

Threat Intelligence – What Does it Look Like?


Not only are today’s cyber attacks occurring more frequently, but they are also constantly changing and evolving. To protect ourselves from these threats, we need to stay aware and pay attention to emerging new threats. One of the things that you can do for your business is to invest in threat intelligence; this not only helps you stay aware of any new and emerging threats making their way across the internet, but also helps you monitor potential threats targeting your business network. Developing a Threat Intelligence Plan that outlines how you plan to monitor new cyber threats and attacks can provide great benefit to your business, and it doesn’t have to be a huge undertaking. Below are a few considerations for building out your own Threat Intelligence Program, as well as some example sources that may be useful for you to monitor going forward.

Developing your Threat Intelligence

While everyone’s Threat Intelligence Program is going to be different in some way, there are going to be certain things that everyone should consider when putting together such a program. Threat Intelligence components are going to fall into one of two categories: external or internal sources. While most businesses are more comfortable and familiar with external threat intelligence, both external and internal sources could be of significant use for any business looking to better secure its network.


External sources include any threat intelligence information gathered from an external source. The SANS Institute has a great summary of the sub-groups that we may use to better understand where we can be pulling this information from, which includes the following:

  • Data subscriptions, also known as feeds
  • Commonalities, such as by industry or geographic location
  • Relationships with government and law enforcement
  • Crowdsourced platforms


Now you may still be wondering how you can use these types of subscriptions or platforms, or how you can benefit from these information sources. Your answer could range from bad-actor IP ranges and domains to add to your firewall’s blacklist, to recently discovered vulnerabilities that your IT department might address, or even phishing emails that are targeting your industry. FS-ISAC is going to be a familiar example for most financial institutions, as it is fairly unique in that a subscription to FS-ISAC is a Baseline Cyber Maturity control in the FFIEC Cybersecurity Assessment Tool. The following sources are good examples to include in your Threat Intelligence Program:

Internal sources include monitoring any or all data from the perimeter of or inside your network. Rather than the subscription-based sources noted previously, internal sources might include items such as logs from your Firewall, SIEM system, or Intrusion Prevention or Detection system. Internally sourced threat intelligence is often discussed in terms of assessing malicious attacks directed at the network, as well as identifying what was targeted and how. Once you are able to detect an attack and determine what it’s trying to do, you can determine whether the attack exploited specific vulnerabilities or which attack vectors were used to initiate it, then use that information to improve the network’s security posture.


Internal threat intelligence sources can also be used to identify potential anomalies on the network, which often start by asking the question, “what does our normal network activity look like?” You cannot identify abnormalities on your network if you do not first understand the normal activity of your network. Internal sources that should be considered in your Threat Intelligence Program include, but are certainly not limited to, the following:

  • Total Network Logs per Second
  • Patch Management % / Known Vulnerabilities
  • Denied FTP Requests
  • Denied Telnet Requests
  • Failed Remote Logins
  • VPN Connections / Failed VPN Connections
  • Blacklisted IPs Blocked
  • New Admin Credentials created
  • Threshold for successive account lockouts
  • VLAN ACL violations
  • Changes to Group Policy
  • Increase in network bandwidth
  • Increase in outbound email traffic
  • DNS Request anomalies
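As an added illustration (not code from the article or from SBS), the script below shows how a few of the internal metrics above can be pulled from log data and compared against a baseline of "normal" activity. The key=value log layout, the event names and the sample lines are all constructed assumptions for this example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines (not from the article); the key=value layout is an assumption.
SAMPLE_LOG = """\
2018-04-25T08:01:10 host=vpn01 event=remote_login result=fail user=jdoe src=203.0.113.5
2018-04-25T08:01:12 host=vpn01 event=remote_login result=fail user=jdoe src=203.0.113.5
2018-04-25T08:01:15 host=vpn01 event=remote_login result=fail user=jdoe src=203.0.113.5
2018-04-25T08:01:19 host=vpn01 event=remote_login result=fail user=jdoe src=203.0.113.5
2018-04-25T08:01:23 host=vpn01 event=remote_login result=fail user=jdoe src=203.0.113.5
2018-04-25T08:02:00 host=vpn01 event=remote_login result=ok user=asmith src=198.51.100.7
2018-04-25T08:03:41 host=dns01 event=dns_request qname=updates.example.net src=10.0.0.12
2018-04-25T08:05:02 host=fw01 event=telnet_denied src=10.0.0.40 dst=10.0.0.1
"""
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_log(text):
    """Turn each line into a dict of its key=value fields (the timestamp is not needed here)."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def metric_counts(events):
    """Tally a few of the internal metrics listed above for one reporting period."""
    counts = Counter()
    for e in events:
        if e.get('event') == 'remote_login' and e.get('result') == 'fail':
            counts['failed_remote_logins'] += 1
        elif e.get('event') == 'telnet_denied':
            counts['denied_telnet_requests'] += 1
        elif e.get('event') == 'dns_request':
            counts['dns_requests'] += 1
    return counts

def lockout_candidates(events, threshold=5):
    """Users whose successive failed remote logins reach the lockout threshold; a success resets the streak."""
    streak, flagged = Counter(), set()
    for e in events:
        if e.get('event') != 'remote_login':
            continue
        if e.get('result') == 'fail':
            streak[e['user']] += 1
            if streak[e['user']] >= threshold:
                flagged.add(e['user'])
        else:
            streak[e['user']] = 0
    return sorted(flagged)

def is_anomalous(baseline, current, k=2.0):
    """Baseline first: flag this period's count only when it exceeds the past periods' mean + k std devs."""
    return current > mean(baseline) + k * pstdev(baseline)
```

The baseline passed to is_anomalous would normally be the same metric from previous days or weeks, which is the "what does normal look like" question the article raises.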


Where does our Threat Intelligence Program belong?

Now that you have established external and internal sources for your Threat Intelligence Program, where does your Threat Intelligence Program belong? While there is no one correct answer to this, a great place to integrate this information is in your Incident Response Plan. Not only does adding Threat Intelligence to your Incident Response Program cut out the need to manage another document separately, it also fits well with the theme of your Incident Response Plan. In the end, the location of the document is of little consequence; the proper creation of the document itself and the utilization of the information gathered will ultimately be what determines the usefulness of the program.

Written by: Cole Ponto
Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • {Service} Incident Response Planning: An SBS consultant can assure your well-structured Incident Response Plan (IRP) will help mitigate the negative effects of a security breach, as well as demonstrate to examiners that your organization is properly prepared to handle such an event.
  • {Free Download} 50+ Incident Response Preparedness Checklist Items: If you are uncertain how to go about preparing for and detecting an incident on your network, you are certainly not alone; this checklist will get you started. This list contains over 50 items in the areas of configurations, logging, vendor information, key personnel, and detection monitoring that should be prepared ahead of time.
  • {Hacker Hour} Incident Response Round Table: Join SBS for this free webinar in which we will discuss best practices to write and test your incident response plan. We will also walk through some common scenarios that should be considered in your plan.

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Certified Banking Incident Handler


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, April 25, 2018
Categories: Blog