1.1. Definition and Significance of Threat Intelligence
As today's cyber-attacks have become more diverse, complex and specialized, the passive protection methods of traditional security have gradually failed, and defense against attacks has gradually shifted to active defense based on detection and analysis. However, the current state of attack detection worldwide is not encouraging. To close the information gap between attackers and defenders, more and more enterprises are paying attention to building threat intelligence platforms, using the collection and sharing of threat intelligence to improve the efficiency of the corporate security team (RFSID, 2017).
There is no single industry definition of threat intelligence. Most of the literature refers to the definition proposed by Gartner in its 2014 Market Guide for Security Threat Intelligence Services: threat intelligence is evidence-based knowledge about existing or potential threats to IT information assets, including context, mechanisms, indicators, inferences and feasible recommendations, that can provide a basis for decisions on how to respond to the threat.
In the era of big data, any behavior can be recorded and analyzed. Once a cybersecurity incident occurs, the behavioral methods involved in the incident are recorded and analyzed, and the corresponding threat information is produced for reference by other parties so that they can avoid the same attack. This is the meaning of threat intelligence. With its highly standardized data format, the high knowledge density of its content, its high accuracy and its strong correlation, threat intelligence provides strong data support for every stage of security analysis. As a result, security teams in various countries are actively exploring the value of threat intelligence data and researching threat intelligence analysis and sharing technologies (Solomon, 2017).