What is threat intelligence?
Threat intelligence is detailed, actionable threat information for preventing and fighting cyberthreats targeting an organization

Threat intelligence—also called ‘cyber threat intelligence’ (CTI) or ‘threat intel’—is data containing detailed knowledge about the cybersecurity threats targeting an organization. Threat intelligence helps security teams be more proactive, enabling them to take effective, data-driven actions to prevent cyber attacks before they occur. It can also help an organization better detect and respond to attacks in progress.

Security analysts create threat intelligence by gathering raw threat information and security-related data from multiple sources, then correlating and analyzing the data to uncover trends, patterns and relationships that provide an in-depth understanding of actual or potential threats. The resulting intelligence is:

  • Organization-specific, focused not on generalities (e.g., lists of common malware strains) but on specific vulnerabilities in the organization’s attack surface, the attacks they enable, and the assets they expose

  • Detailed and contextual, covering not only the threats targeting the company but the threat actors who may carry out the attacks, the tactics, techniques and procedures (TTPs) those threat actors use, and the indicators of compromise (IoCs) that may signal a specific cyber attack

  • Actionable, providing information security teams can use to address vulnerabilities, prioritize and remediate threats, and even evaluate existing or new cybersecurity tools.

According to IBM’s Cost of a Data Breach 2022 report, the average data breach costs its victims USD 4.35 million; detection and escalation costs account for the most significant portion of that price tag, USD 1.44 million. Threat intelligence can furnish security teams with the information they need to detect attacks sooner, reducing detection costs and limiting the impact of successful breaches. 

The threat intelligence lifecycle

The threat intelligence lifecycle is the iterative, ongoing process by which security teams produce, disseminate and continually improve their threat intelligence. While the particulars can vary from organization to organization, most follow some version of the same six-step process.

Step 1: Planning

Security analysts work with organizational stakeholders—executive leaders, department heads, IT and security team members, and others involved in cybersecurity decision-making—to set intelligence requirements. These typically include cybersecurity questions that stakeholders want or need to have answered. For example, the CISO may want to know whether a new, headline-making strain of ransomware is likely to affect the organization.

Step 2: Threat Data Collection

The security team collects any raw threat data that may hold—or contribute to—the answers stakeholders are looking for. Continuing the example above, if a security team is investigating a new ransomware strain, the team might gather information on the ransomware gang behind the attacks, the types of organizations they’ve targeted in the past, and the attack vectors they’ve exploited to infect previous victims.

This threat data can come from a variety of sources, including:

Threat intelligence feeds—streams of real-time threat information. The name is sometimes misleading: While some feeds include processed or analyzed threat intelligence, others consist of raw threat data. (The latter are sometimes called ‘threat data feeds.’)

Security teams typically subscribe to multiple open-source and commercial feeds. For example, one feed might track IoCs of common attacks, another might aggregate cybersecurity news, another might provide detailed analyses of malware strains, and a fourth might scrape social media and the dark web for conversations surrounding emerging cyber threats. All of it can contribute to a deeper understanding of threats.

Information-sharing communities—forums, professional associations, and other communities where analysts share firsthand experiences, insights, and their own threat data.

In the U.S., many critical infrastructure sectors—such as the healthcare, financial services, and oil and gas industries—operate industry-specific Information Sharing and Analysis Centers (ISACs). These ISACs coordinate with one another via the National Council of ISACs (NCI). Internationally, the open-source MISP Threat Sharing platform supports a number of information-sharing communities organized around different locations, industries, and topics. MISP has received financial backing from both NATO and the European Union.

Internal security logs—internal security data from security and compliance systems such as SIEM (security information and event management), SOAR (security orchestration, automation and response), EDR (endpoint detection and response), XDR (extended detection and response), and attack surface management (ASM) systems. This data provides a record of the threats and cyberattacks the organization has faced, and can help uncover previously unrecognized evidence of internal or external threats.

Information from these disparate sources is typically aggregated in a centralized dashboard, such as a SIEM or a threat intelligence platform, for easier management.

Step 3: Processing

At this stage, security analysts aggregate, standardize, and correlate the raw data they’ve gathered to make it easier to analyze the data for insights. This might include filtering out false positives, or applying a threat intelligence framework, such as MITRE ATT&CK, to data surrounding a previous security incident, to better

Many threat intelligence tools automate this processing, using artificial intelligence (AI) and machine learning to correlate threat information from multiple sources and identify initial trends or patterns in the data.

Step 4: Analysis

Analysis is the point at which raw threat data becomes true threat intelligence. At this stage, security analysts test and verify trends, patterns, and other insights they can use to answer stakeholders’ security requirements and make recommendations.

For example, if security analysts find that the gang connected with a new ransomware strain has targeted other businesses in the organization’s industry, the team may identify specific vulnerabilities in the organization’s IT infrastructure that the gang is likely to exploit, as well as security controls or patches that might mitigate or eliminate those vulnerabilities.

Step 5: Dissemination

The security team shares its insights and recommendations with the appropriate stakeholders. Action may be taken based on these recommendations, such as establishing new SIEM detection rules to target newly identified IoCs or updating firewall blacklists to block traffic from newly identified suspicious IP addresses. Many threat intelligence tools integrate and share data with security tools such as SOARs or XDRs, to automatically generate alerts for active attacks, assign risk scores for threat prioritization, or trigger other actions.
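Steps 2 through 5 of the lifecycle in miniature, as an added example that is not part of the IBM article: two constructed threat data feeds in different formats are standardized and merged into one IoC set (processing, including dropping a junk row and merging an indicator reported by both feeds), then correlated against constructed internal security logs to produce the alert records a SIEM detection rule would raise (dissemination). The feeds, indicators, "ExampleRansom" threat names and log lines are all made up for this example.

```python
import ipaddress, json, re

KINDS = {"ip": "ip", "ipv4": "ip", "sha256": "sha256", "subject": "subject"}  # feed labels -> one kind
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                                   # key=value or key="..."

# Constructed feeds (made up for this example). FEED_A is "type,value,threat" text, FEED_B is JSON;
# both describe a hypothetical "ExampleRansom" gang, and FEED_A carries one malformed row.
FEED_A = """ip,203.0.113.7,ExampleRansom C2
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,ExampleRansom dropper
subject, Invoice Overdue - Action Required ,ExampleRansom phishing
ip,not-an-address,junk row that processing must drop"""
FEED_B = json.dumps([{"indicator": "203.0.113.7", "kind": "ipv4", "campaign": "ExampleRansom C2"}, {"indicator": "198.51.100.23", "kind": "ipv4", "campaign": "ExampleRansom C2"}])
# Constructed internal security logs (firewall, EDR, mail gateway) in key=value form.
LOGS = """2024-05-02T10:01:13Z src=fw action=deny dst=203.0.113.7
2024-05-02T10:05:40Z src=edr action=file_created sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-05-02T10:07:02Z src=mail action=received subject="INVOICE OVERDUE - action required"
2024-05-02T10:09:00Z src=fw action=allow dst=192.0.2.10"""

def normalize(kind, value):
    """Standardize one indicator to a (kind, value) key; None means drop it."""
    kind, value = KINDS.get(kind.strip().lower()), value.strip()
    if kind == "ip":
        try:
            return kind, str(ipaddress.ip_address(value))
        except ValueError:
            return None                              # junk row / false positive
    if kind == "sha256" and re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        return kind, value.lower()
    if kind == "subject":
        return kind, value.casefold()                # subjects match case-insensitively
    return None                                      # unknown kind or malformed hash

def build_ioc_set(feed_a=FEED_A, feed_b=FEED_B):
    """Processing: merge both feeds into {(kind, value): {"threat": str, "sources": set}}."""
    rows = [(*line.split(",", 2), "feed_a") for line in feed_a.splitlines()]
    rows += [(r["kind"], r["indicator"], r["campaign"], "feed_b") for r in json.loads(feed_b)]
    iocs = {}
    for kind, value, threat, source in rows:
        if key := normalize(kind, value):
            iocs.setdefault(key, {"threat": threat, "sources": set()})["sources"].add(source)
    return iocs

def correlate(iocs, logs=LOGS):
    """Analysis/dissemination: one alert record per log event that hits a known IoC."""
    alerts = []
    for line in logs.splitlines():
        fields = {k: v.strip('"') for k, v in LOG_RE.findall(line)}
        for field, kind in (("dst", "ip"), ("sha256", "sha256"), ("subject", "subject")):
            if field in fields and (key := normalize(kind, fields[field])) in iocs:
                alerts.append({"time": line.split()[0], "src": fields["src"], "kind": kind, "threat": iocs[key]["threat"]})
    return alerts
```

Each alert carries the feed-supplied threat name, which is the context that turns a bare IoC hit into something the SOC can prioritize.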

Step 6: Feedback

At this stage, stakeholders and analysts reflect on the most recent threat intelligence cycle to determine if the requirements were met. Any new questions that arise or new intelligence gaps identified may inform the next round of the lifecycle.

Types of threat intelligence

The threat intelligence lifecycle produces different types of intelligence depending on the stakeholders involved, the requirements set, and the overall aims of a given instance of the lifecycle. There are three broad categories of threat intelligence:

Tactical threat intelligence is used by the security operations center (SOC) to detect and respond to cyberattacks in progress. It typically focuses on common IoCs—e.g., IP addresses associated with command and control servers, file hashes related to known malware and ransomware attacks, or email subject lines associated with phishing attacks.

In addition to helping incident response teams filter out false positives and intercept genuine attacks, tactical threat intelligence is also used by threat-hunting teams to track down advanced persistent threats (APTs) and other active but hidden attackers.

Operational threat intelligence helps organizations anticipate and prevent future attacks. It is sometimes called ‘technical threat intelligence’ because it details the TTPs and behaviors of known threat actors—e.g., the attack vectors they use, the vulnerabilities they exploit, and the assets they target. CISOs, CIOs, and other information security decision-makers use operational threat intelligence to identify threat actors who are likely to attack their organizations, and respond with security controls and other actions aimed specifically at thwarting their attacks.

Strategic threat intelligence is high-level intelligence about the global threat landscape and an organization’s place within it. Strategic threat intelligence gives decision-makers outside of IT, such as CEOs and other executives, an understanding of the cyber threats their organizations face. Strategic threat intelligence usually focuses on issues such as geopolitical situations, cyber threat trends in a particular industry, or how or why certain of the organization’s strategic assets may be targeted. Stakeholders use strategic threat intelligence to align broader organizational risk management strategies and investments with the cyber threat landscape.
