What is threat intelligence?

Threat intelligence definition

Threat intelligence (also known as TI, or cyber threat intelligence) is contextual information obtained through research and analysis of existing and emerging cyber threats. Threat intelligence helps cybersecurity professionals understand and proactively defend against threat actors’ latest tactics — expanding organizations’ ability to detect and respond to novel threat types.

Typically, security teams subscribe to several threat intelligence sources, which either provide security analysts with raw threat feeds or can even integrate directly within the team’s security tools for automated detection of new threat types. When this raw data is processed, parsed, and interpreted, it becomes actionable threat intelligence.

Why is threat intelligence important?

Threat intelligence is an essential component of a proactive cybersecurity strategy. It provides organizations with vital context for detecting and responding to cyber threats, allowing them to mitigate risk and improve defenses.

In a security operations center (SOC), threat intelligence plays a pivotal role in helping teams detect, prioritize, and respond to threats by identifying indicators of compromise (IoCs). These could include malicious domain names, IPs, URLs, or file hashes linked to cyberattacks. Additionally, threat intelligence feeds can provide insights into the tactics, techniques, and procedures (TTPs) popular among threat actors. With threat intelligence, organizations can anticipate and counter targeted attacks to reduce the likelihood and impact of security incidents, and ultimately enhance their overall security posture.

There are three key considerations to keep in mind with threat intelligence:

  1. Threat intel must be updated regularly, preferably in real time. The latest TI and attack techniques inform security teams on the best detection rules and other cybersecurity defenses.
  2. Threat intelligence can’t be siloed. TI from various sources must be integrated into security workflows to ensure visibility and implementation.
  3. Context is critical. Security teams leveraging threat intelligence rely on the information most relevant to their industry, technology stack, region, business size, etc.


How does threat intelligence work?

Threat intelligence works by collecting data from various sources, analyzing it to identify potential threats, and delivering actionable insights about those threats or about attacks already under way.

For a cybersecurity team, threat intelligence can be gathered by analysts or, more often, from a feed that security practitioners integrate into their environment. Either way, the goal is to gather, analyze, and interpret threat data to produce threat intel reports.

How is threat intelligence gathered?

Threat intel analysts gather data from various sources, such as open-source intelligence (OSINT), government and law enforcement intelligence, commercial threat feeds, internal logs and telemetry, industry-specific information sharing and analysis centers (ISACs), and others.

For example, in 2024, researchers at Elastic Security Labs analyzed 1+ billion data points from Elastic’s unique telemetry and presented the findings in the annual Elastic Global Threat Report. The insights from this report can help security teams set their priorities and adjust workflows.


Usually, organizations leverage threat feeds from private and public sources. Each threat intelligence feed is a continuous, curated data stream about current and emerging threats, enabling a proactive response.

While some organizations rely on their own security teams to collect, organize, analyze, and interpret data from threat intelligence feeds, doing so can be a challenge for smaller teams. Instead of manually aggregating and managing large amounts of threat intelligence data, they can leverage a threat intelligence platform (TIP). A TIP is a cybersecurity tool that eases the ingestion and preparation of data from multiple sources in different formats. With a unified view of all IoCs and the ability to search, sort, filter, enrich, and take action, a TIP helps intelligence analysts quickly discover and act on reported threats.

When choosing a TIP, security leaders look for these key capabilities:

  • The ease of data ingestion and breadth of threat intelligence integration with leading threat intel providers
  • Automatic visibility into critical and widely used vulnerabilities, such as Log4j, BLISTER, or CUBA
  • Access to all active IoCs in one centralized view
  • The ability to search, sort, and filter IoCs in real time

How is threat intelligence used?

Threat intelligence empowers organizations with data on existing and emerging threats, facilitating more proactive defense systems. The most common ways threat intelligence can be used include:

  • Identifying potential threats: By monitoring threat feeds and analyzing data, threat intelligence analysts can proactively detect emerging threats, attack vectors, or malicious actors.
  • Investigating IoCs: Threat intelligence analysts can investigate IoCs in real time. With the addition of contextual insights, they can detect and contain active attacks faster.
  • Prioritizing vulnerabilities: Using in-depth contextual insights and ranking vulnerabilities based on their risk and potential impact, TI can prioritize and help zero in on vulnerabilities requiring immediate attention.
  • Detecting and responding to incidents: Threat intelligence can help identify threats currently active in an organization's environment, empowering security teams to take informed and immediate action.
  • Developing security strategies: With an overview of potential and existing threats, organizations can establish a more robust cybersecurity strategy.

Using TI, security teams evaluate their organization’s visibility, capabilities, and expertise in identifying and preventing cybersecurity threats. Security leaders use TI to answer questions like: How is the organization’s environment impacted by the current and emerging threats identified? Does this information change the organization’s risk profile or impact the risk analysis? And what adjustments do the organization’s security teams need to make to controls, detections, or workflows?

Types of threat intelligence

Depending on the stakeholders, context, and complexity of threat analysis, TI falls into four categories: strategic, tactical, operational, and technical threat intelligence.

Strategic threat intelligence

Strategic threat intelligence provides an overview of the threat landscape and its potential long-term impact on the organization. It can include information about geopolitical events, wider industry trends, and targeted cybersecurity threats.

Goal: Risk management, long-term planning, strategic security, and business decision-making

Stakeholders: C-suite

Tactical threat intelligence

Tactical threat intelligence provides details about the TTPs used by threat actors. It describes the attacks that might target an organization and how best to defend against them.

Goal: Managing defenses/endpoints, security controls decision-making

Stakeholders: SOC and IT leaders

Operational threat intelligence

Operational threat intelligence builds a more proactive defense for an organization. It provides insights into specific threat actors that are most likely to target a business, the vulnerabilities they are likely to exploit, or assets they might target.

Goal: Vulnerability management, incident detection, threat monitoring

Stakeholders: SOC analysts, threat hunters

Technical threat intelligence

Technical threat intelligence usually focuses on IoCs and helps detect and respond to attacks in progress. This type of intelligence continuously adapts to the changing security environment and is easiest to automate.

Goal: Incident response

Stakeholders: SOC analysts, incident responders

Exploring the threat intelligence lifecycle

The threat intelligence lifecycle is a framework for turning raw threat data into actionable insights. With such a framework, an organization can optimize its resources, while remaining vigilant against a continuously evolving threat landscape.

The threat intelligence lifecycle usually consists of six stages that loop for continuous process improvement:

  1. Planning. Setting clear objectives for the whole threat intelligence program is crucial for its success. During this stage, the team should decide on the goals, processes, and tools needed and whether those goals address the needs (as well as risks and vulnerabilities) of the business and various stakeholders.
  2. Data collection. Once the objectives are established, it's time to gather data from various sources.
  3. Processing. Data from disparate sources is likely to be differently formatted. At this stage, security teams normalize raw threat data into a usable format.
  4. Analysis. The processed data is ready for analysis. Teams look for answers to the questions they asked during the planning stage, identify patterns, assess potential impacts, and transform data into actionable insights for decision-makers and stakeholders.
  5. Reporting. At this stage, security teams share the results of their analysis within a SOC or with the executive team.
  6. Feedback. The threat intelligence lifecycle is refined during this stage, as feedback is collected. Priorities might change, threats might evolve, and this stage is when adjustments and changes have to be made to ensure the efficiency of the TI program.

While the TI lifecycle relies on human threat intel analysts and their knowledge, some of the more time-consuming steps can be automated — such as threat intel reporting. Elastic offers a streamlined approach using Elastic AI Assistant for Security to help with the process of writing threat intelligence reports. It uses markdown templates and the Elastic AI Assistant's knowledge base.


How to implement threat intelligence into security workflows

Threat intelligence should enhance an organization's SecOps workflows. TI is most effective when integrated with the tools within a team's security stack. It works best as part of an automated system, bringing in threat data from diverse sources directly into a security platform for unified analysis and detection workflows.

Beyond tools, an effective security program includes workflows for responding to and managing threats. These workflows are essential for identifying and responding to security incidents. Elastic's detection engineering behavior maturity model (DEBMM) provides a structured approach for security teams to consistently mature their processes and behaviors — and threat intelligence is one of its focal points. Having good data sources is crucial for security teams to ensure the effectiveness and accuracy of their detection rules. This includes incorporating TI workflows to enrich telemetry data with relevant threat context, improving detection capabilities overall.
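As an added illustration (not code from this page or from Elastic), here is a small Python sketch of what the TIP description above and the telemetry-enrichment point in this section amount to in practice: two constructed feeds in different formats are normalized into one IoC view keyed by indicator type and value, duplicates across feeds are merged, and sample events are enriched with threat context when they match an indicator of sufficient confidence. The feed layouts, the ECS-style event field names, the confidence threshold and all indicator values are assumptions made for the example.

```python
import csv
import io
import json

# Constructed sample feeds in two formats (made-up indicators, not real IoCs).
FEED_CSV = """type,value,confidence
domain,bad-updates.example,90
ipv4,203.0.113.7,60
"""
FEED_JSON = json.dumps([{"indicator": "Bad-Updates.example", "kind": "domain", "score": 0.7},
                        {"indicator": "198.51.100.23", "kind": "ip", "score": 0.4}])
# Feeds label indicator types differently; map both onto one shared vocabulary.
TYPE_ALIASES = {"domain": "domain", "ipv4": "ip", "ip": "ip"}
# Which telemetry fields carry which indicator type (ECS-style field names assumed).
EVENT_FIELDS = {"dns.question.name": "domain", "destination.ip": "ip"}

def normalize_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield {"type": TYPE_ALIASES[row["type"]], "value": row["value"].strip().lower(),
               "confidence": int(row["confidence"]), "source": source}

def normalize_json(text, source):
    for rec in json.loads(text):
        yield {"type": TYPE_ALIASES[rec["kind"]], "value": rec["indicator"].strip().lower(),
               "confidence": round(rec["score"] * 100), "source": source}

def build_ioc_index(records):
    # One view keyed by (type, value); duplicates keep the highest confidence and every source.
    index = {}
    for rec in records:
        entry = index.setdefault((rec["type"], rec["value"]), {"confidence": 0, "sources": []})
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
        entry["sources"].append(rec["source"])
    return index

def enrich(events, index, min_confidence=50):
    # Tag events that match an indicator; skip weak (low-confidence) feed data to limit noise.
    hits = []
    for ev in events:
        for field, ioc_type in EVENT_FIELDS.items():
            val = str(ev.get(field, "")).lower()
            ctx = index.get((ioc_type, val))
            if ctx and ctx["confidence"] >= min_confidence:
                hits.append({**ev, "threat": {"type": ioc_type, "indicator": val, **ctx}})
    return hits

if __name__ == "__main__":  # constructed telemetry events, not real logs
    iocs = build_ioc_index([*normalize_csv(FEED_CSV, "feed-a"), *normalize_json(FEED_JSON, "feed-b")])
    events = [{"dns.question.name": "BAD-UPDATES.example"}, {"destination.ip": "198.51.100.23"},
              {"destination.ip": "192.0.2.10"}]
    print(json.dumps(enrich(events, iocs), indent=1))
```

Only the DNS event is flagged: the 198.51.100.23 indicator is present in the index but sits below the confidence threshold, which is the kind of filtering a TIP applies before an IoC reaches a detection rule.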

A well-integrated threat intelligence program makes it easier to bring threat data into an organization's security infrastructure — providing more insights that help teams detect and respond to threats faster.
