Threat Intelligence’s Role in Cybersecurity


In April 2024, the Cybersecurity and Infrastructure Security Agency (CISA) warned customers of the data analytics company Sisense to reset their credentials and watch for suspicious activity. Determining from data and observation that an immediate threat existed, and then drawing the broader conclusion that supply-chain attacks are increasing, is threat intelligence in action.

Threat intelligence allows organizations and cybersecurity teams, in this instance a major vendor and its hundreds of customers, to make vital decisions that protect them from imminent threats and shape long-term strategies to harden their security posture.

Robust protection starts with knowledge and, increasingly, that knowledge is coming in the form of vetted threat intelligence. 

What Is Threat Intelligence in Cybersecurity? 

Threat intelligence, also called cyber threat intelligence, is data that has been collected, analyzed, interpreted, and enriched to help organizations make short-term and long-term cybersecurity decisions. 

Threat intelligence helps an organization understand the current risk landscape, how a specific risk applies to their environment, and provides security and operational insights.  

Threat intelligence comes in three main forms: 

  • Strategic threat intelligence. Strategic threat intelligence focuses on broad trends and is most applicable to a non-technical audience. It is high-level and informs long-term decision making. An example of strategic threat intelligence would be the annual cost of certain kinds of cyber attacks.
  • Tactical threat intelligence. Tactical threat intelligence focuses on threat actor tactics, techniques, and procedures (TTPs), and is geared toward a more technical audience, such as internal IT departments. An example of tactical threat intelligence would be when and how threat actors employ social engineering for initial access.
  • Operational threat intelligence. Operational threat intelligence focuses on the technical details of specific threats and cyber attacks, and supports short-term decision making. Zero-day vulnerabilities, or newly disclosed vulnerabilities that are actively being exploited in the wild, are examples of operational threat intelligence.

In practice, threat intelligence can take many shapes. It could be data showing how threat actors are targeting certain industries, such as the continued rise of business email compromise (BEC) attacks on the manufacturing industry, which TTPs threat actors currently prefer, which vulnerabilities have been exploited in the wild, or even behavioral changes over time by both cybercriminals and cybersecurity professionals.

Threat intelligence can be found in cybersecurity community forums, within organizations’ security logs, feeds from security teams, and through researchers who share information as it becomes available. 


The Dark Web and Threat Intelligence 

The dark web, where threat actors share tips, release exfiltrated data, and operate cybercrime schemes such as ransomware-as-a-service (RaaS) networks, is vital for organizations and researchers gathering threat intelligence.

Through hidden forums, marketplaces, and ransomware group leak sites, researchers can uncover TTPs, trends, and attack data that can help organizations make security decisions and enhance their cybersecurity strategy. 

For example, by analyzing which organizations and industries show up on ransomware group leak sites, Arctic Wolf was able to draw conclusions about ransomware trends and share that information so that organizations in the affected industries can harden their environments against that threat.

What Is the Threat Intelligence Lifecycle? 

Moving from raw, unfiltered threat data to actionable insight follows a repeatable lifecycle consisting of four stages.

Those stages are: 

  1. Set data requirements   
  2. Gather data as needed  
  3. Refine and analyze data into actionable threat intelligence reports    
  4. Act upon threat intelligence reports and modify operations as needed 

Those steps often run in parallel and repeat continuously as new data appears. Data requirements may change based on what data is gathered, and new data may be required as current data is analyzed. Because threat actors are always adapting, new threat intelligence is constantly required for organizations to stay one step ahead. The lifecycle, and how the raw data is approached, also depend on what an organization needs to learn.

In the above example, Arctic Wolf wanted to know which industries were most targeted by ransomware. Following the lifecycle, Arctic Wolf set the data requirement as "industries that appear on top leak sites during 2023," scoured the dark web for known leak sites and gathered as much information on recent ransomware attacks as possible, sorted that data by industry, and finally presented the result as strategic threat intelligence that can be absorbed by both the C-suite and IT practitioners.

The threat intelligence lifecycle has four stages that are often occurring in parallel.
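The lifecycle above, and the leak-site example that illustrates it, can be run as code. The following is an added example and not Arctic Wolf's own tooling: it takes a constructed set of leak-site posts (hypothetical victims, group names, and field layout are all assumptions made for this example), applies a stated data requirement, refines the raw posts by normalizing and deduplicating them, analyzes them into an industry ranking, and turns the ranking into actions. The deduplication step matters in practice because the same victim is frequently mirrored on several sites or posted twice by one group, which inflates counts if left uncorrected.

```python
"""Four-stage threat intelligence lifecycle run over constructed leak-site data.

Added example, not Arctic Wolf code. The posts below are invented for
illustration; scraping real leak sites is out of scope here.
"""
from collections import Counter, defaultdict
from datetime import date

# Stage 1: set data requirements. These state what we want to learn and double
# as the filter applied to whatever raw data is gathered.
REQUIREMENTS = {
    "year": 2023,                 # "industries on leak sites during 2023"
    "min_posts_per_industry": 2,  # ignore one-off observations
}

# Stage 2: gather data. Constructed sample of leak-site posts (hypothetical
# victims and groups; the field layout is an assumption for this example).
RAW_POSTS = [
    {"group": "groupA", "victim": "Acme Metalworks", "industry": "Manufacturing", "posted": "2023-02-14"},
    {"group": "groupA", "victim": "Acme Metalworks", "industry": "manufacturing", "posted": "2023-02-14"},  # mirrored duplicate
    {"group": "groupB", "victim": "Northside Clinic", "industry": "Healthcare", "posted": "2023-05-02"},
    {"group": "groupB", "victim": "Bolt & Gear Ltd", "industry": "Manufacturing ", "posted": "2023-07-19"},
    {"group": "groupC", "victim": "Ridgeline Schools", "industry": "Education", "posted": "2023-09-30"},
    {"group": "groupA", "victim": "Harbor Freight Lines", "industry": "Transportation", "posted": "2022-12-28"},  # wrong year
    {"group": "groupC", "victim": "Pine County Hospital", "industry": "Healthcare", "posted": "2023-11-11"},
    {"group": "groupD", "victim": "Summit Plastics", "industry": "MANUFACTURING", "posted": "2023-12-01"},
]


def normalize(post):
    """Stage 3a: refine. Normalize free-text fields so the same victim or
    industry spelled differently is counted once."""
    return {
        "group": post["group"].strip().lower(),
        "victim": " ".join(post["victim"].split()).lower(),
        "industry": post["industry"].strip().title(),
        "posted": date.fromisoformat(post["posted"]),
    }


def refine(raw_posts, requirements):
    """Stage 3b: apply the requirement and deduplicate (victim, group) pairs.
    Returns the cleaned list of in-scope posts."""
    seen = set()
    kept = []
    for post in map(normalize, raw_posts):
        if post["posted"].year != requirements["year"]:
            continue
        key = (post["victim"], post["group"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(post)
    return kept


def analyze(posts, requirements):
    """Stage 3c: turn cleaned posts into the report the requirement asked for:
    victims per industry, and which groups are hitting each industry."""
    by_industry = Counter(p["industry"] for p in posts)
    groups_by_industry = defaultdict(set)
    for p in posts:
        groups_by_industry[p["industry"]].add(p["group"])
    report = []
    for industry, count in by_industry.most_common():
        if count < requirements["min_posts_per_industry"]:
            continue
        report.append({"industry": industry, "victims": count,
                       "groups": sorted(groups_by_industry[industry])})
    return report


def act(report):
    """Stage 4: translate the report into actions. A simple rule for the
    example: the top-ranked industry gets a hardening recommendation, the rest
    a monitoring note. The wording is an assumption, not a real playbook."""
    actions = {}
    for rank, row in enumerate(report):
        if rank == 0:
            actions[row["industry"]] = ("priority: review backup isolation and MFA; "
                                        f"groups active: {', '.join(row['groups'])}")
        else:
            actions[row["industry"]] = "monitor: add leak-site group names to watchlist"
    return actions


def run_lifecycle(raw_posts=RAW_POSTS, requirements=REQUIREMENTS):
    """Run all four stages and return (report, actions)."""
    cleaned = refine(raw_posts, requirements)
    report = analyze(cleaned, requirements)
    return report, act(report)


if __name__ == "__main__":
    report, actions = run_lifecycle()
    for row in report:
        print(f"{row['industry']:<15} {row['victims']} victims  groups={row['groups']}")
    for industry, action in actions.items():
        print(f"{industry}: {action}")
```

On the constructed data, the duplicate Acme post collapses to one victim and the 2022 post is dropped, leaving Manufacturing with three victims across three groups and Healthcare with two; Education falls below the minimum and is not reported. Changing REQUIREMENTS is the feedback loop the section describes: a new question re-filters the same gathered data without re-collecting it.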

Why Is Threat Intelligence Important? 

Without threat intelligence, even the most basic kind, organizations would have little basis for deciding how to protect themselves against imminent threats, or even what those threats look like. It is threat intelligence that tells us how ransomware is evolving, which ransomware groups are most active, how common phishing is, and why threat actors are targeting credentials at an alarming rate.

In short, threat intelligence: 

  • Allows for collaboration and knowledge sharing 
  • Minimizes cyber risk for organizations 
  • Enhances cybersecurity efficiencies 
  • Allows for deeper analysis of specific events and wider trends 

That knowledge, in all its shapes and forms, puts organizations in a position to take a proactive approach to their cybersecurity. Being stuck in a cycle of reacting to threats not only weakens your organization’s defenses over time but takes away vital resources that could be used to harden your environment against the threats of tomorrow.

Fully refined threat intelligence allows organizations to tailor their security efforts in ways that best serve their business and security needs while disrupting threat patterns and achieving their goals. For example, certain industries are prone to specific kinds of attacks, such as ransomware against manufacturing or social engineering against government organizations. Knowing this allows your organization to better direct budget, resources, and technology, and to know which anomalies to look for within your environment on a day-to-day basis.

How Arctic Wolf Utilizes Threat Intelligence 

Threat intelligence is a major factor in how Arctic Wolf protects organizations around the globe. The Arctic Wolf® Security Operations Platform takes in and analyzes five trillion security events a week. Parsing that data lets individual customers detect and respond to events faster and more accurately, but our security engineers also look for patterns across it and apply them to all our customers, creating a network effect in which every organization benefits from the intelligence gathered across the whole customer base. For example, if our security engineers see the same intrusion attempt spreading across organizations, they use that intelligence to alert other organizations that it may be coming their way.
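The network effect described above reduces to a correlation rule: an indicator observed attacking several unrelated customers within a short window is promoted to shared intelligence and pushed to the customers that have not seen it yet. The following is an added example written for this page, not the Arctic Wolf platform's code. The event layout, the tenant names, the 48-hour window and the three-tenant threshold are all assumptions; the source addresses are RFC 5737 documentation addresses so the sample runs offline without referring to any real host.

```python
"""Cross-customer indicator promotion (added example, not Arctic Wolf code).

Simulates the "network effect": a source IP seen in credential attacks against
several distinct tenants inside a time window is promoted to shared intelligence
and the tenants that have not seen it yet are alerted.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Tenant names are hypothetical; the IPs are RFC 5737
# documentation addresses, so nothing here refers to a real host.
SAMPLE_EVENTS = [
    {"tenant": "t1", "ts": "2024-04-02T09:00:00", "src_ip": "198.51.100.7", "action": "login_failed", "target": "vpn"},
    {"tenant": "t1", "ts": "2024-04-02T09:00:05", "src_ip": "198.51.100.7", "action": "login_failed", "target": "vpn"},
    {"tenant": "t2", "ts": "2024-04-02T09:20:00", "src_ip": "198.51.100.7", "action": "login_failed", "target": "vpn"},
    {"tenant": "t3", "ts": "2024-04-02T10:05:00", "src_ip": "198.51.100.7", "action": "login_failed", "target": "owa"},
    {"tenant": "t2", "ts": "2024-04-02T11:00:00", "src_ip": "203.0.113.44", "action": "login_failed", "target": "vpn"},
    {"tenant": "t4", "ts": "2024-04-01T08:00:00", "src_ip": "192.0.2.10", "action": "login_failed", "target": "vpn"},
    {"tenant": "t1", "ts": "2024-03-20T08:00:00", "src_ip": "192.0.2.10", "action": "login_failed", "target": "vpn"},  # too old
]

# Every tenant the platform protects, including ones with no events yet.
ALL_TENANTS = {"t1", "t2", "t3", "t4", "t5"}


def promote_indicators(events, now, window=timedelta(hours=48), min_tenants=3):
    """Return {src_ip: sorted tenant list} for source IPs seen in at least
    `min_tenants` distinct tenants within the window ending at `now`.
    Counting distinct tenants, not raw events, is what stops one noisy
    customer from promoting an indicator on its own."""
    tenants_by_ip = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if ts > now or now - ts > window:
            continue
        tenants_by_ip[e["src_ip"]].add(e["tenant"])
    return {ip: sorted(t) for ip, t in tenants_by_ip.items() if len(t) >= min_tenants}


def build_alerts(promoted, all_tenants):
    """Act on the promoted indicators: notify only the tenants that have NOT
    yet observed the indicator, since the others already have their own alert."""
    alerts = {}
    for ip, seen_in in promoted.items():
        for tenant in sorted(all_tenants - set(seen_in)):
            alerts.setdefault(tenant, []).append(
                f"watch/block {ip}: credential attacks observed at {len(seen_in)} other customers")
    return alerts


def run_example(now_iso="2024-04-02T12:00:00", min_tenants=3):
    """Run promotion and alerting over the sample data; returns (promoted, alerts)."""
    now = datetime.fromisoformat(now_iso)
    promoted = promote_indicators(SAMPLE_EVENTS, now, min_tenants=min_tenants)
    return promoted, build_alerts(promoted, ALL_TENANTS)


if __name__ == "__main__":
    promoted, alerts = run_example()
    for ip, tenants in promoted.items():
        print(f"promoted {ip}: seen at {tenants}")
    for tenant, msgs in alerts.items():
        for m in msgs:
            print(f"{tenant}: {m}")
```

With the sample data only 198.51.100.7 crosses the threshold (three tenants inside the window); 203.0.113.44 is seen at one tenant, and 192.0.2.10 is seen at two tenants but one of those observations is outside the window, so it is not promoted. The two tenants that never saw 198.51.100.7 are the ones alerted, which is the forward-looking warning the paragraph describes.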

Additionally, because Arctic Wolf® Managed Risk helps organizations detect, prioritize, and remediate critical vulnerabilities, our internal teams are always gathering new data on vulnerabilities and sharing it with our customers and broader security community. These regular updates can be found in our Security Bulletins. 

Because threat intelligence is at its best when it has been refined and analyzed, our Arctic Wolf Labs team consistently takes an aerial view of what is happening in the world of cybersecurity and cybercrime, offering its insights in the form of reports. Our latest is the 2024 Arctic Wolf Labs Threat Report.


Explore current security and cybercrime trends in-depth with our 2024 Trends Report.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.