What Is Threat Intelligence?

Why Is Threat Intelligence Important?

In today’s growing, evolving threat landscape, threat intelligence serves a critical role in protecting organizations’ users, data, and reputations by helping them better understand and respond to potential threats. By understanding the IOCs and TTPs associated with emerging threats and vulnerabilities, organizations can put security alerts into context, enabling them to prioritize high-severity threats and prevent successful attacks.

Threat intelligence also helps organizations quantify risk in depth, which supports compliance, assessment, and reporting in line with GDPR, HIPAA, SEC rules, and other regulations. Moreover, it is a powerful tool for law enforcement and other threat hunters working to neutralize attacks or track down their perpetrators, contributing to a safer digital environment for everyone.

What Does Threat Intelligence Do?

With the right tools and expertise to aggregate, analyze, and correlate this data, organizations gain data-driven insights that can help them:

• Identify known and new threats and vulnerabilities that could put users, data, or infrastructure at risk
• Prioritize risks based on their severity and relevance to the organization
• Refine security measures to emphasize proactive defense based on warning signs of emerging threats
• Speed up incident response, remediation, and recovery to reduce the impact of a breach
• Attribute patterns of behavior and other IOC context to help identify threat actors and their motives
• Support regulatory compliance to protect organizations from fines and legal consequences

What Are the Types of Threat Intelligence?

Different types of threat intel help teams make different kinds of security decisions. Broadly speaking, you can categorize it by how it’s used:

• Strategic threat intelligence offers a high-level view of the threat landscape and threat actors’ motives and abilities to aid in long-term decision-making around a security program and spending. Example: Data about a nation-state actor targeting your industry.
• Tactical threat intelligence provides insight into specific attack vectors, IOCs, TTPs, and more to help incident response and security teams identify and mitigate present threats and ongoing attacks. Example: File hash of a new malware strain that spreads via phishing.
• Operational threat intelligence helps the security operations center (SOC) understand day-to-day risks—active threats, vulnerabilities, and ongoing attacks—to support real-time detection and response. Example: IP addresses involved in a DDoS attack on your organization.
• Technical threat intelligence constitutes detailed granular threat information to help security teams refine security policies and other countermeasures for more effective protection. Example: CVE and patch data for a specific software vulnerability.

Or you can categorize it by where it comes from:

• Open source intelligence is from public sources like threat feeds, blogs, forums, and repositories. Open source intel is often the “first on the scene,” but it’s important to validate that it comes from a trusted source.
• Closed source intelligence is from private or confidential sources (usually partners or service providers) and can be more thoroughly detailed than open source, but is often a paid product.
• Human intelligence is gathered from human sources through interviews, interrogations, or even surveillance and espionage. As such, it often includes the most direct insider details, but it can be difficult to obtain.

What Are Common Indicators of Compromise?

Collected from any number of intelligence sources, indicators of compromise (IOCs) are pieces of evidence that help identify and respond to potential breaches, giving analysts clues about the source of a cyberattack, its behavior, or its impact. Common IOCs include:

• IP addresses and domain names associated with known threat actors
• URLs associated with phishing or malware delivery
• Malware signatures and file hashes of malicious code
• Email addresses linked to phishing
• Registry keys added for storage and persistence
• Filenames and directories associated with malicious activity
• Anomalous or unauthorized login/access attempts
• Unusual network traffic patterns and spikes
• Deviations from typical user or system behavior
• Signs of data exfiltration or unusual data transfers
• Slow performance (e.g., unexpected CPU utilization and disk activity)
• Unusual running processes or services

Who Benefits from Threat Intelligence?

Threat intelligence benefits just about anybody who holds a stake in the protection of digital assets, sensitive data, or continuity of operations, giving them invaluable context to shore up security measures across:

• Organizations of all sizes across industries: Threat intel gives security teams actionable insight into how to build stronger defenses. Executives, board members, and other decision-makers can use it to help inform decisions about security investments, risk management, and compliance.
• Governments and law enforcement agencies: Threat information is vital in helping public sector organizations more efficiently respond to and halt threats to critical infrastructure, public safety, and national security.
• The cybersecurity industry and community: Cybersecurity vendors and practitioners—researchers, analysts, ethical hackers, and so on—can use threat intel to create more effective security solutions, study trends, refine countermeasures, and more, creating a feedback loop that strengthens the entire digital ecosystem.

What Is the Cyberthreat Intelligence Lifecycle?

The threat intelligence lifecycle is the epitome of the aforementioned feedback loop: a series of stages organizations must go through to make effective use of threat intelligence and—critically—to make more effective use of it in the future. The six stages are:

1. Direction: Stakeholders define the objectives, priorities, resource allocations, and overall scope of their threat intelligence program.
2. Data collection: The organization gathers data from paid or open source intelligence feeds, internal logs, human analysts, partners, etc.
3. Processing: Analysts and automated tools clean and normalize collected data, verify sources, and confirm its reliability to prepare it for analysis.
4. Analysis: Analysts and tools identify patterns, anomalies, and potential threats in the data, and then correlate the data to form actionable insights to help prioritize and mitigate critical risks.
5. Dissemination: Security teams report to stakeholders to share findings, alerts, and recommendations. Teams incorporate the threat intel into their tools and processes to improve real-time threat detection, prevention, and response.
6. Feedback: Organizations must continuously assess and refine their intelligence program, using feedback from incident response teams. Periodic reviews help keep objectives and priorities aligned with changes in the threat landscape and the organization itself.

What Are the Available Threat Intelligence Tools?

There are many tools on the market designed to help organizations collect, correlate, analyze, and execute on threat intelligence.

Collection and Aggregation

• Threat feed aggregators collect and consolidate data from open and/or closed source feeds
• Deception technologies (e.g., honeypots) bait attacks and collect data on how they behave
• Threat intelligence platforms (TIPs) collect, organize, and disseminate threat intel data from multiple sources to generate actionable insights

Correlation

• Threat intelligence feeds provide pre-correlated intelligence for quick consumption
• Security information and event management (SIEM) systems correlate threat data with network events
• Extended detection and response (XDR) platforms correlate data from disparate sources (e.g., network telemetry, endpoint events, IAM, email, productivity suites)
• Security orchestration, automation, and response (SOAR) platforms automate response actions based on correlated intel

Analysis

• Threat analysis tools, supported by AI and ML, analyze data to pinpoint patterns and trends
• Threat intelligence sharing platforms facilitate collaborative analysis among organizations
• Sandboxes analyze and execute suspicious files and URLs in isolated environments

Execution

• Intrusion detection and prevention systems (IDS/IPS) block or alert on malicious activities based on threat data
• Policy management tools update policies in firewalls, proxies, and more based on known malicious IP addresses, domains, signatures, etc.
• Endpoint detection and response (EDR) solutions quarantine or remediate compromised endpoints
• Threat hunting tools support proactive threat hunting based on gathered intelligence

How Does Machine Learning Improve Threat Intelligence?

For the most part, machine learning (ML) improves threat intelligence the same way it improves anything else: by operating at a speed, scale, and level of 24/7 availability that human operators can’t match. Today’s advanced ML models are trained on massive data sets that make them exceptional tools for finding patterns, behavioral anomalies, correlations, and other complexities with a very low rate of false positives.

Because ML tools readily take on the more burdensome, tedious work of threat intelligence, they leave human analysts more free to take on projects that require creative thinking and understanding of human behavior, context, and motivation. Ultimately, they’re better together

Threat Intelligence Use Cases

Threat intelligence is one of the most powerful, versatile tools in a security team’s toolbox, able to support better protection, response, and overall security posture.

Threat Detection, Prevention, and Response

Threat intel helps security teams proactively identify and mitigate threats, using IOCs to detect malicious activity, refine policies, and bolster defenses. It also strengthens incident response by giving investigation and threat hunting teams timely, accurate data to help identify signs of compromise, lateral movement, and hidden threats.

Vulnerability Management and Risk Assessment

Threat intel can help organizations prioritize vulnerability patching based on risk, as well as gain insight into their overall cyber risk posture to gauge the potential impact of emerging threats. It's also invaluable in assessing and monitoring the security posture of third-party vendors and suppliers to understand and mitigate security risks in the supply chain.

Threat Intelligence Sharing and Decision-Making

Collaboration among industries and governments is key to stay ahead of cyberthreats. Sharing intelligence about emerging threats, tactics, and vulnerabilities strengthens our collective defenses and helps stakeholders make the right strategic decisions for both security and their organizations’ objectives.

Zscaler's Role in Threat Intelligence

The Zscaler ThreatLabz threat intelligence and security research team analyzes 500 trillion data points from the world’s largest security cloud, and blocks 9 billion threats per day. The team tracks the most advanced nation-state and cybercrime threat actors and their TTPs to discern emerging attacks and trends.

ThreatLabz researchers have discovered dozens of zero-day vulnerabilities in popular applications and worked with the vendors to address the underlying issues. ThreatLabz has also developed a proprietary malware automation platform, integrated with the Zscaler cloud, that can identify and extract threat intelligence indicators to protect our customers at scale.