What Is Threat Intelligence
Threat intelligence is the practice of collecting, organizing, and making actionable use of information about cyber threats. Commonly organized in feeds, threat intelligence consists of correlated data points about threats that can face an organization, which can range from technical Indicators of Compromise (IoC) to in-depth profiles of cyber threat actors.
A threat intelligence solution is composed of several layers, each of which brings the data one step closer to actionable use:
- Gathering data from open sources such as global threat databases, closed sources such as commercial cybersecurity research feeds, and hacker or hacktivist resources on the dark web.
- Processing and enriching data to classify threats, identify botnets and other macro structures, build profiles of threat actors and groups, and associate threats with specific malware.
- Packaging the data for threat intelligence consumers, typically as feeds that provide up-to-date information about new and existing threats.
- Making use of the data, either automatically by integrating it with security tools, or manually, by providing contextual threat intelligence to security staff as they analyze or prepare for security incidents.
Staying Informed of Threat Actors and Emerging Threats
The cybersecurity landscape is growing more complex. There are thousands of attack techniques, millions of malware variants and countless threat actors and hacker groups that can potentially threaten your organization.
Threat intelligence can help you:
- Stay up to date—know about new and emerging threats including methods, targets and identities of threat actors.
- Know your enemy—if you can connect a certain attack or malware to a specific threat actor, and understand their context and motivation, you are better equipped to defend against them.
- Share information—threat intelligence provides conveniently packaged information about threats that you can share across the security team, as well as with management and other stakeholders.
Indicators of Compromise
Indicators of Compromise (IoCs) provide evidence that an attack has taken place, and can help you understand the type of attack and its source. Threat intelligence solutions leverage IoCs to quickly connect cybersecurity incidents to known threat profiles.
For example, if a company has outbound traffic to an IP address known to be used for malicious activity, cyber threat intelligence can connect that IP address to a threat actor, and provide information about malware distributed by that attacker.
Here are a few common examples of Indicators of Compromise. Note that most of them are anomalies relative to a baseline of normal activity rather than exact matches, so the baseline and the thresholds have to be tuned for each environment to keep false positives manageable:
- Unusual outbound network traffic
- Web traffic exhibiting bot-like behavior
- Unusual HTML response sizes
- A large number of requests for the same resource
- Anomalous behavior or login activity by privileged accounts
- Traffic from unusual geographical regions
- Unusual frequency or data volume of database reads
- Changes to registry or system files
- Unusual DNS requests or requests from an unusual port number
- Large volumes of traffic indicating a DDoS attack
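The following is an added example that is not part of the original page: it runs three of the checks listed above (known-bad destination, unusually high outbound volume per host, off-hours activity) over a handful of constructed outbound-connection log lines. The log format, the hosts and addresses (documentation ranges), the IoC feed entries and the thresholds are all assumptions made for illustration.

```python
"""Match constructed outbound-connection logs against an IoC feed.

Added example, not code from the original page. The log format, the
IoC feed, the addresses and the thresholds are assumptions.
"""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed IoC feed: indicator -> context (fictional, documentation IPs).
IOC_FEED = {
    "198.51.100.23": {"type": "c2", "source": "feed-A"},
    "203.0.113.7": {"type": "malware-distribution", "source": "feed-B"},
}

# Constructed sample of outbound connections (fictional hosts and IPs).
SAMPLE_LOGS = """\
2024-03-04T09:12:01 src=10.0.0.15 dst=93.184.216.34 dport=443 bytes=1200
2024-03-04T09:12:05 src=10.0.0.15 dst=198.51.100.23 dport=8443 bytes=540
2024-03-04T02:13:07 src=10.0.0.42 dst=203.0.113.7 dport=80 bytes=93000000
2024-03-04T02:13:09 src=10.0.0.42 dst=203.0.113.7 dport=80 bytes=91000000
2024-03-04T09:15:00 src=10.0.0.15 dst=93.184.216.34 dport=443 bytes=800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_logs(text):
    """Parse the assumed key=value log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    return events


def find_ioc_hits(events, feed):
    """One finding per connection whose destination is in the IoC feed,
    carrying the feed's context so an analyst sees the threat profile."""
    hits = []
    for e in events:
        ctx = feed.get(e["dst"])
        if ctx:
            hits.append({"src": e["src"], "ioc": e["dst"], **ctx})
    return hits


def find_unusual_outbound(events, byte_threshold=50_000_000):
    """Hosts whose total outbound volume exceeds an assumed threshold."""
    totals = Counter()
    for e in events:
        totals[e["src"]] += e["bytes"]
    return {src: total for src, total in totals.items() if total > byte_threshold}


def find_offhours(events, start_hour=7, end_hour=19):
    """Connections outside assumed business hours (local time of the log)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def analyze(text=SAMPLE_LOGS, feed=IOC_FEED):
    """Run all three checks and return a summary suitable for an alert."""
    events = parse_logs(text)
    return {
        "ioc_hits": find_ioc_hits(events, feed),
        "high_volume": find_unusual_outbound(events),
        "offhours": len(find_offhours(events)),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

The exact-match check is the only one that needs no baseline; the volume and off-hours checks are placeholders for whatever "normal" looks like in your own telemetry, which is why they take their thresholds as parameters.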
The Threat Intelligence Lifecycle
Threat intelligence providers (either commercial providers that serve many organizations, or an internal threat intelligence body within an organization) collect security information using a structured process, borrowed from military and governmental intelligence agencies. The process has six stages: direction, collection, processing, analysis, dissemination, and feedback.
Direction
In the direction phase, the threat intelligence provider understands the information assets that need to be protected, and the types of intelligence that can help protect those assets. The provider must identify which are the most impactful threat categories and what types of information can help defend against them.
Collection
A provider can gather information for threat intelligence requirements from a variety of sources, including:
- Log data from IT systems being protected
- Existing threat data feeds
- Threat databases and datasets such as known vulnerabilities or malware signatures
- Interviews with people knowledgeable about attacks or attackers
- Openly available news and security research
- Hacker websites and closed forums in the dark web
Processing
Processing transforms the collected information into a data format that can be used on an ongoing basis for cybersecurity. Qualitative information needs to be reviewed, ranked, and categorized. Quantitative information needs to be cleaned, deduplicated, and converted to consistent formats.
For example, a cyber threat intelligence provider can collect bad IPs from security logs and package them into a CSV file that can be imported into security tools, which can then block these IPs.
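As an added example of the processing step (not code from the original page), the block below takes raw IP indicators as they might arrive from three different sources, a comment-laden text blocklist, a vendor CSV export, and a written report with defanged addresses, and merges them into one deduplicated feed with a per-indicator confidence and source list, emitted as CSV. The source names, confidence values, sample data (documentation IP ranges) and the list of internal ranges to exclude are assumptions.

```python
"""Normalize raw IP indicators from mixed sources into one clean CSV feed.

Added example, not code from the original page. The input formats, the
source names, the confidence values and the excluded ranges are assumptions.
"""
import csv
import io
import ipaddress
import re

# Constructed samples of three sources as they might arrive.
SOURCE_TXT = """\
# blocklist export, one entry per line
198.51.100.23
198.51.100.23
10.0.0.5
not-an-ip
203.0.113.0/29
"""
SOURCE_CSV = "indicator,confidence\n203.0.113.7,80\n198.51.100.23,60\n"
SOURCE_REPORT = "Observed beacons to 192[.]0[.]2[.]44 and hxxp://203[.]0[.]113[.]7/x"

# Assumed internal ranges: an IP feed that "blocks" these is noise.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text):
    """Undo common defanging so values parse as real addresses/URLs."""
    return text.replace("[.]", ".").replace("hxxp://", "http://")


def extract_ips(text):
    """Pull IPv4-looking tokens out of free text (after refanging)."""
    return IPV4_RE.findall(refang(text))


def expand(value):
    """Expand a single IP or small CIDR into host strings; [] if it does not
    parse as IPv4 or the range is too large to enumerate sensibly."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return []
    if net.version != 4 or net.prefixlen < 24:
        return []
    return [str(ip) for ip in net]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def load_txt(text, default_confidence=50):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, default_confidence


def load_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], int(row["confidence"])


def load_report(text, default_confidence=40):
    for ip in extract_ips(text):
        yield ip, default_confidence


SOURCES = {
    "blocklist": load_txt(SOURCE_TXT),
    "vendor-csv": load_csv(SOURCE_CSV),
    "report": load_report(SOURCE_REPORT),
}


def build_feed(sources=None):
    """Merge (raw_value, confidence) pairs per source into one dict keyed by
    IP, keeping the set of sources and the highest confidence seen."""
    merged = {}
    for name, items in (sources if sources is not None else SOURCES).items():
        for raw, conf in items:
            for ip in expand(refang(raw)):
                if is_internal(ip):
                    continue
                entry = merged.setdefault(ip, {"sources": set(), "confidence": 0})
                entry["sources"].add(name)
                entry["confidence"] = max(entry["confidence"], conf)
    return merged


def to_csv(merged):
    """Render the merged feed as CSV, sorted numerically by address."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["indicator", "sources", "confidence"])
    for ip in sorted(merged, key=ipaddress.ip_address):
        e = merged[ip]
        w.writerow([ip, ";".join(sorted(e["sources"])), e["confidence"]])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_feed()))
```

The two cheap checks here, dropping anything that does not parse and anything inside your own ranges, are the ones most often missing from feeds imported straight into a firewall; a single malformed or internal entry in a blocklist can cause an outage rather than a detection. Note that `SOURCES` holds generators, so it is consumed by the first `build_feed()` call.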
Analysis
After threat intelligence is processed, analysts assess what it means for the organization, answering the questions set in the direction phase, and package the result in a way that is actionable and useful for the end user.
If the data recipients are security professionals, threat intelligence should provide actionable data points that can be used in real time to investigate or defend against an attack. If they are non-technical, threat intelligence must be provided in the form of easy-to-read reports, or even presentations or videos that explain the threat at a higher level.
Dissemination
In the dissemination phase, threat intelligence is delivered to its end user, or to a security tool where it can be used to automatically detect or respond to threats. Threat intelligence is provided to humans in the form of written reports or alerts, and to machines in the form of data files in specific formats that are supported by security tools, such as STIX objects exchanged over TAXII.
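The following is an added example of machine-readable dissemination, not code from the original page: it packages a short list of clean IP indicators as a STIX 2.1 bundle of indicator objects and, on the consuming side, turns such a bundle back into a blocklist, honouring the `revoked` flag and a minimum confidence. The indicator values, the confidence numbers and the fixed timestamp are assumptions; the object shape follows the STIX 2.1 indicator fields (`pattern`, `pattern_type`, `valid_from`).

```python
"""Produce a STIX 2.1 indicator bundle from clean IPs and read it back.

Added example, not code from the original page. The indicator values,
confidences and the timestamp are assumptions.
"""
import ipaddress
import json
import re
import uuid

# Only patterns of this exact shape are produced here, so only these are
# parsed back; a full consumer would use a STIX pattern parser.
PATTERN_RE = re.compile(r"^\[ipv4-addr:value = '([^']+)'\]$")

# Constructed input: (indicator, confidence) as the processing step might emit.
SAMPLE_INDICATORS = [
    ("203.0.113.7", 80),
    ("198.51.100.23", 60),
    ("192.0.2.44", 40),
]


def make_indicator(ip, confidence, created="2024-03-04T09:00:00.000Z"):
    """Build one STIX 2.1 indicator for an IPv4 address (raises on bad input
    so a malformed value never reaches consumers)."""
    ipaddress.IPv4Address(ip)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"Known-bad IP {ip}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": created,
        "confidence": confidence,
    }


def make_bundle(indicators=SAMPLE_INDICATORS):
    """Wrap indicator objects in a STIX bundle ready for TAXII or a file."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(ip, conf) for ip, conf in indicators],
    }


def bundle_to_blocklist(bundle, min_confidence=50):
    """Consumer side: extract IPs from indicators that are not revoked and
    meet the confidence bar. Unknown object or pattern types are ignored."""
    ips = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked", False):
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m:
            ips.add(m.group(1))
    return sorted(ips, key=ipaddress.ip_address)


def roundtrip(indicators=SAMPLE_INDICATORS, min_confidence=50):
    """Serialize to JSON as a tool would write it, parse it back, consume."""
    text = json.dumps(make_bundle(indicators))
    return bundle_to_blocklist(json.loads(text), min_confidence)


if __name__ == "__main__":
    print(json.dumps(make_bundle(), indent=2))
    print(roundtrip())
```

The consumer deliberately filters on `revoked` and `confidence`: a feed that only ever adds indicators and never retracts them is how stale blocks accumulate, and the feedback stage below is where those retractions and confidence adjustments come from.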
Feedback
An essential stage in the threat intelligence lifecycle is to obtain feedback about the impact and usefulness of the data. Was threat intelligence helpful in detecting security incidents? Did it help understand and defend against an attack? Are tools able to use the information to operate more effectively? Receiving this feedback on an ongoing basis can help a threat intelligence provider improve their information sources, processing and analysis.
Imperva Integrated Threat Intelligence Solution
Imperva provides threat intelligence solutions that integrate with other elements of its cybersecurity offering. Imperva provides threat insights based on visitor reputation, crowdsourced community intelligence, and behavioral analytics.
In addition to threat intelligence capabilities, Imperva offers multi-layered protection to ensure websites and applications remain available, accessible and safe. These include:
- DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
- CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
- WAF—cloud-based solution permits legitimate traffic and prevents bad traffic, safeguarding applications at the edge. Gateway WAF keeps applications and APIs inside your network safe.
- Bot protection—analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic.
- API security—protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities.
- Account takeover protection—uses an intent-based detection process to identify and defend against attempts to take over users’ accounts for malicious purposes.
- RASP—keep your applications safe from within against known and zero‑day attacks. Fast and accurate protection with no signature or learning mode.
- Attack analytics—mitigate and respond to real cyber security threats efficiently and accurately with actionable intelligence across all your layers of defense.