What is Threat Intelligence?


One of the main insights I have gained over the years working in cybersecurity is that — despite how much we talk about it and how important we all agree it to be — threat intelligence is often underused in the “identify and protect” stage of a cybersecurity stack, to the point where it’s only readily used in the “detect and respond” stage. 

Many of ThreatBlockr customers come to us in the first place seeking information on threat intelligence and wanting to know how well their next-generation firewall’s threat intelligence capabilities are protecting them. Usually, the answer is “not very well.”

When we look at a potential customer’s stack, we often find that they are not leveraging enough threat intelligence sources to effectively identify and protect against potential threats, leaving them vulnerable to attacks and breaches. Much of this underutilization comes from a misunderstanding of threat intelligence sources, what they are, how they’re used, and the best ways to utilize them throughout a cybersecurity stack. 

What is Threat Intelligence?

According to the Center for Internet Security, “cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information.”

This definition is the crux of what threat intelligence is. Simply put, it is information that has been collected, evaluated and analyzed so that we can then identify who and where the threat actors are. 

Threat intelligence comes from a variety of sources, including:

  • Information collected in the post-mortem period after an attack or breach
  • Government intelligence agencies
  • Open-source threat intelligence organizations
  • Proactive threat hunters or threat intelligence companies that hire cyber analysts to seek out and identify threats. Often, these organizations or individuals sell access to their feed as a revenue-generating project for their business.
  • Threat intelligence platform (TIP) providers

This information is then compiled into threat intelligence feeds for utilization by various cybersecurity technologies and solutions. Currently, most threat intelligence is leveraged once a threat actor has successfully entered a network and perpetrated an attack (this is known in the cybersecurity industry as “right of boom”). This is also one of the most glaring holes in the modern cybersecurity stack. 

Who Benefits from Threat Intelligence?

Every organization that wants to protect its data and information benefits from threat intelligence. Unfortunately, many small and medium businesses (SMBs) are operating with essentially zero threat intelligence, and it’s putting them at risk.

The threat of ransomware is an excellent example of why threat intelligence is so critical.

After an attacker penetrates your system, the time between the initial access and the activation of the malware is called ‘dwell time’. Most modern technologies assume a dwell time of six months, but many hackers now claim they operate with dwell times as short as five hours. That means that technologies often assume they have a much larger lead time to find the threat actor than what is actually available to them.

Without threat intelligence, companies would be stuck dealing with these issues on their own, with no information to guide them toward effective remediation of ransomware or other threats. 

Types of Threat Intelligence Sources

A threat intel source is either an internal or external place where data on cybersecurity threats is collected and analyzed. All good firewalls pull from vetted threat intelligence sources to tell their firewall what to block and what to allow. 

Necessary elements of a threat intelligence source include the source and the destination IP, so that analysts can know where bad actors are hiding as well as which aliases they may be using. Common threat intelligence sources include: 

  • Threat Intelligence Platforms (TIPs): This is any type of technology that organizes and aggregates threat intelligence data.
  • Government (FBI, CIA, etc.): These government organizations are tasked with protecting American citizens and businesses from cybercrime and cyberterrorism. They leverage their resources to scan for signs of bad actors in hopes of preventing incidents and mitigating those already in progress.
  • Corporations (Webroot, Proofpoint, etc.): Corporations that generate revenue by selling access to their threat intelligence data are excellent sources of information. Since they’re actively seeking out information, they provide data that may not be accessible elsewhere, all for a small licensing or use fee.
  • Information Sharing and Analysis Centers: These information-sharing centers were designed to provide industry-specific knowledge to help organizations develop their cybersecurity and protect their critical infrastructure. Known as ISACs or ISAOs (Information Sharing and Analysis Organizations), these bodies were established starting in 2015 to promote information-sharing within certain vital industries. 

These threat intelligence feeds can be leveraged in different ways for improved cybersecurity. For example, MDRs (and XDRs, EDRs, etc.) can use this threat intelligence for their disaster recovery functions, while TIPs are threat intelligence platforms that can feed into other tools as well. 

Common Challenges Your Next-Generation Firewall May Have with Threat Intelligence Sources

Confusion about threat intelligence sources comes when businesses start narrowing down which sources they’re pulling from, how many they can pull at a time and how they’re being integrated into the firewall. This creates a host of issues, but they can be summarized into two key points: 

  1. Traditional firewalls rely too heavily on proprietary cyber threat intelligence sources, and
  2. Traditional firewalls struggle to integrate other threat intel sources, leading to a limited number of eyes protecting their network. 

Proprietary Cyber Threat Intelligence Sources

NGFWs continue to provide a solid foundation for network security. I mean, this is why pretty much everyone has one, right?

However, a key challenge with firewalls is that they depend on a proprietary threat intel source to detect and block threats. This is often a selling point. This intelligence is derived from activity they see in the firewalls within their customers’ networks. While this data is useful, it is only one vendor’s view of the threat landscape and, as a result, is inherently limited. 

So, your next-generation firewall does use threat intelligence, but the limitation is that the sources they use are proprietary. This means that they’re pulling threat intelligence from their own sources, and only their own sources. 

To be clear, the proprietary threat intelligence sources that NGFWs use do have value. However, it alone is insufficient because it’s just one vendor’s view of the threat landscape.

To be fair, this isn’t news. Vendors have touted their threat intelligence as an advantage over their competition for years. However, that’s a very regressive way of looking at cybersecurity, but unfortunately, it’s quite common.  

Times have changed. As the threats and the threat actors have evolved, so have the methods of identifying them. For some time now, sophisticated and security-savvy organizations have been incorporating a broad-based view of threat intelligence from multiple cyber threat intelligence sources into their security operations. 

This includes threat intel from commercial providers, open-source, government and industry sources. These organizations have found that by leveraging threat intelligence sources from varied perspectives, they are able to have true visibility into the types of malicious traffic that may affect their networks, improving their ability to protect their networks and organization. 

Integrating Other Threat Intelligence Sources

That takes us to our second issue with most NGFW—their (in)ability to let your company integrate other threat intel sources now that you know you need additional eyes on your technology landscape. 

Every name-brand NGFW on the market has external IP and domain blocklist capabilities. However, these same firewalls have significant limitations concerning:

  1. The volume of threat indicators in their external blocklists;
  2. The size of blocklists; and
  3. The ways in which you can integrate third-party threat intel data into that firewall.

Right now, the best firewall on the market can only block 150,000 IP addresses, but most sit around a limit of 5,000 IP addresses. These are simple physical limitations. If one were to throw a few open-source threat intel sources into that firewall, they would quickly hit these limits. 

This means that even if you recognize (as you now do) that integrating other threat intelligence sources is vital to the health and success of your cybersecurity measures, your NGFW won’t really let you. 

Firewalls are now tasked with deep packet inspections, which ThreatBlockr doesn’t do (these are both critical functions, but they are very distinct and do not mix well with each other). However, ThreatBlockr does have the capacity to block an astonishing 50 million IP addresses and is actually able to scale to block 150 million. There simply aren’t that many known indicators yet.

Since ThreatBlockr isn’t actually analyzing the traffic, and because it aggregates all the intelligence feeds into one usable stream, it can update its threat intelligence automatically, allowing it to only block traffic that it knows is malicious.

This frees up your firewall to do the packet inspections and other traffic analysis it is meant to do without having to also analyze the traffic that ThreatBlockr identifies as needing to be blocked.  

What to Do About It

There is one thing all the tools currently leveraging threat intelligence (including next-generation firewalls) have in common: they are all reactive. That is, they are all using threat intelligence to respond to an attack or breach that is already in progress.

While mitigating ongoing issues is necessary, achieving better cybersecurity requires organizations to adopt a more active cybersecurity posture.

So, now that we know all about the limitations of our current system of next-generation firewalls, where do we go from here?

First, let’s summarize what we just learned.

  • The threat intelligence that NGFWs use to detect and block threats is proprietary and based on a single vendor’s view of the threat landscape. While this has value, it does not provide the broad-based view of threat intelligence required to protect your network.
  • Next-generation firewalls have significant limitations concerning the volume of third-party threat indicators that can be integrated, as well as how easy it is to integrate them. As a result, making threat intelligence actionable in NGFWs is challenging.

Of course, we want tools like our next-generation firewall to leverage threat intelligence to minimize damage in a breach. However, we also need it to leverage this threat intelligence before the breach occurs, so your system can stay free from threats.

What this boils down to is a need to add an extra layer of security that can integrate all the threat intel sources you need to protect your network.

ThreatBlockr is the only technology solution available today that does this.

ThreatBlockr is an inline gateway that proactively blocks malicious and unwanted network connections while simultaneously logging activity and actions, and delivering that intel back to the cloud for future reporting and protection. You can think of it as a firewall for your firewall that allows for easy, useful integration of various cyber threat intel sources. 

ThreatBlockr Covers Your Bases

ThreatBlockr is designed from the ground up to work with multiple threat intel sources and isn’t capped at a certain number of inputs.

Instead, ThreatBlockr uses these threat intelligence feeds at the edge of the network to check the traffic coming in and out to see if that traffic is already known to be malicious, and if so, blocks the IP address from hitting the security stack at all. This means you get the most coverage with the most flexibility possible.

So, where threat intelligence is typically leveraged as reactive, ThreatBlockr turns that threat intelligence into a proactive solution. No matter what new attacks are created over the coming years, ThreatBlockr will help your team learn and adapt so that you’re always prepared. 

Want to learn more? Schedule a free trial today to see how it works for yourself.