What is a Threat Intelligence Platform (TIP)?

Every organization faces a wide range of cybersecurity threats, and the landscape changes constantly: new weaknesses in existing systems are discovered, and new technologies get deployed with vulnerabilities of their own.

A proactive approach to security operations is now essential to keep up with this ever-changing threat landscape. Learning about a planned attack by cybercriminals or other bad actors before it happens, and disrupting it before it starts, is a far better outcome than cleaning up IT systems and dealing with the fallout after the fact.

If you know where to look, there is often visible intelligence indicating that an attack against an organization is planned or imminent. Gathering that threat intelligence, and making it usable, is the function of a Threat Intelligence Platform (TIP).

Definition: What is a Threat Intelligence Platform (TIP)?

A Threat Intelligence Platform (TIP) is a cybersecurity solution that discovers, collects, aggregates, organizes, and analyzes threat intelligence from the clear web, deep web, and dark web. A TIP gathers actionable intelligence from multiple sources, delivered in a variety of formats, and normalizes it into a common form. It then applies analytics and machine learning to the collected data to identify indicators of compromise (IOCs) and to separate credible intelligence from noise. Advanced TIPs also integrate human intelligence gathered by cybersecurity professionals who interact with threat actors in the places where attacks are planned and leaked or stolen data is traded.

Using the information discovered and surfaced by a TIP, cybersecurity teams can identify emerging threats, from new variants of known malware families to attacks still in the planning stage, and use that knowledge for proactive risk management and remediation.

What Intelligence Sources Should a TIP Monitor?

The sources that a TIP monitors for threat intelligence should include the following across the clear web, deep web, and dark web:

Open Source Intelligence - known in security circles as OSINT. This is threat intelligence obtainable from publicly available sources, such as security forums, public vulnerability advisories, and dedicated national and international security announcement lists.

Signals Intelligence - shortened to SIGINT in security circles. In the TIP context this is intelligence derived from monitoring the information flowing to and from computers and mobile devices, such as network traffic and device telemetry. Some vendors call this "machine intelligence", which should not be confused with machine learning or AI.

Social Media Intelligence - social media conversations are a rich source of threat intelligence. Usually abbreviated SOCMINT (sometimes SOCINT), it is technically a subset of OSINT but is now treated as a top-tier source in its own right. Phishing campaigns and brand impersonation are the threats that social media monitoring most often uncovers.

Human Intelligence - also known as HUMINT, is the intelligence gleaned from building human-to-human connections in the right places. It means communicating with people rather than harvesting information from devices, and doing so without raising suspicion, so that valuable sources are not scared off before the intelligence is obtained.

Dark Web Intelligence - threat intelligence gathered from sites on the dark web where cybercriminals gather to chat and trade. Sources include black markets, private chat rooms, dark web forums, and other anonymized services.

There is overlap between these sources - much HUMINT, for example, comes from dark web research. The collection techniques, however, often differ from one source to the next.

Across these sources, the information gathered by a TIP can identify threats and then drive actions to counter them. Organizations can configure advanced TIP solutions to run automated mitigation tasks against discovered threats, for example issuing takedown requests for domain names that mimic an organization's brand, or flagging IP addresses within the organization's own ranges that show up in threat data.
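The brand-impersonation case above (look-alike domains that mimic an organization's brand) is the kind of check a TIP runs over newly observed domains before raising a takedown request. The following is an added example, not IntSights code: it normalizes common homoglyph and digit substitutions, decodes punycode (IDN) labels, and scores each candidate against protected brand names. The brand names, the allowlist, and the list of "newly observed" domains are all constructed for the example.

```python
"""Look-alike (typosquat) domain detection, as a TIP might run it over new domains.

Added example, not IntSights code. BRANDS, ALLOWLIST and NEW_DOMAINS are
constructed inputs; the scoring weights are assumptions for illustration.
"""
import unicodedata

BRANDS = ["examplebank", "examplepay"]          # protected brands (assumed)
ALLOWLIST = {"examplebank.com", "examplepay.com"}  # organization-owned domains (assumed)

# A punycode (IDN) domain built from an accented look-alike, so the test data is real punycode.
IDN_DOMAIN = "exámplebank.com".encode("idna").decode("ascii")

NEW_DOMAINS = [                     # constructed sample of newly observed domains
    "examplebank.com",              # legitimate, allowlisted
    "examp1ebank-login.com",        # digit substitution plus lure keyword
    "exampleb4nk.net",              # digit substitution
    "examplebank.co",               # TLD swap
    "exarnplebank.com",             # 'rn' mimics 'm'
    IDN_DOMAIN,                     # accented character hidden in punycode
    "examplbank.com",               # single-character typo
    "weather-report.org",           # unrelated
    "secure-examplepay.support",    # brand plus lure keyword
]

HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
LURE_KEYWORDS = ("login", "secure", "support", "verify", "account", "update")


def registrable_label(domain: str) -> str:
    """Second-level label of a domain, with punycode decoded and accents stripped."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> unicode
    except UnicodeError:
        pass                                            # already unicode
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Undo common substitutions, longest keys first so 'rn' is handled before 'n'."""
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str) -> dict:
    """Score 0..100 for how closely a domain mimics a protected brand (0 = no match)."""
    if domain.lower() in ALLOWLIST:
        return {"domain": domain, "score": 0, "reason": "allowlisted"}
    label = registrable_label(domain)
    norm = normalize(label)
    best = {"domain": domain, "score": 0, "reason": "no brand match"}
    for brand in BRANDS:
        score, reasons = 0, []
        if brand in norm:
            score += 60
            reasons.append(f"contains '{brand}'" + ("" if brand in label else " after normalization"))
        else:
            dist = levenshtein(norm, brand)
            if dist <= 2:                       # near-miss typo of the whole label
                score += 50 - 10 * (dist - 1)
                reasons.append(f"edit distance {dist} from '{brand}'")
        if score == 0:
            continue
        if any(k in norm for k in LURE_KEYWORDS):
            score += 20
            reasons.append("lure keyword")
        if domain.lower().startswith("xn--"):
            score += 15
            reasons.append("IDN/punycode label")
        if score > best["score"]:
            best = {"domain": domain, "score": min(score, 100), "reason": "; ".join(reasons)}
    return best


def flag_lookalikes(domains, threshold: int = 50) -> list:
    """Return candidates at or above the threshold, highest score first."""
    hits = [score_domain(d) for d in domains]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in flag_lookalikes(NEW_DOMAINS):
        print(f'{hit["score"]:3d}  {hit["domain"]:32s} {hit["reason"]}')
```

The allowlist check runs first so the organization's own registrations are never queued for takedown, and the homoglyph map is applied before the substring and edit-distance checks so that "exarnplebank" and "examp1ebank" are recognized as the brand rather than as distant strings. In production the candidate list would come from certificate transparency logs, passive DNS, or new-registration feeds rather than a hard-coded list.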

The IntSights Threat Intelligence Platform (TIP)

The IntSights Threat Intelligence Platform (TIP) is a core product in the IntSights External Threat Protection (ETP) Suite. The other products in ETP are Threat Command, Vulnerability Risk Analyzer, and Threat Third Party.

The IntSights TIP is an industry-leading Threat Intelligence Platform. It provides a fully automated cyber threat intelligence service covering the whole lifecycle: data collection, processing, threat analysis, and enrichment, through to dissemination of threat information and mitigation actions. Discovered threats are presented in an easy-to-triage form for stakeholders, using a visual network graph view that anyone can use to categorize threats by risk factor and trigger workflows to mitigate them. The IntSights TIP thereby becomes a single source of truth, giving your teams immediate access to real-time, contextual intelligence, including visibility and context on related malware, threat actors, and targeted campaigns. Following investigation and analysis, your teams can push intelligence out to augment your existing security stack and proactively block threats.

Features and Capabilities of The IntSights Threat Intelligence Platform (TIP)

Workflows - speed up threat research across all intelligence sources with analysis and reporting workflows. Draw on an extensive list of public, private, and industry threat intelligence feeds, along with advanced investigation and search tools that offer attack visualization and details. Visualize threats on a single-pane-of-glass dashboard. Reduce the pressure on security teams by cutting false positives and noise in the threat data, prioritizing the most credible feeds and applying IntSights credibility scoring.

Integrate with existing security solutions - with the IntSights TIP you can automatically augment your security devices and update critical blocklists. Use our large network of integrations with security products such as enterprise firewalls and SIEM, EDR, and SOAR platforms to enrich organization-specific IOCs and other threat indicators in real time. Because of this network of integration partners, responses can be pushed across the whole security stack immediately.
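The definition above, the Workflows item, and this integration item together describe one pipeline: ingest indicators from several feeds in different formats, normalize and deduplicate them, weight them by feed credibility, and push the survivors to blocklists. The following is an added example, not IntSights code, that runs that pipeline end to end. The two feeds are constructed sample data in the shapes a TIP commonly ingests (a STIX 2.1 bundle with simple comparison patterns, and a defanged CSV feed); the feed credibility weights, the allowlist of organization-owned assets, and the scoring formula are assumptions for the example.

```python
"""Aggregate IOCs from several feeds, score them, and build a blocklist.

Added example, not IntSights code. STIX_FEED and CSV_FEED are constructed
sample data; FEED_CREDIBILITY, ALLOWLIST and the score formula are assumptions.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle (sample data, not a real vendor feed).
STIX_FEED = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix", "confidence": 85,
     "pattern": "[domain-name:value = 'login-examplebank.top']"},
    {"type": "indicator", "pattern_type": "stix", "confidence": 60,
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "pattern_type": "stix", "confidence": 40,
     "pattern": "[domain-name:value = 'examplebank.com']"},   # our own domain: a feed error
    {"type": "malware", "name": "not an indicator"},
]})

# Constructed defanged CSV feed from a second, lower-credibility community source.
CSV_FEED = """indicator,confidence
hxxps://login-examplebank[.]top/verify,70
198.51.100[.]7,50
203[.]0[.]113[.]99,30
"""

FEED_CREDIBILITY = {"vendor-stix": 0.9, "community-csv": 0.5}   # assumed weights, 0..1
ALLOWLIST = {"examplebank.com"}                                  # organization-owned (assumed)

STIX_VALUE_RE = re.compile(r"\[([\w-]+):value\s*=\s*'([^']+)'\]")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(value: str) -> str:
    """Undo common defanging so indicators from different feeds compare equal."""
    return (value.strip().lower().replace("hxxp", "http")
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def classify(value: str) -> str:
    if value.startswith(("http://", "https://")):
        return "url"
    return "ipv4-addr" if IPV4_RE.match(value) else "domain-name"


def parse_stix(bundle_json: str, feed: str):
    """Yield (type, value, confidence, feed) from simple STIX comparison patterns."""
    for obj in json.loads(bundle_json).get("objects", []):
        m = STIX_VALUE_RE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:   # compound (AND/OR) patterns are skipped in this example
            yield m.group(1), refang(m.group(2)), obj.get("confidence", 50), feed


def parse_csv(text: str, feed: str):
    for row in csv.DictReader(io.StringIO(text)):
        value = refang(row["indicator"])
        yield classify(value), value, int(row.get("confidence", 50)), feed


def aggregate(records) -> list:
    """Merge duplicates across feeds; score = credibility-weighted confidence + corroboration."""
    merged = defaultdict(dict)                       # (type, value) -> {feed: confidence}
    for ioc_type, value, conf, feed in records:
        srcs = merged[(ioc_type, value)]
        srcs[feed] = max(srcs.get(feed, 0), conf)
    results = []
    for (ioc_type, value), srcs in merged.items():
        weight = sum(FEED_CREDIBILITY[f] for f in srcs)
        score = sum(c * FEED_CREDIBILITY[f] for f, c in srcs.items()) / weight
        score += 10 * (len(srcs) - 1)                # +10 per additional corroborating feed
        results.append({"type": ioc_type, "value": value, "score": min(round(score), 100),
                        "sources": sorted(srcs)})
    return sorted(results, key=lambda r: -r["score"])


def host_of(r: dict) -> str:
    return re.sub(r"^https?://", "", r["value"]).split("/")[0] if r["type"] == "url" else r["value"]


def build_blocklist(results: list, threshold: int = 60) -> list:
    """Keep high-scoring IOCs, dropping anything that points at an owned asset."""
    return [r for r in results
            if r["score"] >= threshold and host_of(r) not in ALLOWLIST]


def run() -> list:
    records = list(parse_stix(STIX_FEED, "vendor-stix")) + list(parse_csv(CSV_FEED, "community-csv"))
    return build_blocklist(aggregate(records))


if __name__ == "__main__":
    for r in run():
        print(f'{r["score"]:3d} {r["type"]:11s} {r["value"]:45s} {",".join(r["sources"])}')
```

Two details matter for the false-positive problem the Workflows item raises. The allowlist check is applied after scoring, so a feed that lists the organization's own domain cannot cause a self-inflicted outage when the blocklist is pushed to a firewall. And the corroboration bonus is added on top of a credibility-weighted mean, so an indicator seen only in a low-credibility feed stays below the threshold, while one that both feeds agree on rises above it.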

Stay Ahead of the Next Threat - proactively research malware, TTPs (tactics, techniques, and procedures), and threat actors, and listen in on dark web chatter for up-to-the-minute details on the threats your organization is facing. Discover the latest information on threat actors and campaigns, then automate and streamline investigations with real-time visualization of related malware, threat actors, and targeted campaigns that could indicate a threat to you. Perform incident response and threat detection automation within your own or a third-party security operations center (SOC).

The Wider Cybersecurity Picture

A TIP is not a replacement for the other core components that organizations should deploy to protect their networks, systems, and users. It complements them by discovering threats at the planning stage, so that attacks can be disrupted before they start. Robust protection through firewalls, intrusion detection systems, SIEM solutions, endpoint protection and anti-malware software, and other security tools is still needed.