Threat intelligence, or cyber threat intelligence, helps an organization better understand threats. In turn, it helps leaders make better-informed decisions, especially during attacks.
Threat Intelligence
Threat intelligence is a multidisciplinary field that aims to provide organizations with a better understanding of their adversaries’ tactics, techniques, and procedures, and ultimately their intentions.
To understand threat intelligence is to understand that not all threats are alike. They can be grouped into classes.
Threat intelligence products or services can be used in different ways depending on the organization’s preferences.
Why It is Important to Organizations
Organizations must be able to identify and understand cyber threats. One way is to obtain threat intelligence. This is important because it enables organizations to:
Many organizations do not have the resources to acquire and manage large pools of data. This is where external solutions can play a role. External solutions offer the ability to obtain, consolidate, and analyze threat data from various sources. They can also help organizations produce their own threat offerings, which can be used by other organizations as well as for their own protection.
Security vendors, who are familiar with the security market, are often able to produce more accurate products. Their solutions can combine knowledge about security threats with market research about customer needs. Security vendors use this information to improve their products and services.
External Threat Intelligence Vendors
Vendors offering external services are typically divided into two groups: those that provide intelligence feeds or aggregated reports, and those that provide software or managed services based on these feeds or reports.
Aggregated Reports
The first group of vendors offers “threat intelligence as a service”, which means they collect data from public sources, then aggregate the data into reports before making them available for sale or rent on a subscription basis.
A typical vendor in this category might have analysts scouring the Internet for information on new viruses, hacker groups, phishing attacks, malware files, etc., then analyzing them and writing reports about them. The vendor then sells access to these reports for a monthly fee.
Added Value
Some vendors in this category offer added-value services or products on top of their report feeds. They might aggregate the same information into custom-made security briefings, which they sell for a higher price per report than they charge for access to their standard feeds. They might also provide consulting services, or help customers integrate the vendor's products with the customers' own, and so on. It all depends on each vendor’s strategy and business model.
Database of Threats
The second group of vendors also offers “threat intelligence as a service”, but differs from the previous group by providing customers with custom-made databases of threats instead of aggregated reports about threats. These vendors typically offer products based on open source intelligence APIs (e.g., VirusTotal) or commercial sources (e.g., information collected by honeypots).
Conclusion
Threat intelligence is a multidisciplinary field that aims to provide organizations with a better understanding of their adversaries’ tactics, techniques, and procedures, and ultimately their intentions. These products or services can also be useful in different ways depending on the organization’s preferences.