Threat intelligence basics

One step ahead of the attackers

Knowledge is an important instrument of defence against cyberattacks. If a company knows how an attack might be made and on what, it can arm itself accordingly. Here, in the prevention stage, threat intelligence comes into play to gain advance knowledge on several levels.

Text: Andreas Heer, 12 March 2018

A bad deed every day: new cyberattacks on companies and authorities make the headlines on a daily basis. The attackers’ motivations are varied. Sometimes they want to gain access to confidential data (e.g. company secrets), and sometimes they aim to cause damage. In still other cases, the attackers only wish to obtain information in preparation for a bigger target. Diverse as the reasons for cyberattacks may be, commercial interests are almost always behind them. The aim is to convert these attacks into (digital) cash as quickly and as easily as possible.

One recent trend in the cybercrime scene is illicit crypto mining, often called cryptojacking: mining scripts are injected into compromised websites so that the computing resources of unsuspecting visitors are used to mine cryptocurrency. Cybercriminals’ imagination knows no limits. New business ideas for cybercrime and new attack patterns emerge almost daily. With enough criminal energy and the corresponding expertise, attackers are often able to bypass existing security measures, using forms of attack that differ each time.

Detecting attacks before they take place

This does not mean that companies are defenceless: even targeted attacks can be averted if the threat situation and the likely attack scenarios are known. With the aid of an “early warning system”, companies can take preventive protective measures before an attack occurs. This is precisely where threat intelligence comes into play. The term refers to knowledge about current and possible threats and attack scenarios. Threat intelligence is therefore not security software; it is the collection of data that can be used for targeted defence against potential attacks, somewhat comparable to weather data used to predict the possible course of hurricanes.

Threat intelligence is a young discipline within IT security and is interpreted differently by different providers; the type and volume of the data on offer vary from one provider to the next. It also presupposes specialist cybersecurity knowledge in order to turn the information into specific defensive measures. With that proviso, the approach effectively helps to prevent attacks, and therefore damage, before they occur.

Threat intelligence: not just technical but also strategic

However, threat intelligence is not limited to technical implementation; it should be integrated into the entire life cycle of the IT security strategy, which means that the available information also feeds into strategic planning. Accordingly, the British Centre for the Protection of National Infrastructure (CPNI) identifies four levels on which threat intelligence operates:

  • Strategic: information used by risk management to assess the current cyber threat situation, for example the frequency of regional or industry-specific attacks.
  • Tactical: how do the attackers operate, and which tools, techniques and sources of information do they use? If, for example, attacks begin with targeted phishing of individual employees, appropriate preventive measures can be derived from that.
  • Operational: details of specific attacks that are known or imminent, enabling defensive measures to be taken against precisely those attacks.
  • Technical: specific indicators that allow security systems to detect attacks, such as addresses of command & control servers, malware signatures, IP addresses and domain names, or social media accounts from which attacks have been launched.
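The technical level is the one that maps directly onto detection tooling. As an added example that is not from the article, the following Python sketch loads a constructed indicator feed, discards indicators whose validity window has lapsed, and matches the rest against constructed DNS, proxy and endpoint log lines. The feed fields, the key=value log format and the indicator values are assumptions made for illustration.

```python
"""Match technical threat-intelligence indicators against log lines.

Added example, not code from the original article. The indicator feed, the
log lines and their key=value format are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date

# Constructed feed. Real feeds (STIX/TAXII, MISP, vendor CSV) carry the same
# essentials: value, type, confidence, validity window. Aged-out indicators
# must not fire: sinkholed or re-assigned infrastructure causes false positives.
INDICATORS = [
    {"type": "domain", "value": "update-check.example", "confidence": 90,
     "valid_until": "2099-01-01", "context": "C2 domain (constructed)"},
    {"type": "ipv4", "value": "203.0.113.0/24", "confidence": 60,
     "valid_until": "2099-01-01", "context": "C2 netblock (constructed)"},
    {"type": "sha256", "value": "a" * 64, "confidence": 100,
     "valid_until": "2099-01-01", "context": "dropper hash (constructed)"},
    {"type": "domain", "value": "old-campaign.example", "confidence": 80,
     "valid_until": "2016-01-01", "context": "expired indicator (constructed)"},
]
# Constructed log lines: DNS resolver, web proxy and endpoint file events.
LOG_LINES = [
    "2018-03-12T09:01:02Z dns client=10.0.0.5 query=cdn.update-check.example",
    "2018-03-12T09:01:03Z proxy client=10.0.0.5 dst=203.0.113.77 url=/gate.php",
    "2018-03-12T09:02:10Z dns client=10.0.0.9 query=old-campaign.example",
    "2018-03-12T09:03:44Z edr host=ws-17 sha256=" + "a" * 64 + " path=setup.exe",
    "2018-03-12T09:04:00Z proxy client=10.0.0.7 dst=198.51.100.1 url=/index.html",
]
KV_RE = re.compile(r"(\w+)=(\S+)")
DOMAIN_KEYS = {"query", "host", "domain"}
IP_KEYS = {"dst", "src", "ip"}

@dataclass(frozen=True)
class Match:
    line: str
    indicator_type: str
    indicator_value: str
    confidence: int
    context: str

def load_indicators(feed: list[dict], today: date) -> dict:
    """Index the feed by type, dropping indicators whose validity has lapsed."""
    active = {"domain": {}, "ipv4": [], "sha256": {}}
    for ind in feed:
        if date.fromisoformat(ind["valid_until"]) < today:
            continue  # stale indicator: keep it out of the match tables
        if ind["type"] == "domain":
            active["domain"][ind["value"].lower().rstrip(".")] = ind
        elif ind["type"] == "ipv4":
            active["ipv4"].append((ipaddress.ip_network(ind["value"], strict=False), ind))
        elif ind["type"] == "sha256":
            active["sha256"][ind["value"].lower()] = ind
    return active

def lookup_domain(name: str, table: dict):
    """Exact or parent-domain match (evil.example covers x.evil.example).
    The bare top-level label is never tried, so no entry matches a whole TLD."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def match_logs(lines: list[str], active: dict) -> list[Match]:
    """Return one Match per (line, field) that hits an active indicator."""
    matches = []
    for line in lines:
        for key, value in KV_RE.findall(line):
            ind = None
            if key in DOMAIN_KEYS:
                ind = lookup_domain(value, active["domain"])
            elif key in IP_KEYS:
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue  # field is not an address (e.g. a hostname)
                ind = next((i for net, i in active["ipv4"] if addr in net), None)
            elif key == "sha256":
                ind = active["sha256"].get(value.lower())
            if ind is not None:
                matches.append(Match(line, ind["type"], ind["value"],
                                     ind["confidence"], ind["context"]))
    return matches

def run_example(today: date = date(2018, 3, 12)) -> list[Match]:
    """Evaluate the constructed feed against the constructed logs."""
    return match_logs(LOG_LINES, load_indicators(INDICATORS, today))

if __name__ == "__main__":
    for m in run_example():
        print(f"[{m.confidence:3d}] {m.indicator_type}={m.indicator_value} "
              f"({m.context}) <- {m.line}")
```

Three of the five constructed lines match: the subdomain of the C2 domain, the address inside the C2 netblock and the known file hash. The query for the expired domain is deliberately not flagged, which is the check a practitioner wants when consuming a feed: indicators carry a validity window and a confidence value for a reason, and a matcher that ignores both turns yesterday's intelligence into today's false positives.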

Security thanks to advance knowledge

When deployed correctly, threat intelligence adds a preventive component to cybersecurity: most technical security measures only react once an attack is already under way, whereas threat intelligence lets companies prepare for likely attacks and take measures in advance. It also means that IT security is forewarned when an actual attack occurs and has a better chance of averting it. Threat intelligence does not run itself, however; it requires specialist knowledge at both the strategic and the technical level in order to interpret the data and draw the right conclusions from them. Put another way, threat intelligence is an opportunity for companies to stay a step ahead of attackers in the endless game of cat and mouse.
