What is Cyber Threat Intelligence?

Cyber threat intelligence is information used to identify present or future cyberattacks against an organization’s systems. Companies can subscribe to threat intelligence feeds and services to learn more about current malware or threat campaigns and take advantage of services to identify potential threats to a company, its employees, and its customers.

The Importance of Cyber Threat Intelligence

Cyber threat intelligence provides insight into the current threat landscape and the potential cyberattacks that companies can face. It also can include information about intrusions and other security incidents that an organization has already experienced.

Threat intelligence is key to ensuring that organizations allocate limited cybersecurity resources to maximize the potential benefit to the organization.

With knowledge of current threat campaigns, companies can tune their defenses to maximize the potential that they will be able to identify and block future cyberattacks. Plus, threat intelligence is useful for identifying past intrusions into a company’s systems and gauging the potential impact on the business and its customers.

What Cyber Threat Intelligence Includes

Cyber threat intelligence includes any information that can help inform the business about the potential cyber threats it faces and how to address them. The majority of threat intelligence deals with current cyberattacks and active malware variants.

However, organizations may also have access to more targeted types of threat intelligence providing them with information about risks to their brand or data leaked due to past data breaches.

Attacker Tactics, Techniques, and Procedures (TTPs)

The bulk of technical threat intelligence data is related to the TTPs used by various threat actors. When new malware or cyberattack campaigns are detected, security researchers collect and disseminate indicators of attack (IoAs) and indicators of compromise (IoCs) that can be used to identify these threats.

For instance, a strategic threat intelligence feed could include file hashes for new malware variants and the IP addresses and domain names associated with known cyberattack campaigns.

Organizations can subscribe to tactical threat intelligence feeds to collect this information and feed it to their security solutions. This data can also be filtered or personalized to identify the relevant threats that an organization is most likely to face, such as:

  • Malware or cyberattacks targeting other organizations in the same industry or geographic region.

By taking advantage of this more targeted threat intelligence, an organization can more accurately assess the types of threats that it is likely to face and how to best defend against them.

Brand Protection

Cybercriminals commonly use lookalike email addresses and websites in their phishing attacks. This is designed to make the potential attacks seem legitimate to their targets and takes advantage of the targets’ trust in the brand.

This practice has the potential to significantly harm an organization’s reputation with its customers, vendors, suppliers, and other partners.

The information below can be collected as actionable threat intelligence personalized to an organization:

  • Suspicious domains
  • Phishing websites
  • Social media impersonation
  • Unauthorized APKs

The organization can then take action to protect its brand against these threats.
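As an added illustration (not Check Point's code), the sketch below shows one way a defender could triage newly observed domains for lookalikes of a brand. The brand `examplebank.com`, the confusable-character table, and the candidate domains are all constructed assumptions, and only ASCII tricks are covered.

```python
# Assumed brand domain; replace with the organization's own.
BRAND = "examplebank.com"

# Small, assumed table of ASCII substitutions commonly used in lookalikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label):
    """Collapse confusable characters and hyphens to a comparable form."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand=BRAND):
    """Return a reason code if candidate imitates brand, else None."""
    cand = candidate.lower().rstrip(".")
    if cand == brand or cand.endswith("." + brand):
        return None  # the brand's own domain or one of its subdomains
    name = brand.split(".")[0]
    for label in cand.split("."):
        if label == name:
            return "brand-label-elsewhere"  # brand name under another domain/TLD
        if skeleton(label) == skeleton(name):
            return "confusable"
        if edit_distance(skeleton(label), skeleton(name)) <= 1:
            return "near-miss"
        if name in label:
            return "embedded"
    return None

def triage(candidates, brand=BRAND):
    """Map each suspicious candidate to its reason code."""
    flagged = {c: classify(c, brand) for c in candidates}
    return {c: r for c, r in flagged.items() if r}

if __name__ == "__main__":
    # Constructed candidate list, e.g. from newly registered domain data.
    print(triage(["examp1ebank.com", "login.examplebank.com", "example.com"]))
```
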

Breach Monitoring

Often, it takes time for a breach to be detected, if the company notices it at all.

In the state of a data breach report, IBM and Ponemon distinguish between breaches identified within 200 days and those that took more than 200 days to detect when comparing the cost and impact of faster breach detection.

In some cases, companies only learn of a breach when company, employee, or customer data is for sale on the dark web. Breach monitoring services can look for:

  • Employee credentials
  • Customer information
  • Intellectual property
  • Other data that have been posted or advertised for sale on the dark web

Who Benefits from Threat Intelligence?

Threat intelligence provides insight into potential cyber threats a company may face or breaches that it has not yet identified within its systems.

This diverse set of security information has numerous potential applications within an organization.

One of the most common applications of strategic threat intelligence is for identifying potential security incidents via persistent threat detection and threat hunting. Threat intelligence feeds commonly provide IoCs that organizations can look for in their systems to either identify and block an impending attack or detect the presence of an intruder within their systems.
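The feed-to-detection workflow described here and in the TTPs section can be sketched as follows. This is an added example, not Check Point's code: the feed entries, the log format, and every indicator value are constructed (reserved documentation ranges and the `.example` TLD).

```python
import ipaddress

# Constructed feed entries, defanged the way feeds often distribute them.
FEED = [
    {"type": "domain", "value": "bad-updates[.]example"},
    {"type": "ip", "value": "203.0.113[.]45"},
    {"type": "sha256", "value": "A" * 64},
]

# Constructed records: timestamp, host, destination domain, destination IP, file hash.
LOGS = [
    "2024-05-01T10:00:00Z ws-17 cdn.bad-updates.example 198.51.100.7 -",
    "2024-05-01T10:02:11Z ws-22 intranet.example.org 203.0.113.45 -",
    "2024-05-01T10:05:42Z ws-17 files.example.net 198.51.100.9 " + "a" * 64,
    "2024-05-01T10:09:03Z ws-30 notbad-updates.example 198.51.100.8 -",
]

def refang(value):
    """Undo defanging and normalize case so comparisons are exact."""
    return value.replace("[.]", ".").strip().lower()

def load_feed(entries):
    """Build one normalized lookup set per indicator type."""
    iocs = {"domain": set(), "ip": set(), "sha256": set()}
    for entry in entries:
        if entry["type"] not in iocs:
            continue  # ignore indicator types this matcher does not handle
        value = refang(entry["value"])
        if entry["type"] == "ip":
            value = str(ipaddress.ip_address(value))  # canonical form, rejects junk
        iocs[entry["type"]].add(value)
    return iocs

def domain_hit(domain, bad_domains):
    """Match the indicator or any subdomain of it, on label boundaries only."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))

def hunt(lines, iocs):
    """Return (timestamp, host, indicator type, value) for every match."""
    hits = []
    for line in lines:
        ts, host, domain, ip, sha = line.split()
        if domain_hit(domain, iocs["domain"]):
            hits.append((ts, host, "domain", domain))
        if str(ipaddress.ip_address(ip)) in iocs["ip"]:
            hits.append((ts, host, "ip", ip))
        if sha.lower() in iocs["sha256"]:
            hits.append((ts, host, "sha256", sha.lower()))
    return hits

if __name__ == "__main__":
    for hit in hunt(LOGS, load_feed(FEED)):
        print(hit)
```

Running the same matcher over archived logs is how a feed helps surface past intrusions, while running it on live logs supports blocking.
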

Threat Intelligence Services by Check Point

Threat Intelligence services are delivered by a joint Check Point team from Infinity Global Services’ Assess pillar and the Check Point Research (CPR) organization. CPR is made up of over 150 researchers and analysts. This team also works closely with third parties, including other security vendors, various CERTs, and law enforcement.

CPR sources threat intelligence and other data from a variety of different locations. These include publicly accessible sources, Check Point’s ThreatCloud AI, external solutions and technologies provided by our service partners, and intelligence collected from the dark web.

Internally, the security team has created custom machine learning modules, reverse engineering, anomaly detection, and campaign hunting techniques that help companies keep pace with the evolving threat landscape.
