The ultimate guide to threat intelligence for corporate security

We’ll provide practical answers to the most asked questions surrounding threat intelligence for corporate security:

  • What is threat intelligence?
  • Why is threat intelligence important?
  • What’s the difference between information and intelligence?
  • What are the different types of threat intelligence?
  • Who is threat intelligence for?
  • What are some other threat intelligence use cases?
  • What threat intelligence solutions are available?
  • How do I know which is the best threat intelligence solution for me?

What is threat intelligence?

As explained by Gartner, threat intelligence is the information that an organisation uses to understand the threats it faces now and the threats it could face in the future. This information starts as data which is gathered by analysts before it is processed and analysed in order to provide context such as the impact, capability or intent of the threat.

Threat intelligence helps you to make more informed decisions that will help you to prepare, prevent and mitigate the impact of threats. Ultimately, threat intelligence provides you with the insight you need to better protect your people, assets, reputation and bottom line.

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

- Gartner

Why is threat intelligence important?

Across the world, threats are constantly evolving and business security risks are increasing.

Whilst some businesses may not consider themselves to be operating in high-risk or dangerous areas of the world, profound social instability, failure in governance and deepening polarisation between opposing political and cultural views are creating new threats, in new places. In just the past few years, globally, we have seen events and incidents unfold that would have seemed far removed from reality in decades gone by.

This is why the need for high-quality threat intelligence in corporate security is growing rapidly. To keep abreast of the many dangers and risks that our international security landscape now presents, a constant stream of data and information can be the lifeline that keeps businesses, their people and their assets safe.

What’s the difference between information and intelligence?

Data is not the same as intelligence.

And with the overwhelming amount of data that can be found every day, a stream of raw information can be just that — overwhelming. To generate value from data, it should be subject to the intelligence cycle.

The intelligence cycle is a structured process, commonly applied in a military environment, and is used to gather information, convert it into relevant intelligence, and pass it to those who require it — the decision makers.

Implementing the intelligence cycle provides an order to the collection and information gathering process. It states exactly what needs to be collected, in what priority and when.

1. Direction

The first stage of the cycle is to determine the intelligence requirements and plan the collection efforts — creating a clear focus and list of priorities for the intelligence team, and ensuring that all information gathered is geared towards a clear purpose.

2. Collection

The process of gathering raw data that fulfils the requirements set out in the Direction stage of the cycle. You need to include a wide range of sources as part of your collection efforts. Intelligence Fusion, as an example, uses over 11,000 open sources to identify information that will be processed through the next stages of the intelligence cycle.

3. Processing

This phase of the intelligence cycle is key to turning information into intelligence and consists of the data being collated, evaluated, analysed and interpreted by our team of analysts.

Information picked up as part of the collection process goes through several stages of collation, evaluation, analysis and interpretation to become actionable intelligence.

Collation groups related information together before being evaluated based on credibility and reliability of the original source. Information cannot simply be taken at face value, so it’s important to indicate how much confidence can be placed in each item of information.

The evaluated data is then analysed. Significant facts are identified, verified and accurately geo-located before finally being interpreted to understand how significant the information is, and how it relates to what is already known. This is judged via a process of comparison and deduction based on common sense, knowledge and experience.

4. Dissemination

The final stage of the intelligence cycle is the timely delivery of intelligence to those who need it.

Intelligence must be disseminated in a way that’s appropriate for the user, highlighting the key facts and our interpretation, comment or assessment.

What are the different types of threat intelligence?

Threat intelligence is often broken down into three subcategories:

  • Strategic
  • Operational
  • Tactical

Different information is required at different levels of the organisation, depending on the type of decisions they make. Ensuring that the right team has the right information can be key to protecting your organisation.

Strategic Threat Intelligence

Strategic intelligence focuses on broad issues which impact and direct strategy. It provides a high level of information on your organisation’s current security posture as well as the security landscape you operate in. It’ll explore the worst case scenarios from potential threats and their possible impact on your business.

It’s typically used to make decisions at a high level, and therefore should include evidence-based and informed projections regarding the security landscape of your industry. It should help you plan for the resources and tools you’ll need to mitigate future threats.

Operational Threat Intelligence

Operational intelligence requires real time, or near real-time data. This data is required at speed as it’s typically used to inform decisions that require a quick response. For example, operational intelligence in the military is used during combat by people on the battlefield, rather than in the planning phase.

For you, it may mean responding to an incident that has occurred close to where you have colleagues currently travelling. You’ll need timely information on what’s happening and the severity of the situation before making decisions that will ensure their safety.

Tactical Threat Intelligence

Tactical intelligence is intelligence that is required for planning and conducting tactical operations. It’s aimed at those making the day-to-day decisions, prioritising tasks and allocating resources in order to keep the business moving.

This means that they need regular updates with the latest information in order to keep them on track and ensure that they’re achieving the objectives that are set with the help of strategic intelligence.

Who is threat intelligence for?

Every security role can benefit from threat intelligence. In fact, it’s increasingly common for intelligence to be shared with, and utilised by, the wider organisation, but it’s essential to security departments.

It’s a key component that can empower your team and support multiple different security functions by providing a clearer understanding of the current threat landscape.

Threat intelligence can feed into your duty of care, and help you to protect your people as they conduct business across the globe. It can allow you to better advise them ahead of their trip so they too have an understanding of the place they’re visiting, as well as ensure they’re safe throughout their travels. Timely threat intelligence enables you to constantly monitor the security situation, quickly identify a change and respond to emergencies where necessary.

It can also help you to mitigate risks to your other mobile assets such as cargo, vessels and aircraft — helping you to plan the safest and quickest route and notifying you of disruption so that you can divert your assets with minimal impact to your supply chain.

And it’s not just the assets that move either. You can better protect your static assets too by understanding what’s happening around them. The knowledge that threat intelligence provides you with will enable you to implement more stringent security measures following early identification of a string of commercial burglaries in your area, or justify an increase in security costs because the crime rate around one of your facilities is rising.

Beyond your security team, implementing a threat intelligence solution within your company can help to set investment priorities, understand your weaknesses and limit reputation damage.

What are some other threat intelligence use cases?

Because of our diverse client base, we know the use cases for threat intelligence can differ significantly. Each organisation has different objectives and priorities, and they need data that reflects that.

At Intelligence Fusion, we conduct an Intelligence Collection Plan (ICP) with every new client that comes on board. This allows us to better understand what they’re trying to achieve, which then helps to guide our collection efforts.

Taking a more tailored approach to our data gathering means that our clients get a more refined, highly valuable stream of intelligence and, most importantly, an understanding of its impact on their business and operations.

Some use cases for threat intelligence include:

Incident Response

We work with operations centres across the world and typically, their main aim is to receive information that may have an impact on their business as quickly as possible. They rely on our alerting functionality to inform them of breaking news and developments so that they can quickly implement the appropriate procedures to ensure people are safe, assets are protected and that any disruption to their operations is minimised.

Risk Analysis

Analysing risk means looking at the likelihood of something happening, and understanding the impact if it does.

To do this effectively, you need data. The data will firstly allow you to identify what the biggest threats to your organisation are, then how likely they are to happen. Having a database of historical information will not only allow you to quickly identify what risks you’ve been exposed to in the past, but how many times they’ve occurred and hopefully, what the negative consequences were.

And this doesn’t have to be threats that your business has been subject to directly. Your competitors may have been affected, directly or indirectly, or even risks that impact the entire industry you operate in. Political risks such as a change in government policy or even foreign influence, whilst not directly targeting your business, can significantly impact your operations.

Threat intelligence can help you answer questions such as:

  1. What types of threats exist?
  2. Which threats have occurred?
  3. How often do they occur?
  4. How is this changing over time?
  5. What threats affect my competitors?
  6. Which threats could affect us?
  7. Have we already been targeted?
  8. Who is targeting us?
  9. Why would they target us?
  10. What are their tactics?

Identifying and understanding the risks enables you to make more informed decisions, develop proactive mitigation strategies and justify associated budget and staffing requirements.

What threat intelligence solutions are available?

In addition to the types of threat intelligence that are available, there are several different types of intelligence solutions too.

Depending on your current set up and budget, you may just require the data. For example, if you have an existing platform or interface that you can use to visualise the data, you can ingest threat intelligence API feeds into your software to enhance or improve your current dataset.

If this isn’t the case, your best option is to look into threat intelligence platforms. This solution will not only provide you with the data itself, but the best software solutions will help you better interpret the information and provide perspective through intuitive intelligence tools and powerful visualisation capability.

How do you know the best solution for you? Typically, you’ll find that the biggest difference in threat intelligence providers is the way in which they collect and gather the data.

Automated Collection

The meteoric rise of artificial intelligence and machine learning tools has changed the way many industries operate — security and intelligence being one of them.

In order to increase the speed of gathering data, and reduce the overheads of hiring a team of expert analysts, many intelligence providers have introduced automated collection.

Algorithms are built to comb through news articles and social media feeds from around the world to monitor trends, geopolitical developments, and potential crises in real-time. Tools such as natural language processing are utilised to assist machines to compute the meaning of words and provide context in the same way that humans do. The end product is large volumes of very fast data being fed to the users.

Threat intelligence solutions that solely rely on automated collection are usually configured so that the algorithms identify key words or phrases on social media. Any tweet or post containing that trigger word will activate an alert.

It goes without saying that there are many benefits to this kind of threat intelligence software. However, a purely automated solution can also have its drawbacks.

Without any human involvement in the collection process, there’s very little analysis or context. The data is in its most raw format, so unless you have a team of analysts on your team who can weed out the most relevant alerts, it can be overwhelming.
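The keyword-trigger behaviour described above, followed by the collation and source-evaluation steps from the Processing stage, sketched as an added Python example (not Intelligence Fusion's code). The posts are constructed sample data, and the A-E source grades and confidence thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample posts, not real data. "grade" is an assumed A-E source
# reliability rating (A = most reliable) assigned to each source in advance.
POSTS = [
    {"source": "national_newswire", "grade": "A", "place": "Port District",
     "text": "Explosion reported at fuel depot, roads closed"},
    {"source": "local_radio", "grade": "B", "place": "Port District",
     "text": "Residents report explosion near the fuel depot"},
    {"source": "anon_account_1", "grade": "E", "place": "Port District",
     "text": "huge explosion!!! whole port is gone"},
    {"source": "retail_blog", "grade": "D", "place": None,
     "text": "An explosion of new coffee shops this year"},
    {"source": "anon_account_2", "grade": "E", "place": "City Hall",
     "text": "Protest planned at city hall tomorrow"},
    {"source": "local_radio", "grade": "B", "place": "City Hall",
     "text": "Council meeting rescheduled to Friday"},
]
TRIGGERS = ("explosion", "protest", "shooting")
GRADE_SCORE = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}

def keyword_alerts(posts, triggers=TRIGGERS):
    """Automated collection only: every post containing a trigger word alerts."""
    alerts = []
    for post in posts:
        words = set(re.findall(r"[a-z]+", post["text"].lower()))
        alerts += [{**post, "trigger": t} for t in triggers if t in words]
    return alerts

def collate(alerts):
    """Collation: group alerts that share a trigger word and a location."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["trigger"], alert["place"])].append(alert)
    return groups

def evaluate(groups):
    """Evaluation: rate each group by best source grade and corroboration."""
    rated = []
    for (trigger, place), items in groups.items():
        sources = {a["source"] for a in items}
        best = max(GRADE_SCORE[a["grade"]] for a in items)
        if place is None:
            confidence = "unlocated"  # cannot be geo-located, needs an analyst
        elif best >= 4 and len(sources) >= 2:
            confidence = "high"       # reliable source plus corroboration
        elif best >= 4:
            confidence = "medium"
        else:
            confidence = "low"
        rated.append({"trigger": trigger, "place": place,
                      "sources": len(sources), "confidence": confidence})
    return rated

if __name__ == "__main__":
    for item in evaluate(collate(keyword_alerts(POSTS))):
        print(item)
```

Five raw keyword alerts collapse into three rated items, and the figurative "explosion" post is set aside for review instead of being treated as an incident.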

Analyst-led Collection

With an analyst-led intelligence solution, the data collection is manual. There will be a team of analysts identifying and processing the data they gather, which is then disseminated via a threat intelligence platform.

The best intelligence providers will hire analysts who will likely have built up years’ worth of expertise in the region or specialism that they cover. They’ll be able to provide unparalleled context to incidents and provide additional insight into the ‘so what’ factor of intelligence — essentially, why is this incident important and what does it mean to you?

By helping you to answer these questions, you can save time, effort and resources interpreting the data on your end. Analyst-led collection can be particularly beneficial if you have a small team or if risk analysis is the main use case for your business.

If you’re looking at threat intelligence for incident response, an analyst-led solution may not provide you with the timeliness required to meet your objectives, unless the provider is focussed on one particular area.

Hybrid Collection

Both speed and context are important to provide the most accurate and actionable threat intelligence. At Intelligence Fusion, we’ve taken a hybrid approach.

We’ve built a team of military-trained analysts, who operate our 24/7 Operations Centre. Their job is to gather, evaluate and assess information, but they’re supported by data scraping tools which were designed to better identify incident details across the internet. By fusing automated collection with the expertise of our analysts, we balance speed and accuracy to provide the most valuable overview possible.

All of our data is verified, carefully geolocated as well as contextualised to provide you with practical, valuable intelligence that you can view in our award-winning platform.

How do I know which is the best threat intelligence solution for me?

Having access to threat intelligence is only useful when you use it effectively to provide you with a situational awareness that’s relevant to you.

All too often, security and intelligence teams will find themselves changing their internal processes to work around the threat intelligence they have in place. Off-the-shelf software always has limitations, because it’s built to cater for the needs of multiple sectors. You’ll often find yourself paying for tools you don’t necessarily need or buying into multiple solutions in order to solve the different challenges you and your team face.

Finding a threat intelligence solution that can be customised to reflect the way you operate, rather than the other way around, can be a gamechanger.

You can hand-pick the tools and features that best meet the needs of your team, and the price will therefore reflect that. So no matter the stage of your business, size of your team or the budget you’ve got, you can build the most valuable threat intelligence platform for you and your needs.

It also means that you’ve got a partner for the long-term too. Tailored solutions are more scalable, so if there are any changes in your internal situation, or even changes in the global security situation, you can quickly adapt.

We always recommend that you assess all of your options before making a decision on a threat intelligence solution. It’s a big investment, and such an important piece of your security infrastructure.

Before speaking to providers, you should identify:

  1. What are the biggest challenges you face as a team?
  2. What do you need from a threat intelligence solution?
  3. Does your current solution have gaps? What do you wish it could do?
  4. What are your wider security goals and objectives?
  5. How much are you willing to invest in order to achieve this?

Understanding your current situation, and how you’d like that to improve, will make the evaluation phases much easier.

And when you’re ready to start that process, we’d love to hear from you. We offer free demonstrations of our product, with no obligation to take the conversation further. But if you’re interested, we can set up a 14-day free trial of our software too, to help you get to grips with the data we provide and the kind of tools available.

Schedule a demo online, or reach out to a member of the team on info@intelligencefusion.co.uk to get started.

Originally published at https://www.intelligencefusion.co.uk.


A threat intelligence data and software provider, helping security professionals across the globe better protect their people, assets and operations.
