Updated: Apr 30, 2020
Warfare has existed for as long as humankind has, and in today's ruthlessly competitive, saturated and disrupted market, the business threat landscape often resembles a battlefield.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu, The Art of War
Threat intelligence, or cyber threat intelligence (CTI), is information an organization uses to understand the threats that have targeted, are currently targeting, or will target the organization. This information is used to prepare for, prevent, and identify cyber threats looking to take advantage of valuable resources.
Operating a business in a world where any number of cyber threats could bring an organization to its knees can be downright terrifying at times. Threat intelligence helps companies gain valuable knowledge about these threats, build effective defence mechanisms and mitigate the risks that could damage their bottom line and reputation. After all, targeted threats require targeted defence, and cyber threat intelligence delivers the capability to defend more proactively.
Why Is Cyber Threat Intelligence Important?
Cyber threat intelligence gathers key information about new and existing threat actors from many different sources. CTI teams then analyze the collected data to produce threat intelligence feeds and reports containing only the most important information, which automated security controls and management can use to make security decisions for the company. The fundamental purpose of CTI is to keep companies informed of the advanced persistent threats, exploits and zero-day threats they are most vulnerable to, and of how to take action against them.
When implemented well, threat intelligence can help to achieve the following results:
Knowing where an attack is coming from, its timing and how well-equipped the adversary is allows you to quickly determine which defences are the most effective and implement them with near-perfect efficiency (i.e. the least amount of resources spent), thus prioritizing spending based on unique knowledge of threats. Cost savings across IT security teams can be very significant: $39,638 per team member per year, to be exact. Considering that the average starting salary of an IT security analyst is roughly twice that, in cost savings alone that's like hiring a free third analyst for every two your organization might already have.
Needless to say, having detailed, relevant and up-to-date data about the attackers' tools, tactics and arsenal leads to a dramatically reduced level of risk for the entire enterprise.
Even after a compromise, knowing where the attack is coming from and what approach the adversary is taking helps the business to improve not only detection speed but also incident response and triage efforts. According to research, organizations identified threats 10 times faster and resolved them 63% quicker once they started using cyber threat intelligence. It is how these statistics break down that reveals the significant difference threat intelligence makes. Before using CTI, organizations identified threats only 0.4 days on average before they became impactful, and took 15.6 hours on average to resolve them. With CTI, the average lead time between identifying a threat and its becoming impactful stretched to 4.1 days (10 times faster), and the time it took security teams to resolve a threat was lowered to only 5.7 hours on average (63% quicker).
In-depth Threat Analysis
Cyber threat intelligence helps the organization to analyze the often unique attributes or TTPs (tactics, techniques and procedures) of attackers specific to the industry sector and environment in which the business operates. Through careful analysis, threat researchers can accurately establish how the attacker (the "threat actor") behaves and formulate an adequate mitigation/retaliation strategy.
Threat Intelligence Sharing
Threat intel sharing is an increasingly popular practice, especially among healthcare, nonprofit and educational sector organizations. It effectively means pooling intelligence, vulnerability and related security information among all the participants, which in turn creates a more holistic ecosystem with higher degrees of visibility. Even if one or more entities are compromised, sharing crucial cybersecurity information with the rest of the network, such as how the adversary executed the attack, might help the others prevent further breaches from occurring.
Finally, an effective cyber threat intelligence pipeline keeps leaders, stakeholders and users informed about the latest threats and repercussions they could have on the business.
It can be tempting to consider CTI an optional "nice-to-have" feature, but cybersecurity controls are at their peak efficiency when placed in an ecosystem spanning three interconnected levels: infrastructure (security configuration and controls), operations (people and processes) and threat intelligence feeds. Ignoring any one of these components does not do the organization any favours.
Ask yourself: is your business well protected at each of these levels?