Threat intelligence, or TI for short, is a set of detailed, actionable information about threats which is used to prevent and fight cyber-attacks. It is a crucial tool for security teams. TI helps security teams to be more proactive, allowing them to make data-driven decisions to block cyber-attacks before they have an adverse impact.
What does TI consist of and how is it built?
Being evidence-based, TI is derived from the analysis of attacks, attempted attacks, malware and other information about the activities of threat actors, giving us knowledge that describes the mechanisms of an attack. TI is gathered from a variety of sources and requires the collection of raw data from system logs, security controls and cloud services, together with the analysis of artifacts such as malware samples or tools left behind by threat actors during an attack. Research groups and government agencies sometimes also manage to gain access to or infiltrate the communications channels of threat actors, making it possible to gain an understanding of their activities and intentions.
The curation of TI involves the dissection of vast volumes of data and requires specialized analysis tools. Technologies such as machine learning and artificial intelligence are essential to derive actionable intelligence from raw data. The groups that develop and manage TI also need specialized tools to manage and organize the intelligence they gather and to share intelligence with other researchers and agencies. One of the most widely used tools for organizing and sharing TI is MISP, which is funded by the European Union and the Computer Incident Response Center Luxembourg.
At its core, MISP solves two major problems, namely information overload and how to deal with high volumes of unstructured data. By storing information in a consistent format, MISP makes it possible for like-minded organizations such as governments, banks, cyber-security companies and utilities to share information. One such group is NTT’s Global Threat Intelligence Center (GTIC), which is responsible for threat research and intelligence across the NTT group.
GTIC’s research targets the discovery of new threat actors, types of malware and campaigns. New findings result in the identification of Indicators of Compromise (IoCs), which include IP addresses, domains, hashes and other characteristics that uniquely identify a threat. To do this, GTIC monitors and analyzes a variety of sources, including open source, the dark web, partners and alliances, as well as NTT’s own Tier 1 Internet backbone.
Collaboration plays a critical role in the development of threat intelligence. GTIC maintains partnerships at many levels, including government, industry bodies and other companies involved in providing cybersecurity services. One of GTIC’s specialties is malware triage – a specialized research activity in which malware samples are “detonated” in a protected sandbox environment, making it possible to analyze how they work and uncover their IoCs.
Types of Threat Intelligence
Threat Intelligence is used in different ways and in different areas of cyber-security. It logically follows that TI can be broken down into a few main categories, namely:
- Strategic intelligence summarizes possible attacks and their consequences. It is used to paint a high-level overview.
- Tactical intelligence provides information about the tactics, techniques and procedures (TTPs) used by threat actors and is used directly by security practitioners.
- Technical intelligence focuses on the IoCs that are used to identify that an attack is starting or in progress and which can also be used to attribute an attack to a specific threat actor.
- Operational intelligence seeks to understand the operations and intentions of threat actors by monitoring sources such as chat rooms, social media and security event logs. A unique source of operational intelligence is the information which GTIC gleans from NTT’s Tier 1 Internet backbone, which allows GTIC to observe the activities of threat actors before or during the early stages of a campaign.
How TI benefits the process of threat analysis and detection
A key characteristic of TI is that it is actionable. We can see the benefits of TI in several ways in which it is used:
- Improved Threat Detection: Threat intelligence provides current information on threats and attack methods, helping organizations quickly identify and respond to threats by recognizing specific IoCs.
- Proactive Threat Hunting: It offers detailed profiles of threat actors' tactics and behaviors, allowing security teams to proactively search for signs of these threats and identify abnormal activities.
- Enhanced Incident Response: Real-time threat intelligence enables faster response to incidents, helping contain attacks quickly and understand their context for effective remediation.
- Risk Management and Prioritization: It assists in assessing the impact and likelihood of threats, helping organizations prioritize their security efforts and allocate resources effectively.
- Strategic Decision Making: Threat intelligence informs security policies and justifies investments in security technologies, ensuring resources are used where they are most needed.
- Threat Intelligence Sharing: Sharing threat intelligence with peers and organizations fosters collective defense and standardizes how we deal with threat information.
- Enhanced Automation and Integration: Integrating threat intelligence with security platforms automates threat detection and response, reducing the manual workload for security analysts.
- Increased Situational Awareness: It offers a global view of the threat landscape and localized insights, helping organizations understand the impact of external factors and trends on their security.
- Predictive Capabilities: Analyzing threat data helps predict future attack trends and potential threats, enabling organizations to prepare in advance.
- Compliance and Reporting: Threat intelligence supports regulatory compliance by demonstrating an understanding of the threat landscape and proactive security measures.
Bringing the Benefits of TI to SMBs
The resources required to develop and curate TI are significant. Only large enterprises and specialist research teams typically have access to the skills and tools required to develop TI. Even the application of TI in security operations typically requires specialized tools and the skills of experienced practitioners.
Smaller organizations usually don’t have the resources to work with TI feeds directly. Instead, they need tools that have the capability to use TI built into them, under the hood, removing the need for specialist teams of security analysts. Even many mid-sized to larger organizations still struggle to retain security specialists because of skills shortages. This is where XDR can plug a gap for small and resource-constrained organizations. By providing a fully integrated toolset that manages all your security alerts, and applies integrated TI feeds across all incoming alerts, XDR removes the need to develop the capabilities required to use TI in your security operations processes.
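To make the two ideas above concrete, the consistent MISP event format that lets organizations share IoCs, and the application of a TI feed across incoming alerts, here is an added example (not code from the original post, MISP or Samurai XDR). It assumes the standard MISP JSON layout, in which attributes sit under "Event" → "Attribute" with a type, a value and a to_ids flag, and all event values and alerts are constructed placeholders.

```python
"""Match detection-grade IoCs from a MISP-format event against normalised alerts."""
import json

# Constructed MISP-style event; every value below is a placeholder, not a real IoC.
SAMPLE_MISP_EVENT = json.dumps({"Event": {
    "info": "Example campaign (constructed)",
    "Attribute": [
        {"type": "ip-dst", "category": "Network activity",
         "value": "203.0.113.45", "to_ids": True},
        {"type": "domain", "category": "Network activity",
         "value": "update.example-c2.invalid", "to_ids": True},
        {"type": "sha256", "category": "Payload delivery",
         "value": "a" * 64, "to_ids": True},
        # to_ids=False marks context-only data in MISP; it must not raise detections
        {"type": "ip-dst", "category": "Network activity",
         "value": "198.51.100.7", "to_ids": False},
    ]}})

# Constructed alerts in the shape a SIEM/XDR might normalise them into.
SAMPLE_ALERTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.45"},
    {"id": 2, "src_ip": "10.0.0.9", "dst_ip": "93.184.216.34",
     "domain": "UPDATE.EXAMPLE-C2.INVALID"},      # case differs from the feed
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.7"},  # context-only IoC
    {"id": 4, "src_ip": "10.0.0.2", "dst_ip": "10.0.0.3", "sha256": "A" * 64},
]

# Which alert fields each MISP attribute type is compared against.
FIELD_MAP = {"ip-dst": ("dst_ip",), "ip-src": ("src_ip",),
             "domain": ("domain",), "hostname": ("domain",), "sha256": ("sha256",)}


def load_iocs(misp_json):
    """Return {(type, normalised value): attribute} for attributes flagged to_ids."""
    event = json.loads(misp_json)["Event"]
    iocs = {}
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids") or attr["type"] not in FIELD_MAP:
            continue  # skip context-only attributes and types we cannot match
        iocs[(attr["type"], attr["value"].strip().lower())] = attr
    return iocs


def match_alerts(alerts, iocs):
    """Return (alert_id, ioc_type, ioc_value) for every alert field that hits an IoC."""
    hits = []
    for alert in alerts:
        for (ioc_type, value), _attr in iocs.items():
            for field in FIELD_MAP[ioc_type]:
                observed = alert.get(field)
                if observed and observed.strip().lower() == value:
                    hits.append((alert["id"], ioc_type, value))
    return hits
```

Alert 3 produces no hit because its destination matches only an attribute with to_ids set to false; honouring that flag is what keeps a shared feed from flooding analysts with alerts on context-only data.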
The threat research performed by GTIC provides Samurai XDR with access to all the intelligence needed to analyze alerts from a wide selection of technologies across 150 vendor integrations. GTIC’s own research provides a unique set of proprietary intelligence gathered from NTT’s Tier 1 Internet backbone, leveraging the insights gained from 40% daily Internet coverage. In addition, through its intelligence-sharing agreements with government agencies and private sector threat research groups, GTIC rounds off a comprehensive threat intelligence capability for Samurai XDR. The intelligence developed and curated by GTIC is integrated seamlessly into Samurai XDR, providing even small to medium businesses with detection capabilities normally reserved for larger organizations with specialist security teams.
To see the benefits of Samurai XDR’s threat intelligence in action across all of your technology assets, both in the cloud and on your own premises, start your Free 30 Day Trial today.