We Need Better Classification of Threat Intelligence

Lack of Clarity in the Threat Intelligence Space is Causing Confusion

The threat intelligence landscape has changed vastly over the years. The term originally referred to malware Indicators of Compromise (IOCs): lists of known malware signatures and the servers that malware communicates with, used to identify infected devices within corporate networks. As time went by, vendors broadly expanded that concept to offer new types of intelligence. Today "threat intelligence" encompasses an ever-growing set of offerings that, from an operational standpoint, serve different use cases.

For example, intelligence on external exposures such as leaked documents or leaked source code has nothing to do with malware. Other examples may not even involve a malicious actor: sensitive data can leak because of an employee's mistake. Intelligence can take the form of feeds that map known "bad things" on the internet, or it can be specific to one organization. Yet all of these deliverables are grouped together with malware IOCs under "threat intelligence".

Adding to the complexity is the fact that some "threat intelligence" offerings are focused on detecting threats, while others are focused on enriching indicators the customer already has. Many popular threat intelligence solutions are designed to help SOCs investigate potential incidents. In these use cases the user already holds an indicator (an IP address, a domain name, a file hash) and wants to know whether it is legitimate or malicious. Intelligence offerings focused on detection, by contrast, aim to alert users to threats in the first place. Larger intelligence operations typically combine both types of offerings.
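To make the detection-versus-enrichment distinction concrete, here is an added illustration that is not part of the original column. It runs one constructed IOC feed in both modes: detection sweeps log telemetry for any hit and raises alerts, while enrichment answers a question about a single indicator the analyst already holds. The feed entries, the key=value log lines, the field names and the malware family names are all constructed for this example and are not real threat data.

```python
"""Detection vs enrichment over the same (constructed) IOC feed."""
import ipaddress
import re

# Constructed sample IOC feed: illustrative values only, not real threat data.
IOC_FEED = [
    {"indicator": "c2.example-bad.test", "malware": "ExampleRAT", "confidence": 90},
    {"indicator": "203.0.113.45", "malware": "ExampleRAT", "confidence": 75},
    {"indicator": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "malware": "ExampleDropper", "confidence": 95},
]

# Constructed proxy-style log lines in key=value form (hypothetical format).
SAMPLE_LOGS = [
    "ts=2024-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 host=c2.example-bad.test",
    "ts=2024-03-01T10:00:07Z src=10.0.0.6 dst=198.51.100.10 host=intranet.example.test",
    "ts=2024-03-01T10:01:12Z src=10.0.0.7 dst=192.0.2.9 host=files.example.test "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)

# Log fields whose values are compared against the feed.
DETECT_FIELDS = ("dst", "host", "sha256")


def normalize(indicator: str) -> str:
    """Canonical form so 'C2.Example-Bad.Test.' and upper-case hashes still match."""
    return indicator.strip().lower().rstrip(".")


def classify(indicator: str) -> str:
    """Return 'ip', 'sha256', 'domain' or 'unknown' for an indicator string."""
    s = normalize(indicator)
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(s):
        return "sha256"
    if DOMAIN_RE.match(s):
        return "domain"
    return "unknown"


def build_index(feed):
    """Index the feed by normalized indicator and tag each entry with its type."""
    return {normalize(e["indicator"]): {**e, "type": classify(e["indicator"])} for e in feed}


INDEX = build_index(IOC_FEED)


def enrich(indicator: str, index=INDEX):
    """Enrichment: the analyst already holds an indicator and asks what is known.

    A miss (None) means 'nothing in this feed', not 'clean'.
    """
    return index.get(normalize(indicator))


def parse_kv(line: str) -> dict:
    """Parse a space-separated key=value log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def detect(lines, index=INDEX):
    """Detection: scan telemetry for any feed hit and raise one alert per hit."""
    alerts = []
    for line in lines:
        rec = parse_kv(line)
        for field in DETECT_FIELDS:
            value = rec.get(field)
            if value is None:
                continue
            hit = index.get(normalize(value))
            if hit:
                alerts.append({
                    "ts": rec.get("ts"), "src": rec.get("src"), "field": field,
                    "indicator": hit["indicator"], "type": hit["type"],
                    "malware": hit["malware"], "confidence": hit["confidence"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT", alert)
    print("ENRICH", enrich("C2.EXAMPLE-BAD.TEST."))
    print("ENRICH", enrich("intranet.example.test"))
```

The same feed drives both functions, but the workflows differ: `detect()` needs no starting point and produces alerts from raw telemetry, whereas `enrich()` only makes sense once an analyst has an indicator in hand, and its negative answer must be read as "unknown to this feed" rather than "benign".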

Some intelligence services focus their efforts on identifying threat actor groups and attack methods, and on informing customers whether they are being targeted. The goal of such deliverables is to give the security team situational awareness of what is happening outside the organization, not necessarily to alert them to an incident involving them. They are less actionable in nature, but serve a purpose for organizations that want to keep their security teams up to date with the current landscape. Such offerings are often labeled "threat intelligence" as well.

When the single term "threat intelligence" is used to describe so many offerings, it is impossible to tell whether a given intelligence service focuses on detection or enrichment, whether the threats it addresses are broad or specific, whether the intelligence is customer-specific or generic, and how actionable it really is. This lack of clarity is causing confusion.

Some terms are beginning to emerge to better define intelligence offerings, the most prominent being Digital Risk Protection, or DRP. While many vendors use it to describe services designed to identify external threats, it often seems to include traditional "threat intelligence" such as malware IOCs as part of the vendor's offering, blurring the line between the two terms. Certain vendors have adopted the term "external threat intelligence" to describe their service, while others went for a more descriptive tagline of what the threat intelligence offering includes.

The threat intelligence space definitely needs clearer terms. While DRP seems to be emerging as a way to describe certain intelligence offerings more clearly, each term's boundaries should be better defined. Unfortunately, such clarity is usually the result of maturity and time, and until then vendors will need to be very mindful of their message to make sure potential customers understand what they are signing up for.
