What is cyber threat intelligence?
Learn how threat intelligence gives you a comprehensive view of where threats are coming from, what tactics bad actors use, and how to respond.
Cyber threat intelligence defined
Digital transformation creates larger data estates, opening up new avenues of attack for cybercriminals. Bad actors’ tactics are sophisticated and constantly evolving, making it difficult for companies to stay ahead of emerging threats. Cyber threat intelligence gives businesses the information and capabilities they need to continually refine their defenses.
Cyber threat intelligence is information that helps organizations better protect against cyberattacks. It includes data and analysis that give security teams a comprehensive view of the threat landscape so they can make informed decisions about how to prepare for, detect, and respond to attacks. Having focused information about actor behaviors, their tools and techniques, their exploits, the vulnerabilities they target, and emerging threats can help your organization prioritize its security efforts.
How does threat intelligence work?
Threat intelligence platforms analyze large volumes of raw data about emerging or existing threats to help you make fast, informed cybersecurity decisions. A robust threat intelligence solution maps global signals every day, analyzing them to help you proactively respond to the ever-changing threat landscape.
A cyber threat intelligence platform uses data science to filter out false alarms and prioritize the risks that could cause real damage. That data comes from:
- Open-source threat intelligence (OSINT)
- Threat intelligence feeds
- In-house analysis
A simple threat data feed might provide you with information about recent threats, but it doesn’t make sense of that unstructured data to determine which threats you’re most vulnerable to or suggest a plan of action after a breach. That work would normally fall to human analysts.
A threat intelligence solution—ideally one with tools that use AI, machine learning, and advanced capabilities such as security orchestration, automation, and response (SOAR)—automates many security functions to help you preempt attacks, rather than merely react to them. Threat intelligence also enables security professionals to automate remediation actions when an attack is revealed, such as blocking malicious files and IP addresses.
Why is threat intelligence important?
Threat intelligence is important because it helps organizations prioritize the strategies and tactics that will better protect them against a dynamic threat landscape. It’s challenging to keep on top of the constant stream of information about emerging threats and decide what’s relevant and actionable.
Threat intelligence, when combined with tools enriched with machine learning and automation such as security information and event management (SIEM) and extended detection and response (XDR), can enhance your threat detection and response efforts by:
- Unmasking your likely adversaries and their motivations.
- Exposing an adversary’s tactics, techniques, and procedures (TTPs).
- Showing the different ways various attacks might affect your business.
- Identifying common indicators of compromise (IOCs) that signal an active breach.
- Suggesting a set of actions to take when you are attacked.
- Automatically blocking entire attacks.
- Informing your broader security strategies and workflows with rich threat data.
Benefits of threat intelligence for security teams
Any business can improve its security posture with threat intelligence. It provides small and medium-sized businesses with the information they need to strategically defend themselves from ransomware and other risks. But security teams and executives in enterprises also have much to gain from threat intelligence.
In addition to better use of human skills and a faster threat response, threat intelligence solutions offer new efficiencies for people in many roles:
Security and IT analysts: Achieve and maintain network security.
Cyber intelligence analysts: Analyze threats against the organization and develop insights that will help them inform others about what threats are relevant.
Security operations centers (SOCs): Get context to assess threats and correlate them against other activity to determine the best and most effective response.
Computer security incident response teams (CSIRTs): Gain a deeper understanding of vulnerabilities, exploits against those vulnerabilities, and methods attackers use to breach systems.
Executive managers: Understand what threats are relevant to their organization so they can make data-based budget recommendations to their CEO and board.
Types of threat intelligence
Threat intelligence can be broken down into four categories. Use them to help you decide who needs to receive what type of information:
Strategic
Strategic threat intelligence is high-level analysis for non-technical stakeholders concerned with the overall business, such as C-suite executives, IT management, and boards of directors. Communicate this type of information in a broad context with the long term in view. These audiences must manage overall risks, such as how the general threat landscape is evolving, how a business decision might introduce new vulnerabilities, how advanced technology is helping businesses mitigate threats at a lower cost, or what the potential financial and operational implications of a breach are.
Tactical
Tactical threat intelligence is information cybersecurity experts need to take immediate action to mitigate threats. It includes technical information about the most current TTP trends and IOCs, and is usually consumed by IT service managers, SOC center employees, and architects. Use this type of intelligence to make decisions about security controls and create proactive defense strategies. This type of information is always in flux and can be automated to help security teams maintain maximum agility.
Operational
Operational threat intelligence is knowledge about specific threats and campaigns. It provides specialized information for incident response teams about an attacker’s identity, motivations, and methods. Enable security professionals in your organization to receive this kind of intelligence more efficiently with a cyber threat intelligence platform that automates data collection, translating foreign-language sources when needed.
Technical
Closely aligned with operational intelligence, technical threat intelligence refers to signs that an attack is happening—such as IOCs. Use a threat intelligence platform with AI to automatically scan for these types of known indicators, which can include phishing email content, malicious IP addresses, or specific implementations of malware. SOC and incident response teams can respond rapidly to this information and prevent damage to your business.
Threat intelligence use cases
Deploy a cyber threat intelligence platform to make your security operations more efficient in a variety of ways.
-
Manage alerts
Alert fatigue is a serious problem for SOC teams. They deal with massive numbers of alerts each day, and many are false positives. It’s stressful and time-consuming to sort through all that data, and the sheer overwhelm can cause security team members to miss important threats. Alleviate those problems with a threat intelligence platform that helps burdened analysts prioritize alerts and incidents.
-
Accelerate incident response
Cyber threat intelligence tools allow incident response teams to make informed decisions about how to contain and remediate threats in the quickest and most complete way, and then get the organization back to a secure state.
-
Improve your security posture
Lean on a cyber threat intelligence platform to help you make short- and long-term decisions about your security investments based on your actual risk. A robust threat intelligence platform will help you create risk models and report to stakeholders throughout your organization about what your business’s unique vulnerabilities are. Get a complete picture of your security posture to help your business decide where to invest its time and resources.
-
Prevent fraud
Use threat intelligence tools to aggregate data from criminal communities and websites worldwide. Threat intelligence provides insights into the dark web and paste sites where criminals sell huge caches of compromised usernames, passwords, and banking data. A good cyber threat intelligence platform will monitor these sources around the clock and give you real-time alerts about the latest developments.
Find the right threat intelligence platform
Threat intelligence solutions can improve your security posture by offering relevant insights into the threat landscape. Choose a platform that:
- Integrates with your existing systems and offers multi-platform and multi-cloud support to ensure you are protecting your entire IT estate.
- Uses automation to improve the quality of alerts and recommendations security teams receive.
- Has tools that present data in an easily digestible, visual format so you can share and discuss your security posture with stakeholders across your company.
Shield your business against threats like ransomware by tapping into Microsoft threat intelligence, which encompasses over 65 trillion signals daily across unique telemetry, including its family of products and continuously updated map of the threat landscape. Microsoft Defender Threat Intelligence uses the latest AI and machine learning to provide direction to security teams when more context is needed.
Learn more about Microsoft Security
Microsoft Defender Threat Intelligence
Help protect your organization from modern adversaries with a comprehensive view of your threat exposure.
Assess your risks
Continuously evaluate and prioritize threats with risk-based vulnerability management tools.
Detect and respond to threats
Find and stop sophisticated threats with powerful security information and event management (SIEM).
Extend your security
Add expert threat hunters to your security team for proactive and efficient protection.
Frequently asked questions
-
Some examples of threat intelligence are attacker identifiers, TTPs, common IOCs, malicious IP addresses, and many other indicators of known and emerging cyber threats. Threat intelligence software can collect and analyze these indicators and automatically block attacks or alert security teams to take further action.
-
The key elements that make cyber threat intelligence platforms effective are threat data feeds that provide a complete view of the global threat landscape, advanced data analytics that automate risk prioritization, monitoring tools to identify common IOCs, and autogenerated alerts so security teams can remediate breaches quickly.
-
Threat intelligence is collected from large volumes of raw data about emerging or existing threats. It’s a result of scanning the internet and dark web for information about malicious actors and their tactics, as well as internal IOCs that signal a breach has already occurred. Trustworthy threat data feeds share information like attack signatures, bad IP addresses and domain names, and attacker TTPs. Threat intelligence platforms can make sense of all this raw data using AI and machine learning.
-
A threat intelligence platform analyzes trillions of signals from the internet and maps them to tell you which threats are a serious risk to your business. Its job is to reveal adversaries and their methods, show you the different ways threats could affect your company, automatically block entire attacks, identify common IOCs that signal an active breach, and suggest actions to take if you need to intervene.
-
Choose a threat intelligence platform that both hunts for issues and automatically suggests actions to take to strengthen your security posture. It’s best to choose software that works across clouds and platforms, integrates with your existing products, and has easy-to-use, visual tools.
Follow Microsoft