The phrase Threat Intelligence has slowly gained significance in the information security community and their discussions. With the decision makers considering it as a high priority requirement, vendors have launched an array of products which are indeed confusing for an executive with the managerial background. This is an introductory post in our series of detailed discussion on threat intelligence.
The concept of threat intelligence is quite alluring as it presents itself as an efficient and better method to manage the security risks for a business. Essentially, on the basis of previously acquired data, it turns unknown threats into known threats so that the internal security team can effectively mitigate the identified risks before they are exploited by the attackers. At present, there is no consensus on the definition of threat intelligence. For traditional purposes, threat intelligence is defined as an information which can assist and support in the decision-making process along with reducing the time taken to discover or prevent an attack. With threat intelligence in cyber security is still in its youth and high variations in the products offered by the vendors and their prices, there is always a chance that a business might end up paying a large amount of money to a product marketed as based on threat intelligence and at the end, it does not deliver the expected results. In order to define threat intelligence, it is important to understand the intelligence. The concept of knowns and unknowns became popular after a press conference organized by Donald H. Rumsfeld, the then US Defence Secretary on February 12, 2002. The concept can be represented as given below in the context of security threats – Threat Intelligence can be considered as the process of moving from Unknown Unknowns to Known Unknowns by discovering the previously unknown threats. Hence, it is clear that the goal of this concept is to keep the most number of threats in the Known Knowns category and a minimum number of threats in the Unknown Unknowns category. If this concept is understood in its essence, it is imperative to have targeted defence strategy for the targeted attacks.
From a broader perspective, any type of information which assists in decision making can be called as threat intelligence. The categorisation of threat intelligence is who is going to utilise it and what are the aims to be achieved. It is categorised as follows –
Information leakage of threat intelligence, incident data, and status data can have several legal consequences for organizations.
Log Management is a security control which plays a crucial role in identifying the type of an attack during a security incident.