Threat intelligence

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

— Gartner's website

Easing the consumption

Certain organizations attempt to integrate threat data feeds into their network; however, they often struggle with managing the substantial influx of data. Consequently, analysts may find it challenging to determine what information is pertinent and what is not, thereby burdening them further due to the lack of suitable tools to process and prioritize the data.

The most effective solutions leverage machine learning to automate the collection and processing of data. These solutions are capable of integrating with pre-existing systems and consolidating unstructured data from a variety of sources. By analyzing this information, they can provide context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) used by threat actors, effectively connecting the dots and aiding in incident response.

A central role for threat intelligence

If threat intelligence is treated as a separate function within a security team, instead of being considered an integral component that complements all other functions, it may result in many individuals who could benefit from it not having timely access to it. Over time it is becoming a central resource in the structural cyberdefence.

Several subcategories of threat intelligence

Threat intelligence is typically divided into three distinct subcategories:

  1. Strategic - Pertaining to broader trends and intended for a non-technical audience.
  2. Tactical - Focused on outlining the tactics, techniques, and procedures of threat actors and intended for a more technical audience.
  3. Operational - Comprising technical details related to specific attacks and campaigns.

Stakeholders and consumers of strategic intelligence can include:

  • C-Suite (CISO, CIO, CSO, CTO)
  • Board Members
  • Senior VPs
  • Intelligence Leaders (Cyber and Physical)

Stakeholders and consumers of tactical threat intelligence can include:

  • SOC Analysts
  • IT Analysts
  • Vulnerability Management Teams

Stakeholders and consumers of operational threat intelligence can include:

  • Security Leaders
  • SOC Managers
  • Threat Hunters
  • Cyber Threat Intelligence Teams
  • Incident Responders

Second degree uses

Overcoming SOC fatigue

Distinguishing relevant threats and helping triage incidents/events.

Prioritize Vulnerability management

Away from 'patch everything'

Threat actors are also quicker — it now only takes fifteen days on average between a new vulnerability being announced and an exploit targeting it appearing.

This has two implications:

  • You have two weeks to patch or remediate your systems against a new exploit. If you can’t patch in that timeframe, have a plan to mitigate the damage.
  • If a new vulnerability is not exploited within two weeks to three months, it’s unlikely to ever be — patching it can take lower priority.

Fraud prevention

Security leadership

Reduce Third Party Risk


5 Use Cases

Best solutions

To help you in this task, we recommend these products from our selected partners:

Best products on the market