What is Threat Intelligence?

Threat intelligence has become a popular buzzword in the security industry, especially when it comes to cyber security. But, as with all buzzwords, its meaning has become somewhat diluted and, frankly, means whatever the listener wants it to mean at this point.

Threat intel can take many forms, from knowing when and where an negative event against your organization will take place, to cataloguing observed TTPs of a cyber attack. Indeed, there is so much “threat intelligence” out there that teams have been forced to dedicate entire sub-teams to make sense of it all.

But let’s take a step back and understand exactly what threat intelligence is and how your organization can harness this powerful tool.

Intelligence Answers a Question

In its most basic form, intelligence answers questions posed by an organization’s decision makers. Not every answer truly qualifies as “intelligence”, however. Rather, actionable intelligence is the distilled and analyzed information that the organization’s security team and decision makers can use right now to influence their decision-making processes. Everything else is merely reference material.

What are these questions that intelligence answers? Well, that varies based on the person asking the question and why. These questions of come in the form of Priority of Information Requirements (PIR) which lists out all of the things the decision makers want to know and, based on the list’s order, how to triage that information.

The points on a PIR can be as simple or complex as necessary. Much like the examples above, a PIR point may be a simple advance sweep of location-based intelligence in a given city, or can be as detailed as collecting the entire digital footprint for the full executive team or the organization itself (see our previous articles on the Mitre Pre-ATT&CK Framework and DNS auditing). The above linked articles describe how this information may fit into an organization’s PIR for countering cyber attacks.

But What About Cyber Threat Intelligence?

The newest buzzword in the security community, specifically among cyber security teams, is “cyber threat intelligence” (CTI), which tends to function as a catch-all term. In general, CTI is an attempt to develop and collect “attack signatures” from previous cyber attacks, theoretically allowing a security team to develop and deploy proactive countermeasures while enabling post-attack forensics and attribution easier and more robust.

CTI comes from myriad sources, some developed by team members and others crowd sourced. For example, threat hunting is a form of CTI collection which involves seeking out threats around the internet (as well as threats on one’s own system, depending on your specific definition for a threat hunter), whereas crowd sourced “solutions” may come packaged as JSON files in the form of STIX and TAXII feeds. These feeds are then fed into a SEIM or other data aggregation tool with the goal of identifying patterns in order to mitigate and/or prevent future attacks.

CTI solutions, much like common PIRs, are as unique as the organizations for which they are made – every organization is different, and there is no such thing as one-size-fits-all. Therefore, a robust, dynamic, and flexible platform is necessary to assist the analyst in collecting and analyzing open-source intelligence data.

How DigitalStakeout Fits into the Equation

The DigitalStakeout platform provides a robust solution to most common PIR questions and restrictions. With technical data from IoT devices, DNS and SSL Certificates, CTI analysts are able to develop organizational footprints and establish real-time monitoring and alerting for anything that appears online which may pose a threat, be it fraud, impersonation, or anything else.

A wide array of Content monitors such as Web Presence Monitor, Social Media Monitor and Dark Web Monitor enable analysts to develop baselines and establish real-time monitoring and alerting for emerging threats that require an immediate mitigating action from a physical security response to a take down of a digital asset.

What’s different about DigitalStakeout Scout is that we deliver the transparency, control and flexibility to answer questions that matter. What question, situation and challenge do you have that your current threat intelligence solution can’t answer? See a live demo how we solve common threat intelligence use cases.