Threat Intelligence is the study of data using tools and methods to produce meaningful information about current or potential threats against the company, which aids in risk mitigation.

Threat intelligence covers the activities and resources available to cybersecurity professionals seeking to improve their knowledge of changes in the threat environment. It is part of any organisation's continual improvement in cybersecurity: keeping up to date with threats in order to protect against them. By keeping up to date, the organisation can also plan ahead for threats that may affect it in the future and protect against them pre-emptively.

Threat intelligence can be gathered from open source intelligence (OSINT) or from commercial services. Regardless of the source, the information is usually provided in threat feeds. These feeds often include IP addresses, hostnames, domains, email addresses, URLs, hashes, file paths, CVE numbers and so on, together with a description of the threat and any analysis of how it is used. Reports can also provide indicators of compromise (IoCs): the traces an attack leaves if it has already occurred, such as files left behind or other evidence that the attacker has been there.

Open Source Intelligence

As the name suggests open source intelligence is acquired through publicly available sources.

Examples of these sources are:

senki.org
AT&T's Open Threat Exchange
MISP Threat Sharing Project
Threatfeeds.io

Government sources:

Vendor sources:
Microsoft's threat intelligence blog
Cisco's threat security

Public sources:
SANS Internet Storm Center
virusshare.com

Commercial services and Closed-Source Intelligence

Commercial security vendors, government agencies and other security organisations may keep their findings restricted, as they do not wish to openly expose vulnerabilities in their services. A vendor might share the information if a product you bought from them is affected by a vulnerability, or it might keep the information restricted so it can patch the problem without drawing even more attention to it.

There is an array of threat maps displaying current attacks in real time. Companies can use these to see whether they are being targeted, where attacks are coming from, and to pre-empt attacks that may come their way.

Assessing Threat Intelligence

With the large array of resources available, such as those mentioned here, it is our job as cyber professionals to analyse and assess these sources:

Are they timely? Do they display current, up-to-date information?

Are they accurate? If they are open source, is the data reliable?

Is the information relevant to your network or organisation?

This is typically assessed through a confidence score (1-100), with the highest scores being the most trustworthy and the lowest scores indicating discredited sources.

(threatconnect.com/blog/best-practices-indicator-rating-and-confidence)

Confidence Score Range    Classification

0 - 50                    Low or Benign

51 - 74                   Medium or Suspicious

75 - 100                  High or Malicious
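As an added example, not part of the original notes, the Python script below applies the three assessment questions and the confidence bands above to a small constructed threat feed. It classifies each indicator's type (the IP addresses, domains, URLs, hashes and CVE numbers that feeds typically carry), maps the confidence score onto the Low/Medium/High bands, marks indicators not seen recently as stale (timeliness), and keeps only the indicator types the organisation's own controls can act on (relevance). The feed rows, the reference date, the 30-day age threshold and the set of actionable types are assumptions chosen for illustration; the addresses, domains and CVE id are documentation or placeholder values.

```python
"""Triage a constructed threat feed: indicator type, confidence band
(0-50 / 51-74 / 75-100), timeliness and relevance."""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample feed (not a real feed): indicator, confidence score
# (0-100), date last seen. Values are documentation ranges / placeholders.
SAMPLE_FEED = """\
indicator,confidence,last_seen
198.51.100.23,92,2024-05-01
evil-updates.example,60,2024-04-28
http://evil-updates.example/payload.bin,88,2024-04-30
0123456789abcdef0123456789abcdef,40,2023-01-15
CVE-2099-12345,95,2024-02-10
phish@mail.example,70,2024-04-29
"""

# Assumed reference date and relevance filter for the worked run.
EXAMPLE_TODAY = date(2024, 5, 2)
EXAMPLE_ACTIONABLE = {"ipv4", "domain", "url", "md5", "sha256"}

# Ordered so that the more specific shapes are tried first.
IOC_PATTERNS = [
    ("cve", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


def classify_ioc(value):
    """Return the indicator type, or 'unknown' if no pattern matches."""
    value = value.strip()
    for name, pattern in IOC_PATTERNS:
        if pattern.match(value):
            if name == "ipv4" and any(int(o) > 255 for o in value.split(".")):
                continue  # looks like an address but an octet is out of range
            return name
    return "unknown"


def confidence_band(score):
    """Map a 0-100 confidence score onto the three bands in the table."""
    if not 0 <= score <= 100:
        raise ValueError(f"confidence out of range: {score}")
    if score <= 50:
        return "Low or Benign"
    if score <= 74:
        return "Medium or Suspicious"
    return "High or Malicious"


def is_stale(last_seen, today, max_age_days=30):
    """Timeliness check: an indicator not seen within max_age_days is stale."""
    return today - last_seen > timedelta(days=max_age_days)


def triage_feed(feed_text, today, actionable_types, max_age_days=30):
    """Return one decision per feed row: block, review or ignore.

    actionable_types is the relevance filter: the indicator types the
    organisation's controls can consume (a firewall takes IPs and domains,
    an EDR takes file hashes, and so on)."""
    results = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        ioc_type = classify_ioc(row["indicator"])
        band = confidence_band(int(row["confidence"]))
        stale = is_stale(date.fromisoformat(row["last_seen"]), today, max_age_days)
        if stale or ioc_type not in actionable_types:
            decision = "ignore"  # out of date, or nothing in the estate can use it
        elif band == "High or Malicious":
            decision = "block"
        elif band == "Medium or Suspicious":
            decision = "review"  # suspicious: an analyst decides before blocking
        else:
            decision = "ignore"
        results.append({"indicator": row["indicator"], "type": ioc_type,
                        "band": band, "stale": stale, "decision": decision})
    return results


def triage_sample():
    """Run the triage over the constructed feed with the assumed settings."""
    return triage_feed(SAMPLE_FEED, EXAMPLE_TODAY, EXAMPLE_ACTIONABLE)


if __name__ == "__main__":
    for r in triage_sample():
        print(f"{r['decision']:7} {r['type']:7} {r['band']:21} {r['indicator']}")
```

The relevance step is deliberately a whitelist of indicator types rather than a score: a high-confidence email address is still useless to a team whose only enforcement point is a network firewall, and a stale high-confidence IP is worse than useless because blocking it may now hit a legitimate host. Both checks are applied before the confidence band is consulted.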