What is Threat Intelligence?
Threat intelligence is information about the activity taking place inside an organisational environment that might result in attacks against that environment (presently or at some point in the future). Further, other forms of threat intelligence can provide visibility on external threats that may at some point in the future impact an organisation.
This intelligence often includes context, mechanisms, indicators, implications and actionable advice about existing and emerging threats and/or hazards to IT or information assets.
As most readers would be aware, in the majority of cases organisations have little or no control over threats. However, awareness of the existing and emerging threats to a business forewarns organisations, allowing them to avoid threats entirely and/or to proactively develop defence and detection mechanisms (where avoidance or risk acceptance of the threats is not possible).
Internal Threat Intelligence Capabilities
The ability to gather advanced threat intelligence requires the use of human-sourced and technically sourced intelligence, gathered across multiple geographic regions, and sometimes through either covert activity or engagement with potentially malicious or secretive groups.
For the vast majority of organisations, in-house threat intelligence capabilities are limited or not available at all (because of resourcing, budgets and overall operational team capabilities). However, a lack of internal capability naturally doesn’t reduce an organisation’s overall risk from current or emerging threats. In these cases, businesses can leverage threat intelligence supplied by third-party providers and vendors.
Types of Threat Intelligence
Threat intelligence is available from a number of sources outside of the intelligence generated within an organisation. Although this is not an exhaustive list, threat intelligence can be supplied by a number of parties, including commercial providers, government bodies, open source threat intelligence and user-led intelligence sharing platforms.
Threat Intelligence is available from a number of Government bodies, such as Australian Cyber Emergency Response Team (AusCERT), U.S. Computer Emergency Readiness Team (US-CERT) and the SANS Internet Storm Center.
Open source options, such as the Open Threat Exchange and IBM’s X-Force platform, provide publicly available feeds. These are often sponsored by a vendor but made publicly available.
End User and Industry led sharing
A number of end-user (industry) led threat intelligence sharing platforms have arisen in recent years. One such example is the Financial Services Information Sharing and Analysis Center (FS-ISAC). These ISAC options can provide similar outcomes to commercial threat intelligence options at a cheaper or comparable price point. Such options fall into three generic categories:
- Public — Open to any organization or individual that wants to join (and contribute).
- Organisations and industry-led — ISACs are the best example of an industry, such as finance, that supports the creation of specialized capabilities that work to secure and reduce cyber risks in their industry verticals.
- Private — Often invite-only and are not known to the public. These are private sharing platforms sharing information behind closed doors.
Consumption of Threat Intelligence
At present, most organisations use threat intelligence by integrating it into detection-oriented security solutions, such as SIEM. The addition provides more contextual information for individual events and addresses ever-increasing alert fatigue.
Advanced intelligence programs deliver shared intelligence to firewalls, intrusion detection and prevention systems (IDPS), or endpoint detection and response (EDR) solutions to enhance network detection or blocking of potential indicators of compromise.
When looking to consume a Threat Intelligence platform, be sure that your organisation is capable of acting upon the volume of intelligence supplied.
Threat intelligence can support an organisation in a number of facets across cybersecurity and risk, and can support decision-making functions across various roles, including security teams (SOC, vulnerability management personnel and the CISO), technology and infrastructure leaders, as well as the Board.
Such intelligence can be utilised within a business to provide proactive mitigation in the form of information on threat actors and to provide visibility of digital risk through the monitoring of open and dark web information.
How can Secure-ISS assist?
Secure-ISS assist and lead organisations to fully leverage and operationalise threat intelligence across their businesses.
For those looking to start their journey with Threat Intelligence, Secure-ISS can assist your organisation in the assessment, implementation and integration of a Threat Intelligence Platform (TIP).
For organisations that already have Threat Intelligence, Secure-ISS can assist in building out the maturity of your Threat Intelligence Practice.
If your internal capability is not resourced to make the most of a Threat Intelligence Platform or feed, Secure-ISS offer a number of Managed Security Services (which include various Threat Intelligence feeds and suppliers) to reduce your organisation’s threat surface and overall business risks.