What is Threat Intelligence?

Threat intelligence, also called cyber threat intelligence (CTI), is the practice of gathering and analyzing trends about potential or ongoing cyber threats.

Wiz Experts Team

Think of threat intelligence as a framework of tools that lets you know more about an attack, either well ahead of time or after the attack is discovered, including which tactics, techniques, and procedures (TTPs) threat actors are planning to use or are already using.

Game-changing, right? Threat intelligence not only lets you proactively beef up your defenses, it also helps you understand specific risks your business is exposed to and the cybersecurity investments to make to mitigate them.

Threat hunting and the intelligence it yields provide you with internal and external (paid or open-source) data to feed into existing security solutions and strengthen your defenses against emerging threats. Plus, if attackers do manage to slip through your defenses, threat intelligence data lets you detect attacks faster, before they negatively impact your finances or business operations.

Types of threat intelligence

There are four main types of threat intelligence, each with its own use cases and focus. Here’s a closer look:

Figure 1: The four types of cyber threat intelligence (Source: EC-Council Cybersecurity Exchange)

Strategic threat intelligence

Strategic threat intelligence presents a bird’s eye view that lets C-suite execs, CISOs, and security operations center (SOC) managers see the big picture of their organizations’ threat landscape, including malicious actors, commonly targeted assets, and potential blast radii.

It focuses on revealing how organizations may be vulnerable to cyber threat trends, known vulnerabilities, and threat actors fueled by geopolitical conflicts. Strategic threat intelligence drives cybersecurity strategy, defines security investments, and shapes preventive actions. 

Operational threat intelligence

Operational threat intelligence is typically collected from the dark web and other hacker sources. It provides real-time clues about ongoing or future attacks. With operational threat intelligence data, SOC analysts and incident response managers can dig into the names of attackers/attack groups, their motives, timing, and nature of attacks. This allows security teams to design specific countermeasures and tweak security controls to match up with emerging threats.

Tactical threat intelligence

Tactical threat intelligence provides more detailed insights on attacker TTPs, tools, and particular vulnerabilities attackers exploit in specific software. Security teams leverage this type of threat intelligence to understand how attackers operate and how to build effective defense strategies or strengthen existing security controls to mitigate risks. 

Technical threat intelligence

Technical threat intelligence is time-bound threat data. It reveals specific attack vectors and indicators of compromise (IoCs), like IP addresses, malicious links, phishing emails, login anomalies, malware, and file hashes that suggest an ongoing attack. Because indicators age quickly, technical threat intelligence requires quick action to contain attacks and rebuild defenses before the activity behind the IoCs escalates into a full-blown attack.

Use cases and benefits of threat intelligence

A wide range of stakeholders within organizations—from the C-suite to every security team—require threat intelligence to do their jobs well. Here’s a quick look at the top use cases:

  • CISOs and CTOs use insights from threat data to make informed decisions about security spending and strategies, aligning investments and policies with real-world threats for maximum ROI.

  • Security architects deploy threat intel to anticipate attacks and build preventive security controls from the ground up.

  • SOC analysts gather threat intel to detect threats and IoCs faster and to prioritize alerts.

  • Threat researchers use threat intel for threat monitoring and modeling, as well as threat actor profiling. (Threat actor profiling provides insights into attacker tools, techniques, commonly deployed exploits, and frequently targeted technologies so teams can anticipate attackers’ moves and stay ahead of them.) 

  • Security and incident response (IR) teams leverage threat intel to contain attacks faster and conduct swift root cause analysis.

  • DevOps teams need threat intel to develop secure-by-design software that’s protected from known threats.

  • Red teams employ hacker TTPs to effectively simulate attacks and discover/resolve security gaps that attackers could exploit. 

Sources of threat intelligence

Reliable threat intelligence isn’t just random threat data pulled together; it’s information gathered from real data points, feeds, and attacks relevant to your specific cybersecurity goals. Top threat intel sources are:

Internal threat data 

This is security information you draw from within your own organization to find software design vulnerabilities, attack attempts, and core risks in your stack. Go-to sources for internal threat data include network logs, runtime data, historical security incidents, security tool reports, and more. 

External threat data

Of course, there’s more to grapple with than internal threats. To fortify against external threats, enterprises must collect actionable cyber intelligence from sources like…

  • Open-source intelligence (OSINT): Includes publicly available information collected from websites, social media, news sources, public databases, and domain registries

  • Dark web monitoring: Refers to data collected by tracking dark web forums, chatrooms, markets, and other hacker platforms

  • Closed-source intelligence (CSINT): Intelligence gathered by private threat intelligence analysts or security firms; CSINT is usually accessible by subscription or membership only

  • Government-sanctioned intelligence: Refers to information compiled in government advisories or intelligence feeds like the CISA Automated Indicator Sharing (AIS) threat intelligence feed

  • Human intelligence (HUMINT): Cyber intelligence reports gathered through undercover access to criminal forums, phishing attempts on hackers, or other stealth methods; HUMINT can be used to de-anonymize hackers or fact-check attackers’ data theft claims

Cloud-specific threat intelligence feeds 

Cloud-specific threat intelligence feeds are threat intelligence sources focused specifically on cloud attack trends. These feeds contain intelligence reports on potential threats and vulnerabilities in cloud-native apps, data, and cloud environments. A prime example of a cloud-specific threat intelligence feed is the Cloud Threat Landscape, the first of its kind to focus specifically on cloud risks. 

So how do cloud-specific threat intelligence feeds work? 

Cloud intelligence feeds function as threat intelligence databases, continuously collecting, summarizing, and storing intel on past, ongoing, and future attacks on cloud environments. 

Unlike generic threat feeds, cloud intelligence feeds focus on cloud TTPs like identity and access control weakness, supply chain risks, insecure API calls, and misconfigurations—including those in storage buckets, networks, containers, and other cloud-native services.

Cloud intelligence feeds pick out threats and attack vectors that keep surfacing so that organizations can understand attack patterns, malicious actors, and commonly targeted entry points in cloud environments.

How threat intelligence supports cloud security

Threat intelligence plays a critical role in cloud security, specifically covering areas such as:

  • Detecting cloud-specific threats: Threat intel helps to address risks unique to cloud environments like cloud misconfigurations (improperly configured storage buckets, insecure access keys, and unrestricted ports), identity and access threats (weak or misconfigured IAM), and container security risks (image vulnerabilities, misconfigurations, outdated images, and privilege escalation threats).

  • Proactive threat hunting: Threat intel fuels proactive threat hunting by providing the basis for identifying real-time threats easily (think suspicious access patterns and strange network traffic). It also helps to predict attackers’ moves, shorten their dwell times, and reduce mean time to repair (MTTR).

  • Improving compliance posture: Threat intel spotlights compliance risks like misconfigured storage buckets containing sensitive data or poor encryption mechanisms. This helps enterprises fix issues and stay compliant as new risks emerge.

  • Improving MTTR: Since threat intelligence unlocks timely and relevant insights on emerging threats, security teams can identify potential attack vectors before they’re exploited and develop targeted incident response strategies. This enables them to respond faster and more effectively, improving their MTTR.

  • Identifying IoCs: By integrating threat intelligence feeds into monitoring tools, SecOps teams can identify indicators of compromise associated with known threat actors, such as command and control (C2) servers, malicious IP addresses, and suspicious domains. This enables them to detect and respond to threats in real time, including data exfiltration attempts via cloud storage services or lateral movement within cloud environments.

How threat intelligence works: The threat intelligence lifecycle

The threat intel lifecycle follows a step-by-step process that begins with planning and ends with feedback. It’s a six-stage process that demonstrates how information flows in an ideal threat intelligence program. 

Here’s a quick runthrough:

Figure 2: The six stages of the threat intelligence lifecycle (Source: Silobreaker)

  • Stage 1—Planning and direction: Define your organization’s threat intelligence requirements. Understand what information you need to collect, what the goal of threat hunting is, and which teams/individuals will use the intel to achieve your goal.

  • Stage 2—Collection: At this point, threat hunting teams and threat intel analysts gather the data from one or more internal, external, or cloud-specific sources.

  • Stage 3—Processing: Curate the various threat intel you’ve gathered and filter out the noise so you’re left with just the signals you need. These signals can then be used for threat hunting operations that reveal threats hiding in your stack.

  • Stage 4—Analysis: Explore the filtered intel to get a feel for what it means for your business. You can also correlate the filtered intel with events to understand risks in your stack, tag relevant data for future reference, and enrich intel to triage incidents. 

  • Stage 5—Dissemination: Get value out of the threat intel you’ve gathered by sharing the findings with the right stakeholders, including CISOs, SOC teams, and incident response teams. NIST suggests a number of threat information sharing guidelines, including creating secure pipelines for sharing internal threat data and developing information dissemination policies.

  • Stage 6—Feedback: Get feedback from relevant stakeholders to learn if the intel provided was relevant, which parts of it can be excluded, and which new aspects should be added to the loop. Though it’s often skipped, this stage is critical. Gathering feedback massively enhances the efficacy of the intel gathering process, letting you focus more on relevant threats rather than chasing around vulnerabilities and threat actors that may never target your enterprise.
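As an added example (not code from the article or from Wiz), the following Python sketch ties together the “Identifying IoCs” use case above and the Processing and Analysis stages of the lifecycle: a constructed, time-bound IoC feed is deduplicated and filtered, then correlated with constructed cloud telemetry events so each hit is tagged with the actor and confidence for triage. The feed fields, event fields, actor names, and all values are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample feed (fictional values; not a real feed format). Technical TI
# is time-bound, so each indicator carries a validity window and a confidence score.
FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "valid_until": "2030-01-01T00:00:00Z", "confidence": 85, "actor": "EXAMPLE-GROUP-1"},
    {"type": "ipv4", "value": "203.0.113.7", "valid_until": "2030-01-01T00:00:00Z", "confidence": 60, "actor": "EXAMPLE-GROUP-1"},  # duplicate
    {"type": "domain", "value": "C2.example.invalid", "valid_until": "2020-01-01T00:00:00Z", "confidence": 90, "actor": "EXAMPLE-GROUP-2"},  # expired
    {"type": "domain", "value": "exfil.example.invalid", "valid_until": "2030-01-01T00:00:00Z", "confidence": 70, "actor": "EXAMPLE-GROUP-2"},
    {"type": "sha256", "value": "00" * 32, "valid_until": "2030-01-01T00:00:00Z", "confidence": 20, "actor": "unknown"},  # low confidence
]

# Constructed cloud telemetry (simplified, CloudTrail-inspired; fictional principals and IPs).
EVENTS = [
    {"time": "2025-06-01T10:00:00Z", "event": "ConsoleLogin", "src_ip": "203.0.113.7", "principal": "arn:aws:iam::123456789012:user/dev-alice"},
    {"time": "2025-06-01T10:05:00Z", "event": "GetObject", "src_ip": "10.0.1.4", "principal": "arn:aws:iam::123456789012:role/app", "dest_host": "exfil.example.invalid"},
    {"time": "2025-06-01T10:06:00Z", "event": "GetObject", "src_ip": "10.0.1.5", "principal": "arn:aws:iam::123456789012:role/app", "dest_host": "c2.example.invalid"},
    {"time": "2025-06-01T10:07:00Z", "event": "PutObject", "src_ip": "10.0.1.6", "principal": "arn:aws:iam::123456789012:role/app"},
]

# Fixed "now" so the run is reproducible (assumption: evaluation time).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def process(feed, now, min_confidence=50):
    """Processing stage: one entry per (type, value), dropping expired and low-confidence indicators."""
    kept = {}
    for ioc in feed:
        if ioc["confidence"] < min_confidence or _parse(ioc["valid_until"]) <= now:
            continue
        key = (ioc["type"], ioc["value"].lower())  # case-normalize so duplicates collapse
        if key not in kept or ioc["confidence"] > kept[key]["confidence"]:
            kept[key] = ioc
    return kept

def correlate(indicators, events):
    """Analysis stage: tag events whose source IP or destination host matches a live indicator."""
    hits = []
    for ev in events:
        for ioc_type, field in (("ipv4", "src_ip"), ("domain", "dest_host")):
            key = (ioc_type, ev.get(field, "").lower())
            if key in indicators:
                hits.append({"time": ev["time"], "event": ev["event"], "principal": ev["principal"],
                             "indicator": key[1], "actor": indicators[key]["actor"],
                             "confidence": indicators[key]["confidence"]})
    return hits

def run(now=NOW):
    return correlate(process(FEED, now), EVENTS)
```

The expired C2 domain in the third event produces no hit, which is the point of the time-bound filter: stale indicators generate noise rather than signal.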

Challenges of threat intelligence gathering

While many enterprises understand the need for threat intelligence gathering, putting it into practice isn’t always easy. Here’s why:

  1. A major hurdle is the sheer volume of data from open-source intelligence sources. Faced with these massive volumes, organizations must not only wade through endless low-yield information and false positives before getting to the meat of it, but also correlate the data with real-time risks in their stacks to find relevant threats.

  2. Another huge challenge? Most threat databases are threat feeds rather than threat intel feeds. Here’s the difference: Threat feeds give you the raw data, leaving you to process it on your own, headaches and all. Threat intel feeds summarize threat data and add IoCs, offering insights for identifying threats in your systems. The one you choose can make or break your threat intel operations.

  3. Skill deficit is also an issue. Many organizations lack dedicated threat analysts who have the skills and training needed to run intel gathering operations, interpret complicated threat data, and transform the data into actionable threat intelligence.

  4. Then there’s the problem of poor internal threat data collection. For one, the sheer volume of data and number of data sources in the cloud is staggering, making it very expensive to store threat data. Second, it requires some degree of expertise, as well as the use of tools like security information and event management (SIEM) platforms and malware disassemblers. 

Wiz cloud threat intelligence

While gathering threat intelligence from several sources gives you more data, with threat intelligence, more is rarely better. If anything, lots of volume often comes with plenty of noise. That’s why you need Wiz, the only cloud-focused threat intel database. Here are the top 5 reasons to count on Wiz:

  1. The Wiz Cloud Threat Landscape is a cloud-focused threat intelligence feed enriched with the context of specific risks in your cloud environments.

  2. Our Cloud Threat Landscape gives you actionable defenses for resolving various types of cloud threats. What better way to put threat data to good use?

  3. Wiz incorporates threat intel into all its platforms, including Wiz Sensor, Wiz Code, Wiz Cloud, and Wiz Defend. This way, Wiz maximizes protection for your mission-critical assets by adding new security controls and IoCs as threats and attack TTPs evolve.

  4. With Wiz, you can correlate risks with threat intel and go threat hunting in your stack. The threat intel is used to create detection rules for Wiz Defend, which automatically detects threats. You can also visualize the results of your risk correlation and threat detection using the Wiz Security Graph. In other words, proactive threat detection just got way easier.

  5. Aside from its rich threat database, Wiz has a threat podcast and a threat research repo, powered by our expert threat research team. You can tune in to the Wiz threat podcast whenever you want to keep up with the latest threats. You can also explore the threat research repo for breakdowns of attacks, techniques, and root causes.
