24 Security Experts Reveal the Most Critical Components of Threat Intelligence and How to Take Action on Them
It's more imperative than ever that organizations gather information from a variety of sources that they can use to identify threats and take action to mitigate risks. Gathering raw data isn't sufficient; organizations must process that data to understand its context and analyze it to derive actionable insights. The resulting information is known as threat intelligence.
The sources companies gather information from play a crucial role in the quality of threat intelligence. Intelligence sources must be relevant and up to date to provide the most value. When relevant, useful data is gathered, processed, analyzed, and disseminated to security practitioners and other key stakeholders involved in decision-making processes, companies can take swift action to respond to threats and mitigate data loss and other damages resulting from a breach.
Threat intelligence encompasses several steps and processes, and the quality and diligence involved in each step can have a significant impact on the resulting intelligence. To learn more about the key components of threat intelligence and what companies should be doing to act on them, we reached out to a panel of security experts and asked them to answer this question:
"What are the most critical components of threat intelligence and how do you take action on them?"
Meet Our Panel of Security Experts:
Read on to learn what our experts had to say about the most critical components of threat intelligence and what you should do to take action on them.
Maksym Babych
Maksym Babych is the CEO at SpdLoad. He holds an MBA and is a Ph.D. candidate.
"The most critical components of threat intelligence are..."
1. Good resources. These are reliable streams of information about what sort of security events are happening throughout an industry, throughout a geographic region, or throughout a specific type of app or operating system. It helps to predict the real outcome. We use niche specialists like Statista or Daxx for creating our reports.
2. Experienced analysts. When an analyst is reading threat intelligence, he or she is asking him- or herself questions like 'Who are the actors behind the threat, and what are they looking for?,' 'Are our current systems adequately protected given what could be coming, and, if not, how should we direct resources?,' and so on. Without deep expertise it is impossible to build quality and predictable reports.
3. Productive processes. To avoid a case when investments in quality threat intelligence solutions and quality analysts are wasted and to make sure this kind of inefficiency doesn't hamstring a threat intelligence strategy, the analysts and the IT department should be empowered to act or to authorize action and should be treated as important advisors on setting, evaluating, and updating IT policies.
Charlie Wright
Charlie is an IT Consultant at Imprima with 20+ years of experience based in South East England.
"There are three main types of threat intelligence..."
1. Tactical. This is information from known attacks, a direct action. They are easy to spot, as normally they are malicious domains, email subjects, or links. They are short-term and can influence day-to-day operations and events.
2. Operational. Operational threat intelligence offers insight, motivations, and objectives. Their key components are TTP, techniques, and human behavior analysis. Some output data types will be TTP descriptions, triggers, and patterns.
3. Strategic. This is the most complicated form of cyber threat. It is related to global events and movements on the internet, which can damage the cybersecurity of an entire organization. These are atomic and machine-readable indicators, IPs, domains, IOC signatures, etc.
You can take action on them in several ways:
- Training your employees. They will be able to identify cyberattacks better and faster. The better employees can identify the risks, the better they can protect your business.
- Check your partners. Find out how they handle cyberattacks before sharing data with your partners.
- Keep yourself updated. It is key to keep an eye on new threats, as they vary very fast.
Abdul Rehman
Abdul Rehman is a senior Cyber-Sec editor at VPNRanks.com.
"The most important component of threat intelligence is having a knowledge source..."
If you have access to up-to-date information about the latest threats lurking in your industry, it makes it easier to adequately predict, assess, and respond to cyber threats.
It's like foreseeing the future and knowing exactly how any malicious entity will impact your organization. If you receive proper intelligence in a timely manner, then you can properly communicate what needs to be done among the relevant stakeholders.
Proper knowledge sharing is key here. If relevant knowledge is dispersed among the teams, proper tools and resources can be used to tackle any sort of cyber attack.
Nick Santora
Nick Santora is the CEO and Founder of Curricula. Nick spent nearly seven years working as a cybersecurity specialist for Critical Infrastructure Protection (CIP) for the North American Electric Reliability Corporation (NERC).
"Security awareness training to recognize warning signs from potential hackers is the most critical component of threat intelligence..."
Your employees are on the frontlines to help protect your organization. It's important to dedicate time to teach employees about how to be aware of threats, such as a data breach or phishing scam.
Each and every employee needs to develop the soft skills that are needed on the cyber side to really understand how to block the bad guys attempting to hack an organization.
Threat intelligence and security awareness go hand-in-hand. We have to teach people how to recognize and defend themselves against hackers. Constant communication helps, such as reiterating 'see something, say something' to alert management if someone receives a suspicious email.
Tricia Lewis
Tricia Lewis is the Executive VP of HackEDU, an online training platform for developers, coders, and cybersecurity professionals.
"The most critical components of threat intelligence are good data sources, credible threat analysts, and proper threat procedures..."
These three components allow companies to identify, validate, and prevent threats from happening. You can take action by hiring a qualified threat/cyber security analyst and working with them to come up with a threat prevention plan. A good analyst will then educate the rest of the employees on procedures and protocols they can implement to mitigate the risk of threats as it pertains to their jobs.
Will Ward
Will Ward is the founder and CEO of Assistive Listening HQ, an eCommerce company dealing with assistive listening equipment. Before being an entrepreneur, he was a consultant helping NGOs and international organizations purchase the right audio equipment for events.
"The most critical components of threat intelligence are reliable data, good analysts, and a sound policy so that the intelligence is acted upon..."
Reliable data is the foundation of threat intelligence. Good threat intelligence analysts are the pillars of threat intelligence. But everything is useless if no action is taken.
Here are some steps to take action:
1. All threat intelligence should be aggregated in one location and compared to each other. After comparison, the biggest threats should be given maximum priority.
2. Acting upon wrong intelligence/data can be costly. A system to double check is of utmost importance before taking action on threat intelligence.
3. Related data should be garnered. For example, if a particular host name is a threat, related data like IP addresses can be identified. Identifying these other connections will assist in tackling threats overall.
4. Figuring out the intentions of the attack is key. Good knowledge on the attack motive can lead to strategies that prevent future attacks.
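The aggregation, double-check and prioritization steps above, as an added example that is not part of the original article. The feed names, indicator values and severity figures are constructed sample data; the point is that entries from different feeds referring to the same indicator are merged, only indicators corroborated by at least two sources are treated as actionable, and single-source hits are queued for human review instead of being acted on blindly.

```python
"""Aggregate threat indicators from several feeds, corroborate, and prioritize.

Added illustration (not from the article). Feed names, indicator values and
severity figures below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample feeds: (source name, raw indicator, indicator type, severity 1-5)
SAMPLE_FEEDS = [
    ("feed-a", "bad.example", "domain", 4),
    ("feed-b", "BAD.example.", "domain", 5),   # same domain, different case and trailing dot
    ("feed-c", "198.51.100.7", "ip", 3),
    ("feed-a", "198.51.100.7", "ip", 3),
    ("feed-b", "lonely.example", "domain", 5),  # reported by a single source only
    ("feed-c", "0123456789abcdef0123456789abcdef", "md5", 2),  # constructed placeholder hash
]


@dataclass
class Indicator:
    value: str
    kind: str
    sources: set = field(default_factory=set)
    max_severity: int = 0


def normalize(value: str, kind: str) -> str:
    """Canonical form so that the same indicator from two feeds compares equal."""
    v = value.strip()
    if kind == "domain":
        v = v.lower().rstrip(".")
    elif kind == "md5":
        v = v.lower()
    return v


def aggregate(feeds):
    """Merge feed entries that refer to the same indicator into one record."""
    merged = {}
    for source, raw, kind, severity in feeds:
        key = (kind, normalize(raw, kind))
        ind = merged.setdefault(key, Indicator(key[1], kind))
        ind.sources.add(source)
        ind.max_severity = max(ind.max_severity, severity)
    return list(merged.values())


def prioritize(indicators, min_sources=2):
    """Keep only corroborated indicators, highest severity first."""
    actionable = [i for i in indicators if len(i.sources) >= min_sources]
    return sorted(actionable, key=lambda i: (-i.max_severity, -len(i.sources), i.value))


def needs_review(indicators, min_sources=2):
    """Single-source indicators go to a human double check rather than straight to blocking."""
    return [i for i in indicators if len(i.sources) < min_sources]


if __name__ == "__main__":
    inds = aggregate(SAMPLE_FEEDS)
    for i in prioritize(inds):
        print("ACT   ", i.kind, i.value, "severity", i.max_severity, "sources", sorted(i.sources))
    for i in needs_review(inds):
        print("REVIEW", i.kind, i.value, "sources", sorted(i.sources))
```

The corroboration threshold is deliberately a parameter: a team that trusts one feed highly can lower it for that feed's indicators, but the default of two sources is what keeps a single mistaken entry from turning into a costly false block.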
Taylor McCarthy Hansen
Taylor McCarthy Hansen is the Co-Founder of The Ecomm Manager.
"The most critical component of threat intelligence is briefing your staff and ensuring they follow IT safety protocol..."
Like most businesses, my office is a BYOD (bring your own device) work environment. All it takes is a single penetration from a single employee's device to compromise the entire network. A staff member can fall for a phishing site, download a virus-laden attachment from a fake email, or have his/her email password hacked through brute force.
My staff must adhere to all IT safety protocols outlined in company guidelines. My company uses an enterprise cloud-based collaboration software; all staff need to use a strong password, verify email authenticity, use 2-factor authentication, etc. These practices apply both in and out of the office.
Mackenzie Fribance
Mackenzie Fribance is the VP of Business Development & Strategic Partnerships for Intensity Analytics.
"We approach threat intelligence with the perspective that it is important to..."
Utilize the best data sources and be able to take meaningful action with the information you're using. Our belief that identity is the new perimeter, when combined with knowledge from studies like the Verizon Data Breach Report that confirms identity is the largest source of data breaches, makes it clear that information sources providing otherwise unavailable data regarding identity, credentials, and access are critical components of threat intelligence. When added to a threat intelligence solution, this information can help companies identify credential stuffing attacks, password breaches, and other risks to the organization.
An IBM study found that companies take on average 197 days to identify and 69 days to contain a data breach. Frictionless capture of behavioral authentication data can help a threat intelligence solution substantially reduce the breach vulnerability gap for identity related data breaches. The IBM study also found companies that can contain a breach within 30 days save more than $1 million compared to those who are unable to respond as quickly. On top of that, many regulations from FACTA, FCC Red Flags Rules, and others require companies to make efforts to guard against credentials theft, and specialized data like that provided by TickStream.PI can aid in compliance initiatives.
Reuben Yonatan
Reuben Yonatan is the Founder and CEO of GetVoIP.
"The most critical component of threat intelligence is a clear and well laid out strategy on how to react to intelligence..."
Intelligence is only beneficial if the relevant parties act on it within the right time frame. For example, say an employee who is not an analyst or in the IT department discovers an emerging phishing scam targeting his/her department.
Are there guidelines that outline how that information will get to the right person in the IT department as quickly as possible? Beyond that, is there a strategy in place the IT department can follow to ensure they react to the threat immediately, implement defensive measures, and communicate the relevant information to all the employees in that department?
A lack of strategy will have the IT department reacting to an imminent threat after it has already caused damage.
Darren Deslatte
Darren Deslatte is the Vulnerability Operations Leader at Entrust Solutions, a technology solutions, IT managed services, and staff augmentation provider with offices in New Orleans and Norfolk.
"Most people know that cyberattacks can wreak havoc on an organization, but many remain unaware just how much damage even one hacker can do..."
Cybercriminals tend to either hold your sensitive data ransom or sell personally identifiable information, such as Social Security numbers. Both of these approaches are highly profitable for criminals and costly for the attacked organization. The average cyberattack costs a small business $380,000 in damages and repairs, a cost so steep that 60% of those businesses are forced to close their doors within six months.
So how can threat intelligence help keep your business or agency safe from malicious hackers? Threat intelligence is all about gathering detailed information about who has attacked, or who is most likely to attack, your business and how. Data pertaining to existing or potential vulnerabilities will be gathered and analyzed, usually through a combination of AI processing large amounts of data and humans providing context for those automated numbers. The threat intelligence process allows your business to then be able to take concrete actions in securing your organization's cyber realm.
There are three main types of threat intelligence, with one of the most important being operational threat intelligence. This branch of threat intelligence focuses on studying the attributes of cybercriminals who might attack or who have attacked your organization, such as their motivation or strategies.
It is relatively easy for cybercriminals to switch between tools, such as using different types of malware. Thus, understanding their long-term incentives is an important pillar of a good threat intelligence program. While vulnerability exploitation and tools can be altered quickly and on the fly, it is generally much harder for cybercriminals to change their overall tactics. Therefore, having a solid framework and grasp on operational threats is akin to winning the battle versus winning the war.
Operational threat intelligence deserves a large share of the attention within your threat intelligence program, as it helps security teams build defenses against hackers that last beyond one individual cyberattack.
Steve Tcherchian
Steve Tcherchian is the Chief Information Security Officer at XYPRO, a leading cybersecurity analytics company.
"For threat intelligence to work, data needs to be available..."
The more data that is available, the more intelligent the decision-making process will become, making the results more actionable.
Data's uses are limitless. Over the last decade, computing power has advanced to the point where generating and storing massive amounts of data has become highly cost efficient so that should no longer be a drawback.
Typical threat intelligence systems are configured to raise alarms when they encounter a defined binary event or a threshold being reached. For example, if three or more failed authentication attempts performed in succession are detected, the system is configured to generate an alert. Yet successful authentication attempts are mostly categorized as business as usual and ignored, even if they're occurring at off times or from unexpected locations. The current mean time to detect a breach is over six months. Most organizations have all the data they need to identify a breach much faster than six months, yet they are still unable to detect and react to a breach in even a semi-reasonable amount of time. The key components to make threat detection intelligent and actionable are:
- The variety, volume, and velocity of the data
- Including new sources of data that aren't typically used for threat intelligence, such as system data, configuration data, policies, user behavior, and others
- Having proper context for the data and patterns
Oftentimes, correlation is misrepresented as context. Correlation is not context. For data to be intelligent, context is key. Correlation links two sources of data together that have a common element. Context applies a second level of evaluation to highlight what is important with the newly created (or correlated) data. For example, threat intelligence without environmental and industry context cannot detect what's business as usual vs. unusual but acceptable activity vs. what's a legitimate potential threat. The unavoidable alert overload means security personnel eventually tune out alerts, making it easy for malicious activity to slip by. When this happens, it obviously means you're too late.
Without these three critical components, your threat intelligence results are going to fall short of their potential.
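The contrast between a binary threshold rule and context-aware evaluation, as an added example that is not code from the article or from XYPRO. It runs two detectors over constructed authentication log lines: the classic "three consecutive failures" rule, and a rule that looks at successful logins in the context of business hours and each user's baseline login countries. The log format, the baselines and the business-hours window are assumptions made for the example.

```python
"""Threshold alerting vs. context-aware alerting over authentication logs.

Added example, not code from the article. Log format, user baselines and
business hours below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})"
)

# Constructed sample log lines (documentation IP ranges, made-up users)
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=alice result=OK src=192.0.2.10 geo=US
2024-03-04T09:15:42Z user=bob result=FAIL src=192.0.2.11 geo=US
2024-03-04T09:15:50Z user=bob result=FAIL src=192.0.2.11 geo=US
2024-03-04T09:16:03Z user=bob result=FAIL src=192.0.2.11 geo=US
2024-03-04T09:16:20Z user=bob result=OK src=192.0.2.11 geo=US
2024-03-05T02:13:55Z user=alice result=OK src=203.0.113.9 geo=RO
"""

# Constructed baseline: countries each user normally logs in from
BASELINE_GEO = {"alice": {"US"}, "bob": {"US"}}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, assumed for the example


def parse(log_text):
    """Turn raw lines into event dicts with a timezone-aware timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def threshold_alerts(events, limit=3):
    """Binary rule: N consecutive failures for one user raise one alert."""
    alerts, streak = [], defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            streak[e["user"]] += 1
            if streak[e["user"]] == limit:
                alerts.append(("failed-auth-threshold", e["user"], e["ts"].isoformat()))
        else:
            streak[e["user"]] = 0
    return alerts


def context_alerts(events, baseline=BASELINE_GEO, hours=BUSINESS_HOURS):
    """Successful logins are not ignored: off-hours plus unfamiliar geo is flagged."""
    alerts = []
    for e in events:
        if e["result"] != "OK":
            continue
        reasons = []
        if e["ts"].hour not in hours:
            reasons.append("off-hours")
        if e["geo"] not in baseline.get(e["user"], set()):
            reasons.append(f"new-geo:{e['geo']}")
        if len(reasons) == 2:  # both contexts required, to keep alert volume down
            alerts.append(("successful-auth-anomaly", e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(threshold_alerts(evs))
    print(context_alerts(evs))
```

The threshold detector fires on bob's three failures and says nothing about alice, whose 02:13 UTC login from a country she has never used before is exactly the "business as usual" event the quote warns about; only the context rule, which combines the timestamp with a per-user baseline, surfaces it.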
Ilia Sotnikov
Ilia Sotnikov is an accomplished expert in cybersecurity and IT management and VP of Product Management at Netwrix, a vendor of information security and governance software.
"The core quality of an effective threat intelligence solution is actually completeness of information..."
A threat intelligence solution should be able to provide 1) the evidence in order to demonstrate that the threat is valid, and 2) actionable data uncovering efficient mitigation methods. With the complete and actionable information at hand, IT security teams will be able to assess how critical each threat is to their organization and take the steps necessary for prevention. Fragmented knowledge is not power, while complete and relevant knowledge is, for sure.
Deepu Prakash
Deepu Prakash is the SVP of Process & Technology Innovation at Fingent, a Custom Software Development Company.
"Threat intelligence is organizing the data that is gathered from electronic, internet, human, internal, and external sources..."
The data is then processed using different methods to check for its validity. The information generated provides the context and conditions necessary for a threat to thrive.
What are the most critical components of threat intelligence?
1. Specific to an Industry: For example, if you are into e-commerce, you need to receive data about cyberattacks focusing on e-commerce websites, the nature of the attack, the implementation, and so on from your threat intelligence reports.
2. Nature of the Risk: Good threat intelligence identifies the threats the company faces and how vigilant they should be and suggests the steps that need to be taken to mitigate the risks.
3. Qualified Experts: Threat intelligence requires highly qualified and skilled cybersecurity experts since it requires high analytical minds to process the information and assess the threat properly. Any small error could result in big losses.
How do you take action on them?
1. Prevent Data Loss: Regularly monitor attempts by malicious domains or IPs and collect the related intelligence inputs.
2. Breach Detection & Responsiveness: The sooner you detect the breaches, the better, since the impact can be mitigated. One scenario is simultaneously performing network monitoring and enabling deep data inspection, which empowers the team to detect any malware, virus, or intrusions. The responsiveness element is crucial to handle a breach in a short time, along with identifying the attacked systems.
3. Proper Analysis of Threat: Proper threat analysis is the ability to comprehend the tactics, attack patterns, techniques, and procedures. This is important to provide various insights for developing defense mechanisms.
Rameez Ghayas Usmani
Rameez is a digital marketing expert at PureVPN.
"The primary concept of threat intelligence is the idea of using a proactive approach..."
Mostly, cybersecurity methods are based around a reactive model. That means nothing changes until a threat makes it necessary. Although this does save some effort, it sacrifices some effectiveness in the process.
Instead of waiting for the attack to occur, you can choose to investigate every known cyber threat. The more you can learn, the better you can protect yourself and your systems from attacks that could do harm. Although the literature on this subject is kind of vague, it all comes down to the concept of good intelligence gathering.
Steven Solomon
Steven M. Solomon is a business leader with more than a decade of experience in cybersecurity. He is currently the Healthcare Regional Sales Manager at CyberMaxx, where he helps protect hospital systems and healthcare organizations from ransomware and advanced cyber attacks.
"Threat intelligence gathers information from a variety of sources that are publicly available or private..."
That information is valuable because it allows cybersecurity companies to alert their clients to new attacks. This in turn reduces the risks of a high impact security incident because organizations can bolster their defenses to mitigate the threats.
Cybersecurity companies that provide threat intel follow a generally accepted lifecycle that includes collecting, processing, analyzing, and broadcasting information. Ultimately, actionable information from threat intel leads an organization to assess a risk score and decide whether to prioritize their efforts to mitigate that risk.
Shagun Chauhan
Shagun Chauhan is a Business Consultant at iFour Technolab Pvt Ltd, a customized software development company.
"The term threat intelligence refers to the practice of collecting data, information, and knowledge that keeps an organization informed about potential cybersecurity threats..."
Threat intelligence can be used to gather data on cyberattacks that have happened in the past, are currently happening, or that the organization may be affected by in the future. Through threat intelligence, IT organizations gain a deeper understanding of their security vulnerabilities and can accurately organize and prioritize tasks to mitigate the known threats.
The most important components of threat intelligence are:
1. Strategic Intelligence: It provides a high-level, risk-based viewpoint that is most relevant for executive decision-makers rather than being directly actionable by the IT security analysts.
2. Tactical Intelligence: It contains detailed information about the threat actor techniques, tactics, and procedures for a specific type of cyberattack.
3. Operational Intelligence: It includes actionable information about the specific upcoming attacks. This component is less prevalent than the other type of threat intelligence but can serve as a timely warning against an upcoming security threat.
4. Technical Intelligence: It is mostly derived from internal sources and includes technical threats that are picked up through event logs in a SIEM.
Xavier Morales, Esq.
Xavier Morales is the CEO & Founder of Secure Your Trademark.
"Two of the most critical components of threat intelligence are to..."
- Have good data sources. To have the best protection, you should use cloud-based anti-malware programs that update data in real-time. This way, you can automate some of the bulk of the threat analysis.
- Have good threat analysts. It won't matter if you have state-of-the-art data sources if you don't have a qualified analyst to read them. You need someone who's engaged in the work, tech-savvy, and very well informed. Only then will you have someone who can not only see threats in real-time but also better prepare for threats in the future.
Rex Freiberger
Rex Freiberger is the President of Superlativ.io and GadgetReview, a top technology and lifestyle publication with over 50,000 product reviews and ratings of the top electronics, software, and services.
"Good threat intelligence boils down to three things..."
Having good policies in place, hiring the right people, and collecting the right lead-in information.
There needs to be a solid plan for all departments and a chain of command to implement it. Isolating a threat in one area is useless if the proper procedures aren't followed and other departments aren't made aware of it.
Obviously, you need to hire people who can oversee threat intelligence, but you also need to hire managers and leads who have the ability to work within a tightly-organized system and who are very particular about following security protocols.
Finally, if you aren't collecting the right data, all the strategy in the world won't matter. You need people who are staying on top of primary sources, keeping abreast of the latest threats, and researching them thoroughly; otherwise, you'll be caught off guard.
Alexander M. Kehoe
Alexander M. Kehoe is the Co-Founder and Operations Director at Caveni.
"One of the most important factors in threat intelligence is having an effective organization to facilitate the more technical side..."
We often see companies that have ineffectively thrown money into a terrible system without proper management. An effective threat intelligence plan starts with having a quality team that is able to handle common problems and adapt to new ones. Once you have an effective team, there needs to be a process for that team to assess and act when any concerns come up. The process also needs to be quick with a clear chain of command. A common problem we've seen is when someone from another department is placed in the middle of a chain that needs to be completely gone through to properly move forward; this causes delays in an industry where time can be immensely important.
Mark Lee, Ph.D.
Mark Lee, Ph.D. is an Executive Vice President at iThreat, a provider of threat intelligence programs. Mark earned a Ph.D from the Georgia Institute of Technology and has held various positions in technology development for major Fortune 500 companies, such as Lockheed Martin, Pitney Bowes, AT&T, and NCR.
"The most critical components of a threat intelligence program are..."
The intelligence gathering objectives, data sources, the database used for collection, analysis of the data, the action plans related to specific threats, the distribution of that information, and feedback into the intelligence gathering objectives. This is often referred to as the intelligence cycle.
Threat intelligence objectives focus on potential threats to your organization and define how to monitor for those threats. For example, a pharma company that manufactures a drug with dangerous side effects may decide to monitor the Dark Web and online marketplaces for counterfeit products that would adversely affect patient safety. Gathering various types of data and managing that data efficiently requires technology to both store the data and to query and visualize that data in a way that leads to insight.
The meaning we put to that data in the context of our intelligence objectives transforms data into information. Knowing the owner of a newly registered domain name (the last few letters of an internet address like .com, .net, .biz) is not very interesting, but if you have a database that shows that the owner of that new domain owns several other domain names associated with phishing scams or counterfeit products, that is actionable information. You may choose to block that domain at your firewall.
To be useful, intelligence must be shared. Intelligence about geopolitical threats can be very useful to business travelers, but only if people traveling to that hotspot are informed. When we deliver that information to intelligence consumers, they often provide feedback that can be used to adjust the collection process. In this way, the intelligence cycle is complete, and we can continue this important activity that helps protect people, assets, and intellectual property.
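The registrant pivot described above (a new domain is uninteresting on its own, but becomes actionable once its owner is linked to known phishing domains), as an added example that is not code from the article or from iThreat. The WHOIS-style registration records, the registrant handles and the set of previously flagged domains are all constructed; the output is a verdict with the evidence that justifies it, so a firewall block can be audited later.

```python
"""Pivot from a newly registered domain to its registrant's other domains.

Added example; the registration records, registrant handles and phishing flags
below are constructed sample data, not real intelligence.
"""
from collections import defaultdict

# Constructed registration records: domain -> registrant handle
REGISTRATIONS = {
    "login-verify.example": "reg-1234",
    "secure-pay.example": "reg-1234",
    "acct-update.example": "reg-1234",
    "ourcorp-news.example": "reg-1234",  # the newly registered domain under review
    "gardening.example": "reg-9876",
}

# Constructed: domains that earlier intelligence tied to phishing campaigns
KNOWN_PHISHING = {"login-verify.example", "secure-pay.example", "acct-update.example"}


def by_registrant(records):
    """Index registration records so all domains of one registrant can be looked up."""
    idx = defaultdict(set)
    for domain, reg in records.items():
        idx[reg].add(domain)
    return idx


def assess_domain(domain, records=REGISTRATIONS, bad=KNOWN_PHISHING, min_links=2):
    """Return (verdict, evidence) for a domain based on its registrant's history.

    verdict is one of "unknown" (no registration data), "monitor" (registrant has
    fewer than min_links flagged domains) or "block".
    """
    reg = records.get(domain)
    if reg is None:
        return ("unknown", [])
    siblings = by_registrant(records)[reg] - {domain}
    linked_bad = sorted(siblings & bad)
    if len(linked_bad) >= min_links:
        return ("block", linked_bad)
    return ("monitor", linked_bad)


def firewall_blocklist(domains, records=REGISTRATIONS, bad=KNOWN_PHISHING):
    """Domains whose registrant history justifies a block, each with its evidence kept."""
    out = {}
    for d in domains:
        verdict, evidence = assess_domain(d, records, bad)
        if verdict == "block":
            out[d] = evidence
    return out


if __name__ == "__main__":
    for d in ["ourcorp-news.example", "gardening.example", "nope.example"]:
        print(d, assess_domain(d))
    print(firewall_blocklist(["ourcorp-news.example", "gardening.example"]))
```

Requiring two linked phishing domains rather than one is the "double check" step: a single shared registrant handle can be a coincidence or a large reseller, while a registrant with several flagged domains is the pattern worth acting on.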
LeeJay Stewart
LeeJay Stewart is the Founder & Managing Director at Stratus Communications.
"I hear from clients who are proactive as well as clients who are in a crisis..."
But either way, my plan of attack is usually pretty methodical: identify the threat, the attackers and their motives, identify weaknesses within the organization, and then get down to the attack behaviors. Identifying the threat actor is pretty much trying to find out who the bad guy is and how they operate. Their motives are usually clear, so it's important to know where the honey pot is within an organization when working to identify weaknesses in the current IT system. Since the attack groups are large criminal organizations throughout the world, there are some predictable behaviors that experienced security experts can identify to help them deal with ransomware or other demands after a data hijack.
It is important for companies to protect themselves in advance of an attack. One client, a large financial firm, is very proactive in their security. In fact, they built a perimeter around their firewall and have continuous monitoring for threats ranging from minor to heavy. They worked to identify their security posture as an organization, overturning all the stones and answering every question on the list: Why would anyone want to attack this company? Where are we vulnerable? What information could be maliciously hijacked?
I also highly advise all of my clients to consider insurance to cover malicious online behavior, ransomware, and outright theft. A small business owner called me in tears not long ago. With just three employees, her company's entire data platform was stolen and held for a cool $250,000. She didn't have the money to pay the ransom and had no insurance to cover the issue. My team was able to discover a backup that the hackers didn't find, which was a near duplication of her client list. Fortunately, she was spared but lost two and a half weeks of work.
I can't say enough about the importance of proactivity in threat intelligence. Consumers also need more education before it's too late.
Jonathon Wright
Jonathon Wright is the Co-Founder of The QA Lead.
"The most critical component of threat intelligence is the processing phase..."
This phase is where all the data that has been collected is sorted and enriched. All the seemingly random bits of data are identified and connections start to be made. These connections can be used to provide intelligence about possible threats to your system, and action can be taken to prevent any threats that are identified at this stage.
An example of this would be prioritizing patches for infrastructure groups using data about vulnerabilities. After the data is processed and sorted, you get detailed information that includes things like what could happen if the threat were exploited, how hard it is to exploit, and even whether there are tools available to exploit the vulnerability. This helps your team focus on higher-priority patches first.
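The patch-prioritization example above, worked through in code as an added illustration that is not from the article or from The QA Lead. The vulnerability records use placeholder identifiers (not real CVE numbers), and the impact scores, complexity factor and multipliers for a public exploit and for internet exposure are constructed weights; a real program would pull these fields from its scanner and intelligence feeds and tune the weights to its own risk appetite.

```python
"""Rank pending patches from enriched vulnerability data.

Added example, not from the article. The records and the weights are constructed
assumptions; identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder identifier
    impact: float           # 0-10, what could happen if the weakness were exploited
    complexity: str         # "low" or "high" effort required to exploit
    exploit_public: bool    # is a working exploit tool known to be available
    internet_facing: bool   # is the affected asset reachable from outside


# Constructed weights: hard-to-exploit issues are discounted, public exploits and
# external exposure raise the priority
COMPLEXITY_FACTOR = {"low": 1.0, "high": 0.6}
PUBLIC_EXPLOIT_MULTIPLIER = 1.5
INTERNET_FACING_MULTIPLIER = 1.25


def priority_score(v: Vuln) -> float:
    """Combine the enriched fields into a single comparable number."""
    score = v.impact * COMPLEXITY_FACTOR[v.complexity]
    if v.exploit_public:
        score *= PUBLIC_EXPLOIT_MULTIPLIER
    if v.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    return round(score, 2)


def patch_order(vulns):
    """Highest priority first; ties broken by id so the schedule is stable."""
    return sorted(vulns, key=lambda v: (-priority_score(v), v.vuln_id))


# Constructed sample records
SAMPLE = [
    Vuln("VULN-A", impact=9.0, complexity="high", exploit_public=False, internet_facing=False),
    Vuln("VULN-B", impact=6.0, complexity="low", exploit_public=True, internet_facing=True),
    Vuln("VULN-C", impact=7.0, complexity="low", exploit_public=False, internet_facing=True),
    Vuln("VULN-D", impact=4.0, complexity="low", exploit_public=True, internet_facing=False),
]

if __name__ == "__main__":
    for v in patch_order(SAMPLE):
        print(f"{v.vuln_id}: {priority_score(v)}")
```

Note how VULN-A, which has the highest raw impact, ends up last: with no public exploit, high complexity and no external exposure, it is the one the team can afford to schedule after the internet-facing issue with a ready-made exploit.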
Kevin Foster
Kevin Foster leads defensive security strategy and implementation projects for clients in financial services, telecom, aerospace, and healthcare. Kevin specializes in projects related to Threat Hunting, Endpoint Detection and Response (EDR), Analytics and Security Information and Event Management (SIEM), and Incident Response (IR) activities.
"The most critical components of threat intelligence are..."
1. Narrative of a real breach from start to finish.
2. Specific TTPs of attacker behaviors.
The narrative helps make security real to the business by providing context that non-technical people can relate to. Being able to share stories like, "Not having multi-factor authentication (MFA) was the root cause why [a peer's] IP was stolen by an attacker," will have the C-Suite more interested in MFA than ever before. Threat Intel helps inform high-level policies, low-level controls, and everything in between.
The specific TTPs help identify which specific threats should matter most to an organization. Knowing that a peer was compromised by techniques X, Y, and Z allows for better prioritization of controls and should be used to strategically reduce the largest risks.
Ian Kelly
Ian Kelly is the VP of Operations for NuLeaf Naturals. He's helped launch two major cannabis brands in both Colorado and Massachusetts, apart from consulting many firms across the country.
"Threat Intelligence comprises three important aspects: tactical intelligence, operational intelligence, and strategic intelligence..."
Tactical threat intelligence is the most basic and is done by almost all companies. Information like malicious URLs, suspicious IP addresses, and file hashes falls under tactical threat intelligence. The only drawback of such intelligence is that it has a short life span and keeps on changing. It has minimal value in terms of countering threats in the future. Companies can make use of many open source and paid software applications to get tactical threat intelligence.
Operational threat intelligence digs deeper and analyzes who is behind an attack and what the motivation behind it was. Software alone cannot determine the nature of cyberattacks. Teams need to work along with machines to figure out the tactics, techniques, and procedures (TTPs) of cybercriminals. Operational intelligence is more valuable as it's harder for cyber criminals to change their TTPs. Companies need to invest in a security operations center, which is a collective of people, technology, and processes set up with the sole purpose of securing information.
Strategic threat intelligence keeps an eye on bigger global factors that result in cyber attacks. For example, geopolitical conditions like foreign policy, dissenting events, wars, etc. can open up avenues of threats that companies need to be ready for. This is the toughest intelligence to garner. Strategic threat intelligence is used to inform high-level decision-makers in a company. There are two ways to acquire this intelligence. One option is to rely on reports released by teams that assess geopolitical situations and threats. A more expensive option is to hire specialists with a background in military intelligence operations to do the job.