Threat intelligence: why it matters, and what best practice looks like

Jason Steer, CISO at Recorded Future, discusses why threat intelligence should be high on the agenda for organisations, and what best practice entails

Cyber security professionals might disagree on many things. But one fact rarely disputed is the spiralling volume of cyber threats facing organisations today. Two years of mass remote working and investments in digital transformation have expanded the corporate attack surface in most organisations, giving threat actors many more opportunities to do their worst — and they are. In the UK, around two-thirds of medium and large businesses reported a breach during 2020. In Germany, the authorities logged an 8% increase in reported cyber crime in 2020, and a 22% increase in new malware variants.

In the face of increasingly well-resourced and determined adversaries, CISOs are struggling with skills shortages and growing IT complexity. Threat intelligence offers a rare opportunity to redress the balance — but only if it’s used in the right way, and with the right tools.

How to empower your chief information security officer (CISO)

This article will explore how organisations can empower their chief information security officer (CISO) to excel in securing infrastructure. Read here

Data, information and intelligence

What exactly is threat intelligence? It’s the use of data, processed into information, and interrogated further to tell a story which can be used to support enhanced decision making. Rather than answer direct simple questions, it can be used to paint a picture with which analysts can answer more complex inquiries.

One thing organisations aren’t short of today is data. Logs for everything overload already slammed analysts. Typical sources could range from traditional security controls (firewall, anti-virus, email and web gateways, etc.) to the technical — covering threat lists, spam and malware — to social media, industry forums, dark web sites, and media — including news, vendor research, blogs and vulnerability disclosures.

However, without context, these logs and feeds will inundate security teams, even if they are ingested directly into security tools and workflows unless they are automated. The result is alert fatigue, which is the quickest path to analyst burnout and poor outcomes.

The good news is that some threat intelligence platforms are able to take large volumes of threat data from multiple sources and languages, and output only relevant actionable intelligence to drive proactive security decision-making.

Best practice for threat intelligence

While no two organisations are the same, one useful way to think about deploying threat intelligence is to focus on three stages: monitoring, integration and analysis.

In the early days of a project threat intelligence strategy, it’s unlikely that you’ll have the relevant expertise, time, or resources that are necessary to support proactive intelligence analysis yet. However, by collecting information from various sources and monitoring them for threat indicators relevant to your business, it’s possible to drive significant value. This could include things like leaked corporate credentials, mentions of your product on the dark web or looking for typosquats of your corporate brands in domain name registrations that are important as you begin your journey.

The intelligence gained from doing so could help to inform the IT department for password resets, phishing email campaigns targeting employees and accelerate efforts to verify potential security incident efforts.

Next comes integration. The goal here is to reduce alert fatigue, automatically enrich indicators and speed up incident response by integrating threat intelligence with existing security control technologies. Good intelligence will help to drive faster prioritisation of the alerts that matter, provide external enrichment of indicators seen from internal sources, and add more context to understand the tactical, operational and strategic views. But, in order to do all of these things, the intelligence must be contextualised, delivered real-time via API, and machine-readable so the APIs can work with it.

Finally, we get to the most mature practice: analysis. This is about proactively identifying emerging threats and more closely examining risks to your business, industry and suppliers. It means going beyond uncovering new threats and towards delivering strategic value. This will put CISOs in an enviable position, enabling an evolution from reactive firefighting to proactive threat identification, hunting and prevention, as well as investment in new technologies and approaches.

The idea is to head-off threats before they have impact to your organistion.

From vaccine passports to voter IDs: the hidden security threats of digital passes

Kevin Bocek, vice-president, security strategy & threat intelligence at Venafi, discusses the hidden security threats that lie within digital passes, and how these can be mitigated. Read here

The final hurdle

So what does it take to get there? Boardroom sign-off for any new investments requires a watertight business plan and accurate ROI measurement. That may be easier in the earlier phases of maturity when there’s a clear case for using threat intelligence to reduce alert fatigue and enhance analyst productivity. But it could be more challenging to prove ROI in the monitoring and analysis phases.

However, the more clearly you define and measure the areas in which threat intelligence can make an impact, the better. This could involve walking through examples of intelligence-led security strategies with the executive team, sharing finished intelligence reports with the analyst team or even trying out a threat intelligence solution to discover the value yourself.

To be effective, a threat intelligence solution must integrate and enhance existing security controls you use. A solution must collect and analyse technical sources across the open and dark web, even converting foreign-language content into a usable format as it goes. And it has to provide tailored alerts to use cases your business requires in real time with minimal false positives.

Second, look for a technology partner rather than a passive tech provider — a vendor which is invested in your success and able to uncover new use cases over time. In the threat intelligence market, this should be a vendor that is more than just a feed aggregator but one that collects, produces and delivers actionable intelligence for tactical operational and strategic needs.

That’s the path to success. The journey starts here.

Written by Jason Steer, CISO at Recorded Future

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at