The term “threat intelligence” has become somewhat of a buzzword in the infosec industry, but for good reason. Threat intelligence, when applied properly, is a game-changer for businesses as they move from chasing the bad guys to learning who they are and how they’re operating before disaster strikes.
Threat intelligence as a practice is not new—it has been used in military operations for quite some time—but within the confines of information security, it’s a new way of thinking and operating. Security and operations teams have been collecting data and information for many years and using it to track incidents, anomalies, vulnerabilities, etc. Information and data, however, should not be confused with “intelligence.”
“Intelligence” is more than simply collecting and identifying technical details. For information to evolve into intelligence, a combination of automated and human processing must take place, giving the information context, making it useful to the business, and enabling decision-making. In addition, the information must be accurate and timely so organizations can act swiftly and appropriately to protect systems and individuals before they become the victims of a cyber attack.
A threat intelligence program operates independently from an infosec program but informs it, as well as other areas of the business. For this reason, threat analysts should not double as other security functions. A threat analyst will be experienced in data analysis and have the ability to draw conclusions from the aggregation of seemingly disparate pieces of information taken from multiple sources. He or she can look across datasets and indicators and identify when threats are imminent, what types of actors may be at play, the techniques that may be used during an attack, the motivations behind an attack, the origin of an attack or how it might pivot, and much more. A threat analyst also needs to be able to communicate clearly and in the terms of his or her consumers (i.e., lines of business) so that the business can make timely decisions on proactive measures.
The need for threat intelligence and threat analysts is becoming even more critical as organizations are forced to defend against a greater number of threats; as technology, and organizational use of consumer-developed technology, grows; as more and more critical information is created, stored, and Internet-connected; and as dissident individuals or standalone groups become less of the problem than organized, funded, and skilled threat actors.