Threat Intelligence: Understand to anticipate


Within just a few years, Threat Intelligence has become an essential tool in the fight against cyber threats. But what is it really all about?

Share the post:

According to Markets and Markets, in 2018, the Threat Intelligence (TI) market, also known as “CTI” for Cyber Threat Intelligence, was worth $5.3 billion worldwide. This figure is expected to reach 12.9 billion by 2023. Many solutions offering different types of Threat Intelligence have emerged to better meet the security challenges of companies. But how to choose the most appropriate solution for your security issues? Focus.

What is Threat Intelligence for?

Threat Intelligence can be defined as an extension of the security monitoring process, but at a much higher level. It thus complements traditional security approaches with an analysis based on attacker tracking.

The objective? To continuously feed a database of threats and hackers in order to remain in a position to respond as quickly as possible to potential attacks, but also and above all, to anticipate new ones. To do this, Threat Intelligence teams collect and organize threats in order to establish complete profiles (attackers, sectors of activity affected, methods used, etc.) throughout the year.

Threat Intelligence is not:

Threat Intelligence does not take into consideration:

  • obvious information about a threat that could be detected without knowledge of the field;
  • details about vulnerabilities (although often provided by IT providers);

Nor is TI a tool dedicated to incident response, although incident response teams benefit from Threat Intelligence feedback. The objective of a Threat Intelligence solution is above all to reduce operational risks in order to maintain or increase the company’s profitability. It should not be an exhaustive knowledge of threats and their characteristics. On the contrary, optimizing the sorting of the data collected makes it possible to process only the most relevant information in order to provide the most targeted responses possible. This is referred to as “intelligence”.

For Threat Intelligence teams, what is the difference between data, information and intelligence?

Threat Intelligence makes the following distinctions:

  • Data: available in large quantities, data must be extracted selectively, organized, dated and formatted to become information;
  • Information: it is produced when data points are combined to answer a simple question;

Intelligence: combination of information and data that can be used to reconstruct a story or a series of events that can be useful for decision-making. Intelligence helps to find an answer to a more complex question.

Data

  • From the system’s operating environment or from external sources
  • Available in large quantities but with a short life span
  • Collected randomly
  • Can be true, false, misleading
  • Not operable

Information

  • Combining data points with a simple question
  • Not evaluated
  • From filtered, organized and formatted data
  • Can be true, false, misleading
  • Not operable

Indications

  • Combination of information and data answering a complex question
  • Verified by experts
  • Collected from reliable sources, evaluated and cross-checked
  • True and accurate
  • Can be activated

An indication combines both informations and datas in order to build a story (a series of events) useful to the decision making process.

Next step to choose the most appropriate solution: discover the different types of Threat Intelligence.

About the blogger

Mathilde Poulbot is an engineer apprentice at Orange Cyberdefense. A graduate of the Saint-Malo University of Technology, she is currently studying at the Ecole Nationale Supérieure d’Ingénieurs de l’Université de Bretagne-Sud (ENSIBS).

Découvrez les blogueuses du Blog Orange Cyberdefense