The current state of threat intelligence

Exploring the trends, challenges and investment opportunities that exist in the digital age

Olivia Powell
09/13/2023


As the threat landscape evolves, threat intelligence must work harder and faster to anticipate emerging, dangerous threats. Cyber Security Hub research has found that globally, 84 percent of companies have experienced a cyber attack in the past 12 months. 

In this report, Cyber Security Hub explores the current state of threat intelligence, how threat intelligence is evolving and the future of threat intelligence. It offers relevant statistics, expert insight and case studies that highlight the importance of threat intelligence to good cyber security.

Key takeaways:

  • The current state of threat intelligence.
  • How to overcome common threat intelligence issues.
  • The future of threat intelligence.

The current state of threat intelligence

Threat intelligence covers investigation, data collection and attack analysis with the aim of understanding why and how an attack was launched. It helps cyber security professionals understand why malicious actors target certain people or organizations.

Based on their own threat intelligence analysis, cyber security professionals told Cyber Security Hub they expect key employee/role targeting, malware and ransomware to be the threat vectors that will have the biggest impact in 2023.

These threat predictions seem set to become reality: 81 percent of companies reported they experienced cyber attacks that directly targeted employees, eight in 10 cyber security professionals said ransomware is a “danger” and a “threat” to public safety, and more than one billion malware programs are believed to be active around the world.

Research by Cyber Security Hub found that 25 percent of cyber security professionals believe threat intelligence is the most important priority for cyber security investment in 2023, with the threat intelligence market predicted to grow from US$4.93 billion in 2023 to $18.11 billion in 2030.

Jojo Nufable, group IT infrastructure and cyber security head at Philippines-based hospital operator Metro Pacific Health Solutions, notes that threat intelligence is integral to ensuring that companies can withstand and recover from cyber attacks. 

“Threat intelligence encourages the use of applying best practice, paving the way for cyber security teams to see threats and risks before they are realized,” he explains. “This is the best course of action as it means they are able to remediate before an attack is in full swing. 

“Threat intelligence also helps to minimize false positive and high noise feeds of security events and information and streamlines threat response by having an adaptive and agile incident response management system,” he adds.

By focusing on threat intelligence, companies ensure that they are in a better position to respond to threats as they are being proactive rather than reactive. This allows them to stop malicious actors before they cause damage to their networks.

What prevents threat intelligence from being effective?

There are numerous challenges cyber security professionals encounter when collecting and applying data used to inform threat intelligence.

When surveyed by Cyber Security Hub, 38 percent of cyber security professionals said their biggest non-threat-based challenge was a lack of company-wide training/understanding of cyber security, and 37 percent cited the integration of cyber security into company culture. Both challenges affect threat intelligence: cyber security teams need to be extra vigilant when other employees do not understand how to safeguard against the cyber attacks their organizations are most likely to face. Telecommunications company Verizon found that 74 percent of all data breaches include a human element. Whether that element is human error, privilege misuse, the use of stolen credentials or social engineering-based attacks, the importance of properly educating employees cannot be overstated.

Kim Crawley, cybersecurity expert and author of upcoming book Hacker Culture: A to Z (set to be published in October 2023), says that threat intelligence can help companies ensure that the right incident detection, response and recovery process is in place for the threat vector they are facing. 

“Threat intelligence is most effective when an organization can determine that "x" is a vulnerability in their networks and threat modelling determines that attackers would exploit "x" by doing "y". Then you look for intelligence pertaining to "x" being used for "y." That way you can gather threat intelligence that's actually useful and relevant,” she explains.

Anthony Lim, fellow of cyber security and governance at Singapore University of Social Sciences, notes that threat intelligence must be used to create a proper, working and tested incident response plan.  

Lim explains that this was seen in the inquiry report for the biggest data breach case in Singapore to date.

The 2018 cyber attack saw unknown state actors steal the data of 1.5 million patients from the country’s largest healthcare group, SingHealth. The breach took place between June 27 and July 4, 2018, and was committed by hackers directly targeting Prime Minister Lee Hsien Loong. An investigation into the breach revealed that the malicious actors had created and deployed custom malware with the aim of circumventing SingHealth’s cyber security tools. It was also revealed that cyber security vulnerabilities flagged in a 2016 internal audit had not been rectified prior to the attack.

Lim explains that the investigation also found that the company’s incident response management was broken and that, if it had not been, the attack could have been prevented.

“Although [SingHealth] did have an incident response plan, it fell short in three critical ways: staff were unaware of what to do, including how or when to report a cyber security incident and to whom. Instead of escalating the incident up the chain of command, it went unreported as employees tried to deal with it on their own; staff did not have adequate cyber security awareness and training, meaning they were unable to understand the severity of the attack or how to respond effectively to it; and though there was a framework in place to report cyber security incidents, employees were not sufficiently trained on how to use it,” Lim further explains.

How has threat intelligence evolved?

As threat vectors have evolved, so has threat intelligence. With the progress the digital age has brought, cyber security professionals have harnessed new technologies like artificial intelligence (AI) and machine learning (ML) to prevent malicious actors from gaining access to their networks.

Additionally, cyber security professionals have changed their threat defense strategy from reactive to proactive. Instead of mitigating threats, cyber security professionals are working to wholly prevent them by using threat intelligence to inform a proactive incident response plan.

This section will explore how threat intelligence is evolving with the introduction of new technologies and attitudes, including artificial intelligence and a move from reactive to proactive threat detection and response strategies.

The adoption of AI and ML

Artificial intelligence (AI) in cyber security was valued at US$10.5bn in 2020, has been forecast to increase to $46.3bn by 2027 and is fundamentally changing the way threat intelligence operates. By using AI, cyber security teams can solve common threat intelligence issues like lack of time, competing priorities and a lack of cyber security knowledge or expertise. For example, Google has introduced AI-powered threat intelligence to address “threat overload, toilsome tools and the talent gap”.

Information technology and cybersecurity expert Amanda Fennell, an adjunct professor in the Tulane School of Professional Advancement, notes that there are many applications of AI within the realm of threat intelligence.  

“From the lowest level of chip design to programming interfaces, there are optimization problems that AI may be able to find the information to solve. We are all on the lookout for those products that are linking as much telemetry as possible and learning from it in real time to prevent adversaries from gaining traction in the cyber realm,” she notes.

Crawley shares that she believes the future evolution of cyber threats is being driven by more sophisticated and publicly accessible AI technologies; for example, cyber criminals are utilizing the generative AI chatbot ChatGPT in a range of ways. She notes, however, that this does not mean the technology should be outlawed but that the cyber security community will need to pay better attention to how malicious actors use AI so they can stay a step ahead of them.

Moving from reactive to proactive threat intelligence

As threat intelligence technology has evolved, so has the approach to threat intelligence. Instead of creating a reactive incident response plan, which explains how to respond to current or ongoing cyber attacks, cyber security professionals are looking to create a cyber resilient culture.

Irina Tsukerman, US national security lawyer and geopolitical analyst, says: “The threat intelligence market is still ballooning. Research suggests the market size of global threat intelligence is expected to be at $16.1 billion by 2025. As the role of security teams will become bigger, their approach to incident response will move from reactive to proactive. They will collaborate and interact more at different levels and be responsible for offering threat intelligence that identifies risks and defines business goals. Moving forward, threat intelligence will enable security teams to effectively predict and prevent threats at the earliest and promote proactive threat response.”

Cyber resilience revolves around detection and response, while cyber risk management means that companies base decisions about their threat intelligence strategy on the company as an individual entity. By doing this, organizations identify the threat vectors they are most likely to come up against and build an incident response plan around them.

Final remarks

Threat intelligence is an undeniably important part of cyber security. Only by investigating and analyzing cyber attacks can cyber security professionals form a proactive and effective incident response plan.

Threat intelligence has grown and developed in tandem with the threat landscape; as malicious actors have started to utilize technologies like AI and ML, cyber security professionals have further developed their threat intelligence strategies. Likewise, as the rate and volume of cyber attacks increase, threat intelligence has moved from purely reactive to proactive. This helps both prevent attacks and mitigate them if they do occur.

The internal culture of organizations has also changed, with those outside of cyber security teams recognizing the danger cyber security threats pose to the business as a whole. This means that even those outside of the cyber security team are looking at how threats affect them and what they can do to prevent cyber attacks.

It is important that current research into threats is used to inform threat intelligence strategies and that innovation continues in this area, thereby offering organizations the best chance of preventing and mitigating cyber security threats. 

