Threat Intelligence: The CISO's Guide

Threat intelligence is an organisation’s best tool to move from a reactive to a proactive cybersecurity posture. By gathering and analysing information about potential and current threats, you can better understand the risks your organisation faces and take steps to mitigate them.

In this article, we’ll explain what threat intelligence is and how it can benefit your organisation. We'll also provide some tips on how to get started with a threat intelligence program and where to find quality intelligence sources.

By the end of this article, you should have a good understanding of how threat intelligence can help you to keep your organisation safe against emerging threats in your industry.

What is threat intelligence?

“Threat intelligence” or “Threat intel” describes the collection and analysis of information about potential or current threats to an organisation's security.

Threat intel can include details about the tactics, techniques, and procedures used by attackers, as well as information about the tools and infrastructure they use. It’s typically gathered from a variety of sources, including security researchers, government agencies, and private intelligence firms.

Why is threat intelligence important?

Threat intelligence benefits organisations by helping them to prioritise their cybersecurity efforts. By understanding the types of threats they are most likely to face, organisations can focus their resources on defending against the most critical threats first.

Threat intelligence can also help SOC teams to be more proactive. By staying up-to-date on the latest threats, organisations can anticipate potential attacks and take steps to prevent them before they happen. In some cases, threat intelligence can even be used to automatically prevent certain types of attacks, such as automatically blocklisting an IP address associated with phishing activity.

How to get started with threat intelligence?

According to John Hubbard of the SANS Institute, there are three main things your organisation needs to get started with threat intelligence:

  1. You must know your threat intelligence requirements. For example, what questions is your organisation trying to answer with threat intelligence? Having clear requirements prevents your organisation from aimlessly collecting data. Good starting questions include: Which threat groups are most likely to target our organisation? What TTPs are they most likely to use against us?
  2. You must have a threat model. Threat modelling involves trying to predict what attackers might try to do to your organisation before an attack occurs. For example, if you have sensitive customer data secured behind an authenticated REST API endpoint, your REST API could be a potential high-value target for attackers. Having a threat model allows you to proactively defend against likely threats.
  3. You must have a threat intel platform you can use to manage your collected data. Data collection, correlation and analysis lie at the heart of an effective threat intelligence program. Luckily, there are sophisticated open source tools like MISP to help your SOC team collect, structure, store, correlate, and analyse this data. It’s important to note that threat intel involves a combination of automated and human efforts. It’s impossible to run an effective threat intel program without expert human analysts to translate threat intelligence into real-world actions.

What are the different types of threat intelligence?

Threat intelligence ranges from extremely broad to incredibly granular. The varying specificity of threat intel represents one of the main challenges involved with working in this space. Most threat intel falls into one of three categories:

  1. Strategic. Strategic threat intel includes broad-strokes information about threat actors, geopolitical motives, types of attacks, and over-arching goals. An example of strategic threat intel could include an FBI report on a Russian state-sponsored APT targeting US government infrastructure. Strategic threat intel is of particular interest to high-level policy-makers and decision-makers such as CISOs.
  2. Operational. Operational threat intel delves into the Tactics, Techniques and Procedures (TTPs) used by threat actors. In the context of the Russian state-sponsored APT example above, operational threat intel might include compiled info on the specific techniques they’ve used across previous attacks. Operational threat intel is typically a focus at the SOC level, since it can be used to drive team priorities and decision-making.
  3. Tactical. Tactical threat intel includes atomic bits of information like hash values, IPs, and domains (often referred to as “IOCs” or Indicators of Compromise). This type of threat intel is so granular that it’s typically of more use to machines than humans. Ideally, SOC teams will create machine-to-machine feeds to automatically push tactical threat intel into their security infrastructure, such as firewalls. In the context of the Russian state-sponsored APT example we’ve been using, tactical threat intel might include a domain associated with attacks by this group.

Threat Intelligence Examples

To bring these concepts to life, here are some examples of different types of threat intelligence.

The first example below shows threat intelligence at the highest, or “strategic”, level. It provides a high-level overview of an emerging threat (in this case, a Russian state-sponsored APT).

A tell-tale sign that threat intel sits at the strategic level is that it focuses mainly on the “who” and “why” rather than the “how” and “what”.

Strategic Threat Intelligence Example

This report from CISA is an example of strategic threat intelligence.

Operational Threat Intelligence Example

Operational threat intelligence dives into the “operations” of threat actors, such as the specific TTPs they’ve used.

An example of this kind of threat intelligence is leaked internal chat logs from a threat group. For example, in February 2022 a Ukrainian security researcher published leaked chat logs from the ransomware group Conti. In the logs, the group discusses victim bots infected with malware. Because this threat intelligence delves primarily into the “what” and the “how” of the threat group, it is operational threat intelligence.

Ransomware gang chat logs translated and shared by BleepingComputer, an example of operational threat intelligence.

Tactical Threat Intelligence Example

Tactical threat intelligence is the most fine-grained level of threat intelligence, consisting mainly of IOCs (Indicators of Compromise). This kind of intelligence is particularly useful for feeding into your automated systems using something like MISP.

Examples of tactical threat intelligence/IOCs are things like hashes, IP addresses, domains and port numbers.

An example of tactical threat intelligence / IOCs shared by Avertium.
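To show why tactical intel is "of more use to machines than humans" (as described under the three types above and in this section), here is an added example, not from the original article or from any vendor mentioned in it: it classifies atomic IOCs from a constructed feed by type, routes each type to the control that can enforce it automatically, and matches the feed against constructed log lines. The feed values, the control mapping and the log format are all assumptions made for this illustration.

```python
import re
# Constructed tactical-intel feed (IOC -> context label). Values are made up for this
# example (RFC 5737 address, reserved example domain, MD5 of an empty file).
IOC_FEED = {
    "198.51.100.23": "phishing-infra",
    "bad-login.example": "phishing-domain",
    "d41d8cd98f00b204e9800998ecf8427e": "sample-md5",
}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")
# Hypothetical mapping: which control can consume each IOC type automatically.
CONTROL_FOR_TYPE = {"ipv4": "firewall", "domain": "dns-sinkhole", "md5": "edr-hash-blocklist",
                    "sha1": "edr-hash-blocklist", "sha256": "edr-hash-blocklist"}

def classify_ioc(value):
    """Return the atomic IOC type: md5/sha1/sha256, ipv4, domain, or unknown."""
    v = value.strip()
    if HASH_RE.match(v):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(v)]
    if IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ipv4"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"

def route_by_control(feed):
    """Group feed IOCs by the control that can enforce them; unknowns go to an analyst."""
    routed = {}
    for ioc in feed:
        control = CONTROL_FOR_TYPE.get(classify_ioc(ioc), "analyst-review")
        routed.setdefault(control, []).append(ioc)
    return routed

def match_logs(log_lines, feed):
    """Return (line_no, ioc, label) for every log line that contains a feed IOC."""
    lookup = {k.lower(): v for k, v in feed.items()}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN_RE.findall(line):
            if tok.lower() in lookup:
                hits.append((n, tok.lower(), lookup[tok.lower()]))
    return hits
SAMPLE_LOGS = [  # constructed log lines to run the feed against
    "2024-01-01T10:00:00Z proxy user=alice dst=bad-login.example status=200",
    "2024-01-01T10:00:05Z fw src=198.51.100.23 dst=10.0.0.5 action=allow",
    "2024-01-01T10:01:00Z av file=report.docx md5=d41d8cd98f00b204e9800998ecf8427e",
    "2024-01-01T10:02:00Z proxy user=bob dst=intranet.example status=200",
]
```

Running `match_logs(SAMPLE_LOGS, IOC_FEED)` flags the first three lines and leaves the fourth alone; `route_by_control` is the step a MISP-style feed consumer would take before pushing each IOC type to the right control.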