Spy Game: The Emerging Cybersecurity Realm of Threat Intelligence

Artificial intelligence is watching. Data gathered and analyzed by machines is becoming an invaluable asset in the ongoing fight against cybercrime and cybercriminals.

Five years ago, IBM stunned the world when its Watson machine learning system defeated two former Jeopardy! champions to capture a $1 million prize. This amazing feat moved far beyond the game-playing capabilities that computers had previously achieved in much more structured games, such as chess.


Competing effectively on Jeopardy! required not only access to massive amounts of information but also the ability to understand and answer complex natural language questions. This summer, IBM announced that they were turning the cognitive power of Watson loose on a new problem – cybersecurity.


While Watson might be the most famous cyberpersonality to take on the challenge of defending networks against attacks, it isn’t the first. This is the latest development in the emerging field of cyberthreat intelligence (CTI), a discipline dedicated to applying military-style intelligence techniques to the collection, analysis and use of information about cybersecurity threats.


When CTI solutions first appeared on the market a few years ago, they were met with a healthy dose of skepticism. After maturing significantly, CTI implementations now play an important role in many enterprise cybersecurity programs.


What is Threat Intelligence?


Threat intelligence takes the collection, analysis and dissemination techniques perfected by the military and applies them to a new domain of warfare: the information landscape. Like traditional intelligence agencies, CTI providers collect information from a wide variety of cybersecurity sources, analyze it and then use that information to produce intelligence products that provide value to their customers.


CTI providers do the heavy lifting of cybersecurity analysis that most enterprises simply don’t have the resources to undertake. They typically combine information from many different categories of sources to generate products that help their clients better understand and react to the evolving cybersecurity threat landscape. Some of these sources include:


Gathering threat information from deployed security tools. One of the greatest sources of threat information is the current inventory of security devices deployed in enterprises around the globe. CTI vendors gather information from the security products installed on the sites of their customers, anonymize the data and then aggregate it to facilitate the early identification of new threats.


Deploying their own sensors. CTI providers use darknets, honeypots, DNS sinkholes and other techniques to gather their own information about the sources of malicious traffic.


Gathering intelligence from public sources. The Internet and dark web already contain tons of cybersecurity information ready for the taking, including password dumps, BitTorrent sites, hacker forums and more. CTI providers comb through these sources, seeking nuggets of information that may be useful and relevant to their clients.


Recruiting spies. Sometimes the best source of information is good old-fashioned spying. Rumors persist that some CTI providers seek moles inside of cybercriminal organizations to feed them information.


After CTI providers gather information from all of these sources, they feed it to a team of analysts who have the job of transforming it into actionable intelligence. One of the most common products offered by CTI vendors is a real-time feed of known malicious hosts on the Internet.


Many firewalls, intrusion prevention systems and other security devices are capable of receiving these live feeds and proactively blocking malicious hosts before they attempt to penetrate protected networks. CTI providers may also produce detailed reports analyzing cybersecurity threats either in general or customized for a specific client.
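As an added illustration (not code from the article or from any CTI vendor), the following Python sketches the two steps described above: aggregating anonymised sightings from several customer sensors into a corroborated, time-bounded blocklist, then checking that list against connection logs the way a feed-aware firewall or IPS would. The salt, customer names, addresses and log lines are all constructed for the example.

```python
"""Toy CTI pipeline: anonymise and aggregate sensor sightings into a
blocklist, then match connection logs against it (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import hashlib

# Assumption: a provider-side secret so customers can be counted as
# distinct reporters without their identity leaving the aggregation step.
SALT = b"example-salt"
NOW = datetime(2016, 9, 1, tzinfo=timezone.utc)


def anonymise(customer_id: str) -> str:
    """Replace a customer name with a short salted hash before aggregation."""
    return hashlib.sha256(SALT + customer_id.encode()).hexdigest()[:12]


# Constructed sightings: (customer, malicious host seen, last seen).
RAW_SIGHTINGS = [
    ("acme", "198.51.100.7", NOW - timedelta(hours=2)),
    ("globex", "198.51.100.7", NOW - timedelta(hours=5)),
    ("initech", "198.51.100.7", NOW - timedelta(days=1)),
    ("acme", "203.0.113.9", NOW - timedelta(hours=1)),    # only one reporter
    ("globex", "192.0.2.44", NOW - timedelta(days=40)),   # stale sightings
    ("initech", "192.0.2.44", NOW - timedelta(days=41)),
]


def build_blocklist(sightings, min_reporters=2, max_age=timedelta(days=30)):
    """Keep hosts reported by >= min_reporters distinct sources within max_age.
    Corroboration damps one noisy sensor; the age window expires hosts
    that may long since have been cleaned up, so they are not auto-blocked."""
    reporters = defaultdict(set)
    for customer, host, last_seen in sightings:
        if NOW - last_seen <= max_age:
            reporters[host].add(anonymise(customer))
    return {h for h, r in reporters.items() if len(r) >= min_reporters}


# Constructed firewall-style connection log lines.
LOG_LINES = [
    "2016-09-01T10:00:01Z ALLOW src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2016-09-01T10:00:02Z ALLOW src=10.0.0.8 dst=192.0.2.10 dport=80",
    "2016-09-01T10:00:03Z ALLOW src=10.0.0.9 dst=192.0.2.44 dport=22",
]


def match_log(lines, blocklist):
    """Return (log line, host) pairs for connections to blocklisted hosts."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields.get("dst") in blocklist:
            hits.append((line, fields["dst"]))
    return hits
```

Running `match_log(LOG_LINES, build_blocklist(RAW_SIGHTINGS))` flags only the connection to 198.51.100.7: the single-reporter host and the month-old sightings never make it onto the blocklist.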