportunity is what we need our attention because the other two factors are out of our control. Opportunity is given to attackers by individuals, corporates and nations.
ReplyDeleteI agree with the post, until you analyze data one cannot find the cause of the issue. And once you find the issue you should be able to resolve the issue. But i think it would be a step forward if we can use intelligence to defect future attacks and prevent them before they can happen.
ReplyDeleteI agree with your point that intelligence is worthless unless you have ability to identify what is applicable for your organization.
ReplyDelete