Gartner Blog Network


On Threat Intelligence Use Cases

by Anton Chuvakin  |  February 4, 2014  |  3 Comments

While some people treat technical TI feeds as ready-made NIPS signatures, the reality of effective usage of threat intelligence feeds and reports for security is much more nuanced.

In this post, I will present a quick summary of discovered threat intelligence use cases, that apply to both strategic and tactical TI. Admittedly, I am saving the juicy details for my research paper, but I hope that these summaries will serve to both educate and start the discussion.

Type of use case Strategic TI Tactical TI
Planning Security architecture and monitoring planning based on long-term threats and relevant actor capabilities Study historical trends across TI feeds and environment match history (maybe???)
Prevention Better align security spending and attention based on attacker targeting; prevent attacks predicted by TI sources (HUMINT) Block bad IPs, URLs, domains, emails, files, etc; the staple usage of blacklists and high-fidelity TI feeds
Detection Look harder for intrusion evidence in places of “known interest” to attackers; review reports on threat actor tools to find ways to better detect them Use TI feeds to create NIDS sigs, NFT, SIEM and ETDR alerting rules; detect internal systems communicating with “known bads”
Triage “APT or commodity threat?” decision; a key decision that defines how subsequent IR process will go Use TI feeds as context for enriching alerts and other monitoring data; link alerts together into incidents; automated triage by escalating alerts linked to “known bads”
Incident response Better understand the business impact by relating incident artifacts to threat actor profiles; practical incident attribution Finding a full scope of an incident by linking local observables to TI; “pulling the thread” to find all compromised assets and all attacker traces
Threat assessment Assess overall threat level for your organization; report to management, board, etc Assess the risk of customers connecting to your IT resources based on TI feeds; fraud risk assessment
TI fusion – making better TI out of TI Increase value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich tactical TI by linking to strategic TI Increase value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich strategic TI by linking to indicators and internal TI

Note that I rolled “prediction” into prevention using strategic TI; if you think that prediction is a separate use case, just comment. At this point, true prediction (such as what is done by HUMINT and attacker sentiment analysis) is fairly rare.

P.S. By the way, are some of you wondering why I don’t call this domain “cyber threat intelligence” (CTI)? Even though I no longer assume that “c” in “cyber” stands for “clown”, frankly, I don’t see the need to “cyber it up.“ Hopefully, the discussion on definitions and types of TI makes it pretty clear that we are in the “cyber” domain here and not in gardening or something….

Posts related to this research project:

Category: security  threat-intelligence  

Anton Chuvakin
Research VP
2+ years with Gartner
14 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on On Threat Intelligence Use Cases


  1. yotam Gutman says:

    Nicely put. Trying to predict is nearly useless nowadays. instead of pretending we have a crystal ball it’s much better to employee good ‘ole HUMINT and try to alert in near-real time regarding imminent threats.

  2. Actually, this is precisely what I meant by predict: predict by figuring the attackers plans.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.