{"id":2552,"date":"2016-09-19T08:55:53","date_gmt":"2016-09-19T08:55:53","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=2552"},"modified":"2020-05-06T10:28:04","modified_gmt":"2020-05-06T17:28:04","slug":"demystifying-threat-intelligence","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/demystifying-threat-intelligence\/","title":{"rendered":"Demystifying Threat Intelligence"},"content":{"rendered":"

You cannot effectively mitigate cyber threats without threat intelligence.<\/p>\n

If you think organizations are covered when it comes to using threat intelligence to counter cyberthreats, think again. Although enterprises have invested in multiple security systems and technologies, most lack the resources, time and tools to really understand and prioritize threats.<\/p>\n

What is threat intelligence?<\/strong><\/p>\n

According to\u00a0Gartner<\/a>, \u201cThreat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets.\u201d<\/p>\n

A key point is that threat intelligence is not simply data and information \u2013 threat intelligence provides\u00a0context<\/strong>. Without context on threat type\/category, when a threat was discovered, and the source (e.g. geographic origin), it can be difficult for a security team to prioritize threat indicators and create effective security policies for taking action on existing and emerging threats. Also, investigation of threats is contingent upon being able to obtain context.<\/p>\n

Who is creating and using threat intelligence?<\/strong><\/p>\n

Historically, government and defense have invested the most to create, use and also distribute threat intelligence data (in a controlled manner). From a private sector perspective, verticals such as financial services, healthcare, retail and technology are leveraging threat intelligence data to understand and act on threats. They typically transact sensitive data (financial, personal) and stand to lose a lot of money (legal, financial costs) if they suffer from a data breach. However, generally speaking, any organization that is using security technologies such as firewall, antivirus and others is using threat intelligence data because these technologies apply threat intelligence data to operate.<\/p>\n

What are the benefits of threat intelligence?<\/strong><\/p>\n

There are several potential benefits of threat intelligence, including:<\/p>\n

    \n
  1. Rich threat context<\/u><\/strong>\u00a0for faster prioritization and threat response<\/strong>: Given that there are multiple alerts from sources such as SIEM, firewall and other tools, Security Ops and Incident Response teams need to be able to quickly understand which threats to tackle first. Threat intelligence provides these teams the necessary context (what the threat is\/category, when it was first discovered, severity level, etc.).<\/li>\n
  2. Streamline security operations resources<\/u><\/strong>: With the shortage in cyber security skilled professionals (http:\/\/www.informationweek.com\/strategic-cio\/security-and-risk-strategy\/cyber-security-skills-shorta…<\/a>) and looming threat of a data breach, organizations cannot depend on scarce security resources to be constantly \u201con top of their game\u201d in deflecting threats. By deploying threat intelligence on various security systems (e.g. firewall) and network control points (e.g.,\u00a0DNS Firewall<\/a>), that is both reliable and automatically refreshed by the threat intelligence provider itself, organizations aren\u2019t at the \u201cmercy of\u201d scarce security resources who are here today, but may be gone tomorrow.<\/li>\n
  3. Leverage network intelligence to identify infected devices and targeted users<\/u><\/strong>: DNS, DHCP and IP Address Management (DDI) services provide critical, actionable network intelligence such as the devices used by, IP addresses assigned to and web sites visited by users. By tracking user behavior over time, the security team can create a profile of \u201cnormal\u201d user behavior to use as a baseline and then alert and flag any deviations from that profile which may be indicative of suspicious or rogue activity.\u00a0Combining<\/em>\u00a0network and user context with threat intelligence (e.g. device is trying to connect to a \u201cransomware C&C\u201d server) helps organizations quickly identify infected devices and the users being targeted.<\/li>\n<\/ol>\n

    Unfortunately, despite the potential benefits of threat intelligence, organizations also face some key challenges, including:<\/em><\/p>\n