Managing threat information and intelligence

Jan 17, 2018 | 4 mins
Cybercrime, Data and Information Security, Data Breach

The last thing that any organization wants is to make the headlines following a security breach. The damage to their reputation can be enormous, as can the financial costs. Unfortunately, it’s not a case of if it will happen, but when it will happen.


Do you know the difference between information and intelligence? While this may seem like nothing more than semantics in most situations, the difference is extremely significant when it comes to cyber security. Simply described, information is data or facts that have been collected, and intelligence is an actionable assessment of those facts.

The distinction can be best illustrated as follows:

An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly thereafter, malware is identified using the vulnerability. Security vendors notify clients of this threat and provide recommendations for mitigation. This is threat information and, while useful, it is not, by definition, threat intelligence.

A security vendor monitoring exploitation of the Java vulnerability notices that infection rates in Asia are much higher than in the US. New strains of malware, which install code associated with a botnet command and control system on victim devices, are being observed in the wild. At the same time, a large financial institution has announced the acquisition of several smaller, regional banks, initiating an increase in its non-sufficient funds fee from $20 to $35 and angering consumers. Many hacktivist groups begin discussing a protest against the US banking system on social media sites, promising to halt online transactions for a day at major institutions. One hacktivist Twitter account posts instructions for using botnet command and control software, which appears to be related to the botnet client code installed by the recently identified Java malware.

Piecing these data points together leads to a clearer picture: US banks are likely going to be targeted with a DDoS attack by a hacktivist group using botnets built on the Java vulnerability. Based on what is known about infection profiles, banks can expect the attacks to originate from Asian source IP addresses. This is threat intelligence: information gathered from several disparate sources, synthesized by human analysts to identify a specific threat to a specific target.
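The synthesis step described above can be made concrete. The following is an added example, not code from the article or from NTT Security: it models each piece of threat information as a record that mentions one or more entities (a vulnerability, a malware family, a C2 tool, an actor, a target), links entities that co-occur in a record, and then asks whether a chain of evidence connects the public vulnerability to a target. The record contents, source names and identifiers such as `malware:jbot` and `tool:c2-panel-x` are constructed to mirror the scenario in the text and are not real indicators. The same code also shows the negative case: with the hacktivist post that references the C2 tool left out, the remaining records stay disconnected information rather than intelligence.

```python
"""
Added example (not from the original article): correlating threat
*information* records into a threat *intelligence* assessment.
All records, source names and entity identifiers below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Record:
    source: str          # where the information came from (constructed name)
    kind: str            # advisory, telemetry, chatter, event
    entities: set        # identifiers the record mentions
    attrs: dict = field(default_factory=dict)


# Constructed sample data mirroring the scenario in the text.
RECORDS = [
    Record("sec-mailing-list", "advisory", {"vuln:java-0day"}),
    Record("vendor-av", "telemetry", {"vuln:java-0day", "malware:jbot"},
           {"infections": {"Asia": 900, "US": 120}}),
    Record("vendor-av", "telemetry", {"malware:jbot", "tool:c2-panel-x"}),
    Record("social", "chatter", {"actor:hacktivist-grp", "target:us-banks"},
           {"intent": "ddos"}),
    # This post is what ties the hacktivist activity to the malware's C2 tool.
    Record("social", "chatter", {"actor:hacktivist-grp", "tool:c2-panel-x"}),
    Record("news", "event", {"target:us-banks"}, {"trigger": "fee increase"}),
]


def build_graph(records):
    """Undirected graph: entities that co-occur in a record are linked."""
    graph = defaultdict(set)
    for rec in records:
        ents = list(rec.entities)
        for a in ents:
            graph[a]  # make sure single-entity records still create a node
            for b in ents:
                if a != b:
                    graph[a].add(b)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; None when the data points do not connect."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def likely_origins(records, malware):
    """Rank regions by observed infections of a malware family."""
    totals = defaultdict(int)
    for rec in records:
        if malware in rec.entities:
            for region, n in rec.attrs.get("infections", {}).items():
                totals[region] += n
    return sorted(totals, key=totals.get, reverse=True)


def assess(records, vuln, target):
    """Turn linked records into a specific assessment, or report no link."""
    chain = shortest_path(build_graph(records), vuln, target)
    if chain is None:
        return {"assessment": "no link found", "chain": []}
    malware = [e for e in chain if e.startswith("malware:")]
    actors = [e for e in chain if e.startswith("actor:")]
    intents = {r.attrs["intent"] for r in records
               if "intent" in r.attrs and target in r.entities}
    return {
        "assessment": f"{target} likely targeted via "
                      f"{malware[0] if malware else 'unknown malware'} by "
                      f"{actors[0] if actors else 'unknown actor'}",
        "chain": chain,
        "intent": sorted(intents),
        "likely_source_regions": likely_origins(records, malware[0]) if malware else [],
    }


if __name__ == "__main__":
    print(assess(RECORDS, "vuln:java-0day", "target:us-banks"))
    print(assess(RECORDS[:4], "vuln:java-0day", "target:us-banks"))
```

Run as is, the first call reports the chain vulnerability, malware, C2 tool, actor, target with intent `ddos` and Asia ranked first as likely origin; the second call, missing the one post that links the actor to the tool, returns "no link found". That missing link is the analyst's contribution the article is describing.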

Recent headlines suggest that organizations today are not equipped to perform such highly intricate and complex analysis and, as a result, attackers appear to be winning the war. This is not to say that there is no use for security intelligence tools that can alert and respond when indicators are identified – but they are limited in capability for turning that information into actionable intelligence. Rather, threat intelligence platforms offered by managed security services providers are automating the identification and analysis of the data, so organizations can take the necessary and immediate steps to thwart the intruders.

Threat intelligence management technology is seeing significant growth across a broad range of users and, as recent hacks will attest, for good reason. It’s a reliable and cost-effective method for improving network security through proactive mitigation of potential threats. The technology is devised to understand, analyze, curate, and enrich threat information using advanced analysis techniques and proprietary tools. The supporting underlying infrastructure can collect and store massive amounts of information and make it available for curation, enrichment, automated correlation and processing, as well as enabling manual threat analysis and research.

While increased cyber threats have accelerated the need for threat intelligence services, businesses need to be aware of the different types of intelligence being delivered by the security industry. Is it intelligence resulting from the automated collection and analysis of data obtained from sources such as social network monitoring, spam traps, malware reversing and observation, live botnet connections and so on; or, is the intelligence derived from a blend of these sources along with more human analysis that can add a further level of intelligence? For instance, observation of a malware infection could offer insights into what the intruder does once inside the network or what specifically they are looking for. Instructive intelligence can also be gained from past responses.

Because a breach is a matter of when rather than if, it is essential to have threat intelligence capable of providing a comprehensive and real-time view of the threat. Human analysts, working alongside automated tools, identify emerging threats and assess their scope and impact; attribute activity to known actors and their tactics, techniques and procedures; curate known threats as they evolve; and provide validated indicators of compromise (IOCs). This offers a higher level of threat intelligence that can be used to enact countermeasures against current and future vulnerabilities and intruders.
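"Validated" indicators are the part of this paragraph a detection engineer has to operationalize, so here is an added example of what that validation can look like in practice. It is not code from the article or from any vendor platform: it merges sightings of the same indicator from several feeds, gives each feed one vote weighted by an assumed reliability, combines independent votes into a confidence score, drops indicators that are stale or that sit on the organization's own allowlist, and exports only what survives as a blocklist. The feed names, reliability weights, thresholds and sample indicators (drawn from the reserved documentation ranges) are all constructed.

```python
"""
Added example (not from the original article): curating IOCs from several
feeds into a validated set. Feeds, weights, thresholds and indicators are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference time and constructed sightings:
# (indicator, type, feed, time seen UTC, assumed feed reliability 0..1)
NOW = datetime(2018, 1, 17, tzinfo=timezone.utc)
SIGHTINGS = [
    ("203.0.113.7",  "ipv4",   "feed-a", NOW - timedelta(days=2),  0.6),
    ("203.0.113.7",  "ipv4",   "feed-b", NOW - timedelta(days=1),  0.7),
    ("203.0.113.7",  "ipv4",   "feed-a", NOW - timedelta(hours=5), 0.6),  # repeat, same feed
    ("198.51.100.9", "ipv4",   "feed-c", NOW - timedelta(days=40), 0.9),  # too old
    ("bad.example",  "domain", "feed-a", NOW - timedelta(days=3),  0.6),  # single source
    ("192.0.2.1",    "ipv4",   "feed-b", NOW - timedelta(days=1),  0.7),  # on allowlist
]
ALLOWLIST = {"192.0.2.1"}        # e.g. own infrastructure; never block
MAX_AGE = timedelta(days=30)     # assumed indicator lifetime
MIN_CONFIDENCE = 0.8             # assumed threshold for automated action


def confidence(reliabilities):
    """Treat feeds as independent: 1 - prod(1 - r). Two feeds at 0.6/0.7 -> 0.88."""
    p = 1.0
    for r in reliabilities:
        p *= (1.0 - r)
    return 1.0 - p


def curate(sightings, now=NOW):
    """Return (validated, rejected); rejected maps indicator -> reason."""
    by_ind = defaultdict(lambda: {"type": None, "feeds": {}, "last_seen": None})
    for ind, typ, feed, seen, rel in sightings:
        entry = by_ind[ind]
        entry["type"] = typ
        # One vote per feed: repeats from the same feed are not corroboration.
        entry["feeds"][feed] = max(entry["feeds"].get(feed, 0.0), rel)
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen

    validated, rejected = {}, {}
    for ind, e in by_ind.items():
        if ind in ALLOWLIST:
            rejected[ind] = "allowlisted"
            continue
        if now - e["last_seen"] > MAX_AGE:
            rejected[ind] = "stale"
            continue
        score = confidence(e["feeds"].values())
        if score < MIN_CONFIDENCE:
            rejected[ind] = f"low confidence ({score:.2f})"
            continue
        validated[ind] = {
            "type": e["type"],
            "confidence": round(score, 2),
            "sources": sorted(e["feeds"]),
        }
    return validated, rejected


def to_blocklist(validated):
    """Only IPv4 indicators are exported here; domains would go to a DNS sinkhole."""
    return sorted(ind for ind, v in validated.items() if v["type"] == "ipv4")


if __name__ == "__main__":
    ok, bad = curate(SIGHTINGS)
    print("validated:", ok)
    print("rejected:", bad)
    print("blocklist:", to_blocklist(ok))
```

Only `203.0.113.7` survives: two independent feeds raise it above the threshold, while the single-source domain, the 40-day-old address and the allowlisted address are each rejected with a recorded reason. Keeping the reason alongside the rejection is what lets an analyst later revisit a low-confidence indicator when a further sighting arrives, instead of silently losing it.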


Steven Bullitt brings a unique government perspective to the executive management of our threat intelligence and incident response teams. Serving as the Vice President of Threat Intelligence and Incident Response for NTT Security, Steven is responsible for leading client-facing threat responses. Steven began his career as a special agent with the United States Secret Service and held various supervisory positions within the Electronic Crimes Task Force and the Electronic Crimes Special Agent Program.

Steven oversaw all United States Secret Service Cyber and Criminal investigations throughout Northern Texas and served on the United States Secret Service Presidential Protection detail. He was instrumental in creating the U.S. Secret Service Cell Phone Forensic Facility in Tulsa, Okla. and the National Computer Forensic Institute in Hoover, Ala.

He has a bachelor's degree from the University of Texas, Dallas and a master's degree in Forensic Science Computer Fraud Investigation from George Washington University.

The opinions expressed in this blog are those of Steven Bullitt and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.