Threat intelligence, also known as cyber threat intelligence, refers to the process of collecting, analysing, and disseminating information about cyber threats and vulnerabilities. It is a proactive approach to security that involves continuously monitoring for threats, analysing the potential impact of those threats, and taking action to mitigate them.
Threat intelligence can come from a variety of sources, including government agencies, private sector organisations, and open-source information. It can be gathered through a variety of methods, including network monitoring, social media monitoring, and human intelligence gathering.
One of the key aspects of threat intelligence is the importance of contextualising threat data. Simply collecting data about threats is not enough. It is important to understand the context in which the threats are occurring in order to effectively classify, prioritise, and ultimately respond to them. This includes understanding the motivations of the threat actors, the tools, tactics and procedures (TTPs) they are using, and the potential impact on a target organisation.
Another key aspect of threat intelligence is its timeliness. In order to be effective, threat intelligence must be collected and analysed in real time, so that organisations can act promptly to activate defences against specific threats. Artificial intelligence and machine learning can help organisations sift through large volumes of data to identify patterns and trends that may indicate a potential threat. They can also be used to automate the analysis process, allowing analysts to focus on higher-level tasks such as developing response plans and communicating with stakeholders.
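The two points above (context and timeliness) can be made concrete with a small prioritisation routine. The following is an added example, not code from the original article or from any particular threat intelligence platform: it scores a few constructed threat reports against a defender's own profile (sector, region, and which TTPs already have a detection in place), weights the result by the source's confidence, and decays it with the age of the report. The field names, weights, half-life and sample reports are all assumptions chosen for illustration.

```python
"""Context-driven prioritisation of threat reports (added example).

Each report is scored on three questions a defender actually cares about:
  - does the actor target our sector and region?           (context)
  - how many of its TTPs do we currently fail to detect?    (context)
  - how trustworthy and how fresh is the report?            (confidence, timeliness)
Weights, half-life and sample data are illustrative assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ThreatReport:
    report_id: str
    actor: str
    target_sectors: set[str]     # sectors the actor is known to target
    target_regions: set[str]     # regions the actor is known to operate in
    ttps: set[str]               # technique identifiers used by the actor
    confidence: float            # 0.0 .. 1.0, as rated by the source
    observed_at: datetime        # when the activity was last observed


@dataclass
class OrgProfile:
    sector: str
    region: str
    detections: dict[str, bool]  # TTP id -> do we have a detection for it?


def age_factor(observed_at: datetime, now: datetime, half_life_days: float = 30.0) -> float:
    """Timeliness: a report loses half its weight every half_life_days."""
    age_days = max(0.0, (now - observed_at).total_seconds() / 86400.0)
    return 0.5 ** (age_days / half_life_days)


def score_report(report: ThreatReport, org: OrgProfile, now: datetime):
    """Return (score, uncovered_ttps) for one report against one organisation."""
    sector_match = 1.0 if org.sector in report.target_sectors else 0.0
    region_match = 1.0 if org.region in report.target_regions else 0.0
    # TTPs the actor uses that we have no detection for: these are the real gaps.
    uncovered = sorted(t for t in report.ttps if not org.detections.get(t, False))
    gap = len(uncovered) / len(report.ttps) if report.ttps else 0.0
    # Assumed weights: sector relevance dominates, then detection gaps, then region.
    context = 0.5 * sector_match + 0.3 * gap + 0.2 * region_match
    score = context * report.confidence * age_factor(report.observed_at, now)
    return round(score, 3), uncovered


def prioritise(reports: list[ThreatReport], org: OrgProfile, now: datetime) -> list[dict]:
    """Rank reports so the most relevant, best-sourced, freshest come first."""
    ranked = []
    for r in reports:
        score, uncovered = score_report(r, org, now)
        ranked.append({"report_id": r.report_id, "actor": r.actor,
                       "score": score, "uncovered_ttps": uncovered})
    return sorted(ranked, key=lambda row: row["score"], reverse=True)


# Constructed sample data (not real actors or reports).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    ThreatReport("R1", "Group-A", {"finance"}, {"EU"}, {"T1566", "T1078"}, 0.9, NOW - timedelta(days=2)),
    ThreatReport("R2", "Group-B", {"energy"}, {"EU"}, {"T1190"}, 0.95, NOW - timedelta(days=1)),
    ThreatReport("R3", "Group-C", {"finance"}, {"APAC"}, {"T1566"}, 0.6, NOW - timedelta(days=120)),
]
SAMPLE_ORG = OrgProfile("finance", "EU", {"T1566": True, "T1078": False, "T1190": True})


if __name__ == "__main__":
    for row in prioritise(SAMPLE_REPORTS, SAMPLE_ORG, NOW):
        print(f"{row['report_id']} {row['actor']:8} score={row['score']:.3f} gaps={row['uncovered_ttps']}")
```

On the sample data R1 ranks first: it hits our sector and region, is fresh, and uses a technique (T1078) we do not yet detect, so it comes with an actionable gap. R3 also targets our sector but is four months old, so age decay pushes it below the fresh but off-sector R2. The "uncovered_ttps" column is the part an analyst would carry into a detection-engineering backlog.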
Information sharing plays a crucial role in effective threat intelligence. In today's interconnected world, it is important for organisations to share information about threats with one another in order to better understand the broader cyber threat landscape. This can be done through a variety of channels, as mentioned earlier, and is typically facilitated through specialised open-source or proprietary threat intelligence sharing platforms.
One can summarise the key benefits of consuming threat intelligence as follows:
First, it helps organisations stay ahead of potential threats by providing them with advance warning of potential attacks. This allows organisations to take proactive measures to protect themselves, rather than simply reacting to attacks after they have occurred.
Second, threat intelligence helps organisations prioritise their cyber security efforts by providing insight into the most pressing threats facing their industry or region. This can help organisations allocate their resources more effectively, ensuring that they are able to address the most pressing threats first.
Third, in addition to helping organisations protect themselves from cyber threats, threat intelligence can also be used to support law enforcement and national security efforts. By sharing information about threats and vulnerabilities with relevant authorities, organisations can help to disrupt and prevent cyber attacks before they occur.
It is important for organisations to carefully evaluate the potential risks and benefits of using threat intelligence and to ensure that they are in compliance with all relevant laws and regulations. The Digital Operational Resilience Act (DORA) regulation, which came into force on 16 January 2023, puts a lot of emphasis on the use of cyber threat intelligence by financial entities as part of their security operations. One core pillar of the regulation is dedicated to information sharing arrangements, with the main objective being that of encouraging voluntary collaboration among trusted parties within the financial services community. This collaboration aims to:
enhance the digital operational resilience of financial entities
raise awareness on ICT risks and cyber security threats
minimise ICT threats’ ability to spread
support entities’ defensive and detection techniques, mitigation strategies or response and recovery stages.
Threat intelligence is also a key aspect of Threat-Led Penetration Testing (TLPT) mandated by the DORA regulation. TLPT, also referred to as a red team assessment, is a form of advanced security test in which, besides identifying exploitable vulnerabilities within an organisation, the detection and response capabilities are also put to the test. Very often, this test is run covertly, and specific attack scenarios are agreed upon upfront. The latter are defined via a dedicated threat intelligence exercise that is carried out prior to actually performing the red team assessment, with the outcome being a targeted threat intelligence (TTI) report that describes the local threat landscape as it applies to the organisation in question.