The threat intelligence landscape has changed vastly over the years. The term originally referred to malware Indicators of Compromise (IOCs): lists of known malware signatures and of the servers that malware communicates with, used to identify infected devices within corporate networks. Over time, vendors have broadly expanded that concept to offer new types of intelligence. The term “Threat Intelligence” now encompasses an ever-growing set of offerings that, from an operational standpoint, serve different use cases.
For example, intelligence on external threats such as leaked documents or leaked source code has nothing to do with malware. Other examples may not even involve a malicious actor, as when sensitive data leaks through an employee’s mistake. Intelligence can take the form of feeds that map known “bad things” on the internet, or it can be specific to an organization. Yet all of these intelligence deliverables are grouped together with malware IOCs under the label “threat intelligence”.
Adding to the complexity, some “threat intelligence” offerings focus on detecting threats, while others focus on enriching indicators that have already been found. Several popular threat intelligence solutions are designed to help SOCs investigate potential incidents. In these use cases, the user already has an indicator (an IP address, a domain name, etc.) and wants to understand whether it is legitimate or malicious. Intelligence offerings focused on detection aim instead to alert users to the threats in the first place. Larger intelligence operations implement a combination of both types of offerings.