
What is Threat Intelligence?

    Threat Intelligence Defined

    The practice of gathering intelligence is not a new concept. While the methods and motives may change, the main idea is to collect information that will help you stop some form of future damage or harm. Just like law enforcement and government agencies work to establish intelligence sources to prevent future crimes, organizations can collect intelligence to prevent future cyberattacks.

    This practice has become known as Cyber Threat Intelligence (CTI). There are lots of definitions that you can find for CTI, but the goal is to provide advance warning and proactive detection of cyberattacks before they’re carried out. In other words, it’s trying to understand the Who, What, Where, When and Why behind a cyberattack. Think of it like PreCrime from the movie Minority Report, but instead of PreCogs with visions of future crimes, you’re leveraging a vast amount of digital activity and data to predict a cyberattack.


    Cyberattacks are hardly ever done in isolation. There’s an entire underground ecosystem of data exchange, collaboration tools, black markets and chat rooms that are used primarily by cybercriminals. As hackers plan their attacks, they often tip their hand about how they will attack. These “Digital Breadcrumbs” can be tracked and used to anticipate when and how an attack might take place. For example:

    • Scenario 1: To launch a phishing attack, hackers often register domain names. If a domain is registered that’s very similar to one of your company’s domain names, it could be intended for an upcoming phishing campaign.
    • Scenario 2: Black market vendors often sell data dumps of stolen credentials or financial information. If a vendor posts a new listing of leaked credentials that contains email addresses from your company, that list could be purchased and used to illegally access your corporate systems.
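
Both scenarios can be checked mechanically against a list of your own assets. The Python below is an added example, not code from the original article: the owned domain, the registration feed and the leaked listing are constructed sample data, and all function names are hypothetical.

```python
import re

# Assumed digital footprint and digit-for-letter swaps seen in lookalike names.
OWNED_DOMAINS = {"example.com"}
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(label):
    """Undo simple character swaps so 'examp1e' and 'exarnple' read as 'example'."""
    return label.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")

def sld(domain):
    """Label left of the TLD (naive; a production tool would use the Public Suffix List)."""
    return domain.lower().rstrip(".").split(".")[-2:][0]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domains(registered, owned=OWNED_DOMAINS, max_dist=2):
    """Scenario 1: new registrations that embed or nearly match an owned name."""
    hits = []
    for dom in registered:
        if dom.lower() in owned:
            continue  # our own domain, not a lookalike
        cand = normalize(sld(dom))
        for own in owned:
            brand = normalize(sld(own))
            if brand in cand or edit_distance(cand, brand) <= max_dist:
                hits.append((dom, own))
                break
    return hits

def exposed_accounts(dump_lines, owned=OWNED_DOMAINS):
    """Scenario 2: addresses at owned domains in a leaked list; passwords are discarded."""
    found = set()
    for line in dump_lines:
        email = re.split(r"[:;,\s]", line.strip(), maxsplit=1)[0].lower()
        if "@" in email and email.rsplit("@", 1)[1] in owned:
            found.add(email)
    return sorted(found)

# Constructed sample inputs standing in for a registration feed and a leaked listing.
NEW_REGISTRATIONS = ["examp1e.com", "example-login.net", "exarnple.org", "weather-today.com", "example.com"]
LEAKED_LISTING = ["alice@example.com:REDACTED", "bob@mail.test:REDACTED", "Carol@Example.com;REDACTED"]
```

The flagged domains and addresses are leads for an analyst to confirm, since a short brand name will match unrelated registrations at `max_dist=2`.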

    In theory, threat intelligence is something that every company should be using. But going from raw data to finished intelligence is a challenging process, which has given rise to a variety of new tools and job functions.


    Data Vs. Information Vs. Intelligence

    Intelligence doesn’t just appear from thin air. Threat data needs to be collected, processed and analyzed for it to become threat intelligence. There’s no limit to the amount of threat and cybersecurity data out there, but the challenge is in turning this data into specific and actionable intelligence. Intelligence isn’t any good if it doesn’t help you take action.

    This process involves collecting millions of data points from various internal and external sources. This data must be processed and filtered, then lastly, and perhaps most importantly, context and relevancy need to be applied. This is what differentiates intelligence from information. To give you a basic example, you might find out that a bank robbery will happen next week, but if you don’t know if it’s your bank being targeted and don’t know how the robbery will happen, that information doesn’t do you much good.

    You need to know how a threat relates to your business and your customers. That’s why context and relevancy are critical in order for information to be turned into intelligence.


    Components and Types of Threat Intelligence

    As you might imagine, there are lots of different forms of intelligence, and many different sources. It’s important to leverage these various sources because they can all be used to help you uncover different tactics, tools and motives of your adversaries. Here are some of the key types of intelligence:
    • Open Source Intelligence (OSINT): Intelligence collected from publicly available or open sources. For example, web pages, open forums, intelligence feeds and any other sources that are openly accessible to users.
    • Signals Intelligence (SIGINT): Intelligence collected from intercepting signals from both communication and electronic sources. This is also referred to as Machine Intelligence, and is typically collected from devices like cell phones and computers.
    • Social Media Intelligence (SOCMINT): Intelligence collected from social media channels and networking sites. This can be considered a subset of OSINT, but given its specific use case for customer phishing and brand impersonation, some organizations consider this a unique source of intelligence.
    • Human Intelligence (HUMINT): Intelligence collected through interpersonal contact and engagement, rather than by technical processes, feed ingestion or automated monitoring. It’s typically a manual process, requiring a very specific set of skills and knowledge to remain undercover and not raise suspicion.
    • Dark Web Intelligence: Intelligence collected from monitoring dark web sources. These often include black markets, private chatrooms, dark web forums and other anonymized websites. 

    It’s important to note that these different types of intelligence are not mutually exclusive, but rather, a way of processing and interpreting data. For example, HUMINT and Dark Web Intelligence often overlap and involve similar activities, but the intent of the research and data collection may be different. 


    Threat Intelligence Use Cases

    As we mention above, there’s no limit to the amount of data out there, but the challenge is in turning this data into specific and actionable intelligence. So what are some of the ways you can use this intelligence?

    • Phishing Detection: Phishing is popular among attackers because it’s simple and it works. There are, however, proactive measures organizations can take to cut off these attacks before they can cause damage.
    • Vulnerability Prioritization: Given how fast the threat landscape grows and changes, manually correlating threat and exploit data to vulnerabilities is no longer a viable strategy.
    • Dark Web Monitoring: Attackers often tip their hands by doing things on the surface and dark web like scouting targets, using suspicious tools, and collaborating with other hackers.
    • Brand Protection: It takes lots of time, effort, and money to create a brand and build brand equity. That’s what makes brands so valuable – and such popular targets for hackers.
    • Fraud Detection: Most organizations have a range of IT security tools in place, such as firewalls, gateways, IDS/IPS, and malware detection systems. With these tougher defense-in-depth measures to beat, many hackers now use fraud instead.
    • Rogue & Fake Mobile App Detection: With users handling more and more of their daily activities via their smartphones and tablets, devices have become prime targets of hackers, and rogue mobile applications are becoming a preferred attack strategy.
    • VIP Protection: Organizations need to worry about cybersecurity for other senior people associated with their businesses, including investors, board members, and advisors.
    • External Threat Mitigation: Enterprise organizations need a more efficient way to monitor the online places where these attacks are formulated, as well as more targeted and decisive ways to take down external threats once they’ve been identified.
    • Internal Risk Remediation: The challenge for security teams is the time it takes to update their existing security devices to protect employees from hackers’ targeted attempts to exploit them.
    • Credential Leakage: The easiest and most effective way for any criminal to succeed is with direct, credentialed access. Stolen credentials may be used in order to infiltrate a company’s systems.
    • Cyber Risk Assessments: Your vendors, partners and investments are all part of your digital footprint and can be leveraged for cyberattacks against you.

    Threat Intelligence Best Practices

    Just like with any process or solution, there are always best practices for making its use more effective. Here are some best practices to keep in mind when developing and optimizing your threat intelligence program.

    • Leverage Your Digital Footprint for Relevancy and Context. As we discuss above, “intelligence” is only intelligent if it is relevant and contains context. Your digital assets (e.g. domains, IP ranges, brand names, loyalty programs etc.) can be used to help you understand if a threat relates to your organization or not.
    • Focus on Action, Not Searching. Time is of the essence when it comes to identifying and mitigating threats. Make sure your team’s focus is on taking action, not sifting through data looking for where to act.
    • Leverage Automation and Integrations. A great way to speed up the time-to-mitigate is through automation and integrations. Make sure your threat intelligence platform has options to integrate with your existing systems and security devices.
    • Expand Protection to Customers and Brand Reputation. Hackers like to target your weakest link, which oftentimes is your customers. With a variety of web and social media tools available, many cybercriminals try to impersonate your brand online to phish your customers. Your threat intelligence solution should be able to identify these types of attacks.
    • Take Down Fraud Campaigns and Cyber Scams. With the amount of financial data available online, cyber fraud has increased dramatically. Identifying and thwarting fraud attempts can help save your organization millions of dollars each year in costs.
    • Assess Cyber Risk for 3rd Party Organizations. Your vendors and partners can all be considered part of your cyber ecosystem, and can be exploited to access your data. It’s important to assess the cyber risk of your vendors, partners and strategic investments to minimize your risk of attack and data leakage.