Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

We Need Better Classification of Threat Intelligence

Lack of Clarity in the Threat Intelligence Space is Causing Confusion

Lack of Clarity in the Threat Intelligence Space is Causing Confusion

The threat intelligence landscape has vastly changed over the years. While the term was originally used to refer to malware Indicators of Compromise (IOC) – lists of known malware signatures and the servers those malware communicate with, a method to identify infected devices within corporate networks – as time went by vendors have broadly expanded that concept to offer new types of intelligence. The term “Threat Intelligence” encompasses an ever-growing set of offerings that, on an operational standpoint, have different use cases. 

For example, intelligence on external threats such as leaked documents or leaked source code has nothing to do with malware. Other examples may not even refer to malicious threats, where sensitive data can leak due to an error on one of the employees’ behalf. Intelligence can be in the form of feeds, mapping known “bad things” on the internet, or could be specific to an organization. Yet, all these intelligence deliverables are grouped together with malware IOCs as part of “threat intelligence”. 

Adding to the complexity is the fact that some “threat intelligence” offerings are focused on detecting threats, while others are focused on enriching it. There are multiple popular threat intelligence solutions designed to help SOCs investigate potential incidents. In these use cases, the user already has an indicator – an IP address, a domain name, etc. – and they want to understand if it is legitimate or malicious. Intelligence offerings focused on detection aim to alert the users of the threats in the first place. In larger intelligence operations, a combination of both types of offerings is implemented.

Some intelligence services focus their efforts on identifying threat actor groups and attack methods, informing their customers whether they are targeted or not. The goal of such intelligence deliverables is to provide situational awareness to the security team of what is happening outside the organizations, not necessarily alerting them of an incident involving them. It is less actionable in nature, but serves a purpose for organization that wants to keep their security teams up to date with the current landscape. Such offerings are often time labeled “threat intelligence” as well.

When using the single term “threat intelligence” to describe so many offerings, it is impossible to understand if a certain intelligence service focuses on detection or enrichment, if the threats it addressed are broad or specific, and whether the intelligence is customer-specific or generic, as well as how actionable it really is. And this lack of clarity is causing confusion. 

Some terms are beginning to emerge to better define intelligence offerings, with the most prominent one being Digital Risk Protection, or DPO. While it is used by many vendors to describe services designed to identify external threats, it does often time seem to include the traditional “threat intelligence” as part of the vendor’s offering, such as malware IOCs, blurring the lines between the two terms. Certain vendors have also adopted the term “external threat intelligence” to describe their service, while others went for a more descriptive tagline of what the threat intelligence offering includes. 

The threat intelligence space definitely needs clearer terms. While DPO seems to emerge from this space as a way to more clearly describe certain intelligence offerings, each term’s boundaries should be better formed. Unfortunately, these things are usually the result of maturity and time – and until then vendors will need to be very mindful of their message to make sure potential customers understand what they’re signing up for. 

RelatedGraduation Day – From Cyber Threat Intelligence to Intelligence

RelatedMisconceptions of Cyber Threat Intelligence

Written By

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.


Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Threat Intelligence

Enhancing cybersecurity and compliance programs with actionable intelligence that adds insight can easily justify the investment and growth of threat intelligence programs.