What Is Threat Intelligence?
Thank you to Oyelakin Timilehin Valentina and Duane Dunston for contributing this article.
Threat intelligence (or threat intel) is information used to understand past, present, and future threats targeting an organization. It is evidence-based knowledge about a previous, existing, or emerging threat to organizational assets. Threat intelligence also includes settings, implications, mechanisms, context, and even action-oriented advice on the threat. Context here includes who the attackers are, what their motivation is, what their capabilities are, and what indicators of compromise are present in your systems. An indicator of compromise (IOC) is forensic data, for example an entry in a system log file, that identifies malicious activity on a system or network.
Also, threat intelligence can be defined as data analysis using tools and techniques to get information about an existing or emerging threat targeting the organization.
Notice that the definitions mentioned above include using knowledge (obtained from data) to achieve a common goal of mitigating cyber threats or cyberattacks.
In this series, we will define threat intelligence as collecting, processing, and analyzing data to produce meaningful knowledge: knowledge that lets us understand the pattern of previous or present attacks and leads to a stronger and better cyber defense that helps mitigate or prevent future attacks.
Importance of Threat Intelligence
Threat intelligence provides deep knowledge of the potential threats to an organization. It gives visibility into what is happening outside the network: using data from various tools and threat event sources, it helps the organization recognize the threats and exploits it is vulnerable to and build a risk management plan to prevent future threats.
Cyberattacks and data breaches lead to loss of data, but they also bring other costs: damage to the organization's reputation and market position, fines, lawsuits, investigation expenses, and post-incident restoration and remediation. Practical threat intelligence paired with effective defense strategies can save an organization money by reducing or avoiding the cost of data breaches.
When vulnerabilities are being actively exploited, practical threat intelligence can quickly identify them, mitigate their impact, and increase the security team's efficiency in handling security alerts. Threat intelligence also helps gather IOCs such as signatures of the tools used by attackers, malware characteristics, and malware behavior.
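The definition above describes an IOC as forensic data in a log file that identifies malicious activity, and this paragraph lists the kinds of IOCs a threat intelligence program gathers. The following is an added example, not code from the article or its authors, showing the simplest use a defender makes of such data: matching a small IOC set against log lines. The IOC values (TEST-NET IP addresses, an `.example` domain, and the SHA-256 of an empty string standing in for a malware hash) and the log lines are all constructed for the example, as are the function names `scan_logs` and `summarize`.

```python
import re
from dataclasses import dataclass

# Constructed IOC set (hypothetical values, not real indicators): the kind of
# data a threat intelligence feed would hand to a defender.
IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},   # RFC 5737 TEST-NET addresses, constructed
    "domain": {"update-check.example"},         # constructed
    # SHA-256 of the empty string, standing in for a known malware file hash
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed sample log lines: an SSH auth log, a web proxy log and an
# EDR-style file event, so that each IOC type appears exactly once.
SAMPLE_LOGS = [
    "Mar 03 10:12:44 host1 sshd[2211]: Failed password for root from 198.51.100.23 port 51234 ssh2",
    "Mar 03 10:12:51 host1 sshd[2211]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2",
    "2024-03-03T10:13:02Z proxy01 GET http://update-check.example/ping 200 user=alice",
    "2024-03-03T10:13:05Z proxy01 GET http://intranet.example/ 200 user=alice",
    "2024-03-03T10:14:00Z edr host2 file_create path=/tmp/.x "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


@dataclass(frozen=True)
class Match:
    line_no: int    # 1-based position in the input
    ioc_type: str   # "ip", "domain" or "sha256"
    value: str      # the IOC value that was seen
    line: str       # the full log line, kept as forensic context


def extract_candidates(line):
    """Pull every observable of each IOC type out of one log line."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": set(SHA256_RE.findall(line.lower())),
    }


def scan_logs(lines, iocs=IOCS):
    """Return one Match per (line, IOC type, value) where a known IOC appears."""
    matches = []
    for n, line in enumerate(lines, start=1):
        candidates = extract_candidates(line)
        for ioc_type, known in iocs.items():
            for value in sorted(candidates.get(ioc_type, set()) & known):
                matches.append(Match(n, ioc_type, value, line))
    return matches


def summarize(matches):
    """Count hits per IOC type, the rollup that feeds a risk review."""
    counts = {}
    for m in matches:
        counts[m.ioc_type] = counts.get(m.ioc_type, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for m in hits:
        print(f"line {m.line_no}: {m.ioc_type} {m.value} -> {m.line}")
    print(summarize(hits))
```

Note that a raw IOC hit like this is only the starting point. The article's definition stresses context (who the attacker is, their motivation and capabilities), and a matched hash or address gains meaning only once an analyst attaches that context and decides on a response.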
In this series, we will explore some tools that can be used to create a threat intelligence program for an organization. Each tool will be explained along with examples of how to run it and how to interpret its output. While the series cannot cover every possible implication for an organization, it can provide a starting point for interpreting the output in the context of your own organization. We will begin by discussing how nmap can be used as one source of information to add to a threat intelligence program.
About the Authors
Oyelakin Timilehin Valentina is a self-taught cybersecurity professional. As someone who loves to contribute to social responsibility, she volunteers for Cybersafe Foundation with its initiative #NoGoFallMaga. She is also a volunteer for The Young Ciso Network and The Diana Initiative.
Duane Dunston is an Associate Professor of Information Security at Champlain College. He has worked in information security since 1997, starting in the education sector, then moving to the federal sector, and then into academia.