
What Is Cyber Threat Intelligence, And Why You Need It

Your organization needs to be aware of the cyber-risks it faces in order to build an efficient cyber-security strategy. Here’s how Threat Intelligence can help.

UNLOQ
Passwordless Security | UNLOQ
6 min read · Jan 19, 2017


In this new age of cyber-security, with its variety of solutions and expertise, it would be a shame not to use them to protect your company from a cyber-disaster.

How important is security to your business?

You might assume that your company is too small to become a target, but that would be wrong. About 43% of all cyber-attacks in 2015 targeted small businesses, 25% more than in 2011.

Regardless of your company’s size, it’s important that you have an effective cyber-security strategy in place, and this is only possible after becoming aware of your strengths and weaknesses, as well as the threats out there.

What is a threat?

We informally describe a threat as “a person or organisation that intends to cause harm.” More formally, a threat is “a malevolent actor, whether an organisation or an individual, with a specific political, social, or personal goal and some level of capability and intention to oppose an established government, a private organisation, or an accepted social norm” *

This understanding of threats is what is called “Threat Intelligence”. It allows organisations to go beyond merely collecting data about threats and to understand how that data affects the organisation. To be conclusive, it should be based on specific data points and past events.

The real challenge begins when the data is analyzed. If the business cannot extract actionable information on combating, responding to and mitigating threats, the Threat Intelligence effort was in vain.

What is Threat Intelligence (TI)?

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.**

Threat intelligence has been a buzz-term ever since 2013, as shown by the worldwide Google search volumes for the term, and there is no sign of it stopping.

Worldwide Google volumes for the terms “Threat Intelligence” and “Cyber Threat Intelligence” for the past 5 years:

Source: Google Trends

This is a beneficial trend for cyber-security, as it is advisable for companies of all sizes to be aware of the threats they are confronted with and to take action towards an efficient TI strategy.

Executives’ perception of Cyber Threat Intelligence is shifting from that of a luxury addition to that of a necessity. They have come to realize that attackers often have a better understanding of their business’ networks than they do.

In 2016, Sans.org surveyed businesses from different industries (the top 3 being Government, Banking and Finance, and Information Technology) and countries. One of their findings was that only 5.9% of the respondents said they don’t have a Threat Intelligence program in place. The majority stated that their CTI programs are in the process of maturing.

Maturity of CTI programs:

Source: Sans.org

Unfortunately, only 13.2% of the companies have a fully mature system.

Regarding the state of TI implementation, 34% of the survey respondents have a dedicated team for this purpose, 14% have a person in charge of CTI and 2.4% outsource this to a specialized consulting group.

Staffing Plans for Implementing and Using CTI

Source: Sans.org

On the other end of the spectrum, 21.8% only intend to train a current security employee specifically for this purpose. Unfortunately, a total of 10.7% are not looking to develop such a program, or have not decided yet.

What can Threat Intel do for companies?

The overarching purpose of implementing a threat intelligence program is to help businesses gain awareness of the threats and maximize security before an unwanted event occurs.

Taken individually, there are 6 main actions that a CTI program can perform for a company:

  • Prevent data loss

A well-functioning threat intelligence system can monitor attempts to communicate with known malicious IPs and domains and gather intelligence data from those attempts.
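As an added illustration of the monitoring described above (example code written for this edit, not UNLOQ’s or any vendor’s product), the following Python matches egress log lines against a small indicator list. The feed entries, log format and log lines are all constructed, using documentation IP ranges and a reserved .example domain rather than real indicators.

```python
import ipaddress
import re

# Constructed indicator feed (documentation-range values, not real IoCs), with per-entry context.
INDICATORS = {
    "ip": {"198.51.100.23": "feed-A: command-and-control node"},
    "cidr": {"203.0.113.0/24": "feed-B: hosting range used for malware drops"},
    "domain": {"bad-updates.example": "feed-A: malware distribution domain"},
}
# Constructed egress-proxy lines: "<timestamp> <internal host> -> <destination>[:port]"
SAMPLE_LOGS = [
    "2017-01-19T10:00:01Z 10.0.0.5 -> cdn.example.org:443",
    "2017-01-19T10:00:07Z 10.0.0.8 -> 198.51.100.23:8443",
    "2017-01-19T10:01:12Z 10.0.0.5 -> downloads.bad-updates.example:80",
    "2017-01-19T10:02:45Z 10.0.0.9 -> 203.0.113.77:443",
    "2017-01-19T10:03:00Z 10.0.0.9 -> notbad-updates.example:443",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^\s:]+)(?::(?P<port>\d+))?$")

def match_destination(dst):
    """Return the indicator context for a destination, or None if it is not listed."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a host name
    if addr is not None:
        if dst in INDICATORS["ip"]:
            return INDICATORS["ip"][dst]
        # CIDR indicators cover whole ranges, so test membership, not equality.
        for cidr, context in INDICATORS["cidr"].items():
            if addr in ipaddress.ip_network(cidr):
                return context
        return None
    host = dst.lower().rstrip(".")
    for domain, context in INDICATORS["domain"].items():
        # Subdomains match only on a label boundary: "notbad-updates.example" is not a hit.
        if host == domain or host.endswith("." + domain):
            return context
    return None

def scan_logs(lines):
    alerts = []  # (timestamp, source, destination, context) for every line hitting an indicator
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line; a real pipeline would count and report these
        context = match_destination(m["dst"])
        if context is not None:
            alerts.append((m["ts"], m["src"], m["dst"], context))
    return alerts
```

Running `scan_logs(SAMPLE_LOGS)` yields three alerts; the benign CDN host and the look-alike domain produce none.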

  • Detect breaches

The sooner a breach is detected, the smaller the impact is on the business. For example, enabling deep packet inspection together with network monitoring allows security analysts to detect viruses, intrusions, and protocol non-compliance.

  • Incident response

In the event of a breach, threat intelligence can provide the company with guidance on its magnitude and method of operation, and help identify the compromised systems.

  • Threat analysis

It’s not enough for a business to be able to detect threats if it doesn’t come to understand the attack patterns, and the hackers’ Tactics, Techniques and Procedures (TTPs). A threat analysis offers insights into the necessary defense mechanisms and other measures that may be required.

  • Data analysis

A thorough analysis of the data collected helps the organisation discover additional information regarding the threat, such as the attacker’s motives and the assets which are persistently attacked.

  • Threat intelligence sharing

By sharing threat information with other actors in the industry, organisations can become aware of other threats and TTPs.

Which are the sources of Threat Intelligence?

After an organization has decided to implement a TI program, it must first choose its sources of intelligence. These are basically of 2 kinds:

  • Internal

Internal TI is composed of information and data gathered from the organisation itself, allowing businesses to build a profile of their environment by sorting the information into meaningful categories.

By categorizing the incidents’ details, a security analyst or team is able to observe patterns and similarities among the attacks and malware families. This way the business can identify its weak points and set up the implementation priorities.

  • External

External threat intelligence is basically information that the company acquires from the outside environment. Some of the sources of external information are feeds (or data subscriptions), government, crowdsourced platforms and the industry.

Sans.org’s survey revealed that the majority (39.7%) of the businesses questioned have already purchased a tool that includes TI.

Use of Threat Intelligence Feeds

Source: Sans.org

On the other hand, 27.9% of respondents said that they are not currently using TI.

What are the steps in planning a CTI program?

The planning and preparation phase for establishing a Cyber Threat Intelligence program is crucial for its efficiency and relevance.

These are the initial steps in preparing a CTI program:

  1. Establish what the purpose of the TI data is, and who will be in charge of planning the CTI.
  2. After deciding upon the purpose of the TI, the organisation will then need to select the appropriate tools for data collection and aggregation. In addition to this, it will have to decide which data sources will be used (internal, external, both).
  3. The last step in planning a CTI program is setting the goals, as well as the methods for measuring progress. The goals can be grouped into short-term and long-term.

In the corporate environment, developing an efficient Cyber Threat Intelligence program is an important step towards ensuring a strong information security strategy.

CTI is most likely going to make its way into more organisations, despite their tight budgets and the time-consuming implementation process. There is no bullet-proof cyber-security strategy or risk management, but through continuous intelligence gathering and defense optimization, businesses can increase their protection.

* http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-065.pdf

** https://www.gartner.com/doc/2487216/definition-threat-intelligence

*** http://www.businessdictionary.com/definition/threat-analysis.html
