From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Threat intelligence

- [Instructor] Threat intelligence is a critical component of any organization's cybersecurity program, allowing the organization to stay current on emerging cybersecurity threats. Broadly defined, threat intelligence consists of the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape, and integrate information about changing threats into its cybersecurity operations. There is a ton of information available online about cybersecurity threats. In fact, you could probably make a full-time job out of reading about cybersecurity. Most of us don't have time to read all day, but every security professional should take the time to remain current on our field. Gathering information from freely available public sources is known as open-source intelligence. Some of the more common sources of open-source intelligence include security websites, vulnerability databases, the general news media, social media, information published on the dark web, public and private information sharing centers, file and code repositories, and security research organizations. Some techniques are fairly straightforward and can be used by adversaries, as well as corporate security teams. For example, an adversary can develop a list of targets for social engineering attacks by conducting email harvesting, where they search the web for valid email addresses from the target's domain, and then use those addresses to send out phishing attacks. Combing through all of this open-source intelligence can be very time consuming, and many organizations simply don't have the time to invest in reading through this data and mining it for critical intelligence nuggets. An entire threat intelligence industry has sprung up to support these companies with closed-source and proprietary threat intelligence products that use predictive analytics. These products range from information briefs that summarize critical security issues to IP reputation services that provide real-time information about IP addresses engaged in cybersecurity threat activities. Organizations may send these feeds directly to firewalls, intrusion prevention systems, and other security tools, and use them to block access from suspect IP addresses in real time. Some security organizations even publish real time threat maps on their websites that allow you to visualize the attacks that they're detecting. Now, these are more marketing gimmick than a useful security tool, but they sure are fun to watch. With all of these differing information sources available to you, you should take the time to evaluate how well each one fits into your security program. You can use three important criteria to evaluate a threat intelligence source. The first is timeliness. How soon after a new threat arises or evolves will the threat intelligence source reflect this new information? The second is accuracy. Is the information reported by the threat intelligence source correct? And finally, threat intelligence sources should be reliable. This means that they should consistently deliver timely and accurate intelligence in a way that meets your business needs.

Contents