Connect with us

Hi, what are you looking for?


Incident Response

How Threat Awareness is Different From Threat Intelligence

As I wrote about last month, there is an increasing interest by a wide range of organizations to acquire access to external threat intelligence or feeds.  While this is potentially a good thing, it needs to be seen within

As I wrote about last month, there is an increasing interest by a wide range of organizations to acquire access to external threat intelligence or feeds.  While this is potentially a good thing, it needs to be seen within the context of what an organization can actually do with such information once acquired. 

There are a number of challenges organizations need to address to make effective use of threat intelligence data. One major challenge is simply working around existing internal separations of roles or responsibilities (i.e. the network team, the server team, and the security team are essentially completely autonomous from each other). This can prevent, or at least make difficult, taking direct action based on gathered data.

For example, threat intelligence might indicate that there is an increased likelihood of a targeted attack designed to exploit an unpatched vulnerability.  However, what happens when those devices are managed by another team? They are now forced to perform an “off schedule” patch, possibly with limited testing, while interrupting other ongoing scheduled tasks. Without a sense of cooperation or teamwork, and the ability to rate risk against business impact, over time this is likely to become a “boy crying wolf” scenario.

Cybersecurity Threats

One excellent method for bridging this divide is to begin thinking and talking about risk from a threat awareness perspective.

You might be wondering what I mean by threat awareness, and how this is different from threat intelligence. Threat awareness is the process of identifying the systems, services, and applications that are essential to the operation of your organization, assessing the current controls and protections that have been implemented for them, identifying the areas where new and/or improved controls are needed, and then developing a prioritized plan to address those gaps.

Historically, this approach was applied to the physical elements of organizations, particularly those that dealt with high-risk products, such as chemical plants, transportation, and similar critical infrastructure industries.

These same concepts need to be applied by all organizations to the security of their information technology systems as well, particularly as ever-increasing numbers of these systems are exposed to external users rather than the more traditional (and hopefully, more closely monitored) internal users – i.e. the security nemesis that is the Internet, or increasingly, systems that have been moved completely outside of our physical control, such as migration to cloud services.  This latter trend may also change threat awareness prioritization. For example, data at rest in our own data centers may be viewed as secure. However, when it is sitting in an external, shared storage system, then encryption of this data may need to be a much higher priority.

Advertisement. Scroll to continue reading.

A complementary component of threat awareness is having a plan, or at least a framework, in place to deal with a threat once you become aware of it. Each element identified in your threat awareness evaluation should have a related plan of action that is triggered when that particular element appears to be under attack.

For example, let’s consider a simple internally developed Internet application delivered via a Cloud Services (IaaS) deployment.  Do you know what steps your IaaS provider is taking (if any) to prevent attacks such as DDoS, or even a simple port scan? If the application was deployed in-house, you could ask your security or network team. Who is the equivalent resource at your provider? The answer to that question will determine what additional protections you may want to build into your application stack. Then of course, the application itself should be reviewed for potential weakness. You may want to consider, for example, if your application is better protected by a WAF (Web Application Firewall) as compared to a more typical Firewall (whether a NGFW, enterprise, etc.).

A critical part of threat awareness is also having visibility into the events and exploit attempts against the systems you are tracking. This analysis traditionally falls within the realm of SIEM and SIEM-like products. The best of these accept input from a wide range of vendors using a wide variety of mechanisms, and then correlate those events together looking for sophisticated and multi-vector threats. This can significantly reduce the amount of information that needs to be consumed or hand-correlated by your SOC or NOC.

Another key consideration of an effective threat awareness implementation is looking at solutions that have the potential to take mitigation actions without administrative intervention. Next generation SIEM solutions become a key component of implementing an effective multi-vendor security fabric architecture.

Finally, information generated by SIEM tools is also critical to the continuous refinement of your threat awareness positioning. These systems can inform IT organizations of critical issues they may not have previously been aware of, allowing them to take countermeasures before a breach occurs.

Once you have an understanding of where your risks are, you can make better choices about what types – and more importantly, what sources – of threat intelligence are most applicable, and hopefully, most useful to your organization.

Here are three critical takeaways from this discussion:

• Identify your threats, and take into consideration that they may be different for different platforms

• Evaluate your capability to be informed that a threat is taking place, who gets this information, and whether they are empowered to act on that intelligence

• Develop a plan to implement compensating controls to fill identified gaps in your threat awareness strategy.

Related: Distinguishing Threat Intelligence From Threat Data

RelatedWhat is the Difference Between Information and Intelligence?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...