Threat Intelligence

Threat intelligence is actionable knowledge about the threats facing an environment: the tactics, techniques and procedures (TTPs), tools and indicators that attackers have previously used against other organizations. It ranges from high-level articles in mainstream media to detailed reverse engineering of specific malware carried out by professional threat researchers.

Given the breadth and scope of threat intelligence, organizations inevitably obtain it from multiple sources.



Sources of Threat Intelligence

The cybersecurity industry generally recognizes the value of sharing threat intelligence, so much of it is openly available in the public domain.

In addition to industry media providing high level intelligence, there are a number of government sponsored organizations providing both business level and detailed technical intelligence, free to the public domain.

There are also a variety of organizations providing fee-based subscription services. In some cases, the intelligence these organizations provide may already be available in the public domain, but they add value by aggregating and collating it from multiple sources. Some paid services employ their own researchers, augmenting public domain intelligence with their own proprietary intelligence.

The Main Categories of Threat Intelligence


Open Distribution (available in the public domain)

  • Government, e.g. DHS Automated Indicator Sharing (AIS), FBI InfraGard Portal.
  • Not-for-profit and community organizations, e.g. SANS Internet Storm Center, Ransomware Tracker, The Spamhaus Project.
  • Industry media, e.g. cyberdefensemagazine.com, darkreading.com, grahamcluley.com, infosecurity-magazine.com, scmagazineuk.com, thehackernews.com.
  • Malware analysis and sample-sharing sites, e.g. malwr.com, virusshare.com, virustotal.com.
  • Vendor reports and blogs, e.g. Cisco, Gigamon, IBM, Ixia, Micro Focus, Palo Alto Networks, Symantec.
  • Industry vertical organizations, e.g. Information Sharing and Analysis Centers (ISACs) in the USA.

Commercial Subscription Services

  • e.g. Accenture, Anomali, Cisco, IBM, Ixia, Fortinet, Micro Focus, Palo Alto Networks, Recorded Future.

Note: security vendor feeds often integrate with the vendor's own products, but many are also available stand-alone.

Internal

  • Knowledge and experience gained within your own organization, e.g. from previous threat hunts and incident investigations. This is the only intelligence guaranteed to be relevant to your environment.

Dark Web Intelligence

  • Criminal forums and marketplaces on the dark web are a potential source of intelligence, e.g. to see which exploit kits and associated capabilities are being offered, and to search for stolen assets (such as credentials or data belonging to your organization) being offered for sale.

Because of the size, breadth and dynamic nature of the industry, there is a paucity of comprehensive threat intelligence lists, but our useful links below should serve as a good starting point.



Threat Intelligence Platforms and Feeds

Because the cyber security industry generally recognizes the value of sharing threat intelligence, considerable effort has been put into standards for describing and exchanging it. Structured Threat Information eXpression (STIX) defines how threat intelligence is described: STIX 1.x was XML-based, while the current STIX 2.x is JSON-based and models intelligence as typed objects (indicators, malware, threat actors, relationships and so on). Trusted Automated eXchange of Indicator Information (TAXII) defines how STIX content is transported; TAXII 2.x is a RESTful API over HTTPS in which a client discovers API roots and collections and then polls or pushes objects. Both standards are maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee and continue to be developed.

Being machine readable, STIX and TAXII make it straightforward to share threat intelligence through automated feeds. TAXII supports both consumers and producers, and some organizations both subscribe to and publish threat intelligence. Machine readability does not make a feed trustworthy, however: each feed's false-positive rate, indicator ageing (STIX indicators carry valid_from and valid_until timestamps) and source reliability still have to be assessed before its indicators are allowed to drive automated blocking.


An increasing number of vendors offer Threat Intelligence Platforms (TIPs) to ingest, de-duplicate, correlate and prioritize threat intelligence from multiple sources, present it in a human-readable form, and make it available to other enterprise systems, for example by automatically enriching trouble tickets with relevant threat intelligence. Firewalls, IDS and SIEMs are increasingly able to ingest relevant TAXII feeds directly. A good TIP supports STIX/TAXII and other common formats, e.g. blocklists distributed as plain text or CSV.
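The following is an added example, not code from the original page or from any TAXII/STIX project, of what "ingesting a TAXII feed" means at the lowest level: it builds the URL and headers of a TAXII 2.1 Get Objects poll (nothing is sent), parses the STIX 2.1 envelope such a poll returns, reduces the simple single-comparison indicators to a blocklist while reporting why the rest were skipped (revoked, expired, compound pattern, unmapped observable), and matches constructed log lines against the result. The TAXII server, collection id, indicator ids, hostnames, hash and log lines are all constructed for illustration; real STIX patterns can be compound (AND/OR/FOLLOWEDBY) and need a proper pattern parser, which this deliberately does not attempt.

```python
"""Added example, not from the original page: build a TAXII 2.1 poll request,
parse the STIX 2.1 envelope it returns, reduce simple indicators to a blocklist
and match constructed log lines against it. Ids, hosts, hashes and logs are made up."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"  # Accept header required by TAXII 2.1

# One simple STIX comparison such as [ipv4-addr:value = '198.51.100.7'] or
# [file:hashes.'SHA-256' = '...']. Compound patterns (AND/OR/FOLLOWEDBY) are
# reported as skipped rather than guessed at.
SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

KINDS = {  # (STIX observable type, property path) -> blocklist kind
    ("ipv4-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("file", "hashes.'SHA-256'"): "sha256",
}

def taxii_objects_request(api_root, collection_id, added_after=None):
    """(url, headers) for a TAXII 2.1 Get Objects poll; nothing is sent here.
    api_root and collection_id come from the server's /taxii2/ discovery."""
    params = {"match[type]": "indicator"}
    if added_after:
        params["added_after"] = added_after  # incremental poll: only newer objects
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/?{urlencode(params)}"
    return url, {"Accept": TAXII_MEDIA_TYPE}

def _ts(value):  # STIX timestamps are RFC 3339 UTC with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _reject_reason(obj, now):
    """Why an indicator must not reach the blocklist, or None if it may."""
    if obj.get("revoked"):
        return "revoked"
    if obj.get("pattern_type", "stix") != "stix":
        return "unsupported pattern_type " + obj["pattern_type"]
    if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
        return "expired"
    if "valid_from" in obj and _ts(obj["valid_from"]) > now:
        return "not yet valid"
    return None

def indicators_to_blocklist(envelope_json, now=None):
    """Parse a TAXII envelope {"more": ..., "objects": [...]} into
    (entries, skipped): entries are (kind, value, indicator id); skipped are
    (indicator id, reason) so an analyst can see what was dropped and why."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    entries, skipped = [], []
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship, etc. give context, not blockable values
        oid, reason = obj.get("id", "<no id>"), _reject_reason(obj, now)
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        kind = KINDS.get((m.group(1), m.group(2))) if m else None
        if reason is None and m is None:
            reason = "compound or malformed pattern"
        elif reason is None and kind is None:
            reason = f"unmapped observable {m.group(1)}:{m.group(2)}"
        if reason:
            skipped.append((oid, reason))
        else:
            entries.append((kind, m.group(3), oid))
    return entries, skipped

def match_logs(entries, log_lines):
    """(line number, kind, value) for each hit; values are matched as whole
    tokens so that 198.51.100.7 does not hit 198.51.100.70."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, value, _ in entries:
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", line, re.I):
                hits.append((n, kind, value))
    return hits

def _ind(n, pattern, **extra):  # one constructed STIX 2.1 indicator (ids/dates made up)
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
            "created": "2024-03-01T10:00:00.000Z", "modified": "2024-03-01T10:00:00.000Z",
            "valid_from": "2024-03-01T10:00:00Z", "pattern": pattern, **extra}

CONSTRUCTED_HASH = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
CONSTRUCTED_ENVELOPE = json.dumps({"more": False, "objects": [
    _ind(1, "[ipv4-addr:value = '198.51.100.7']", name="C2 server"),
    _ind(2, "[domain-name:value = 'c2.example.net']"),
    _ind(3, f"[file:hashes.'SHA-256' = '{CONSTRUCTED_HASH}']"),
    _ind(4, "[ipv4-addr:value = '203.0.113.9']",  # expired: must not be blocked
         valid_from="2023-11-01T00:00:00Z", valid_until="2023-12-31T00:00:00Z"),
    _ind(5, "[ipv4-addr:value = '203.0.113.10'] AND [network-traffic:dst_port = 4444]"),
    {"type": "malware", "spec_version": "2.1", "name": "constructed-loader", "is_family": False,
     "id": "malware--00000000-0000-4000-8000-000000000006",
     "created": "2024-03-01T10:00:00.000Z", "modified": "2024-03-01T10:00:00.000Z"},
]})
CONSTRUCTED_LOGS = [  # constructed firewall, proxy and EDR lines
    "2024-03-02T08:15:01Z fw allow src=10.0.0.12 dst=198.51.100.7 dport=443",
    "2024-03-02T08:15:07Z fw allow src=10.0.0.12 dst=198.51.100.70 dport=443",
    "2024-03-02T08:16:22Z proxy GET http://c2.example.net/beacon user=alice",
    f"2024-03-02T08:17:40Z edr sha256={CONSTRUCTED_HASH} proc=update.exe",
]
```

Running `indicators_to_blocklist(CONSTRUCTED_ENVELOPE, now="2024-03-02T09:00:00Z")` yields three blocklist entries (the IP, the domain and the hash) and two skipped indicators (one expired, one compound pattern); `match_logs` then hits log lines 1, 3 and 4 but not line 2, whose 198.51.100.70 only shares a prefix with the indicator. In production the `added_after` parameter is set to the timestamp of the previous poll so that each run fetches only new objects, and the `skipped` list is worth keeping: silently dropping indicators a feed considers expired or compound is how blocklists quietly drift away from the intelligence they claim to implement.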