
What is Threat Intelligence?

by Iwan Price-Evans on Security • March 16, 2022

Threat intelligence is the collection, processing, analysis, and dissemination of current and predictive security data that allows security teams, developers, and automated tools to make intelligent decisions to safeguard the security of their infrastructure, data, and users.

Threat intelligence provides structured information that allows an organization to act against a threat to their people, customers, or the physical or technical assets that are valuable to them.

Threat intelligence can be gained by collecting, analyzing, and assessing large volumes of information and identifying threats within it. This analysis is performed with three questions constantly in mind:

  • Who are the threat actors?
  • Why are they intending to perform these actions?
  • How capable are they of being successful?

What are the types of threat intelligence?

There are three types of threat intelligence data that enable proactive threat assessments.

Strategic 

Strategic threat intelligence provides risk-based threat trends to non-technical audiences. It gives high-level decision-makers within an organization a big-picture view of cyber threat actors and their intentions.

Strategic intelligence information usually comes from freely available sources. Strong communication between threat analysts and leadership teams ensures that risk trends and emerging threats are highlighted to these decision-makers.

Tactical

Tactical threat intelligence assesses threat actors' tactics, techniques, and procedures (TTPs) in real time. It creates an understanding of the attack vectors, tools, infrastructure, and forensic avoidance strategies being used against a target organization, location, or even a whole industry.

The primary audience for these assessments can be system architects, security professionals, and security decision-makers.

Technical audiences are provided with assessments of events or activities occurring in day-to-day operations. They receive technical threat indicators, such as IP addresses or malware hashes.

Operational

Operational threat intelligence relates to identifying the activity and communications of specific individuals or groups. The purpose of this is to provide decision-making information for operational security responses. Operational intelligence is highly specialized and technically focused, identifying the details of individual attacks or attack campaigns for response teams to act upon.

Operational threat intelligence usually comes from closed sources. Some less organized attackers may discuss attack details publicly via social media or chat rooms. However, more serious criminals operate in private or via the dark web.

Intercepting and compromising a threat group's communications is difficult and often has ethical or legal implications. Threat actors often obfuscate communications to maintain secrecy, coding or aliasing names, targets, and types of attack. Another challenge is that threat groups often communicate in non-English languages and may operate in non-English-speaking countries. Trying to monitor high-volume social media or chat room data is equally difficult, is often illegal, and is sometimes technically impossible.

By studying past activity, analysts can correlate attacks with specific trigger events, uncovering incoming attacks before they happen. This real-world event and cyber activity information can generate forensic threat intelligence reports for response teams to act on.

The triad of strategic, tactical, and operational threat analysis focuses on identifying threat actors' tactics, techniques, and procedures. This allows organizations to make threat assessments from these insights and enables the application of targeted responses.

What is a Threat Intelligence Platform?

A threat intelligence platform (TIP) productizes threat intelligence, performing the functions of collection, processing, analysis, and dissemination of threat data.

Threat intelligence platforms typically integrate with security automation tools, developer pipelines, and incident response workflows to help organizations understand the threat landscape and counter threats when, or before, they arise.
