What Is Threat Intelligence Management?
The rapid pace of digital transformation has created many opportunities for businesses to increase profits and grow, but it can also open them up to cyberattacks. Threat intelligence management enables organizations to better understand the global threat landscape, anticipate attackers’ next moves and take prompt action to stop attacks.
Threat intelligence, as defined by Gartner, is “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”
There is a significant difference between threat intelligence and threat intelligence management. While threat intelligence is data and information about threats, threat intelligence management is the collection, normalization, enrichment and actioning of data about potential attackers and their intentions, motivations and capabilities. This information can help organizations make faster, more informed security decisions, and thus be better prepared for cyberthreats.
Good threat intelligence management brings proactive defense mechanisms against any threats that emerge outside your environment before they affect you. That can only be achieved if the threat data is relevant, vast, trustworthy and actionable.
Threat Actors and Common Sources of Cyberthreats
When facing down a threat, it’s important to understand who the threat actor is as well as their common tactics, techniques and procedures (TTPs). Here are a few of the most common types of cyberthreats:
- State-sponsored actors: Cyberattacks by countries can disrupt communications, military activities and other services that citizens use daily.
- Terrorists: Terrorists may attack government or military targets, but at times they also target civilian websites, potentially disrupting services and causing permanent damage.
- Industrial spies: Where the motive is mostly financial, organized criminals and international corporate spies carry out industrial surveillance and monetary theft.
- Organized crime groups: Criminal groups penetrate systems for monetary gain. Organized crime groups use phishing, spam and malware to carry out identity theft and online fraud.
- Hackers: The large global population of hackers ranges from beginners using ready-made threat toolkits to highly skilled operators who can develop new threats and avoid sophisticated defenses.
- Hacktivists: This subset of hackers aims to penetrate or disrupt systems for political or ideological reasons rather than financial gain.
- Malicious insiders: Insiders represent a serious threat as they have existing access to corporate systems, with knowledge of target systems and sensitive data. These threats can be devastating and very difficult to detect.
- Cyberespionage: In these attacks, actors steal classified or sensitive intellectual property data to gain an advantage over a competing company or government entity.
Challenges with Threat Intelligence Today
Even though security teams and security operations centers (SOCs) have plenty of data coming in from their intelligence feeds, the overwhelming volume of alarms and tickets causes team “fire drills” and delays. Most threat intelligence management solutions in the market focus on threat feeds, but there is still a lot of manual work involved when it comes to analyzing and taking action on the information loads they provide.
A few challenges with existing threat intelligence tools are:
- Lack of control due to too much data
- Inability to prioritize and operationalize
- Lack of automation, leading to inability to take action
To create an intelligence-driven organization that is well-protected and ready for response, you need a threat intelligence management process that is contextualized, automated, priority-driven, evidence-based and actionable.
Who Will Benefit from a Robust Intel Management Process?
While threat intelligence platforms offer benefits for the entire organization and empower businesses to be secure and risk-free, security, IT and operations teams gain unique advantages in better understanding their attackers, responding more quickly to incidents, proactively learning the threats and taking action. Here are a few specific teams and roles that benefit from threat intelligence management:
- Security operations center
- Threat intelligence analyst
- Security analyst
- Security engineer/architect
- Chief information security officer
Types of Threat Intelligence
Depending on the requirements and criteria, there are four different types of threat intelligence.
Tactical Threat Intelligence
This type of threat intelligence helps IT, security operations and network operations center (NOC) teams in understanding the tactics threat actors and attackers use. This type of data provides day-to-day operational support by helping analysts assess various security incidents related to events, investigations and other activities. Reports produced by security vendors and industry players are an example of this type of intelligence.
Operational Threat Intelligence
Operational intelligence provides in-depth understanding of an attacker’s capabilities, past malicious activities and their impact on the organization. The information includes detailed analysis of the nature and purpose of the attacks and attackers, which helps in predicting future attacks and enhancing incident response plans. A report on a new phishing campaign targeting your industry vertical constitutes this type of intelligence.
Technical Threat Intelligence
Mostly helpful for incident response and security operations teams, technical threat intelligence specializes in the tools, techniques, resources, challenges and tactics of the attackers. This intelligence is also referred to as atomic indicators, observables or indicators of compromise (IOCs). Command-and-control IP addresses, malware file hashes and fast flux domains all fall under this category.
Strategic Threat Intelligence
This type of intelligence provides high-level information about cybersecurity posture, threats and attack trends. This information mostly deals with the big picture in the threat landscape and helps executives and management, such as IT managers and CISO teams, understand the financial impact of various cyber activities and the overall impact of high-level business decisions. An example of this type of intelligence would be a series of reports detailing threat actors and their associated attack techniques known to target your industry.
Unit 42® at Palo Alto Networks
Unit 42 brings together an elite group of cyber researchers and incident responders to protect our digital way of life. With a deeply rooted reputation for delivering industry-leading threat intelligence, Unit 42 has expanded its scope to provide state-of-the-art incident response and cyber risk management services. Our consultants will serve as trusted partners to rapidly respond to and contain threats so you can focus on your business. Visit unit42.paloaltonetworks.com.
Business Benefits of Threat Intelligence Management
Well-executed threat intelligence management provides:
- Improved operational efficiency: The average enterprise receives more than 11,000 security alerts per day and doesn’t have enough people to handle them. Instead of going after false positives, putting off fire drills, and dealing with a flood of alarms and alerts, your analysts can benefit from aggregated threat data from hundreds of sources in a single, cohesive set.
- Lower risk: Good threat intelligence will surface attacks more quickly and reduce the dwell time an attacker has in your organization, in turn reducing the impact and cost of a breach. With proper visibility and by identifying vulnerabilities, your organizations can reduce the risk of data loss and improve your security posture.
- Cost savings: The average cost of data breach in 2020 was $3.86 million. The more slowly you react to a threat, the more money your business can lose. Moreover, with a centralized threat intelligence management process in place, you can benefit from significant savings. A proactive approach and a robust central library of threat intelligence eliminate the need to purchase multiple platforms and integration resources.
Cortex XSOAR Threat Intelligence Management
Cortex® XSOAR Threat Intelligence Management introduces a completely new approach to embedding and taking action on threat intelligence across every aspect of the incident lifecycle. It enables you to attain unmatched visibility into the global threat landscape with automated connections between external threat intelligence and internal incidents. Threat Intelligence Management enables you to:
- Leverage the massive repository of Palo Alto Networks tactical threat intelligence (with tens of millions of unique malware samples and firewall sessions analyzed daily) as well as strategic intelligence from Unit 42.
- Surface connections between threat actors and attack techniques previously unknown in your environment.
- Use best-in-class security orchestration, automation and response (SOAR) capabilities to empower customization, modeling and automation of threat intelligence at scale.
- Shut down threats across more than 600 third-party products with purpose-built playbooks based on proven SOAR capabilities.
- Take advantage of native threat intelligence management, unifying aggregation, scoring, and sharing of threat intelligence with playbook-driven automation.
- Improve decision-making during investigations, better predict and prevent future attacks, get a global view of your threat landscape with a central intelligence library.
Watch this video to learn how Threat Intelligence Management can enable your organization to operationalize, take action and gain control over your security measures.