What Is Threat Intelligence?

Threat intelligence, or cyber threat intelligence (CTI), is the discipline of collecting, analyzing, and disseminating information about current and emerging threats to the digital security of organizations and individuals. It provides insight into the entire cybersecurity threat landscape, including ransomware, malware, phishing attacks, advanced persistent threats (APTs), denial-of-service attacks, software exploits and vulnerabilities, insider threats, zero-day exploits, supply chain attacks, and botnets.

Threat intelligence is a critical part of efforts to reduce the attack surface and deploy multilayered cybersecurity defenses. It helps organizations understand the risks they face and helps security teams anticipate, identify, and mitigate cyberattacks before they occur.

Where does threat intelligence come from?

Threat intelligence is based on information gathered from a variety of sources.

  • Open-source intelligence (OSINT) is publicly available data that can be used to identify emerging threats.
  • Dark web forums and sites are where threat actors buy and sell data, code, and tools for cyberattacks, and discuss upcoming exploits. Monitoring these sites can help organizations identify what threats they may face next.
  • Social media sites on the surface web are also a fruitful source for monitoring the activity of threat actors.
  • Indicators of compromise (IOCs) are things like malicious URLs, IP addresses, and malware signatures that can inform security solutions about what to look for when monitoring traffic and activity.
  • Incident reports and logs provide insight into past attacks, potential vulnerabilities, and possible suspicious activity.

Once raw data collection for threat intelligence is completed, information is analyzed by cybersecurity experts who leverage machine learning and automation to make sure it’s both relevant and actionable. This process is critical to identifying actual threats and discarding false positives that can distract security teams and contribute to alert fatigue. After analyzing the context of threats and the credibility and reliability of information, threat intelligence is ready to be disseminated to organizations and security teams to inform decision-making and cybersecurity strategies.

What is the importance of threat intelligence?

Cyberattacks can cripple an organization’s operations, damage its reputation, hinder productivity, leak critical intellectual property, and result in the loss of business opportunities as well as millions of dollars. Threat intelligence plays a critical role in fending off cyberthreats.

  • Proactive security posture: Threat intelligence helps organizations maintain strong threat management programs and a proactive security posture. It helps teams improve DNS security, enhance ransomware protection, prepare for vulnerability exploits, and secure API endpoints. As cyberthreats evolve, threat intelligence enables security teams and their organizations to stay several steps ahead of emerging attack vectors rather than simply responding after attacks have occurred.
  • Greater situational awareness: Threat intelligence tools give security teams a deeper understanding of the current cyberthreat landscape as well as the tactics, techniques, and procedures (TTPs) used by threat actors.
  • Enhanced incident response: Because it’s impossible to fend off every attack, organizations must have a strong incident response plan, informed by threat intelligence, that helps them quickly identify threats, accelerate remediation, minimize the damage attacks can do, and bring data and systems back online as fast as possible.
  • Improved risk management: Threat intel helps an organization’s leaders to develop smarter strategies around risk management.
  • Improved regulatory compliance: Threat intelligence programs can help organizations ensure compliance with regulatory frameworks that mandate certain levels of security protections and preparedness.
  • Smarter security programs: Threat intelligence services allow organizations to tailor their security measures to the threats that are most likely to impact their IT environments. Superior intelligence aids prioritization of security controls, guides incident response plans, and targets threat hunting activities.
  • Informed investments: Stakeholders and decision-makers such as executives, boards, CISOs, and CIOs rely on threat intelligence to help guide investments in security solutions.

How threat intelligence is disseminated

Dissemination of threat intelligence takes place over a variety of channels.

  • Threat intelligence platforms aggregate and distribute intelligence to stakeholders and security operations centers (SOCs) in real time. A threat intelligence platform can manage the lifecycle of intelligence and offer a unified view of the threats, vulnerabilities, and IOCs that matter to the organization. Threat intelligence platforms usually offer tools for filtering and prioritizing intelligence so that security teams get the most relevant data. Integrations with other security systems, such as SIEM (security information and event management), EDR (endpoint detection and response), and firewalls, ensure that everyone in the organization has access to timely and comprehensive threat information.
  • Email alerts and bulletins published by cybersecurity experts provide helpful insights into the latest intelligence about critical vulnerabilities or ongoing attacks.
  • Automated threat intelligence feeds can provide direct input into security tools and systems. Threat data feeds allow real-time updates to detection methods and responses to emerging threats.
  • Web portals and dashboards provide interfaces for viewing real-time threat intelligence. Dashboards are typically customizable, allowing security teams to focus on the type of intelligence most aligned with the needs of the organization.
  • Reports and white papers produced by security analysts provide in-depth intelligence that helps security teams understand complex threats and develop long-term strategies.

Types of threat intelligence

Threat intelligence falls into four primary categories.

  • Tactical threat intelligence focuses on the immediate, technical indicators of threats. Indicators like malware signatures and malicious IP addresses can help security teams configure firewalls, endpoint protection, and other security solutions.
  • Operational threat intelligence informs incident response plans by uncovering the specifics of cyberattacks and malicious campaigns and the TTPs of threat actors.
  • Strategic threat intelligence delivers a high-level understanding of the cyberthreat landscape, providing valuable insight for long-term decision-making and risk management.
  • Technical threat intelligence provides specific evidence concerning attacks in progress. This may include email content and phishing campaigns, IP addresses of command and control servers, or code from known malware that is found on media within an IT environment.
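The following is an added example, not code from Akamai or from this page, showing how the tactical indicators described above (malicious URLs, IP addresses) are typically consumed by a detection pipeline, and how the credibility and freshness filtering described under "Where does threat intelligence come from?" keeps stale or low-confidence indicators from generating false positives. The feed entries, log lines, and field layout are all constructed for illustration; real feeds (STIX/TAXII, vendor CSV) differ in format but carry the same information.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample feed (not real indicators): defanged the way tactical feeds often
# publish them. Fields: indicator, type, confidence 0-100, valid_until (ISO 8601).
SAMPLE_FEED = [
    ("hxxp://login-update[.]example/verify", "url", 90, "2099-01-01T00:00:00Z"),
    ("203[.]0[.]113[.]7", "ipv4", 80, "2099-01-01T00:00:00Z"),
    ("cdn.stale.example", "domain", 95, "2020-01-01T00:00:00Z"),      # expired
    ("shared-hosting.example", "domain", 30, "2099-01-01T00:00:00Z"),  # low confidence
]

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <destination>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://login-update.example/verify?id=7
2024-05-01T10:00:02Z 10.0.0.6 GET https://www.example.org/
2024-05-01T10:00:03Z 10.0.0.7 CONNECT 203.0.113.7:443
2024-05-01T10:00:04Z 10.0.0.8 GET http://cdn.stale.example/a.js
2024-05-01T10:00:05Z 10.0.0.9 GET http://shared-hosting.example/
"""

def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so an indicator compares with live log values."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)

def build_watchlist(feed, min_confidence=60, now=None):
    """Keep only credible, unexpired indicators; key by lowercase hostname or IP."""
    now = now or datetime.now(timezone.utc)
    watch = {}
    for indicator, kind, confidence, valid_until in feed:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if confidence < min_confidence or expires <= now:
            continue  # drop low-credibility or stale entries, a common source of IOC false positives
        value = refang(indicator)
        host = urlsplit(value).hostname if kind == "url" else value
        watch[host.lower()] = (indicator, confidence)
    return watch

def match_logs(log_text, watch):
    """Return (log line, (indicator, confidence)) for each destination on the watchlist."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        dest = line.split()[-1]
        host = urlsplit(dest if "://" in dest else "//" + dest).hostname
        if host and host.lower() in watch:
            hits.append((line, watch[host.lower()]))
    return hits
```

With the defaults, only the two credible, current indicators produce hits; raising or lowering `min_confidence` shows the trade-off between coverage and alert noise that the analysis step is meant to manage.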

Akamai Security Intelligence Group

Akamai Security Intelligence Group is a global team of world-class researchers, engineers, strategists, and data scientists with a broad range of expertise and security disciplines. Our data sources include the enormous Akamai Connected Cloud, open sources, collaboration with third parties, and dark web intelligence. We have also developed our own algorithms and tools that help us deliver our research and keep Akamai security solutions up to date.

Frequently Asked Questions (FAQ)

Threat intelligence feeds help to reduce or eliminate false positives by analyzing raw data, understanding context, gauging the credibility of sources and information, and filtering intelligence for the needs and circumstances of a specific organization.

Threat intelligence or threat detection can’t always predict specific attacks, but it can deliver insights into the current methods and targets preferred by threat actors, helping organizations to understand what threats they are most likely to face, and to anticipate and prepare for these potential threats.
