Threat intelligence is information about potential attacks. Threat intelligence helps organizations take action to defend themselves against these attacks.
Threat intelligence is information about the potential attacks an organization may face and how to detect and stop those attacks. Law enforcement sometimes distributes "Wanted" posters with information about suspects; similarly, cyber threat intelligence contains information about what current threats look like and where they come from.
In digital security terms, a "threat" is an action with malicious intent that could result in data being stolen, lost, or altered without permission. The term refers to both potential and actual attacks. Threat intelligence is actionable: rather than merely providing data, it enables organizations to take action against threats. Each piece of threat intelligence helps make it possible to detect and prevent attacks.
Some types of threat intelligence can be fed into firewalls, web application firewalls (WAFs), security information and event management (SIEM) systems, and other security products, enabling them to more effectively identify and block threats. Other types of threat intelligence are more general and help organizations make larger strategic decisions.
Most threat intelligence fits into one of these three categories: signatures, indicators of compromise (IoCs), and threat intelligence feeds.
A signature is a unique pattern or sequence of bytes by which malware can be identified. In the same way that fingerprints are used to identify persons suspected of a crime, signatures help identify malicious software.
Signature detection is one of the most common forms of malware analysis. To be effective, signature detection needs to be constantly updated with the latest malware signatures identified in the wild.
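As an added example (not part of the original article), the following Python script shows what signature detection looks like at its simplest: a scanner that checks sample files for known byte patterns, and what happens when the signature set is not kept up to date. All signatures, family names and sample files are constructed for illustration; none correspond to real malware.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed "signature database", version 1: each entry maps a family name
# to a byte pattern that identifies it. Real databases hold many thousands of
# entries and are refreshed continuously; these values are toy examples.
SIGNATURES_V1: Dict[str, bytes] = {
    "Demo.Dropper.A": b"MZ\x90\x00DEMO-DROPPER",
    "Demo.Macro.B": b"AutoOpen()\r\nShell(",
}

# Version 2 of the same database, after an update adds a signature for a
# family that was first observed "in the wild" after v1 was published.
SIGNATURES_V2: Dict[str, bytes] = {
    **SIGNATURES_V1,
    "Demo.Stealer.C": b"\x7fELF\x02\x01\x01DEMO-STEALER",
}


@dataclass(frozen=True)
class Match:
    signature: str  # name of the matching signature
    offset: int     # byte offset of the first occurrence in the scanned data


def scan(data: bytes, signatures: Dict[str, bytes]) -> List[Match]:
    """Return one Match per signature whose byte pattern occurs in data.

    bytes.find() performs a literal substring search, so no escaping is needed
    and an attacker-controlled pattern cannot be interpreted as a regex.
    """
    matches = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        if offset != -1:
            matches.append(Match(name, offset))
    return sorted(matches, key=lambda m: m.offset)


# Constructed sample files (not real malware): a document with a macro stub,
# a binary carrying the "stealer" marker, and a harmless text file.
SAMPLES: Dict[str, bytes] = {
    "invoice.docm": b"PK\x03\x04" + b"\x00" * 16 + b'Sub AutoOpen()\r\nShell("DEMO")',
    "update.bin": b"\x7fELF\x02\x01\x01DEMO-STEALER" + b"\x00" * 32,
    "readme.txt": b"Quarterly report, nothing to see here.\n",
}


def scan_samples(samples: Dict[str, bytes],
                 signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every sample and report the signature names that hit, per file."""
    return {name: [m.signature for m in scan(data, signatures)]
            for name, data in samples.items()}


if __name__ == "__main__":
    # With the stale v1 database, update.bin is reported clean; with v2 it is caught.
    for version, sigs in (("v1", SIGNATURES_V1), ("v2", SIGNATURES_V2)):
        print(version, scan_samples(SAMPLES, sigs))
```

Running the script shows the point the paragraph makes: the same file is missed by the v1 signature set and detected by v2, so a signature-based scanner is only as good as the freshness of its database.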
An indicator of compromise (IoC) is a piece of data that helps identify whether or not an attack has taken place or is in progress. An IoC is like an item of physical evidence that a detective might collect to determine who was present at the scene of the crime. Similarly, certain digital evidence — unusual activity recorded in logs, network traffic to unauthorized servers, etc. — helps administrators determine when an attack has occurred (or is currently happening) and what kind of attack it was.
Without IoCs, it can sometimes be difficult to determine if an attack has taken place; it often benefits the attacker to remain undetected (for instance, if they want to use a compromised device in a botnet).
A threat intelligence feed is an external stream of threat intelligence data. Much as a reader subscribes to an RSS feed to receive new blog posts, an organization can subscribe to a threat intelligence feed to receive constant security updates for its systems.
Some threat intelligence feeds are free; others cost money and provide proprietary intelligence not available from open sources.
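The following Python script is an added example, not part of the original article, that ties together the two preceding sections: it loads a threat intelligence feed of network IoCs, matches those IoCs against log lines (the "network traffic to unauthorized servers" the IoC section mentions), and turns the feed into blocklist entries of the kind a firewall could consume. The JSON feed layout, the log format, and every indicator and address are constructed for illustration; real feeds use formats such as STIX/TAXII or vendor-specific CSV/JSON, and all addresses here come from the RFC 5737 documentation ranges.

```python
import ipaddress
import json
import re
from typing import Dict, List, Tuple

# Constructed feed in an assumed JSON shape. The "description" field is what an
# analyst would see when an indicator fires.
FEED_JSON = """
{
  "generated": "2024-01-01T00:00:00Z",
  "indicators": [
    {"type": "ipv4",      "value": "203.0.113.45",        "description": "demo command-and-control address"},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24",     "description": "demo scanning range"},
    {"type": "domain",    "value": "update-check.example", "description": "demo malware download host"}
  ]
}
"""

# Constructed proxy/firewall log lines in a simple key=value format.
LOG_LINES = [
    "2024-01-02T10:00:01Z src=10.0.0.12 dst=192.0.2.10 host=www.example.com action=allow",
    "2024-01-02T10:00:05Z src=10.0.0.12 dst=203.0.113.45 host=- action=allow",
    "2024-01-02T10:00:09Z src=10.0.0.33 dst=198.51.100.77 host=- action=allow",
    "2024-01-02T10:00:12Z src=10.0.0.33 dst=192.0.2.10 host=update-check.example action=allow",
    "2024-01-02T10:00:15Z src=10.0.0.40 dst=192.0.2.20 host=intranet.example action=allow",
]

Feed = Dict[str, object]
Hit = Tuple[int, str, str]  # (log line index, indicator value, description)


def load_feed(raw: str) -> Feed:
    """Parse the feed into lookup structures: exact IPs, CIDR networks, domains."""
    doc = json.loads(raw)
    feed: Feed = {"ips": {}, "networks": [], "domains": {}}
    for ind in doc["indicators"]:
        kind, value, desc = ind["type"], ind["value"], ind["description"]
        if kind == "ipv4":
            feed["ips"][value] = desc
        elif kind == "ipv4-cidr":
            feed["networks"].append((ipaddress.ip_network(value), desc))
        elif kind == "domain":
            feed["domains"][value.lower()] = desc
        # Unknown indicator types are ignored rather than crashing the loader.
    return feed


LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn 'key=value key=value ...' into a dict; tokens without '=' are dropped."""
    return dict(LINE_RE.findall(line))


def match_logs(lines: List[str], feed: Feed) -> List[Hit]:
    """Report every log line whose destination IP or hostname is a feed IoC."""
    hits: List[Hit] = []
    for i, line in enumerate(lines):
        fields = parse_log_line(line)
        dst, host = fields.get("dst"), fields.get("host", "").lower()
        if dst:
            if dst in feed["ips"]:
                hits.append((i, dst, feed["ips"][dst]))
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                addr = None  # dst was not an IP address; skip the CIDR check
            if addr is not None:
                for net, desc in feed["networks"]:
                    if addr in net:
                        hits.append((i, str(net), desc))
        if host in feed["domains"]:
            hits.append((i, host, feed["domains"][host]))
    return hits


def blocklist_entries(feed: Feed) -> List[str]:
    """Render the feed's IP indicators as CIDR strings a firewall blocklist could ingest."""
    nets = [str(ipaddress.ip_network(ip)) for ip in feed["ips"]]
    nets += [str(net) for net, _ in feed["networks"]]
    return sorted(nets)


if __name__ == "__main__":
    feed = load_feed(FEED_JSON)
    for idx, value, desc in match_logs(LOG_LINES, feed):
        print(f"line {idx}: {value} ({desc})")
    print("blocklist:", blocklist_entries(feed))
```

Three of the five log lines match: the direct connection to the listed address, the connection into the listed scanning range, and the request for the listed hostname. The first line is not flagged even though it goes to the same IP as the fourth, which illustrates why feeds carry several indicator types rather than IPs alone.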
Cloudflare is uniquely positioned to collect information about threats on a huge scale. Millions of websites are protected by the Cloudflare network. By analyzing traffic to and from these websites, Cloudflare can identify malicious traffic patterns from bots, vulnerability exploits, and other attacks.
Cloudflare uses this information to better protect customers. For example, Cloudflare creates WAF rules and deploys them for all WAF customers whenever a new threat is detected. Cloudflare Bot Management uses threat intelligence from the billions of requests Cloudflare sees each day to learn to identify malicious bots.
To learn more about cyber threats, see What is web application security?