Threat Intelligence Platform

Threat Intelligence Platform (TIP) is an emerging technology discipline Originally pioneered by Greg Martin founder of ThreatStream (Anomali) [1] that helps aggregate organisms, correlate, and analyze threat data from multiple sources in real time to supporting defensive shares. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. TIP automated proactive threat management and mitigation. TIP automated proactive threat management and mitigation.

Traditional approach to enterprise security

The traditional approach to enterprise security and the use of a variety of processes and tools to conduct incident response, network defense, and threat analysis. Integration between these teams and sharing of threat data is often a manual process that relies on email, spreadsheets, or a portal ticketing system. This approach does not increase the number of students and the number of students. With attacking sources changing by the minute, hour, and day, scalability and efficiency is difficult. Large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, making it difficult to filter down suspicious events for triage.

Threat intelligence platforms

Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threatening actors, blocking and tackling their attacks, or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the potential sources of risk and the most vulnerable people. [2]

Tactical use cases for threat intelligence include security monitoring , incident monitoring , threat detection and threat assessment. A TIP also drives smarter practices back into SIEMs , intrusion detection, and other security tools due to the finely curated, rising, and widely sourced threat intelligence that a TIP produces.

An advantage held by TIPs, is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts, across forums and platforms. A TIP provides a common habitat that makes it possible for security teams to share information with their own trusted circles, interface with security and intelligence experts, and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities. [3]

Threat intelligence platform capabilities

Threat intelligence platforms are made up of several primary feature areas [4] that allow organizations to implement an intelligence-driven security approach. These courses are supported by automated workflows that streamline the threat detection, management, analysis, and defensive process and track it through to completion:

  • Collect – A TIP collects and aggregates multiple data formats from multiple sources including CSV, STIX, Custom XML.JSON, IODEK, OpenIOC, and even email. In this way a TIP differs from a SIEM platform. While SIEMs can handle multiple TI feeds, they are less suited for ad hoc importing or for analyzing unstructured formats that are regularly required for analysis.
  • Correlate – The TIP allows organizations to begin to automatically analyze, correlate, and pivot on data so that actionable intelligence in the who, why and how of a given attack can be gained and blocking measures introduced. Automation of these processes is critical.
  • Enrichment and Contextualization – To build enriched context around threats, A TIP must be able to automatically increase, or allow threat analysis. This is a very useful tool for monitoring and evaluating the performance of the organization.
  • Analyze – The TIP automatically analyzes the content of threshold indicators and the relationships between them to enable the production of usable, relevant, and timely threat intelligence from the data collected. (TTPs). This paper presents the results of the study. In addition, visualization capabilities help depict complex relationships and allow users to pivot to reveal greater detail and subtle relationships. TIP framework is the Diamond Model of Intrusion Analysis. [5] The Diamond Model. This process helps teams to refine and place data in context to develop an effective action plan. For example, A threat intelligence intelligence analyst may perform relationship modeling on a phishing email to determine which sent it, which received the email, the domains it is registered to, IP addresses that resolve to that domain, etc. From here, the analyst can pivot further to reveal other domains that use the same DNS resolver, the internal hosts that try to connect to it, and what other host / domain name requests have been attempted. The Diamond Model differs from the Cyber ​​Kill Chain® approach (attributed to Lockheed Martin [6] ) which the defensive, an organization needs only to disrupt a link in the chain to compromise an attack. However, not all the stages of an attack are apparent to the defender. While recognition may be detectable if an attacker is browsing its victim’s website, The weaponization stage remains hidden. The Diamond Model, however, focuses more on understanding the attacker (their TTPs and motivations). Instead of looking at a series of events, This ensures a more effective overall response. [7] Rather than play whack-a-mole with persistent threats, organizations.
  • Integrate – Integrations are a key requirement of a TIP. Data from the platform needs to find a way back in the security tools and products used by an organization. Full-featured TIPs enable the flow of information collected and analyzed from feeds, etc. and Disseminate and integrate the cleaned data to other network tools Including Siems , internal ticketing systems, firewalls , intrusion detection systems , and more. Moreover, APIs allow for the automation of actions without direct user involvement. [8]
  • Act – A mature threat intelligence platform. Built-in workflows and processes accelerate cooperation dans le security team and ‘wider communities like Information Sharing and Analysis Centers (ISACS) and Information Sharing and Analysis Organizations (ISAOs), so That teams can take control of course of Action development, planning mitigation, and execution. This level of community participation can not be achieved without a sophisticated threat intelligence platform. Powerful TIPs enable these communities to create tools and applications that can be used to change the game for security professionals. In this model, analysts and developers freely share applications with one another, choose and modify applications, And accelerate development through plug-and-play activities. In addition, threat intelligence can also be used to modify the security architecture.

Operational Deployments

Threat intelligence platforms can be deployed as a software or appliance (physical or virtual) on-premises or in dedicated or public clouds for enhanced community collaboration.


  1. Jump up^
  2. Jump up^ “Threat Intelligence Platforms: The Next ‘Must-Have’ For Harried Security Operations Teams” . Dark Reading . Retrieved 2016-02-03 .
  3. Jump up^ Poputa-Clean, Paul (January 15, 2015). “Automated Defense Using Threat Intelligence to Increase Security” . WITHOUT InfoSec Reading Room .
  4. Jump up^ “Technology Overview for Threat Intelligence Platforms” . . Retrieved 2016-02-03 .
  5. Jump up^ “The Diamond Model of Intrusion Analysis |” . . Retrieved 2016-02-03 .
  6. Jump up^ Eric M. Hutchins; Michael J. Cloppert; Rohan M. Amin (2009). “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (PDF) . Lockheed Martin .
  7. Jump up^ MacGregor, Rob (May 29, 2015). “Diamonds or chains” .
  8. Jump up^ “What’s in a true threat intelligence analysis platform?” . ThreatConnect | Enterprise Threat Intelligence Platform . Retrieved 2016-02-03 .

Leave a Comment

Your email address will not be published. Required fields are marked *