What is threat intelligence?

Threat intelligence, also known as "cyberthreat intelligence" (CTI) or "threat intel," consists of detailed, actionable information designed to prevent and combat cybersecurity threats targeting an organization. This intelligence aids security teams in adopting a proactive stance, allowing them to take effective, data-driven actions to thwart cyberattacks before they happen. Additionally, it helps organizations detect and respond to ongoing attacks more swiftly. Security analysts generate threat intelligence by collecting raw threat data and security-related information from various sources. They then correlate and analyze this data to identify trends, patterns, and relationships, providing a comprehensive understanding of current or potential threats. The resulting intelligence is

  • organization-specific, focusing not on generalities (such as lists of common malware strains) but on specific vulnerabilities within the organization’s attack surface, the attacks these vulnerabilities enable, and the assets they expose.

  • detailed and contextual, encompassing not only the threats targeting the organization but also the threat actors likely to carry out these attacks. It includes the tactics, techniques, and procedures (TTPs) employed by these threat actors, as well as the indicators of compromise (IoCs) that might signal a specific cyberattack.

  • actionable, offering information that security teams can use to address vulnerabilities, prioritize and remediate threats, and evaluate existing or new cybersecurity tools.

According to IBM's Cost of a Data Breach 2022 report, the average data breach costs its victim USD 4.35 million. Detection and escalation expenses make up the largest share of that figure, totaling USD 1.44 million. Threat intelligence gives security teams the insight they need to identify attacks promptly, which reduces detection costs and limits the damage of successful breaches.

Types of threat intelligence

The threat intelligence lifecycle generates various types of intelligence, contingent upon the stakeholders involved, established requirements, and the overarching objectives of each lifecycle instance. Generally, three broad categories of threat intelligence emerge.

Tactical threat intelligence

Tactical threat intelligence is the type used by the security operations center (SOC) to detect and respond to ongoing cyberattacks. It concentrates primarily on common indicators of compromise (IoCs), such as IP addresses linked to command and control servers, file hashes associated with known malware and ransomware incidents, or email subject lines connected to phishing attempts. Tactical threat intelligence helps incident response teams distinguish false alarms from genuine threats, and it also supports threat-hunting efforts aimed at uncovering advanced persistent threats (APTs) and other covert attackers.

Operational threat intelligence

Operational threat intelligence assists organizations in anticipating and thwarting future attacks. Sometimes referred to as 'technical threat intelligence,' it delves into the tactics, techniques, and procedures (TTPs) employed by identified threat actors. This includes the attack vectors they employ, vulnerabilities they exploit, and assets they target. CISOs, CIOs, and other key decision-makers in information security utilize operational threat intelligence to pinpoint threat actors with a high likelihood of targeting their organizations. They then formulate strategic responses, implementing security controls and other measures specifically designed to counteract these anticipated attacks.

Strategic threat intelligence

Strategic threat intelligence provides a comprehensive view of the global threat landscape and how an organization fits into it. It offers decision-makers beyond the realm of IT, such as CEOs and other executives, insight into the cyberthreats confronting their organizations. Typically, strategic threat intelligence delves into geopolitical circumstances, industry-specific cyberthreat patterns, or the rationale behind targeting certain strategic assets of the organization. Stakeholders leverage this intelligence to align broader organizational risk management strategies and investments with the evolving cyberthreat landscape.

What is a malware signature?

A signature is a distinctive pattern or sequence of bytes used to identify malware. Much as fingerprints are used to identify individuals suspected of a crime, signatures help recognize malicious software. Signature detection is one of the most widely used methods in malware analysis. To remain effective, signature detection requires continual updates with the latest malware signatures observed in the wild: a sample whose bytes differ from every known pattern goes undetected until a signature covering it is added.
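To make the byte-pattern idea concrete, here is an added example, not code from the original article: a minimal scanner that compiles hex signatures (with `??` as a one-byte wildcard, a convention borrowed from antivirus signature formats) into byte regexes and reports where each one occurs. The signature names, patterns and sample byte strings are constructed for illustration and are not real malware signatures. The last sample shows why the database must be kept current: a variant that differs in a single byte is not matched until a signature covering it is added.

```python
# Added example (not from the original article): a minimal byte-signature
# scanner. Signatures are hex strings in which "??" matches any single byte,
# a convention used by several antivirus signature formats. Every signature
# and sample below is constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str  # hex string such as "4d 5a ?? 00"; "??" is a one-byte wildcard


def compile_signature(sig: Signature) -> re.Pattern[bytes]:
    """Turn a hex signature with '??' wildcards into a compiled bytes regex."""
    hexstr = sig.pattern.replace(" ", "").lower()
    if len(hexstr) % 2:
        raise ValueError(f"{sig.name}: odd-length hex pattern")
    parts: list[bytes] = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        if pair == "??":
            parts.append(b".")  # any single byte (DOTALL makes '.' match 0x0a too)
        else:
            int(pair, 16)  # raises ValueError on non-hex input
            parts.append(b"\\x" + pair.encode("ascii"))  # regex escape \xhh
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: list[Signature]) -> list[tuple[str, int]]:
    """Return (signature name, byte offset) for every signature found in data."""
    hits: list[tuple[str, int]] = []
    for sig in signatures:
        match = compile_signature(sig).search(data)
        if match:
            hits.append((sig.name, match.start()))
    return hits


# Constructed signature database; names and patterns are illustrative only.
SIGNATURES = [
    Signature("Example.Dropper.A", "DE AD BE EF ?? ?? 13 37"),
    Signature("Example.Stager.B", "55 8b ec 83 ec ?? c7 45"),
]

# Constructed samples: one carries the dropper pattern (with arbitrary bytes in
# the wildcard positions), one is benign, and one is a "new variant" whose last
# byte differs, so the current database does not yet cover it.
SAMPLE_HIT = b"\x4d\x5a\x90\x00" + b"\xde\xad\xbe\xef\x01\x02\x13\x37" + b"\x00" * 8
SAMPLE_CLEAN = b"\x4d\x5a\x90\x00" + b"\x00" * 16
SAMPLE_VARIANT = b"\x4d\x5a\x90\x00" + b"\xde\xad\xbe\xef\x01\x02\x13\x38"

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN), ("variant", SAMPLE_VARIANT)]:
        print(f"{label:8s} -> {scan(blob, SIGNATURES)}")
```

Running the block prints one match for the first sample at offset 4 and nothing for the other two; adding a signature for the variant's trailing bytes is exactly the kind of update the paragraph refers to.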

What are indicators of compromise (IoC)?

An indicator of compromise (IoC) is a piece of data that helps determine whether an attack has taken place or is ongoing. Much like the physical evidence a detective gathers to establish who was present at a crime scene, IoCs are digital clues, such as abnormal activity in logs or unauthorized network traffic from a server, that let administrators discern whether an attack occurred and what form it took. In the absence of IoCs, detecting that an attack has unfolded can be difficult. It is frequently in the attacker's interest to evade detection, particularly if they intend to use a compromised device as part of a botnet, for instance.

What is a threat intelligence feed?

A threat intelligence feed functions as an external conduit for threat intelligence data. Analogous to an RSS feed for blogs, organizations have the option to subscribe to a threat intelligence feed to receive ongoing security updates for their systems. These feeds vary in nature: some are freely accessible, while others entail a cost and furnish proprietary intelligence not accessible through open sources.
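As an added example (not code from the original article) that ties together the tactical IoC types described earlier (IP addresses, file hashes, email subject lines) and the feed described here, the code below parses a constructed CSV feed and matches its indicators against constructed firewall, EDR and mail log lines. The feed layout, the log field names (`src`, `dst`, `sha256`, `subject`) and every indicator and log value are assumptions made for the example; real feeds are delivered in formats such as STIX/TAXII or MISP. Hashes and subject lines are normalized to lower case before comparison, while IP addresses are compared verbatim.

```python
# Added example (not from the original article): matching tactical IoCs from a
# threat intelligence feed against log records. The feed format, log formats,
# indicator values and log lines below are all constructed for illustration.
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict

# Constructed values; "deadbeef" * 8 is obviously not a real file hash.
CONSTRUCTED_HASH = "deadbeef" * 8

# Constructed feed in a simple CSV layout (assumed format, not a real vendor feed).
FEED_CSV = f"""type,value,description
ip,198.51.100.23,C2 server for Example.Dropper.A
sha256,{CONSTRUCTED_HASH.upper()},Example.Stager.B payload
subject,Invoice overdue - action required,Phishing lure seen in campaign X
"""

# Constructed log lines in key=value style, one each from a firewall, an EDR
# agent and a mail gateway; the second firewall line is benign.
LOGS = [
    "fw: 2024-01-01T10:00:00Z allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "fw: 2024-01-01T10:00:01Z allow src=10.0.0.6 dst=203.0.113.9 dport=443",
    f"edr: 2024-01-01T10:02:00Z host=ws-07 exec path=C:\\Users\\a\\tmp.exe sha256={CONSTRUCTED_HASH.upper()}",
    'mail: 2024-01-01T10:05:00Z from=billing@example.net subject="invoice overdue - ACTION required"',
]

# Assumed mapping from log field names to indicator types in the feed.
FIELD_TYPES = {"src": "ip", "dst": "ip", "sha256": "sha256", "subject": "subject"}
CASE_INSENSITIVE = {"sha256", "md5", "subject"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def normalize(kind: str, value: str) -> str:
    """Hashes and subject lines compare case-insensitively; IPs are kept verbatim."""
    value = value.strip()
    return value.lower() if kind in CASE_INSENSITIVE else value


def load_feed(text: str) -> dict[str, dict[str, str]]:
    """Parse the CSV feed into {indicator type: {normalized value: description}}."""
    indicators: dict[str, dict[str, str]] = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        indicators[kind][normalize(kind, row["value"])] = row["description"].strip()
    return indicators


def parse_fields(line: str) -> dict[str, str]:
    """Extract key=value pairs; quoted values may contain spaces."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def match_logs(lines: list[str], indicators: dict[str, dict[str, str]]) -> list[dict[str, str]]:
    """Return one hit record per (log line, field) whose value is a known indicator."""
    hits: list[dict[str, str]] = []
    for line in lines:
        fields = parse_fields(line)
        for field, kind in FIELD_TYPES.items():
            if field not in fields:
                continue
            value = normalize(kind, fields[field])
            description = indicators.get(kind, {}).get(value)
            if description is not None:
                hits.append({"line": line, "type": kind, "field": field,
                             "value": value, "description": description})
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, load_feed(FEED_CSV)):
        print(f"[{hit['type']}] {hit['field']}={hit['value']} :: {hit['description']}")
        print(f"    {hit['line']}")
```

Run as a script, the block reports three hits (the C2 IP, the payload hash and the phishing subject) and ignores the benign firewall line. In a production SOC pipeline the same matching step would run inside the SIEM against the feed's current indicator set, with indicator expiry and confidence scores layered on top.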

  • Malware disassemblers

These tools engage in reverse engineering of malware to comprehend its functionality and aid security engineers in devising defenses against potential future attacks of a similar nature.

  • Security information and event management (SIEM) tools

SIEM tools let security teams monitor networks in real time, collecting data on anomalous activity and potentially malicious traffic.

  • Network traffic analysis tools

Network traffic analysis tools gather and log network data to furnish insights that facilitate the detection of intrusions, simplifying the process of identifying unauthorized access or suspicious activities.

  • Threat intelligence communities and resource collections

Freely accessible websites that aggregate known indicators of compromise and community-generated threat data serve as valuable sources of threat intelligence. Certain communities facilitate collaborative research and offer actionable guidance on preventing or mitigating threats.

Organizations equipped with awareness of emerging threats and strategies for avoidance can proactively prevent attacks before they occur. Incorporating the gathering and review of threat intelligence into the enterprise security strategy is essential for every organization.