Threat Intelligence is the collection and analysis of cybersecurity data from multiple sources. By collecting large volumes of data about current threats and trends and analyzing it, threat intelligence providers derive information and insights that help their customers detect, prepare for, and respond to cyber threats.
Organizations have a wide range of intelligence needs, ranging from low-level information on the malware variants currently being used in attack campaigns to high-level information intended to inform strategic investments and policy creation. For this reason, threat intelligence can be classified into one of three different categories:
- Operational: Operational threat intelligence focuses on the tools (malware, infrastructure, etc.) and techniques that cyberattackers use to achieve their goals. This type of understanding helps analysts and threat hunters identify and understand attack campaigns.
- Strategic: Strategic threat intelligence is high-level and focuses on widespread trends within the cyber threat landscape. This type of threat intelligence is geared toward executives (often without a cybersecurity background) who need to understand their organization's cyber risk as part of their strategic planning.
- Tactical: Tactical threat intelligence focuses on identifying particular types of malware or other cyberattacks using indicators of compromise (IoCs) such as file hashes, IP addresses, domains, and URLs. This type of threat intelligence is ingested by cybersecurity solutions and used to detect and block incoming or ongoing attacks.
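To make the tactical category concrete, the following is an added example (not code from the original page or from Check Point) of the kind of matching a security tool performs when it ingests IoCs. The feed format, the indicators, and the proxy/EDR/DNS log lines are all constructed for this illustration; a real feed would typically arrive as STIX, CSV, or a vendor API, and the log formats would be whatever the organization's sensors emit.

```python
import re
from dataclasses import dataclass

# Constructed sample IoC feed in a simple CSV form (hypothetical, not any vendor's format).
IOC_FEED = """type,value,note
domain,update-check.example.net,c2 beacon
ipv4,203.0.113.45,c2 server
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,dropper
"""

# Constructed sample log lines (proxy, EDR and DNS style); not from a real environment.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.7 host=intranet.corp.example",
    "2024-05-01T10:00:07Z proxy src=10.0.0.9 dst=203.0.113.45 host=UPDATE-CHECK.example.net",
    "2024-05-01T10:01:13Z edr host=ws-17 file=C:\\Users\\a\\t.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-05-01T10:02:00Z dns src=10.0.0.9 query=update-check.example.net. type=A",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    note: str


def parse_ioc_feed(text):
    """Parse the CSV feed into {ioc_type: {normalised_value: note}}.

    Values are lower-cased so that case differences in logs (hashes, hostnames)
    do not cause misses.
    """
    iocs = {}
    lines = [line for line in text.strip().splitlines() if line.strip()]
    for line in lines[1:]:  # skip the header row
        ioc_type, value, note = line.split(",", 2)
        iocs.setdefault(ioc_type.strip(), {})[value.strip().lower()] = note.strip()
    return iocs


# Token extractors per IoC type. Each returns the normalised candidate values found in a log line.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_HOST = re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)")


def extract_candidates(line):
    return {
        "ipv4": set(_IPV4.findall(line)),
        "sha256": {h.lower() for h in _SHA256.findall(line)},
        # DNS logs often carry a trailing dot on the FQDN; strip it before matching.
        "domain": {h.lower().rstrip(".") for h in _HOST.findall(line)},
    }


def scan_logs(lines, iocs):
    """Return one Hit per (line, IoC) match, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        candidates = extract_candidates(line)
        for ioc_type, values in iocs.items():
            for v in candidates.get(ioc_type, ()):
                if v in values:
                    hits.append(Hit(n, ioc_type, v, values[v]))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES, parse_ioc_feed(IOC_FEED)):
        print(f"line {hit.line_no}: {hit.ioc_type}={hit.value} ({hit.note})")
```

Two details matter in practice and are handled above: normalisation (case and the trailing dot on DNS names) so that indicators match regardless of how a sensor renders them, and per-type extraction so that an IP address in a feed is only compared against IP-shaped tokens rather than the whole line.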
What Should Threat Intelligence Provide?
Threat intelligence is intended to improve an organization's ability to minimize cyber risk, manage cyber threats, and feed intelligence back into the products that protect its attack surfaces. To effectively support an organization's cybersecurity strategy, a threat intelligence platform should provide certain functionality:
- Multi-Source Data Correlation: Different points of view produce different data and insights. A threat intelligence platform should aggregate both internal and external data sources to provide an organization with comprehensive visibility into the cyber threats that it is likely to face.
- Automated Analysis and Triage: The data collected by the threat intelligence platform can easily overwhelm an organization’s security team, leaving it unable to use it effectively. A threat intelligence platform should perform automated analysis, triage, and prioritization of intelligence to ensure that analysts see the most important data first.
- Data Sharing: Having threat intelligence data on a single, centralized system (and relying on analysts to manually distribute it to their defensive solutions) limits its effectiveness. A threat intelligence platform should include integrations for the automatic dissemination of data across an organization’s security deployment.
- Automation: The cyber threat landscape evolves rapidly, and threat intelligence data rapidly grows stale as cyber threat actors start new campaigns and end others. The use of automation to speed analysis and use of threat intelligence is necessary if it is to provide value to the user.
- Actionable Insights: Knowledge that a particular threat exists is not the same as knowing how to respond to it. A threat intelligence platform should provide actionable advice and insights on how an organization can protect itself against the threats that the intelligence brings to their attention.
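The list above describes what a platform should do with raw feeds; the following added example (not code from the original page or from Check Point) shows the core of it in working form: correlating records from several sources, de-duplicating them, decaying their weight as they age, prioritizing by corroboration and internal sightings, and exporting the result for dissemination to a blocking control. The feed names, records, half-life and weighting factors are all constructed assumptions for the illustration, not any vendor's scoring model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Indicator:
    value: str
    ioc_type: str
    sources: set
    confidence: int      # highest confidence any source reported, 0-100
    last_seen: datetime  # most recent sighting across all sources
    tags: set


# Fixed reference time so the ageing calculation below is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed feeds: two hypothetical external vendors plus an internal sandbox.
# Record shape: (ioc_type, value, confidence, last_seen, tags)
FEEDS = {
    "vendor_a": [
        ("ipv4", "203.0.113.45", 80, "2024-05-01T09:00:00Z", {"c2"}),
        ("domain", "Old-Campaign.example.org", 90, "2024-03-01T00:00:00Z", {"phishing"}),
        ("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
         70, "2024-04-28T00:00:00Z", {"dropper"}),
    ],
    "vendor_b": [
        ("ipv4", "203.0.113.45 ", 60, "2024-04-30T12:00:00Z", {"scanner"}),  # note stray space
        ("domain", "update-check.example.net", 75, "2024-05-01T08:00:00Z", {"c2"}),
    ],
    "sandbox": [  # internal detonation of a phishing attachment seen in this organization
        ("ipv4", "203.0.113.45", 100, "2024-05-01T11:30:00Z", {"seen-internally"}),
    ],
}
INTERNAL_SOURCES = {"sandbox"}  # assumption: which sources are the organization's own telemetry
HALF_LIFE_DAYS = 7.0            # assumption: an indicator loses half its weight every week


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def merge_feeds(feeds):
    """Multi-source correlation: one Indicator per (type, normalised value)."""
    merged = {}
    for source, records in feeds.items():
        for ioc_type, value, confidence, last_seen, tags in records:
            key = (ioc_type, value.strip().lower())
            seen = _parse_ts(last_seen)
            ind = merged.get(key)
            if ind is None:
                merged[key] = Indicator(key[1], ioc_type, {source}, confidence, seen, set(tags))
            else:
                ind.sources.add(source)
                ind.confidence = max(ind.confidence, confidence)
                ind.last_seen = max(ind.last_seen, seen)
                ind.tags |= set(tags)
    return merged


def score(ind, now):
    """Priority 0-100: source confidence, decayed by age, boosted by corroboration."""
    age_days = max(0.0, (now - ind.last_seen).total_seconds() / 86400)
    freshness = 0.5 ** (age_days / HALF_LIFE_DAYS)
    corroboration = 1.0 + 0.25 * (min(len(ind.sources), 3) - 1)   # 1.0, 1.25 or 1.5
    internal = 1.5 if ind.sources & INTERNAL_SOURCES else 1.0     # seen in our own environment
    return min(100, round(ind.confidence * freshness * corroboration * internal))


def prioritize(merged, now, min_score=10):
    """Automated triage: rank indicators and drop stale/low-value ones."""
    ranked = [(score(ind, now), ind) for ind in merged.values()]
    ranked = [(s, ind) for s, ind in ranked if s >= min_score]
    ranked.sort(key=lambda pair: (-pair[0], pair[1].value))
    return ranked


def blocklist(ranked, ioc_type, min_score=50):
    """Data sharing: values of one type ready to push to a blocking control."""
    return [ind.value for s, ind in ranked if ind.ioc_type == ioc_type and s >= min_score]


if __name__ == "__main__":
    for s, ind in prioritize(merge_feeds(FEEDS), NOW):
        print(f"{s:3d} {ind.ioc_type:7s} {ind.value} sources={sorted(ind.sources)}")
```

With the constructed data, the C2 address reported by both vendors and detonated in the internal sandbox ranks first, the domain from a campaign last seen two months ago decays to zero and is dropped from triage, and only the IP indicator clears the threshold for the firewall blocklist. The half-life and multipliers are deliberately simple; the point is that age and corroboration, not just the feed's own confidence field, decide what an analyst or an enforcement point sees first.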
How To Select a Threat Intelligence Platform
A number of different threat intelligence platforms and feeds exist, and, with threat intelligence, more is not always better. Subscribing to multiple threat intelligence feeds and attempting to aggregate and analyze them in-house can result in a deluge of redundant and low-quality data. Instead, an organization should select a threat intelligence platform with the following qualities:
- Real-Time Data: Many cyberattack campaigns last only hours or minutes, so threat intelligence that updates only once a day arrives too late to block them. An effective threat intelligence platform will provide insights based upon analysis of real-time data.
- Granular Threat Visibility: Different cyberattack campaigns are targeted based upon different factors (company size, location, industry, etc.). A threat intelligence platform should provide visibility into threats faced by the larger marketplace as well as those targeting an organization’s specific industry.
- Integrated Solutions: A threat intelligence platform that identifies potential threats but relies on analysts to respond does not provide its users with the full benefits of its automation. A threat intelligence platform should integrate with cybersecurity solutions and have the ability to automatically respond to identified threats.
Actionable Threat Intelligence with Check Point
Check Point's ThreatCloud acts as a single source of intelligence data that is accessible to users via a variety of different channels. The live Threat Map offers a high-level view of the current state of cyberattacks, while Check Point's weekly Threat Intelligence Bulletins provide deeper insights into current attack trends. ThreatCloud is also integrated into Check Point's Infinity SOC to provide support for threat detection and response and threat hunting activities.
Check Point’s threat intelligence offerings are continuously updated and improved by Check Point’s threat intelligence research team. The intelligence produced by Check Point Research is automatically disseminated to its products, enabling them to identify and protect against the latest cyber threats.
Check Point provides access to high-quality strategic, operational, and tactical threat intelligence. To learn more about Check Point’s threat intelligence offerings, check out our threat intelligence research page.