What is threat intelligence?

Threat intelligence—also called "cyberthreat intelligence" (CTI) or "threat intel"—is detailed, actionable threat information for preventing and fighting cybersecurity threats targeting an organization.  

Threat intelligence helps security teams be more proactive, enabling them to take effective, data-driven actions to prevent cyberattacks before they occur. It can also help an organization detect and respond to attacks in progress faster.

Security analysts create threat intelligence by gathering raw threat information and security-related information from multiple sources, then correlating and analyzing the data to uncover trends, patterns and relationships that provide an in-depth understanding of the actual or potential threats. The resulting intelligence is

  • Organization-specific, focused not on generalities (for example, lists of common malware strains) but on specific vulnerabilities in the organization’s attack surface, the attacks they enable, and the assets they expose.

  • Detailed and contextual, covering not only the threats targeting the company but the threat actors who might carry out the attacks, the tactics, techniques and procedures (TTPs) those threat actors use and the indicators of compromise (IoCs) that might signal a specific cyberattack.

  • Actionable, providing information security teams can use to address vulnerabilities, prioritize and remediate threats and even evaluate existing or new cybersecurity tools.

According to IBM’s Cost of a Data Breach 2022 report, the average data breach costs its victims USD 4.35 million; detection and escalation costs account for the most significant portion of that price tag, USD 1.44 million. Threat intelligence can furnish security teams with the information they need to detect attacks sooner, reducing detection costs and limiting the impact of successful breaches.


The threat intelligence lifecycle

The threat intelligence lifecycle is the iterative, ongoing process by which security teams produce, disseminate and continually improve their threat intelligence. While the particulars can vary from organization to organization, most follow some version of the same six-step process.

Step 1: Planning

Security analysts work with organizational stakeholders—executive leaders, department heads, IT and security team members and others involved in cybersecurity decision-making—to set intelligence requirements. These typically include cybersecurity questions that stakeholders want or need to have answered. For example, the CISO might want to know whether a new, headline-making strain of ransomware is likely to affect the organization.

Step 2: Threat data collection

The security team collects any raw threat data that can hold—or contribute to—the answers stakeholders are looking for. Continuing the example above, if a security team is investigating a new ransomware strain, the team might gather information on the ransomware gang behind the attacks, the types of organizations they’ve targeted in the past and the attack vectors they’ve exploited to infect previous victims.

This threat data can come from various sources, including:

Threat intelligence feeds—streams of real-time threat information. The name is sometimes misleading: while some feeds include processed or analyzed threat intelligence, others consist of raw threat data. (The latter are sometimes called "threat data feeds".)

Security teams typically subscribe to multiple open source and commercial feeds. For example, different feeds might

  • track IoCs of common attacks,
  • aggregate cybersecurity news,
  • provide detailed analyses of malware strains,
  • and scrape social media and the dark web for conversations surrounding emerging cyberthreats.

All of these feeds can contribute to a deeper understanding of threats.

Information-sharing communities—forums, professional associations and other communities where analysts from all over the world share firsthand experiences, insights and their own threat data.

In the US, many critical infrastructure sectors—such as the healthcare, financial services and oil and gas industries—operate industry-specific Information Sharing and Analysis Centers (ISACs). These ISACs coordinate with one another via the National Council of ISACs (NCI).

Internationally, the open source MISP Threat Sharing intelligence platform supports several information-sharing communities organized around different locations, industries and topics. MISP has received financial backing from both NATO and the European Union.

Internal security logs—internal security data from security and compliance systems such as

  • SIEM (security information and event management)
  • SOAR (security orchestration, automation and response)
  • EDR (endpoint detection and response)
  • XDR (extended detection and response)
  • attack surface management (ASM) systems

This data provides a record of the threats and cyberattacks the organization has faced and can help uncover previously unrecognized evidence of internal or external threats.

Information from these disparate sources is typically aggregated in a centralized dashboard, such as a SIEM or a threat intelligence platform, for easier management.

Step 3: Processing

At this stage, security analysts aggregate, standardize and correlate the raw data they’ve gathered to make analysis easier. This might include filtering out false positives or applying a threat intelligence framework, such as MITRE ATT&CK, to data surrounding a previous security incident.

Many threat intelligence tools automate this processing by using artificial intelligence (AI) and machine learning to correlate threat information from multiple sources and identify initial trends or patterns in the data.
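The processing step described above, as an added example that is not part of the original article: two feeds in different formats (a CSV feed and a MISP-style JSON feed) are normalized into one schema, duplicates are merged, an analyst-reviewed allowlist removes a known false positive, and the surviving indicators are correlated against internal firewall logs. All feed contents, log lines and the allowlist are constructed for illustration.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Constructed sample inputs. Addresses come from the RFC 5737 documentation
# ranges; the hash is the SHA-256 of an empty input, used only as a placeholder.
CSV_FEED = """indicator,type,source
198.51.100.23,ipv4,feed-a
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256,feed-a
"""
JSON_FEED = json.dumps([
    {"value": "198.51.100.23", "category": "Network activity"},  # duplicate of feed-a entry
    {"value": "203.0.113.77", "category": "Network activity"},
    {"value": "8.8.8.8", "category": "Network activity"},        # public resolver: a false positive
])
ALLOWLIST = {"8.8.8.8"}  # known-good infrastructure reviewed by analysts (constructed)

FIREWALL_LOGS = [  # constructed internal log lines
    "2024-03-01T10:00:01Z DENY src=198.51.100.23 dst=10.0.0.5 dport=445",
    "2024-03-01T10:00:07Z ALLOW src=10.0.0.9 dst=203.0.113.77 dport=443",
    "2024-03-01T10:00:09Z ALLOW src=10.0.0.9 dst=8.8.8.8 dport=53",
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")

def classify(value):
    """Infer the IoC type from its shape; the JSON feed carries no explicit type."""
    if IPV4.match(value):
        return "ipv4"
    if SHA256.match(value.lower()):
        return "sha256"
    return "unknown"

def normalize_feeds(csv_text, json_text):
    """Merge both feeds into one schema: {(type, value): set_of_sources}, minus allowlisted values."""
    iocs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs[(row["type"], row["indicator"].strip())].add(row["source"])
    for entry in json.loads(json_text):
        value = entry["value"].strip()
        iocs[(classify(value), value)].add("feed-b")
    return {key: srcs for key, srcs in iocs.items() if key[1] not in ALLOWLIST}

def correlate(iocs, log_lines):
    """Return internal log lines that mention an IPv4 IoC, keyed by that indicator."""
    hits = defaultdict(list)
    watched = {value for (ioc_type, value) in iocs if ioc_type == "ipv4"}
    for line in log_lines:
        for field in ("src", "dst"):
            match = re.search(rf"\b{field}=(\S+)", line)
            if match and match.group(1) in watched:
                hits[match.group(1)].append(line)
    return dict(hits)
```

Indicators reported by more than one feed keep every source name, which the analysis step can use as a corroboration signal.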

Step 4: Analysis

Analysis is the point at which raw threat data becomes true threat intelligence. At this stage, security analysts test and verify the trends, patterns and other insights they can use to answer stakeholders’ security requirements and make recommendations.

For example, security analysts might find that the gang connected with a new ransomware strain has targeted other businesses in the organization's industry. The team will then identify specific vulnerabilities in the organization’s IT infrastructure that the gang is likely to exploit, as well as security controls or patches that might mitigate or eliminate those vulnerabilities.

Step 5: Dissemination

The security team shares its insights and recommendations with the appropriate stakeholders. Action may be taken based on these recommendations, such as establishing new SIEM detection rules to target newly identified IoCs or updating firewall blacklists to block traffic from newly identified suspicious IP addresses.

Many threat intelligence tools integrate and share data with security tools such as SOARs or XDRs to automatically generate alerts for active attacks, assign risk scores for threat prioritization or trigger other actions.
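The dissemination step described above, as an added example that is not part of the original article: analyzed indicators are given a risk score for prioritization (corroboration across feeds, recency and whether the indicator was seen in the organization's own logs), and those above a threshold are turned into a Sigma-style detection rule for the SIEM. The indicators, the fixed clock and the scoring weights are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Indicator:
    value: str
    ioc_type: str            # "ipv4", "sha256", ...
    sources: int             # number of independent feeds reporting it
    last_seen: datetime
    seen_internally: bool    # observed in the organization's own logs

NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed output of the analysis stage (RFC 5737 addresses, placeholder hash).
ANALYZED = [
    Indicator("198.51.100.23", "ipv4", 2, NOW - timedelta(days=1), True),
    Indicator("203.0.113.77", "ipv4", 1, NOW - timedelta(days=60), False),
    Indicator("192.0.2.10", "ipv4", 3, NOW - timedelta(days=10), False),
    Indicator("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "sha256", 3, NOW - timedelta(days=2), True),
]

def risk_score(ioc, now=NOW):
    """Illustrative 0-100 priority score; the weights are assumptions."""
    score = min(ioc.sources, 3) * 20                       # corroboration: up to 60
    age_days = (now - ioc.last_seen).days
    score += 20 if age_days <= 7 else 5 if age_days <= 30 else 0   # recency: up to 20
    score += 20 if ioc.seen_internally else 0              # already observed internally
    return score

def to_sigma_rule(iocs, min_score=60, now=NOW):
    """Build a Sigma-style rule (as a dict) for IPv4 IoCs that clear the threshold.
    Only the rule's shape is shown; serializing to YAML is left to the caller."""
    ips = sorted(i.value for i in iocs
                 if i.ioc_type == "ipv4" and risk_score(i, now) >= min_score)
    return {
        "title": "Connection to prioritized threat-intel IP addresses",
        "status": "experimental",
        "logsource": {"category": "firewall"},
        "detection": {"selection": {"dst_ip": ips}, "condition": "selection"},
        "level": "high",
        "tags": ["attack.command_and_control"],
    }
```

Low-scoring indicators such as the stale, single-source address are deliberately left out of the rule so that the SIEM is not flooded with low-fidelity alerts.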

Step 6: Feedback

At this stage, stakeholders and analysts reflect on the most recent threat intelligence cycle to determine whether the requirements were met. Any new questions that arise or new intelligence gaps identified will inform the next round of the lifecycle.

Types of threat intelligence

The threat intelligence lifecycle produces different types of intelligence depending on the stakeholders involved, the requirements set and the overall aims of a given instance of the lifecycle. There are three broad categories of threat intelligence:

Tactical threat intelligence is used by the security operations center (SOC) to detect and respond to cyberattacks in progress. It typically focuses on common IoCs—for example, IP addresses associated with command and control servers, file hashes related to known malware and ransomware attacks or email subject lines associated with phishing attacks.

In addition to helping incident response teams filter out false positives and intercept genuine attacks, tactical threat intelligence is also used by threat-hunting teams to track down advanced persistent threats (APTs) and other active but hidden attackers.

Operational threat intelligence helps organizations anticipate and prevent future attacks. It is sometimes called ‘technical threat intelligence’ because it details the TTPs and behaviors of known threat actors—for example, the attack vectors they use, the vulnerabilities they exploit and the assets they target.

CISOs, CIOs and other information security decision-makers use operational threat intelligence to identify threat actors who are likely to attack their organizations and respond with security controls and other actions aimed specifically at thwarting their attacks.

Strategic threat intelligence is high-level intelligence about the global threat landscape and an organization’s place within it. Strategic threat intelligence gives decision-makers outside of IT, such as CEOs and other executives, an understanding of the cyberthreats their organizations face.

Strategic threat intelligence usually focuses on issues such as geopolitical situations, cyberthreat trends in a particular industry, or how or why certain of the organization’s strategic assets may be targeted. Stakeholders use strategic threat intelligence to align broader organizational risk management strategies and investments with the cyberthreat landscape.
