Understanding Threat Intelligence Use Cases

by Dave Blakey on Security • November 24, 2021

We've spoken recently about threat intelligence and the role it plays in protecting organizations, platform infrastructure, data, and transactions from various cyber threats. However, it is important to understand the particular use cases, so you can apply threat intelligence to solve specific security challenges in your organization. 

What is threat intelligence?

First, a refresher on what threat intelligence actually is. Threat intelligence is timely information about active threats and threat sources that are: 

  • abusing your platform infrastructure
  • attacking your infrastructure, customers, or data
  • presenting a threat somewhere else in the world (a potential threat to you).

Good threat intelligence is fast, accurate, and practical. Users of threat intelligence information benefit from threat data that:

  1. updates as close as possible to real-time
  2. suffers few false positives or false negatives, and is enriched with useful information such as geo-location, host, history, and threat scoring
  3. integrates easily with any standard security tools such as firewalls, SIEM platforms, and anything that can make use of an API.

Now let’s take a look at the most common use cases.

Security Direction and Strategy

The challenge for many security team leaders is balancing limited available resources against the need to secure their organizations from ever-evolving threats. While they could look to build massive teams and efforts around this, it is rarely feasible, so a more efficient approach is needed.

Threat intelligence can help map the threat landscape, calculate risk, and give security personnel the intelligence and context to make better and faster decisions. This includes assessing the relevant business and technical risks, identifying the right strategies and technologies for mitigation, and justifying these efforts to management. 

Threat intelligence can be a critical resource for all these activities, providing information on general trends, such as:

  • Which types of attacks are becoming more (or less) frequent
  • Which types of attacks are most costly to the victims (client and business)
  • Which new kinds of threat actors are coming forward, and which assets and enterprises they are likely to target
  • Which security practices and technologies have proven the most (or least) successful in stopping or mitigating these attacks

It can also enable security groups to assess whether an emerging threat is likely to affect their specific enterprise based on factors such as:

  • Industry — Is the threat affecting other businesses in our vertical?
  • Technology — Does the threat involve compromising software, hardware, or other technologies used in an enterprise?
  • Geography — Does the threat target facilities in regions in which our company operates?
  • Attack method — Have methods used in the attack been used successfully against similar companies?

With these types of intelligence, gathered from a broad set of external data sources, security decision-makers gain a holistic view of the cyber risk landscape and the greatest risks to their enterprise.

Here are four key areas where threat intelligence helps security leaders make decisions:

Mitigation

Threat intelligence helps security teams prioritize the vulnerabilities and weaknesses that threat actors are most likely to target, giving context on the Tactics, Techniques, and Procedures (TTP) those threat actors use, and therefore the weaknesses they tend to exploit.

Communication

Security teams are often challenged by the need to describe threats and justify countermeasures in terms that will motivate non-technical business leaders, such as cost, impact on customers, and new technologies. Threat intelligence provides powerful ammunition for these discussions, such as the impact of similar attacks on companies of the same size in other industries, or trends and intelligence from the dark web indicating that the enterprise is likely to be targeted.

Supporting Leaders

Threat intelligence can provide security leaders with a real-time picture of the latest threats, trends, and events, helping them respond to a threat or communicate the potential impact of a new threat type to business leaders and board members in a timely and efficient manner.

The Security Skills Gap

Security teams must make sure the IT organization has the human resources to carry out its mission. But cybersecurity’s skills shortage means existing security staff frequently carry unmanageable workloads. Threat intelligence automates some of the most labor-intensive tasks, rapidly collecting data and correlating context from multiple intelligence sources, prioritizing risks, and reducing unnecessary alerts. Powerful threat intelligence also helps junior personnel quickly “upskill” and perform above their experience level.

Security Incident and Event Management

Threat intelligence helps security teams to respond to active security incidents. When security teams face an incident, they must investigate the different issues quickly to know when and how to respond – to best mitigate the potential threat. 

While this calls for immediate action, the amount of information that often needs to be dissected can make this rather difficult to achieve. This is why surfacing the right information to security teams is so important.

Threat intelligence enables them to have all the required data on hand and to quickly discern the best approach for a given scenario. 

Threat intelligence reduces the pressure these teams face in multiple ways:

  • Identifying false positives and dismissing them
  • Enriching alerts with real-time context, such as custom risk scores
  • Comparing information from internal and external sources
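The triage steps listed above, as an added example (not code from the article or from any Snapt product): each alert is enriched with a risk score from an external feed, compared against an internal host list, and given a verdict. The feed layout, the threshold of 70, and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed external feed: network -> (risk score 0-100, category).
FEED = {"203.0.113.0/24": (90, "botnet"),
        "203.0.113.128/25": (30, "research-scanner"),
        "192.0.2.20/32": (85, "phishing-host")}
# Constructed internal source: hosts the organization operates itself.
INTERNAL = ["192.0.2.10/32", "192.0.2.20/32"]
# Constructed alerts, as a SIEM might hand them over.
ALERTS = [{"id": 1, "src": "203.0.113.45", "rule": "sql-injection"},
          {"id": 2, "src": "203.0.113.200", "rule": "port-scan"},
          {"id": 3, "src": "192.0.2.10", "rule": "port-scan"},
          {"id": 4, "src": "192.0.2.20", "rule": "outbound-smtp-burst"},
          {"id": 5, "src": "not-an-ip", "rule": "login-failure"},
          {"id": 6, "src": "192.0.2.77", "rule": "login-failure"}]

def best_match(ip):
    """Return the feed entry of the most specific network containing ip."""
    hits = [(ipaddress.ip_network(c), v) for c, v in FEED.items()
            if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def triage(alert, threshold=70):
    """Enrich one alert with score and category, then assign a verdict."""
    enriched = dict(alert, score=None, category=None)
    try:
        ip = ipaddress.ip_address(alert["src"])
    except ValueError:
        enriched["verdict"] = "review"   # malformed source: never auto-dismiss
        return enriched
    hit = best_match(ip)
    internal = any(ip in ipaddress.ip_network(c) for c in INTERNAL)
    if hit:
        enriched["score"], enriched["category"] = hit
    if hit and hit[0] >= threshold:
        verdict = "escalate"   # also catches internal hosts flagged externally
    elif internal:
        verdict = "dismiss"    # known internal host, no high-risk intel: false positive
    elif hit:
        verdict = "review"
    else:
        verdict = "low"
    enriched["verdict"] = verdict
    return enriched

def run(alerts=ALERTS):
    return {a["id"]: triage(a)["verdict"] for a in alerts}

if __name__ == "__main__":
    for a in ALERTS:
        print(triage(a))
```

Alert 4 is the case where internal and external sources disagree: the host is on the internal list, but the feed scores it at 85, so it is escalated rather than dismissed.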

Pre-emptive Cyber-Security

The identification of threats and risks is of great value, but its effectiveness is greatly reduced if it leads to action only after a major security incident. Threat intelligence therefore also needs to enable pre-emptive prevention of security incidents.

Security teams can use the information on threats not currently affecting their organization, assess the risk, and block those threat sources before they can do any damage. 

An integrated toolchain would see a threat intelligence platform connected directly with web application firewalls (WAFs), with the latter automatically blocking identified threat sources pre-emptively. This way, by the time your security team is aware of a risk it's already been mitigated. This allows the team to focus on further improving their security protocols. 

Security Operations

Outside of responding to threat events, security teams need to deal with huge volumes of alerts generated by the networks they monitor. A common problem is that most security alerts are likely not real threats but false positives or non-critical status updates. 

Triaging these alerts takes too long, and so many are never investigated at all. “Alert fatigue” leads analysts to take alerts less seriously than they should. 

Threat intelligence with fewer but highly actionable alerts – to minimize the noise – means analysts can stop wasting time pursuing alerts based on:

  • Actions that are more likely to be innocuous rather than malicious
  • Attacks that are not relevant to the enterprise
  • Attacks for which defenses and controls are already in place and require no further response

Vulnerability Management

Effective vulnerability management means shifting from taking an unrealistic “patch everything, all the time” approach to prioritizing vulnerabilities based on actual risk. Security teams must patch vulnerabilities in a way that is palatable to the rest of their organization; otherwise, they risk being perceived as “annoying” and then being ignored.

Although the number of vulnerabilities and threats has increased every year, research shows that most threats target the same, small proportion of vulnerabilities. Threat actors are also quicker — it now takes only fifteen days on average from a new vulnerability being announced to an exploit targeting it appearing.

This has two implications:

  • You have two weeks to patch or remediate your systems against a new exploit. If you can’t patch in that timeframe, have a plan to mitigate the damage.
  • If a new vulnerability is not exploited within two weeks to three months, it’s unlikely to ever be — patching it can take a lower priority.

Threat intelligence helps you to identify the vulnerabilities that pose an actual risk to your organization. For example, Snapt NovaSense goes beyond pure risk scoring by combining internal vulnerability scanning data, external data, and additional context about the Tactics, Techniques, and Procedures (TTP) of threat actors. 

Risk Analysis

Risk modeling can be a useful way for organizations to set investment priorities. But many risk models suffer from a vague and non-quantified output that is hastily compiled, based on partial information and unfounded assumptions, and difficult to take action on.

Threat intelligence provides context that helps risk models make defined risk measurements and be more transparent about their assumptions, variables, and outcomes. It can help answer questions such as:

  • Which threat actors are using this attack, and do they target our industry?
  • How often has this specific attack been observed recently by enterprises like ours?
  • Is the trend up or down?
  • Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our enterprise?
  • What kind of damage, technical and financial, has this attack caused in enterprises like ours?

Fraud Prevention

It isn’t enough to only detect and respond to threats already exploiting your systems – you also need to prevent fraudulent uses of your data or brand. If a company's intellectual property is primarily digital, it can be easily duplicated and used elsewhere in an unauthorized manner. As such, it's vital for companies to protect these valuable assets. 

Threat intelligence gathered from various sources provides a window into the motivations, methods, and tactics of threat actors, especially when this data is correlated with information from technical feeds and indicators. 

You can use this to identify where fraudulent activities are taking place and act accordingly. 

Use threat intelligence to prevent:

  • Payment fraud — Monitoring sources like criminal communities, paste sites, and online forums for relevant payment card numbers, bank identifier numbers, or specific references to financial institutions can provide early warning of upcoming attacks that might affect your organization.
  • Compromised data — Cybercriminals regularly upload massive caches of usernames and passwords to paste sites and the dark web, or make them available for sale on underground marketplaces. Monitor these sources with threat intelligence to watch out for leaked credentials, corporate data, or proprietary code.
  • Typosquatting — Get real-time alerts on newly registered phishing and typosquatting domains to prevent cybercriminals from impersonating your brand and defrauding unsuspecting users.
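An added example of the typosquatting check described in the last bullet (not code from the article or from NovaSense): it compares newly registered domains against a brand label using lookalike-character normalization and an edit distance that counts a swapped pair of letters as one edit. The brand `example`, the domain list, and the substitution table are constructed assumptions.

```python
# Constructed inputs: "example" stands in for the protected brand label.
BRAND = "example"
OWNED = {"example.com"}
NEW_DOMAINS = ["examp1e.com", "exarnple.net", "exmaple.com",
               "example-support.org", "example.com", "sample.org",
               "weather-news.com"]

# Lookalike substitutions undone before comparing (multi-character first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label):
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain, brand=BRAND, owned=OWNED):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in owned:
        return None
    label = domain.split(".")[0]   # simplification: leftmost label only
    if label == brand:
        return "tld-variant"
    if normalize(label) == brand:
        return "homoglyph"
    if brand in label.split("-"):
        return "brand-keyword"
    if osa_distance(label, brand) <= 1:
        return "near-miss"
    return None

def suspicious(domains):
    return {d: r for d in domains if (r := classify(d))}
```

The distance threshold of 1 is deliberate: `sample.org` is two edits from `example` and stays unflagged, which keeps ordinary words from drowning the alert queue.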

Platform Abuse Intelligence

One use for threat intelligence that is often underappreciated but which makes a major impact on many organizations is the identification and countering of platform abuse. Platform holders, data centers, ISPs, and other hosts need to detect not only external threats but also malicious or fraudulent behavior of internal host systems and users.

Major threats can be missed by some security scans because they are masking themselves in an internal process or third-party service and are not getting flagged correctly. It’s important to detect when internal host systems are not behaving correctly and to be able to remove them from operation before they cause further harm.

These threats can come in the form of phishing scams, Distributed Denial-of-Service (DDoS) attacks, or the passing of fraudulent data in a manner that might not get flagged as it is from a safe source and potentially exempt from a firewall. 

If your threat intelligence systems can successfully identify these events and proactively close them down, they can save your organization from immense damage.

Conclusion

It’s clear that threat intelligence is key to helping business, education, finance, government, healthcare, and other sensitive organizations proactively manage their security risks in different scenarios. 

Security teams must understand and prioritize their use cases for threat intelligence – this is key to ensuring they get the right information from their tools and can apply the intelligence to solve security challenges effectively.   

Snapt NovaSense is a threat intelligence platform that addresses all the use cases outlined in this article. NovaSense provides real-time, real-world threat intelligence that identifies platform abusers, botnets, cybercrime, and malware. It aggregates data from multiple third-party and first-party sources, identifies and classifies threats, enriches the data with actionable intelligence, and enables security teams to integrate the data easily with their favorite systems. 

Unlike other threat intelligence solutions, NovaSense aggregates third-party data sources and our own first-party threat data collected from the thousands of Web Application Firewalls (WAF) deployed by Snapt’s customers in live environments. 

When one Snapt Aria or Snapt Nova WAF identifies and blocks a threat, NovaSense learns from it and sees the big picture, and instantly shares the intelligence with every NovaSense-integrated Aria and Nova WAF deployed by our customers for fully automated pre-emptive blocking of cyber security threats.

Unique first-party threat data and advanced machine learning produce the fastest, most accurate threat intelligence available. You can try our latest sample threat lists for free.