Threat Intelligence 101

Beacon Blade
2 min read, May 3, 2024

Over the years, cyber threat intelligence has become important for organizations to gather intelligence on the intrusions they face and how to counter them.

High-profile cyber intrusions or attacks like Moonlight Maze, Titan Rain, Operation Aurora, the Stuxnet worm, WannaCry ransomware and many others have made the industry realize why threat intelligence is important.

But what is threat intelligence?

It is a proactive approach that involves collecting, processing, and analyzing data and information to find intelligence about threat actors' tactics, techniques and motives.

The goal of threat intelligence is to enable organizations to make more informed, data-driven decisions to safeguard their assets.

Threat Intelligence Lifecycle

The threat intelligence lifecycle model depicts six stages of threat intelligence. These stages are:

Image source — https://threat.media

Direction: A critical phase in the threat intel lifecycle, in which goals are defined, gaps in intelligence are identified and methods to fill the gaps are prioritized.

Collection: The plan developed in the direction phase is executed and data is collected to fill the intelligence gaps. This may involve getting data from different sources, including open source intelligence, public media and private forums, network logs, threat feeds, etc.

Processing: Data normalization occurs in this phase to make the data more meaningful. Activities may involve converting data to a suitable format, decrypting files, and mapping IP addresses against adversary IPs. This is the phase where data gets translated into meaningful information.

Analysis: Using various structured analytic techniques, analysts evaluate the information and reduce the impact of bias to discover meaningful intelligence. This involves identifying patterns, trends, adversary motives, potential indicators of compromise (IOCs) and recommended actions.

Dissemination: This phase requires the intelligence to be translated, distributed and presented to relevant teams and stakeholders. The identified intelligence needs to be consumed by various teams to perform actions and by stakeholders to make decisions. Some examples include:

  • The VM team can consume threat intel data to prioritize vulnerability patching
  • The email filtering team can block suspicious IPs and domains
  • The security operations team can implement additional detections and controls based on the IOCs obtained

Feedback: The threat intelligence lifecycle involves continuous feedback and improvement. The feedback can be on the type of data, the data format, existing tools and processes, and anything else that improves the overall threat intelligence program.
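
To make the Processing stage concrete, here is an added example (not from the original article) that normalizes a small indicator feed into a suitable format and maps the destination IPs in network logs against the adversary IPs. The feed contents, the log format and the function names are assumptions made for illustration; all addresses come from documentation ranges.

```python
import ipaddress

# Constructed sample feed: mixed formats, defanged entries, a duplicate, junk.
FEED = """
# adversary infrastructure (constructed, documentation ranges)
203.0.113[.]45
198.51.100.0/28
hxxp://192.0.2[.]10/index.html
not-an-ip
203.0.113.45
"""

# Constructed sample log lines, assumed format: "timestamp src_ip dst_ip action"
LOGS = [
    "2024-05-03T10:00:01Z 10.0.0.5 203.0.113.45 allow",
    "2024-05-03T10:00:02Z 10.0.0.6 198.51.100.7 allow",
    "2024-05-03T10:00:03Z 10.0.0.7 198.51.100.200 allow",
    "2024-05-03T10:00:04Z 10.0.0.8 192.0.2.10 deny",
]

def normalize_feed(text):
    """Convert raw feed lines into a sorted, de-duplicated list of IP networks."""
    networks = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Refang: undo the defanging that keeps shared indicators non-clickable.
        line = line.replace("[.]", ".").replace("hxxp", "http")
        if "://" in line:  # keep only the host part of a URL indicator
            line = line.split("://", 1)[1].split("/", 1)[0]
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # not an IP indicator; skipped in this example
    return sorted(networks, key=lambda n: (n.version, n.network_address, n.prefixlen))

def match_logs(logs, networks):
    """Return one record per log line whose destination falls in a known network."""
    hits = []
    for entry in logs:
        ts, src, dst, action = entry.split()
        addr = ipaddress.ip_address(dst)
        for net in networks:
            if addr in net:
                hits.append({"time": ts, "src": src, "dst": dst, "indicator": str(net), "action": action})
                break
    return hits
```

The records returned by `match_logs(LOGS, normalize_feed(FEED))` are the kind of processed information that the Analysis and Dissemination stages then work from.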

It is important to understand the lifecycle of cyber threat intelligence because organizations' programs are driven by this process.

The systematic approach and real-time intelligence in the program enable organizations to make informed decisions to strengthen their cyber defense.
