What is Cyber Threat Intelligence?

FireEye defines “cyber threat intelligence” as evidence-based knowledge about adversaries – their motives, intents, capabilities, enabling environments and operations – focused on an event, series of events or trends, and providing a decision advantage to the defender.

FireEye developed this definition specifically to emphasize adversaries, given that cybersecurity attack and defense ultimately takes place between human beings. The implements, creations and environments an adversary uses matter for understanding their capabilities, but they are ultimately assets used by one human being to compromise the security of another. This focus on adversaries is one of the elements that makes FireEye Threat Intelligence different, and more effective.

What Is the Difference Between Information and Intelligence?

It can be easy to confuse intelligence with information. The difference is that information (for example, data feeds of bad IP addresses or other indicators intended for machine-to-machine consumption) does not by itself carry enough context to drive action. Intelligence includes this information, but adds analysis and context, including behavioral, technological and even cultural knowledge. Raw data is a necessary component of threat intelligence, but the two are not the same.

Following is a brief comparison of the two concepts:

Information is...

  • Raw, unfiltered feed
  • Unevaluated when delivered
  • Aggregated from virtually every source
  • May be true, false, misleading, incomplete, relevant or irrelevant
  • Not actionable

Intelligence is...

  • Processed, sorted information
  • Evaluated and interpreted by trained Intelligence Analysts
  • Aggregated from reliable sources and cross-correlated for accuracy
  • Accurate, timely, complete (as possible), assessed for relevancy
  • Actionable

Cyber threat intelligence needs to include more than raw data; it requires rich contextual information that can only be created with the application of human analysis. This contextual information includes an understanding of the past, present and future tactics, techniques and procedures (TTPs) of a wide variety of adversaries. It must also include the linkage between the technical indicators (e.g., IP addresses and domains associated with threats or hashes that “fingerprint” malicious files), adversaries, their motivations and intents, and information about who is being targeted.

How is Information Turned into Intelligence?

Most intelligence is created from information by way of the intelligence cycle, which includes five essential steps:

1. Planning & Requirements
Define a clear CTI mission that speaks to the goals of the program. Highlight the use of a requirements-based approach with continuous management of its execution. This will drive the lifecycle process and reduce organizational risk through informed direction of resources.

2. Collections & Processing
Using a data acquisition strategy, determine how, when, why, and what should be collected to fulfill requirements. Normalize, de-dupe and enrich threat data to produce information that’s consumable and applicable. To reduce processing time, automated collection systems – such as a Threat Intelligence Platform (TIP) – are increasingly utilized across today’s enterprises.

3. Analysis
Evaluate, analyze and interpret the processed information against your program’s requirements to provide sound analytic judgments that determine confidence, relevance, likelihood, and threat impact. Assess collection gaps to satisfy requirements.

(Figure: CTI Process Lifecycle)

4. Production
Produce finished intelligence products such as briefings and technical reports that are timely, relevant, actionable, and trace back to stakeholder needs – whether operational, tactical or strategic. Document any product deficiencies against stakeholder requirements.

5. Dissemination & Feedback
Deliver finished intelligence products to internal or external stakeholders at defined frequencies and methods. Products should outline expected courses of action and provide a means for stakeholders to evaluate the product received.

Because adversaries and their behavior and tactics can change, the cycle begins anew based on the conclusions and results of the previous steps.
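The Collections & Processing and Analysis steps above, as an added example that is not FireEye's code: a constructed raw indicator feed is normalised, de-duplicated and enriched with constructed analyst context (actor, TTP, targeted sectors, confidence, age), and each record is then assessed for relevance to a hypothetical organisation's sector. Every indicator, group name and field is an assumption made up for the example.

```python
# Added example (not FireEye's code): the Collections & Processing and Analysis
# steps in miniature. Raw feed entries are normalised, de-duplicated and joined
# to analyst context so each record carries the adversary/TTP/targeting linkage
# the text describes. All indicators, names and context values are constructed.
from urllib.parse import urlparse

RAW_FEED = [  # constructed: duplicates, mixed case, defanged entries, no context
    "203.0.113.7",
    "EVIL-UPDATES[.]example",
    "hxxp://evil-updates.example/setup.bin",
    "203.0.113.7",
    "198.51.100.9",
]

# Constructed analyst context, keyed by normalised indicator (hypothetical values).
CONTEXT = {
    "203.0.113.7": {"actor": "HYPOTHETICAL-GROUP-A", "ttp": "C2 over HTTPS",
                    "targets": ["finance", "energy"], "confidence": "medium", "age_days": 3},
    "evil-updates.example": {"actor": "HYPOTHETICAL-GROUP-A", "ttp": "fake software update lure",
                             "targets": ["finance"], "confidence": "high", "age_days": 1},
}

def normalize(raw: str) -> str:
    """Undefang ([.] -> ., hxxp -> http), lowercase, and reduce URLs to their host."""
    s = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:
        s = urlparse(s).hostname or s
    return s

def build_intelligence(feed, context, org_sector, max_age_days=30):
    """Return one evaluated record per unique indicator, most actionable first."""
    records = []
    for ind in dict.fromkeys(normalize(r) for r in feed):  # de-dupe, keep order
        ctx = context.get(ind)
        if ctx is None:  # raw information only: no linkage, so not actionable
            records.append({"indicator": ind, "evaluated": False, "actionable": False})
            continue
        # Relevance: does the actor target our sector, and is the sighting recent?
        relevant = org_sector in ctx["targets"] and ctx["age_days"] <= max_age_days
        records.append({"indicator": ind, "evaluated": True, "actor": ctx["actor"],
                        "ttp": ctx["ttp"], "confidence": ctx["confidence"],
                        "relevant": relevant,
                        "actionable": relevant and ctx["confidence"] != "low"})
    # Stable sort keeps feed order among records with equal actionability.
    return sorted(records, key=lambda r: (r["actionable"], r["evaluated"]), reverse=True)

if __name__ == "__main__":
    for rec in build_intelligence(RAW_FEED, CONTEXT, org_sector="finance"):
        print(rec)
```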

Why Is Cyber Threat Intelligence Important?

Cyber threat intelligence to a network defender is like battlefield intelligence to a military commander, or medical tests and imagery to a surgeon. In these situations, just as with network defense, the wrong decisions can have catastrophic consequences. In all of these cases, we’d want and expect those responsible to make the best decision possible after considering all of the risks and options.

And that is why cyber threat intelligence is important; it helps network defenders and their leaders make better-informed security decisions about how to anticipate, prevent and remediate cyber threats and attacks.

What Are the Different Types of Threat Intelligence?

The three categories, or types, of cyber threat intelligence correspond to the different objectives and uses of threat intelligence. Different threat information and different methods of analysis are useful at different levels of business and defense, and for different audiences. The types of cyber threat intelligence map to these levels:

  • Strategic Cyber Threat Intelligence is concerned mostly with the future, including emerging trends, and is used to make longer-term decisions.
  • Operational Cyber Threat Intelligence considers historical capabilities, affiliations and motivations of threat actors, and is used mostly to make resource-allocation decisions around real and perceived threats.
  • Tactical Cyber Threat Intelligence analyzes interactions between the technology environment and threats and is typically used to assist in mitigation of active or imminent threats or attacks.
