A Beginner’s Guide to Threat Intelligence

Threat intelligence collates data across a variety of sources to help organizations protect their assets by facilitating a targeted cybersecurity strategy.


Updated November 20, 2020


The words “threat intelligence” sound high-level, like an issue that might only concern the Department of Homeland Security or the security teams at Google or Amazon.

In truth, anyone who connects to the internet or saves data in the cloud or on a hard drive should give threat intelligence some thought. Small businesses, in particular, need to understand the concept to make sure that, in their efforts to prevent cyberattacks, they adequately protect their assets without bankrupting themselves through overkill.


Overview: What is threat intelligence?

Quite simply, threat intelligence is information about nefarious cyber activity that threatens your data and systems. You use this information to determine which of your assets are most at risk. It also helps you decide which tools to use and where to direct immediate action when a cyber threat is detected.

Think of your data and other cyber assets as your house and its contents. How do you protect your house? For very basic protection, you install locks and keep them locked. For a bit more security, you might keep an attack dog in case you leave a door unlocked.

If you live in a high-risk neighborhood, you might pay for an alarm system to monitor breaches and automatically call for help if there’s a break-in. If you’re lucky enough to live on a vast estate, you might have 24-hour guards posted at the perimeter.

The more valuable the possessions in your house, and the riskier your neighborhood, the more layers of protection you’ll put in place. Threat intelligence is the information that informs your decisions on what to protect and how to do it. The concept of threat intelligence is easy to understand, but it’s more challenging to collect and act upon.


Types of threat intelligence

Threat intelligence is an integral component of threat hunting. It provides information such as URLs, domain names, files, and IP addresses that were used to execute attacks. Organizations access this information through “intelligence feeds” that update detection capabilities.

Several feeds exist and can be vendor-based, community-based (like CERT, STIX, and OTX) or public-based (Illuminate, Binary Defense, MalwareDomainList, and Cymru). Threat feeds also can be generated internally and maintained in a proprietary fashion.

1. Strategic

According to Security Scorecard, strategic threat intelligence is high-level analysis meant for non-technical audiences. It focuses on security scores and the potential business impact of cybersecurity threats.

The majority of the data comes from sources most of us can access, such as local and national media, white papers and reports, online activity and articles, and security ratings.

Security ratings are a bit like a credit rating or a FICO score; they’re objective measurements determined by an independent third party that help you measure the amount of risk you carry based on current threats and your security practices.

There are a number of companies that provide security ratings services, including Security Scorecard, Panorays, BitSight, FortifyData, RiskRecon and UpGuard. The higher your rating, the better you are able to defend against threats.

2. Operational

Operational intelligence refers to specific cyberattacks. It provides information on the nature and timing of the attack, as well as background on the group carrying out the attack, which can be particularly helpful in guarding against unexpected advanced persistent threats. This information is highly valued because, once known, security teams can put proven controls in place to block the attack before it happens.

This type of intelligence is targeted toward technical audiences, such as the security operations team that can help prevent the attack.

Operational intelligence is difficult to obtain, however. It requires intercepting the hackers’ communications in advance of the attack or persuading a threat actor to reveal the plot. Still, some actors do communicate in public forums, so this information is sometimes picked up in internet chat rooms, social media platforms, and forums on the open and dark web.

3. Tactical

Tactical intelligence shares information about known external threats so security teams can scan networks looking for unauthorized login attempts, a spike in file transfers, bad IP addresses, and other indicators of compromise (IOCs).

This information is openly shared in feeds and forums, as security teams pass on threats they’ve encountered and how they’ve defended against them, so other teams can do the same to protect their networks.


The 6 steps of the threat intelligence lifecycle

The threat intelligence process is well-defined and complex. As you’ll see as you read through the steps, collecting and leveraging threat intelligence is a challenging endeavor and probably out of reach for most small business owners.

If your data and systems do require this level of threat protection, it’s probably best to contract with outside security providers rather than hiring a security team to monitor, prioritize, and resolve threats and breaches.

1. Direction

In the direction phase, you decide where to focus security efforts and how you will do it. Essentially, you’re setting the goals for your threat intelligence initiative. This includes which assets and processes you need to protect, the impact on your business if those assets are compromised, the types of intelligence you need, and, most importantly, where to focus your efforts.

With the growing number of threats, no organization, no matter how small or large, can eradicate every threat. It’s more important to choose the assets you most need to protect (such as sensitive customer financial data or employee records), then focus your time and attention on guarding them.

2. Collection

In this phase, you collect data about potential threats, either through automated technology or by manual means. Sources for this stage include metadata and logs from applications, network infrastructure, and security tools; monitoring of human interactions (chat rooms, etc.); threat data feeds; media outlets; and many more.

3. Processing

In technical terms, processing the data means structuring, decryption, language translation, parsing, data reduction, filtering, data correlation, and data aggregation.

In layman’s terms, processing the data means collating it, exporting it, putting it into standardized formats, identifying duplicate information and anomalies, and creating reports that can be understood by stakeholders. This is the point where complex data becomes actionable intelligence.

4. Analysis

Processed data is objective, timely, accurate, and actionable, so you can extract intelligence from the collected information.

Analysis is the process of reviewing all data to identify evidence of compromise and determine the actions required. Data analysts use deduction, induction, abduction, and the scientific method to interpret the information and recommend actions to take.

Depending on the information presented, that decision might involve investigating a potential threat, immediately blocking an attack, or taking even more aggressive steps.
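
The Processing and Analysis steps above, sketched as an added example (not from the original article): entries from two constructed feeds are parsed, filtered, deduplicated, and aggregated, then correlated against constructed log lines. The feed names, log layout, and function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds: documentation-range IPs and example domains only.
FEEDS = {
    "vendor_feed": ["203.0.113.7", "hxxp://bad.example[.]com/login", "198.51.100.23 "],
    "community_feed": ["203.0.113.7", "BAD.example.com", "not-an-indicator!!"],
}
# Constructed sample log lines in a simplified "time source action target" layout.
LOGS = [
    "2020-11-20T10:01:02Z 10.0.0.5 CONNECT 203.0.113.7",
    "2020-11-20T10:01:09Z 10.0.0.8 DNS bad.example.com",
    "2020-11-20T10:02:30Z 10.0.0.5 CONNECT 192.0.2.10",
]
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def normalize(raw):
    """Return (kind, value) for a raw entry, or None if it is not a usable indicator."""
    value = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    value = re.sub(r"^https?://", "", value).split("/")[0]  # keep the host part only
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        return ("domain", value) if DOMAIN_RE.match(value) else None


def process(feeds):
    """Parse, filter, and deduplicate entries; record which feeds reported each one."""
    indicators = defaultdict(set)
    for source, entries in feeds.items():
        for raw in entries:
            ioc = normalize(raw)
            if ioc:
                indicators[ioc].add(source)
    return dict(indicators)


def analyze(indicators, logs):
    """Correlate log targets with indicators; more reporting feeds sorts first."""
    hits = []
    for line in logs:
        timestamp, src, _action, target = line.split()
        ioc = normalize(target)
        if ioc in indicators:
            hits.append((timestamp, src, ioc[1], len(indicators[ioc])))
    return sorted(hits, key=lambda hit: -hit[3])
```

Each hit carries the number of feeds that reported the indicator, which gives a simple basis for deciding what to investigate first.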

5. Dissemination

The next step is to send the information to the stakeholders who can act on the findings. This is done through threat indicators, security alerts, threat intelligence reports, and tool configuration information.

Strategic threat intelligence is sent to executives to help them plan business strategy around potential risk and compromise. Operational intelligence goes to the security and network managers and practitioners so they can focus on defending your network against specific, known threats.

Tactical intelligence goes to IT services and security operation center (SOC) managers and architects who focus on adversaries’ threat intelligence platforms.

6. Feedback

You should regularly solicit feedback from those who receive threat intelligence in your company. Make sure they’re getting the type of information they need, and ask what could be done better. This should be an ongoing process because new threats arise every day, and their needs today may change significantly by tomorrow.


Leave it to the experts

Few small business owners have the time, expertise, or interest in being an integral part of their threat intelligence initiative.

The best solution may be finding a managed services provider (MSP) who can adeptly collect, analyze, and respond to threat intelligence. Most offer monthly subscription fees on a sliding scale based on the size of your organization, so they should be well within your budget.

Remember, as with most security measures, your efforts should scale with your business. If you don’t have highly sensitive data to protect, or you’re a sole proprietor who works off one laptop connected to the cloud, your best bet may simply be investing in a virtual private network (VPN). Let a professional evaluate your needs and follow their recommended best practices for network security. Also be sure to check out The Blueprint's reviews on the best endpoint security software for your business.
