The terms intelligence, cyber intelligence and cyber threat intelligence have been used extensively and interchangeably in the information security community. However, they have often been used inaccurately to describe automated data feed services or data which may be used to further identify and mitigate threats. Intelligence, for example, is very different from information – and organisations need to be aware of the key differentiators.
The difference is best shown with an example:
An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly thereafter, malware is identified using the vulnerability. Security vendors notify clients of this threat and provide recommendations for mitigation. This is threat information and, while useful, it is not, by definition, threat intelligence.
A security vendor monitoring exploitation of the Java vulnerability notices that infection rates in Asia are much higher than in the US. New strains of the malware, which install botnet command and control client code on victim devices, are being observed in the wild. At the same time, a large financial institution has announced the acquisition of a number of smaller, regional banks together with an increase in its non-sufficient funds fee from $20 to $35, angering consumers. A number of hacktivist groups begin discussing a protest against the US banking system on social media sites, promising to halt online transactions for a day at major institutions. One hacktivist Twitter account posts instructions for using botnet command and control software that appears to be the controller for the botnet client code installed by the Java malware.
Piecing these data points together leads to a clearer picture: US banks are likely to be targeted with a DDoS attack by a hacktivist group using botnets built on the Java vulnerability. Based on what is known about the infection profile, banks can expect the attacks to originate from Asian source IP addresses. This is threat intelligence: information gathered from a number of disparate sources and synthesised by human analysts to identify a specific threat to a specific target.
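As an added illustration (not code from the original post or from NTT Security), the Python sketch below shows the correlation step the scenario describes: independent reports are linked through the entities they share, and an assessment is produced only when malware, infection telemetry and stated intent all connect back to the same starting point. Every report, source and entity name (java-zero-day, bot-family-A, hacktivist-group, ransomware-B) is a constructed placeholder, not a real identifier.

```python
"""Correlate independent threat reports into a single assessment.

Added illustration only: all observations below are constructed for the example,
and the entity names are placeholders rather than real identifiers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Observation:
    source: str          # where the report came from
    kind: str            # exploit | malware | infection_stats | chatter
    entities: frozenset  # named things the report mentions; shared names link reports
    attrs: dict = field(default_factory=dict)


# Constructed sample reports mirroring the scenario in the text.
OBSERVATIONS = [
    Observation("security mailing list", "exploit", frozenset({"java-zero-day"})),
    Observation("AV vendor", "malware", frozenset({"java-zero-day", "bot-family-A"}),
                {"payload": "botnet C2 client"}),
    Observation("vendor telemetry", "infection_stats", frozenset({"bot-family-A"}),
                {"infections_by_region": {"Asia": 8200, "US": 1100, "Europe": 900}}),
    Observation("social media", "chatter", frozenset({"hacktivist-group"}),
                {"intent": "DDoS", "targets": {"US banking"}}),
    Observation("social media", "chatter", frozenset({"hacktivist-group", "bot-family-A"}),
                {"note": "posted C2 usage instructions"}),
    # Unrelated report: shares no entity with the rest and must stay out of the cluster.
    Observation("AV vendor", "malware", frozenset({"ransomware-B"})),
]


def cluster_by_shared_entities(observations, seed_entity):
    """Breadth-first walk: two reports are linked if they name a common entity."""
    by_entity = defaultdict(list)
    for obs in observations:
        for ent in obs.entities:
            by_entity[ent].append(obs)
    seen_entities, cluster, queue = set(), [], deque([seed_entity])
    while queue:
        ent = queue.popleft()
        if ent in seen_entities:
            continue
        seen_entities.add(ent)
        for obs in by_entity.get(ent, []):
            if obs not in cluster:
                cluster.append(obs)
                queue.extend(obs.entities - seen_entities)
    return cluster


def assess(observations, seed_entity, min_share=0.5):
    """Return an assessment dict, or None when the cluster is information only.

    Intelligence here means a delivery mechanism (malware), an actor with stated
    intent (chatter) and a source-of-attack profile (infection_stats) all tie back
    to the seed through shared entities. A lone report never qualifies.
    """
    cluster = cluster_by_shared_entities(observations, seed_entity)
    kinds = {obs.kind for obs in cluster}
    if not {"malware", "infection_stats", "chatter"} <= kinds:
        return None

    targets, intents = set(), set()
    for obs in cluster:
        if obs.kind == "chatter":
            targets |= set(obs.attrs.get("targets", ()))
            if "intent" in obs.attrs:
                intents.add(obs.attrs["intent"])
    if not targets or not intents:
        return None

    # Regions holding at least min_share of observed infections are the likely
    # origin of bot traffic, which is what a defender can act on (geo-based filtering).
    regions = defaultdict(int)
    for obs in cluster:
        if obs.kind == "infection_stats":
            for region, count in obs.attrs["infections_by_region"].items():
                regions[region] += count
    total = sum(regions.values())
    likely = sorted((r for r, c in regions.items() if c / total >= min_share),
                    key=lambda r: -regions[r])

    return {
        "attack": sorted(intents),
        "targets": sorted(targets),
        "likely_source_regions": likely,
        "sources": sorted({obs.source for obs in cluster}),
    }


if __name__ == "__main__":
    print(assess(OBSERVATIONS, "java-zero-day"))   # the DDoS assessment
    print(assess(OBSERVATIONS, "ransomware-B"))    # None: one report is only information
```

Starting from the Java exploit, the walk reaches the malware report, then the infection telemetry and the C2 instructions post through the shared bot family, and finally the protest chatter through the hacktivist handle; the ransomware report is never reached, and seeding from it yields no assessment because a single data point is information, not intelligence.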
The bottom line is that, while increased cyber threats have accelerated the need for threat intelligence services, businesses need to be aware of the different types of intelligence being delivered by the security industry. Seek trusted and reputable sources of threat intelligence to help manage risk. These include our own Global Threat Intelligence Platform (GTIP), which brings together a broad range of information and intelligence sources and enables Global Threat Intelligence Center (GTIC) threat analysts to:
- Identify emerging threats for scope and impact
- Attribute activity to known actors and their tactics, techniques and procedures
- Curate known threats as they evolve
- Provide validated indicators of compromise (IOC) and threat intelligence to our managed services and consulting teams worldwide.
Finally, a special mention to ThreatQuotient’s threat intelligence platform, which we use at NTT Security to enhance the threat intelligence for our customers. ThreatQuotient continues to innovate and recently secured $30 million in a Series C funding round. Congratulations.