Don’t Search for a Needle in a Haystack: Use Cases for Threat Intelligence

Threat Intelligence Can be Used to Support Effective and Automated Incident Response

Threat intelligence is an increasingly prominent element of security operations. In fact, back in 2017 Gartner predicted a 15x increase in the number of large enterprises using commercial threat intelligence by 2020. Threat intelligence comes in many forms, from a variety of vendors, and serves several distinct use cases. In this article, we will explore some of the use cases for threat intelligence that are especially relevant to the aspects of security operations with which I work most closely: security orchestration, automation, and response, otherwise known as SOAR.

Automation tools have changed the way that security teams turn information into action, with the ability to automatically search and collect threat intelligence from a variety of third-party sources. This reduces the burden on analysts who are tasked with sifting through the vast amounts of complex information produced by threat intelligence platforms, allowing threat intelligence to play a more important role in day-to-day incident response.

Automated Alert Enrichment

Incident response and SOAR platforms can interface with threat intelligence platforms to enrich event alerts from a variety of tools—including SIEM—with contextual data that helps eliminate false positives and identify and convict real incidents. In an automated platform, the potential threat indicators in a SIEM alert are looked up in the integrated threat intelligence platforms as the alert arrives, giving analysts a full picture of the threat by the time they open the incident report.

Threat intelligence lookups can also be done as a proactive step during an investigation. Analysts can manually conduct queries about entities while evaluating an incident. For example, an IP address from a historical incident could be checked against a threat intelligence database and blacklisted if it is known to be malicious.

Phishing Response

Not all incidents start as SIEM alerts. Phishing attempts, for example, often come to the attention of the security team via a report by someone else in the organization. Threat intelligence can be valuable in this instance as well. If an employee receives a suspicious email and reports it as an incident, the security team can assess the email by querying threat intelligence sources to check the domain reputation, identify the domain owner, find connections to internet service providers that are known to host malicious content, and more.
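The automated alert enrichment described above and the phishing-report triage described here come down to the same step: pull the indicators out of the incoming text, look each one up, and attach what the intelligence source knows before an analyst opens the case. The following added Python example (not code from the article or from any vendor platform) does that against a constructed in-memory feed that stands in for a threat intelligence platform API; the feed entries, domains and addresses are hypothetical, and the `INTERNAL` ranges are an assumed list of the organization's own networks.

```python
import ipaddress
import re

# Constructed stand-in for a threat-intelligence platform (hypothetical data, not a
# real feed): indicator -> the context an analyst would otherwise query by hand.
TI_FEED = {
    "203.0.113.45": {"verdict": "malicious", "tags": ["c2"], "source": "feed-A"},
    "evil-login.example": {"verdict": "malicious", "tags": ["phishing"],
        "registrar": "Example Registrar (hypothetical)", "hosting": "AS64496, hosts malware"},
    "cdn.example.net": {"verdict": "benign", "tags": [], "source": "feed-B"},
}
# Assumed list of our own address ranges (RFC 1918): internal hosts are not TI lookups.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Indicator extractors. The domain pattern is deliberately simple (it would also
# match a filename such as report.pdf); production code validates the TLD.
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}

def extract_iocs(text):
    # Returns {kind: set(values)} for the indicators worth looking up.
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        for value in pattern.findall(text):
            if kind == "ip":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue  # 999.1.1.1 fits the regex but is not an address
                if any(addr in net for net in INTERNAL):
                    continue
            found.setdefault(kind, set()).add(value.lower())
    return found

def enrich(alert_text):
    """Attach TI context to every indicator and derive a triage severity."""
    iocs = extract_iocs(alert_text)
    matches = [{"indicator": v, **TI_FEED[v]}
               for vals in iocs.values() for v in sorted(vals) if v in TI_FEED]
    unknown = sorted(v for vals in iocs.values() for v in vals if v not in TI_FEED)
    if any(m["verdict"] == "malicious" for m in matches):
        severity = "high"    # convicted by intel: the case opens already enriched
    elif unknown:
        severity = "review"  # indicators with no intel still need an analyst
    else:
        severity = "low" if iocs else "none"
    return {"iocs": iocs, "matches": matches, "unknown": unknown, "severity": severity}

SIEM_ALERT = "IDS: outbound 10.0.0.5 -> 203.0.113.45:443, process sha256=" + "ab" * 32  # constructed
PHISHING_REPORT = "From: billing@evil-login.example\nLink: https://cdn.example.net/invoice"  # constructed
```

Running `enrich(SIEM_ALERT)` skips the internal source host, convicts the destination address on the feed hit and lists the unknown hash for the analyst; `enrich(PHISHING_REPORT)` returns the sender domain's registrar and hosting context alongside the benign link domain.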

Proactive Investigation

Beyond helping to manage the immediate risks of incoming security incidents, threat intelligence can be used to investigate all kinds of unwelcome activity in the online world. Examples might include unauthorized parties posing as your brand online, posting malicious links on your social media, or violating your copyrights. When an organization comes across this type of unwanted activity, the security team will want to find out who is behind it, how dangerous they are, and in which legal jurisdiction they are located. Querying threat intelligence sources can provide this valuable context, by identifying known malicious actors and domains that are involved, as well as geolocating the source of the activity. This information can tell you whether you’re dealing with a teenage prankster or a sophisticated scammer, allowing you to employ the most appropriate risk mitigation strategy moving forward.

Intelligence Sharing

Sharing threat intelligence is an important way for organizations to stay one step ahead of (or at least not too far behind) attackers. There are many different networks that bring new threats to light by facilitating the sharing of information. Some of the most useful include Spamhaus, SANS’ Internet Storm Center, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). In addition to industry-specific sharing networks, some threat intelligence providers actively promote the bidirectional flow of data so that users can contribute information to their database of threat indicators.

Given that most SOC analysts are already too busy chasing after security alerts to take a proper lunch break, no one has the time to stay perfectly up-to-speed on the latest threats and attackers. There is simply too much relevant information for one person to make sense of on their own. That’s one of the reasons why threat intelligence adoption is expected to grow so rapidly in enterprises.

I’ve just covered a small range of the ways threat intelligence can be used to support effective and automated incident response, but there are many other use cases across security operations. If you aren’t leveraging threat intelligence in your security operations, you’re depriving yourself of a valuable tool. To explore the usefulness of threat intelligence without having to take a hit to your budget, start by experimenting with one of the many free sources provided by trusted organizations and government entities.
