Answer yes if your organisation uses threat intelligence to make smarter decisions relating to information security strategy, policy, processes or operations. This could be collected, analysed and produced internally, or gathered from external sources such as information services or special interest groups. In the notes section, please describe how you collect, analyse and use threat intelligence within your organisation, or upload a document (as a PDF file) as supporting evidence.
Organisations operate in a continuously evolving environment of risks. Threat Intelligence activities provide awareness of your environment so that existing and emerging threats can be reviewed and appropriate actions taken to prevent, detect, or respond to them.
Organisations typically receive and make use of threat intelligence provided by independent security information advisors, suppliers, technology vendors, government agencies or collaborative peer groups. There are different types of threat intelligence which should be used in different ways.
Strategic threat intelligence provides the big picture of how threats and attacks are changing over time. Strategic threat intelligence will identify historical trends, threat actor motivations, or attributions as to who is behind particular events. This can be used to inform senior management about the evolving threat landscape and as input to medium to longer term risk management and mitigation planning.
Operational threat intelligence is knowledge curated by specialists and experts as they examine details from known attacks. These analysts build a picture of threat actor technical capabilities, common targets and methods by piecing together indicators and artifacts from forensic analysis and distilling these into operational intelligence. You can use this operational threat information to help improve defensive capabilities, such as enhancing incident response plans and deploying controls to disrupt, slow or limit the impact of similar attacks and incidents.
Tactical threat intelligence is the most basic form of threat intelligence. This includes common indicators of compromise (IOCs), often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in an organisation’s network of connected systems. IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats need to be prioritised for immediate action.
You can use the reported strategic, operational or tactical threat information to assess the relevance and importance of each threat to your organisation’s resilience and operational objectives. This may be part of a routine risk management process or, in the case of a new, emerging threat (for example, the discovery of a system vulnerability), you might use security event and incident management to triage the threat information quickly.
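The two paragraphs above describe the machine-to-machine use of tactical IOCs (matching indicators against telemetry and enriching the resulting alerts with context) and the triage step that follows (deciding which hits need immediate action). The script below is an added example of that workflow and is not part of the original guidance; the IOC feed, the campaign labels, the severity scores and the log lines are all constructed for illustration (RFC 5737 test address space, the reserved `.invalid` TLD and a made-up hash), and the field names such as `dst=` and `sha256=` are assumed log formats rather than any particular product's output.

```python
"""Match tactical IOCs against log lines, enrich hits with context, prioritise.

Added example, not from the original guidance. Every indicator, log line,
campaign label and severity below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed tactical feed: indicator -> the context an analyst wants on the alert.
IOC_FEED: Dict[str, Dict[str, dict]] = {
    "ip": {
        "203.0.113.45": {"label": "constructed-campaign-A command and control", "severity": 9},
    },
    "domain": {
        "update-check.invalid": {"label": "constructed-malware-family staging host", "severity": 7},
    },
    "sha256": {
        "a" * 63 + "1": {"label": "constructed-malware-family dropper", "severity": 8},
    },
}

# Constructed log lines mixing web-proxy and endpoint telemetry (assumed field names).
SAMPLE_LOGS = [
    "2024-01-15T10:02:11Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.invalid method=GET",
    "2024-01-15T10:02:13Z proxy src=10.0.0.13 dst=198.51.100.7 host=www.example.com method=GET",
    "2024-01-15T10:05:40Z edr host=ws-042 event=file_write sha256=" + "a" * 63 + "1",
    "2024-01-15T10:06:01Z edr host=ws-043 event=file_write sha256=" + "b" * 64,
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# Only dotted hostnames count as domains; bare endpoint names such as ws-042 are skipped.
HOST_RE = re.compile(r"host=([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


@dataclass
class Alert:
    """One IOC hit, carrying the feed context that makes the alert actionable."""
    line: str
    ioc_type: str
    indicator: str
    label: str
    severity: int


def extract_observables(line: str) -> Dict[str, List[str]]:
    """Pull candidate IPs, hostnames and SHA-256 hashes out of a single log line."""
    return {
        "ip": IPV4_RE.findall(line),
        "domain": [h for h in HOST_RE.findall(line) if not IPV4_RE.fullmatch(h)],
        "sha256": SHA256_RE.findall(line.lower()),
    }


def match_iocs(lines: List[str], feed: Dict[str, Dict[str, dict]] = IOC_FEED) -> List[Alert]:
    """Compare every observable in every line against the feed; enrich each hit."""
    alerts: List[Alert] = []
    for line in lines:
        for ioc_type, values in extract_observables(line).items():
            for value in values:
                context = feed.get(ioc_type, {}).get(value)
                if context:
                    alerts.append(Alert(line, ioc_type, value, context["label"], context["severity"]))
    return alerts


def prioritise(alerts: List[Alert]) -> List[Alert]:
    """Order hits so the most severe are triaged first; a stable sort keeps log order within a tier."""
    return sorted(alerts, key=lambda a: a.severity, reverse=True)


if __name__ == "__main__":
    for alert in prioritise(match_iocs(SAMPLE_LOGS)):
        print(f"[sev {alert.severity}] {alert.ioc_type}={alert.indicator} :: {alert.label}")
        print(f"    {alert.line}")
```

Run stand-alone, the script reports three hits (the proxy line matches both an IP and a domain indicator, one endpoint line matches a hash) and prints them highest severity first; the benign proxy and endpoint lines produce nothing. In practice the feed would be refreshed from the sources described in this article and the severity field replaced by whatever confidence and impact scoring your triage process uses.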
This will help inform and prioritise improvement actions to:
Collaboratively sharing threat intelligence with peers is strongly recommended to help improve community awareness and improvement.
Maintaining awareness of your operating environment is an important part of managing risks to your organisation.
Information about existing or emerging threats should be collected and analysed from a range of sources. Examples include: