With cyber threats becoming more prolific and pernicious, detailed, actionable threat information has become more valuable. That type of threat information is better known as threat intelligence.
Where does threat intelligence come from, though? This article lays out the four most common sources of threat intelligence. Read on to find out.
What are the boundaries of threat intelligence?
Detailed, actionable threat information sounds good. But it’s a little vague.
And so, it’s worth clarifying what threat intelligence is and what threat intelligence isn’t.
According to the National Institute of Standards and Technology (NIST), threat intelligence is threat information that’s been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
What do others say?
For its part, analyst firm Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Unlike mere threat information, threat intelligence isn’t just idle data.
What makes threat information “intelligent” is that it’s actionable. In other words, threat intelligence can’t be any of the following:
- A list of indicators without additional context
- Dated information that fails to help an organization protect itself or understand its attackers
- An ignored data source
Internal and external threat intelligence
Within the broad category of threat intelligence, there are two subtypes: internal threat intelligence and external threat intelligence.
What is each?
Internal threat intelligence, as the name suggests, includes data points and information collected from within the organization, then organized into meaningful content.
External threat intelligence, for its part, consists of intelligence acquired from outside the organization.
The sources of threat intelligence
Given the variety of information external threat intelligence can include, it can come from the following four sources:
1. Data subscriptions or feeds
This is often vendor-provided information, delivered through a mechanism that supplies specific types of data at pre-determined intervals. The value of this type of feed is usually only realized when the receiving organization implements the data into its own tools.
2. Commonality or communal information (by industry or geographic location)
Organizations with similar interests often create industry-specific groups that facilitate the sharing of threat information.
3. Relationships formed with government entities and law enforcement
This is threat intelligence that comes from relationships with government and law enforcement.
4. Crowdsourced platforms
Information that comes from platforms that have funneled information from a large group of people.
Comparing internal and external threat intelligence
Beyond sources, how do internal and external threat intelligence differ?
Well, internal threat intelligence sources, by their very nature, tend to yield more relevant information. Meanwhile, external sources, even though they force companies to assess relevance and applicability, surface information that organizations aren’t currently aware of.
How to make the best of each? Companies should understand what kind of threat intelligence they are dealing with, then put each type to its own set of tests.
For external sources, companies should ask:
- What is the fidelity level of the information provided?
- Is the intelligence provided relevant to operations? To the industry?
- Can the intelligence be followed up on with the provider?
- How is the information provided?
And for internal sources, companies should ask:
- What do we know?
- How have we been attacked?
- What are we/have we been protecting?
But why do companies need to ask so much of threat intelligence in the first place?
As you might have guessed, companies sit on a massive trove of information, with even more at their disposal.
Much of that information could become actionable threat intelligence. So, why doesn’t it? Any number of challenges stand in the way.
Learn about the challenges to making threat intelligence actionable in our Introductory Guide to Threat Intelligence.