The evolution of cybercrime is shifting into hyperdrive. Malicious actors are fine-tuning their tactics, techniques, and procedures (TTPs) non-stop, leveraging AI to make attacks more sophisticated, and automation to overwhelm the target's defenses.
Traditional protections like firewalls, encryption, MFA, and IDS/IPS continue to be crucial, but these are reactive methods to an extent, and their effectiveness heavily depends on how well they are configured. If they remain static in a dynamic environment, they'll become irrelevant very quickly.
When it comes to bridging this gap, threat intelligence is often the overlooked piece. Yet, it's potent enough to give white hats the upper hand in this race. It helps prioritize risks, organize protection efforts, and allocate resources more flexibly to address the most pressing threats first.
With these insights, security personnel know which attack vectors to watch more closely, how to orchestrate the defenses, and what new phishing and social engineering trends to warn employees about. Additionally, sharing threat intelligence with law enforcement and other companies paves the way for disrupting high-profile incursions before they happen.
The calculus behind every spot-on cybersecurity decision boils down to up-to-date and verified data. But let's face it: finding this kind of data is easier said than done. To set a robust threat intelligence strategy in motion and get the most mileage out of it, security teams should harvest and combine information from several different sources, learn to correlate these findings with industry-specific vulnerabilities, and importantly, make it an ongoing process.
Internal data
The first place to look is within. Tools like IDS, EDR, and SIEM produce useful information about system events, network traffic, user activity, and other interactions around your IT environment. These can provide important signs of attempted attacks, unusual behavior, and security incidents that point to emerging threats.
Cybersecurity scans are a godsend here because they reveal software gaps waiting to be patched, including zero-day vulnerabilities. You should also draw on network logs, runtime data, and historical security incidents for more insights about potentially suspicious interactions. Cross-correlating your internal data with external threat data helps paint a richer picture of the threat landscape.
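The cross-correlation described above is mechanical once the data is in a consistent shape. The following added example (not code from the original article or from any vendor it mentions) scans a constructed JSON-lines SIEM export against a constructed external indicator feed. The field names (`src_ip`, `dest_ip`, `dest_domain`, `file_sha256`), the feed layout and the sample values are all assumptions; it also shows the normalization a practitioner needs so that spelling differences (domain case, trailing dots, hash case, subdomains of a listed domain) do not hide a match, and it skips malformed log lines instead of aborting the run.

```python
"""Correlate internal event logs with an external indicator feed.

Added example, not part of the original article. The log lines, the feed
and the field names below are constructed assumptions about a SIEM export.
"""
import ipaddress
import json
from collections import defaultdict

MAL_HASH = "a" * 64  # constructed placeholder, not a real sample hash

# Constructed external feed (assumed shape): indicator type, value, reporting source.
THREAT_FEED = [
    {"type": "ip", "value": "198.51.100.23", "source": "example-feed-a"},
    {"type": "domain", "value": "Bad-Update.example.", "source": "example-feed-b"},
    {"type": "sha256", "value": MAL_HASH, "source": "example-feed-a"},
    {"type": "sha256", "value": MAL_HASH, "source": "example-feed-b"},
]

# Constructed SIEM export, one JSON object per line; field names are assumptions.
SAMPLE_LOGS = "\n".join([
    json.dumps({"ts": "2024-05-01T10:00:01Z", "host": "ws-101", "src_ip": "10.0.0.5",
                "dest_ip": "198.51.100.23", "dest_domain": "cdn.bad-update.example"}),
    json.dumps({"ts": "2024-05-01T10:00:07Z", "host": "ws-102", "src_ip": "10.0.0.6",
                "dest_ip": "203.0.113.9", "dest_domain": "updates.vendor.example"}),
    json.dumps({"ts": "2024-05-01T10:01:15Z", "host": "ws-101",
                "file_sha256": MAL_HASH.upper()}),
    "not json at all",  # malformed line: must be skipped, not abort the run
])

# Which log fields are compared against which indicator type.
FIELD_TYPES = {"src_ip": "ip", "dest_ip": "ip", "dest_domain": "domain", "file_sha256": "sha256"}


def normalize(kind, value):
    """Canonicalize a value so feed and log spellings compare equal."""
    value = str(value).strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "sha256":
        return value.lower()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None  # not an address; nothing to compare
    return value


def index_feed(feed):
    """Build {type: {normalized value: set(sources)}} from the feed."""
    idx = defaultdict(lambda: defaultdict(set))
    for ioc in feed:
        value = normalize(ioc["type"], ioc["value"])
        if value is not None:
            idx[ioc["type"]][value].add(ioc["source"])
    return idx


def lookup(idx, kind, value):
    """Return the sources that reported a value; a domain also matches its subdomains."""
    table = idx.get(kind) or {}
    if value in table:
        return table[value]
    if kind == "domain":
        for ioc, sources in table.items():
            if value.endswith("." + ioc):
                return sources
    return set()


def correlate(log_text, feed):
    """Scan JSON-lines logs and return one hit per (event, field) that matches the feed."""
    idx = index_feed(feed)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # keep scanning; count or log these lines in real use
        for field, kind in FIELD_TYPES.items():
            if field not in event:
                continue
            observed = normalize(kind, event[field])
            if observed is None:
                continue
            sources = lookup(idx, kind, observed)
            if sources:
                hits.append({"line": lineno, "ts": event.get("ts"), "host": event.get("host"),
                             "field": field, "type": kind, "observed": observed,
                             "sources": sorted(sources)})
    return hits


def hosts_by_hit_count(hits):
    """Hosts with the most feed matches are the ones to triage first."""
    counts = defaultdict(int)
    for hit in hits:
        counts[hit["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS, THREAT_FEED):
        print(hit)
```

On the constructed input this yields three hits, all on `ws-101`: the destination IP, the subdomain of the listed domain, and the hash that was logged in upper case. In a real deployment the feed would be refreshed on a schedule and the hits fed back into the SIEM as alerts rather than printed.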
Open-source intelligence
Open-source intelligence, or OSINT, mostly stems from publicly available ethical hacker communities that freely share information about evolving threats. They amass data from websites, social media networks, news sources, public databases, and domain registries.
For example, the non-profit project URLhaus uses a sophisticated system of rotating residential IP addresses to deploy automated website checkers, looking for malware and sharing the results with its community of security researchers. Bright Data's infrastructure allows the URLhaus team to collect and share the data it needs without being blocked by black hats, and to date, the initiative has succeeded in taking down over one million malware sites.
OSINT can be an excellent source of early warning signs about potential cyberattacks, insights into specific threat actors, campaigns, or TTPs, and for understanding the broader threat spectrum facing the organization. You can align OSINT with your specific use case, like monitoring brand mentions, industry-specific keywords, or indicators of compromise (IOCs) that are linked to known threats.
Monitoring the dark web and social media
Alongside OSINT, and sometimes overlapping with it, you'll find data that's collected through monitoring and tracking conversations on various social media channels—some of them questionably legitimate.
Human intelligence (HUMINT) is usually carried out by ethical hackers who use stealth tactics to penetrate criminal forums and carry out phishing attacks on malicious actors. They amass information shared in dark web forums, chatrooms, markets, and other hacker platforms to get a comprehensive understanding of adversarial activity. There are automated tools that can do the heavy lifting for certain aspects of this work, especially social media monitoring.
External collaboration
It's important to share and draw on threat data from external entities, including government agencies, law enforcement, and national security bodies. Agencies like the FBI, CISA, and NSA in the U.S., ENISA and Europol in the EU, and INTERPOL regularly compile reports or run threat data feeds like CISA's Automated Indicator Sharing (AIS). These generally shed light on nation-state actors, APTs, and attempts at cyber espionage or cyber warfare.
Industry-specific organizations also exist for key economic sectors like financial services, healthcare, energy, and transportation to serve as hubs for exchanging threat intelligence data, incident reports, and best practices.
You should also coordinate with other companies in your vertical and region to share threat data and help prevent cyberattacks. Sector-specific threat data tends to be particularly valuable these days.
Commercial feeds
Finally, there are private companies that compile threat intelligence feeds. You'll usually have to register and pay a fee to access those databases. These feeds aggregate data from a range of sources, including OSINT, proprietary research, malware analysis, dark web monitoring, and global threat intelligence networks.
Commercial feeds might save you the time and hassle of gathering all the threat data on your own, and they can share useful information about IOCs, malware signatures, threat actor profiles, and other actionable intelligence. However, the data is sometimes of poor quality and unreliable, so you should always verify the source and avoid making security decisions based on this channel alone.
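"Verify the source" and "never act on one channel alone" can be enforced in the pipeline that ingests feeds. The added example below (not code from the original article or from any feed vendor) merges constructed records from several channels, keeps every source that reported each indicator, and grades the result: an indicator is blocked automatically only when it is fresh and either corroborated by two credible sources or reported by a highly rated one; a single-source indicator only raises an alert, and an indicator nobody has seen recently is expired. The source names, reliability ratings, dates and thresholds are all assumptions.

```python
"""Merge indicators from several feeds and grade them by corroboration and age.

Added example, not from the original article. Feed records, source
reliability ratings, dates and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Assumed reliability rating per source (e.g. from your own track record with it).
SOURCE_RELIABILITY = {"vendor-feed": 0.8, "sector-isac": 0.9, "osint-list": 0.5, "unknown-paste": 0.2}
CREDIBLE = 0.5          # sources at or above this rating count toward corroboration
AUTO_BLOCK = 0.9        # a single source this reliable is enough to block on its own
MAX_AGE_DAYS = 30       # indicators not seen within this window are expired
TODAY = date(2024, 5, 2)  # fixed reference date so the example is reproducible

# Constructed records from four channels; some indicators appear in more than one.
RAW_FEEDS = [
    {"source": "vendor-feed", "type": "ip", "value": "198.51.100.23", "last_seen": "2024-05-01"},
    {"source": "sector-isac", "type": "ip", "value": "198.51.100.23", "last_seen": "2024-04-29"},
    {"source": "osint-list", "type": "domain", "value": "Bad-Update.example", "last_seen": "2024-04-30"},
    {"source": "unknown-paste", "type": "ip", "value": "203.0.113.77", "last_seen": "2024-01-03"},
    {"source": "vendor-feed", "type": "ip", "value": "203.0.113.77", "last_seen": "2024-04-15"},
    {"source": "sector-isac", "type": "sha256", "value": "c" * 64, "last_seen": "2024-02-01"},
]


def merge_feeds(records, today, max_age_days=MAX_AGE_DAYS):
    """Deduplicate indicators across feeds and decide how each should be handled."""
    merged = defaultdict(lambda: {"sources": set(), "last_seen": None})
    for rec in records:
        key = (rec["type"], rec["value"].strip().lower())  # same indicator, any spelling
        entry = merged[key]
        entry["sources"].add(rec["source"])
        seen = date.fromisoformat(rec["last_seen"])
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen  # keep the most recent sighting

    graded = {}
    for key, entry in merged.items():
        sources = entry["sources"]
        ratings = [SOURCE_RELIABILITY.get(s, 0.0) for s in sources]  # unknown source rates 0
        credible = sum(1 for r in ratings if r >= CREDIBLE)
        corroborated = credible >= 2
        stale = (today - entry["last_seen"]).days > max_age_days
        if stale:
            action = "expire"
        elif corroborated or max(ratings) >= AUTO_BLOCK:
            action = "block"
        elif max(ratings) >= CREDIBLE:
            action = "alert"   # one credible source: detect and review, do not block
        else:
            action = "review"  # only low-trust sources: analyst decision required
        graded[key] = {
            "sources": sorted(sources),
            "last_seen": entry["last_seen"].isoformat(),
            "corroborated": corroborated,
            "stale": stale,
            "action": action,
        }
    return graded


def blocklist(graded):
    """Indicator values that qualified for automatic blocking."""
    return sorted(value for (_, value), g in graded.items() if g["action"] == "block")


if __name__ == "__main__":
    for key, grade in merge_feeds(RAW_FEEDS, TODAY).items():
        print(key, grade)
    print("block:", blocklist(merge_feeds(RAW_FEEDS, TODAY)))
```

On the constructed input only the address reported by both the vendor feed and the sector ISAC reaches the blocklist; the address shared by the vendor feed and an unrated paste is alert-only because the paste does not count as corroboration, the single OSINT domain is alert-only, and the three-month-old hash is expired. Tuning the ratings and thresholds to your own experience with each source is the "verify the source" step made explicit.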
There's plenty of data lurking across the internet for security teams to examine, analyze, and leverage for threat intelligence. By drawing on a combination of internal, external, OSINT, dark web, and sometimes commercial sources, you can curate a valuable threat data feed that helps refine your security measures and proactively harden your organization's security posture. Last but not least, be open to sharing your findings with the community, because security is a collaborative effort where everyone's input is important.