
What Is Threat Intelligence Sharing? 


What Is Threat Intelligence?

Threat intelligence, also referred to as cyber threat intelligence, is a combination of internal and third-party data about known attacks to help organizations take proactive steps to protect digital assets. 

Threat intel also focuses on threats specific to an organization, such as threats targeting vulnerabilities in their attack surface and exposed digital assets.

Understanding how threat intelligence works is critical to selecting the right mix of solutions and services to support security programs.

Cyber threat intelligence is developed by security analysts who collect, aggregate, process, and analyze raw cyber intelligence and security-related data to provide organizations with actionable insights (e.g., patterns, relationships, and trends). Threat intelligence also gives security teams details about the attackers, including the tactics, techniques, and procedures (TTPs) those threat actors use and the indicators of compromise (IoCs) for their attack vectors. In addition, threat intelligence includes contextual information, such as attack vectors used to target industry verticals, device types, and geographic regions.

The raw data used to curate cyber threat intelligence comes from internal and external sources.

  • Internal sources of threat intel:
    • Data from security tools (e.g., anti-virus systems, security information and event management (SIEM) systems, endpoint and network detection, intrusion detection systems, intrusion prevention systems, and user and entity behavior analytics (UEBA))
    • Incident response reports, including artifacts collected after an event
    • Log files (e.g., applications, DNS, firewalls, and networks) 
    • Security alerts (e.g., compromised credentials, exfiltration, lateral movement, and reconnaissance)
  • External sources of threat intel, also referred to as open-source intelligence (OSINT):
    • Dark web
    • News reports
    • Organizations, such as:
      • CISA Automated Indicator Sharing
      • Computer Emergency Response Teams (CERTs)
      • Cybersecurity and Infrastructure Security Agency (CISA)
      • Information Sharing and Analysis Centers (ISACs)
      • MITRE ATT&CK 
      • SANS Internet Storm Center
      • The Federal Bureau of Investigation (FBI) InfraGard
      • VirusTotal
    • Private or commercial threat intelligence feeds 
    • Publicly available threat indicator block lists
    • Security researchers
    • Social media
    • Vendor blogs

Why Is Threat Intelligence Important?

There are many reasons that threat intelligence is important. Among other things, it:

  • Allows leaders to make more efficient and informed decisions
  • Details indicators of compromise (IOCs) and attackers’ behavioral patterns
  • Directs investments in risk management and cybersecurity systems and programs
  • Helps tailor security defenses to preempt future attacks
  • Informs leaders, stakeholders, and users about the latest threats and impacts they could have  
  • Keeps organizations informed about the risks of, and responses to, advanced persistent threats and zero-day threats
  • Optimizes cyber incident responses (e.g., containment, eradication, and recovery) 
  • Prioritizes risk and threat mitigation and remediation measures
  • Provides contextual information about emerging or existing threat actors and threats from a number of sources
  • Reveals attackers’ motives and their tactics, techniques, and procedures (TTPs)
  • Enables collaborative threat intel sharing, which helps ensure compliance and strengthens defenses through shared insights

Who Can Benefit from Threat Intelligence?

Almost every organization uses threat intelligence in one form or another. It is included in many widely used security solutions and services, such as anti-virus and anti-malware. Larger-scale cyber threat intelligence programs combine data sources to support systems run by in-house security teams. In most enterprise environments, the following are examples of who uses threat intel and how they benefit from it.

Tactical Users
  • Who: security and IT analysts; vulnerability management
  • How they benefit:
    • Identify and remediate gaps
    • Leverage IOCs, content, and context to prevent attacks proactively
    • Manage and optimize threat prevention and detection
    • Prioritize updates and patches
    • Use threat intel to augment other security systems (e.g., block malicious IPs, messages, and URLs)

Technical Users
  • Who: security operations centers (SOCs)
  • How they benefit:
    • Augment alerts
    • Block suspicious activity at firewalls or other security devices
    • Correlate alerts with incidents
    • Create rules or signatures for indicators of compromise (IOCs)
    • Feed threat intel into security systems, such as endpoint detection and response (EDR), firewalls, and intrusion detection and intrusion prevention systems (IDS/IPS)
    • Leverage cyber threat intelligence for security monitoring and alerting
    • Optimize security controls
    • Reduce false positives
    • Triage incidents based on risk
    • Triage alerts generated by network monitoring

Operational Users
  • Who: computer incident response teams (CIRTs), forensic analysts, host analysts, incident responders and teams, malware analysts, network security teams, and threat intelligence analysts
  • How they benefit:
    • Assess incidents to determine their full scope
    • Consume cyber threat intelligence for technical context
    • Determine the who, what, why, when, and how of an incident
    • Enrich alerts with context
    • Facilitate investigations, management, and prioritization of cyber incidents
    • Focus on the IOCs and links in the environment
    • Identify and monitor threat actors
    • Identify the root cause
    • Review threat intel to better understand threats
    • Triage and prioritize ongoing investigations
    • Understand the context of threats

Strategic Users
  • Who: chief executive officers, chief financial officers, chief information officers, chief operations officers, chief risk officers, security executives, and other high-level executives, leaders, and managers
  • How they benefit:
    • Assess options for prevention and remediation
    • Inform budgeting for security solutions and support
    • Gain insight into attack trends by geography, industry, software, and hardware
    • Understand the overall cyber risks and their impact
    • Use cyber threat intelligence to support risk-based decisions
    • Meet cybersecurity compliance standards and legal obligations

The Cyber Threat Intelligence Cycle

The cyber threat lifecycle provides a framework for the ongoing process of collecting raw data and turning it into actionable intelligence. The threat intelligence framework detailed below can be used as guidance for developing a customized process that fits an organization’s unique needs. Regardless of how the phases are implemented, it is important to note that this is not a one-and-done exercise. It is meant to be repeated continuously to stay on top of evolving threats and changing requirements.

Step one: Define threat intelligence requirements
During the planning phase, security analysts work with key cybersecurity stakeholders and decision-makers (e.g., C-suite, managers, and representatives from IT and security teams). Key objectives during the planning phase are to establish a roadmap for a targeted threat intelligence program and align stakeholders on the objectives, strategy, tactics, and KPIs.

Step two: Gather the threat intel
Based on the established objectives for cyber intelligence, the next step is to collect the raw data needed to meet them. A detailed list of raw data sources is given above; a few examples are log files, SIEMs, publicly available data, and threat intelligence feeds.

Step three: Process raw threat intelligence data
Once raw data has been collected, security analysts aggregate, standardize, and enrich it to prepare it for analysis. This step includes organizing the information, decrypting as needed, translating information, and assessing information for accuracy and relevance so as not to skew the analysis or lead to false positives. This phase is often automated using machine learning, artificial intelligence, and natural language processing.

Step four: Create cyber threat intelligence through analysis
Raw threat intelligence data is inert information without analysis. Applying advanced analytics to the data is how valuable insights are derived. The analysis phase teases out the deliverables that were identified and defined in the requirements phase of the cyber intelligence cycle. Here, too, machine learning and artificial intelligence are often used to turn trends, patterns, and other insights into actionable recommendations. The output of this analysis can include the identification of specific threats or vulnerabilities along with solutions to eliminate or remediate the risks.

Step five: Present the threat intelligence
Once raw data has been processed and analyzed, it needs to be formatted and packaged for presentation. The audience will dictate the form of the presentation. In some cases, it is in a report. In others, it is presented as a slide show. Whatever format is selected, it is important that the final information that has been developed is clear, concise, and ready to be operationalized.

Step six: Reflect on and refine the final threat intel
The final phase is to assess the threat intelligence based on the KPIs established during the planning phase. Then, adjustments should be made to optimize the plan.
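The processing step above (aggregate, standardize, assess for relevance so that bad entries do not cause false positives) carried out on two constructed feeds, as an added Python example that is not part of the original article; the feed layout, the 0-100 confidence scale, the placeholder domain, documentation-range IP and dummy hash are all assumptions made for illustration. Defanged values are restored, malformed entries and internal RFC 1918 addresses are dropped, and duplicates from different sources are merged into one entry that records every source and the highest confidence seen.

```python
import ipaddress
import re
# Constructed sample feeds (documentation-range IP, placeholder domain, dummy hash),
# not real indicators. Each record is (type, value, confidence 0-100).
FEED_COMMERCIAL = [("domain", "Evil-Update[.]example", 80),
                   ("ipv4", "203.0.113.45", 70),
                   ("ipv4", "10.0.0.5", 90),
                   ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", 60)]
FEED_OSINT = [("domain", "hxxp://evil-update[.]example/payload", 50),
              ("ipv4", "203[.]0[.]113[.]45", 60),
              ("md5", "not-a-hash", 40)]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def refang(value):
    """Undo common defanging so the same indicator from different sources compares equal."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxps?://", "", v, flags=re.IGNORECASE).lower()

def normalize(ioc_type, value):
    """Canonical (type, value), or None if malformed or internal (RFC1918 = false-positive risk)."""
    v = refang(value)
    if ioc_type == "domain":
        v = v.split("/")[0]  # keep only the host part of a defanged URL
        return ("domain", v) if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v) else None
    if ioc_type == "ipv4":
        try:
            ip = ipaddress.IPv4Address(v)
        except ValueError:
            return None
        if ip.is_loopback or any(ip in net for net in RFC1918):
            return None
        return ("ipv4", str(ip))
    if ioc_type in HASH_LEN:
        ok = re.fullmatch(r"[0-9a-f]+", v) and len(v) == HASH_LEN[ioc_type]
        return (ioc_type, v) if ok else None
    return None

def consolidate(sources):
    """Deduplicate by canonical value, keeping the highest confidence and every reporting source."""
    merged = {}
    for source, records in sources.items():
        for ioc_type, value, confidence in records:
            key = normalize(ioc_type, value)
            if key is None:
                continue
            entry = merged.setdefault(key, {"confidence": 0, "sources": set()})
            entry["confidence"] = max(entry["confidence"], confidence)
            entry["sources"].add(source)
    return merged
```

Calling `consolidate({"commercial": FEED_COMMERCIAL, "osint": FEED_OSINT})` yields three entries: the domain and the IP each reported by both sources, and the hash; the internal address and the malformed hash are discarded.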

Types of Threat Intelligence

Threat intelligence data is broken into four broad categories—operational, strategic, tactical, and technical. Within these categories, the data can be human-readable or machine-readable.

Human-readable cyber threat intelligence examples 

  • Cyber intelligence alerts
  • Malware alerts
  • Situational awareness
  • Threat intel sharing
  • Threat research reports
  • Vulnerability reports

Machine-readable cyber threat intelligence examples 

  • Exploit alerts
  • Indicators of compromise (IoCs)
  • Kill chain mapping
  • MITRE ATT&CK mapping
  • Tactics, techniques, and procedures (TTPs)
  • Vulnerability mapping

Operational threat intelligence
Operational threat intel helps information security teams prevent cyber attacks by providing context and enabling an understanding of the attackers and threats. This includes their motivation, specific capabilities, infrastructure, TTPs, and the anticipated timing of an attack. This information is then operationalized to prioritize and execute targeted, proactive security responses to specific threats. 

Operational cyber intelligence is developed using a combination of machine-readable and human-readable data. It is used across security groups, including security managers, malware analysts, network defense teams, host analysts, SOC analysts, threat hunters, and incident response teams, to:

  • Develop rules or signatures for detection alerts
  • Prioritize the installation of security updates and patches  
  • Proactively respond to planned attacks

Strategic threat intelligence
Strategic cyber intelligence provides a non-technical context to cyber threats to help an organization’s leaders make informed decisions based on an understanding of the cyber risks and vulnerabilities. Areas that strategic threat intelligence focuses on include cyber threats that target a specific industry, vulnerabilities in critical systems, and geopolitical situations that could spawn nation-state attacks. Stakeholders use strategic threat intelligence to align broader organizational risk management strategies and investments with the cyber threat landscape.

Strategic threat intelligence data is gathered primarily from human-readable sources and requires a deep understanding of the threat landscape, which makes it difficult to create. Delivered in the form of reports, strategic threat intel is used by security and business leaders, such as CEOs, COOs, CISOs, CIOs, and CTOs, to inform:

  • Cybersecurity budgeting with information about the organization’s security posture and gaps  
  • Decisions about how to address new security requirements driven by changes in the regulatory compliance landscape  
  • Risk assessments with information about the vulnerability landscape, including exposures to data breaches  

Tactical threat intelligence
Tactical threat intelligence is used to understand the details of prospective threats and active attacks in order to implement responses that address the underlying cause and function of a threat. Tactical threat intel usually focuses on common IoCs, including:

  • Artifact-based indicators, such as suspicious email attachments or URLs, network log files, and data in registries and file systems
  • Behavioral indicators, such as emails with malicious links or attachments, privileged user logins at odd times or from suspicious locations, and multiple login failures
  • File-based indicators, such as a hash or file name associated with known malware attacks or subject lines used in phishing attacks
  • Network-based indicators, such as suspicious port activity, data exfiltration, and unusual network traffic

Tactical cyber threat intelligence data is typically gathered by machines and includes open source intelligence (OSINT), such as attack group reports, the dark web, news reports, public block lists, social media, threat intelligence feeds, and vendor blogs. Behavioral threat indicators are ingested into cybersecurity systems, such as endpoint detection systems (EDS), firewalls, intrusion detection and intrusion prevention systems (IDS/IPS), and SIEMs, and used by security operations center (SOC) analysts and others on security teams to:

  • Test security systems and processes
  • Optimize security systems and processes
  • Identify vulnerabilities in security controls
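How ingested tactical indicators (file-based and network-based) are matched against logs in a SIEM-style rule, as an added Python example that is not from the original article; the indicator set, the three log formats, the sample log lines and the confidence threshold are all constructed for illustration. Log fields are canonicalized before lookup (trailing DNS dot, hash case), each alert carries the indicator's source and confidence as context, and low-confidence hits are set aside as noise rather than alerted.

```python
import re

# Constructed indicator set (placeholder domain, documentation-range IPs, dummy hash)
# as a SIEM might load it from a consolidated feed: value -> (source, confidence).
INDICATORS = {
    "domain": {"evil-update.example": ("commercial", 80)},
    "ipv4": {"203.0.113.45": ("osint", 60), "198.51.100.7": ("blocklist", 20)},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": ("commercial", 60)},
}
MIN_CONFIDENCE = 50  # hits below this are kept as noise for review, not alerted

# One extractor per log type; the group name says which indicator type the field holds.
LOG_PATTERNS = [
    ("dns", re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<domain>\S+)")),
    ("proxy", re.compile(r"^(?P<ts>\S+) proxy user=(?P<user>\S+) dst=(?P<ipv4>\d+\.\d+\.\d+\.\d+)")),
    ("edr", re.compile(r"^(?P<ts>\S+) edr host=(?P<host>\S+) sha256=(?P<sha256>[0-9A-Fa-f]{64})")),
]

# Constructed log lines; note the trailing dot in the DNS name and the upper-case hash.
SAMPLE_LOGS = """2024-04-18T10:00:01Z dns client=192.168.1.20 query=evil-update.example.
2024-04-18T10:00:02Z dns client=192.168.1.21 query=updates.example.
2024-04-18T10:00:03Z proxy user=alice dst=203.0.113.45 bytes=5120
2024-04-18T10:00:04Z proxy user=bob dst=198.51.100.7 bytes=80
2024-04-18T10:00:05Z edr host=ws-07 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"""

def canonical(ioc_type, raw):
    """Normalize a log field the same way the indicator set is normalized."""
    v = raw.strip().lower()
    return v.rstrip(".") if ioc_type == "domain" else v

def match_logs(lines, indicators, min_confidence=MIN_CONFIDENCE):
    """Scan log lines against the indicator set; return (alerts, suppressed) lists."""
    alerts, suppressed = [], []
    for line in lines:
        for log_type, pattern in LOG_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            for field, raw in m.groupdict().items():  # only IoC-typed groups can hit
                value = canonical(field, raw)
                hit = indicators.get(field, {}).get(value)
                if hit is None:
                    continue
                source, confidence = hit
                record = {"log": log_type, "ts": m.group("ts"), "ioc_type": field,
                          "value": value, "source": source, "confidence": confidence}
                (alerts if confidence >= min_confidence else suppressed).append(record)
            break  # each line belongs to exactly one log type
    return alerts, suppressed
```

Running `match_logs(SAMPLE_LOGS.splitlines(), INDICATORS)` on the sample produces three alerts (DNS, proxy, EDR) and one suppressed low-confidence block-list hit.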

Technical threat intelligence
Technical threat intelligence is used to identify indicators or evidence of an attack. This type of threat intel is used to support analysis in the wake of an incident. Examples of technical threat intel include domains used for command and control (C&C), Common Vulnerabilities and Exposures (CVE) data, details about attack vectors, malware samples, phishing email content, and reported URLs.

Machines usually gather technical threat intelligence data. Cybersecurity teams use technical threat intelligence to: 

  • Direct threat hunting 
  • Follow up on security alerts
  • Gather forensic evidence

What to Look for in a Threat Intelligence Program

The top seven considerations for a threat intelligence program are:

1. Leverages solutions that integrate multiple forms of threat intelligence 

2. Consolidates indicators from multiple sources and eliminates duplicates

3. Provides security operations teams with recommendations on responding to threat indicators

4. Automates identification and alerting about new threats

5. Integrates with security tools to automatically share threat intel data

6. Filters “noise” and helps prioritize threats and responses

7. Helps identify gaps across systems and processes

Find the Right Threat Intelligence Mix and Methods

Using threat intelligence, organizations gain an in-depth understanding of the specific attacks that they are exposed to, which allows them to assess risks, prioritize remediation, and implement response plans. Threat intel also enables faster, more effective responses to attacks in progress by providing details about the attack vector and its likely course. There are many sources of cyber threat intelligence that can be deployed in a number of ways. Understanding how threat intelligence works is critical to selecting the right mix of solutions and services to support security programs.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.

Last Updated: 18th April, 2024
