Threat Intelligence

Minimize Detection and Response Times While Enhancing Overall Network Security

The number and sophistication of cybersecurity attacks are growing rapidly. Augmenting your security approach with sophisticated threat intelligence provides vital insight to help mitigate harmful events.

What is Threat Intelligence?

Threat intelligence is defined as the evidence-based knowledge used to inform decisions and prioritization efforts for organizational response to known or potential cyberattacks. This includes a broad application of information, tools, and policies that allow an organization to minimize the risk presented by cybersecurity threats.

Unlike other more standardized cybersecurity disciplines like endpoint security, threat intelligence definition and practice may vary by organization. In general, the concept encompasses all efforts to bolster security posture through incident response, reporting, and compliance remediation. Common elements of threat intelligence focus on data collection to prepare for, prevent, identify, and remediate security events that can compromise valuable resources.

Cyber Castle Security

Key Threat Intelligence Phases

To effectively leverage threat intelligence in cybersecurity, one must adopt a holistic approach with multiple phases. Within each phase, a similar dedication to comprehensive data collection and analysis is required.

  • Protection

    Protection might be thought of as the fortification that every organization establishes to defend themselves from the brute force attacks, advanced persistent threats (APTs), and malware intrusions that continually grow in number and sophistication. Deploying solutions from multiple vendors has become a common approach for establishing both strength and depth of protection. Despite this emphasis on prevention, just one successful breach out of millions of attempts is enough to wreak havoc. With these insurmountable odds, it is more a question of when rather than if a breach will occur.

  • Detection

    The detection phase of threat intelligence begins once an intrusion has successfully circumvented protection efforts and anomalous behavior must be uncovered. Obfuscation tactics used by hackers to conceal their presence in the network are often well camouflaged. For example, they may delete ARP/CAM tables to cover their tracks when they access the switch. Typical lateral movement by bad actors as they move through the network includes scanning IP addresses or DNS names to see what responds and sniffing packets to discover what valuable data is nearby.

    Effective threat intelligence detection strategies utilize the power of recorded data to map the unabridged history of what the suspect machine or user has done. By capturing enriched flow records, MAC addresses of compromised machines can be entered into IP viewers to detect where else the hacker may have gone and what data could be compromised.

  • Response

    The threat intelligence response phase encompasses the actions after detection to correct the problem, contain the impact, and stop additional data from being exfiltrated. Once again, robust data capture, recall, and analysis are essential for responding to security breaches quickly and using threat intelligence to minimize the impact.

    Full-fidelity packet capture and enriched flow lets you conduct rapid historical analysis to determine the full extent and consequences of a system breach, despite any distributed denial-of-service (DDoS) attacks or other data corruption. Effective threat intel also creates a continuous improvement loop where response information and evidence from each event are used to bolster future protection and detection strategies.

How Can Your Organization Benefit From Cyber Threat Intelligence?

Threat intelligence can produce quantifiable, ongoing benefits for any organization. This is especially true during detection and response. By leveraging enriched flow records and ready access to individual packets, anomalous activity and lateral movement patterns can be identified quickly during the detection phase. High visibility into user, IP, and MAC relationships means other impacted devices can be assessed and customer exposure minimized.

Investigation efficiency translates directly into cost savings during the response phase. Studies have shown that breach response cycles of less than 200 days are on average $1.2M less costly than those spanning 200 days or more. Information is at the heart of this improved efficiency. Recorded threat intelligence data is proof of what was exfiltrated, when, and how much. Reporting costs and regulatory fines from privacy legislation like GDPR and CCPA are also minimized through detailed data capture and expedited response times.

What Does Threat Intelligence Data Show You?

Threat intelligence using flow-based solutions goes far beyond basic status report generation. Optimized threat intel adds a layer of analytical sophistication to the flow-based capture, leveraging multiple techniques to produce complete solutions.

Integrating authentication details from Active Directory, IP addresses from NetFlow, MAC addresses from ARP tables, and cloud data provides unprecedented network visibility. Backed by full fidelity forensics, enriched flow-based data also enables IP blacklists and traffic profile baselines to be continually updated and improved.

Enriched Flow

Cybersecurity intelligence data can be used to produce real-time threat maps that drill down to specific network monitoring use cases. This includes threat intel on who is (or was) using the rogue device and where it is located. Threat maps also provide insight into the communication history of the rogue device that point to root cause and exposure levels. Full packet capture can be used to “rewind” directly to critical moments in the breach or malicious event history so that detailed network conversations can be analyzed.

How Is Vulnerability Threat Intelligence Different from Basic Threat Intel?

Vulnerability management is closely related to threat intelligence. Specific vulnerabilities inherent to web applications or network infrastructure are what bad actors rely on for their mode of entry. Although vulnerability threat intelligence is an important subset of a holistic strategy, the two concepts differ in focus and scope.

Vulnerability threat intelligence is integral to protection and detection efforts. Penetration testing or pen testing is a common practice for subjecting the network to attempted breaches that simulate real world hacking. Appropriate security patches and other vulnerability remediation tasks are prioritized and deployed in a continuous fortification cycle.

By using threat intelligence to develop threat actor profiles, IP blacklists, and rich historical context on the tactics, techniques, and procedures (TTPs) of intruders, vulnerability prioritization can be better aligned with emerging trends. This application of informed decision making underscores the potential of data-centric cyber threat intelligence.

Service Profiles


Threat Intelligence Tools from VIAVI

A combination of user-centric flow analysis and deep packet capture enables the full power of threat intelligence to be leveraged. VIAVI has developed industry leading tools to optimize detection and response cycles while enhancing overall network security.

Observer GigaFlow
Using a mixture of authentication tools makes it difficult to quickly trace host device identification, location, and communication channels during detection. Observer GigaFlow bolsters threat intelligence by combining infrastructure, network, and user data into enriched flow records that are stored for convenient recall and analysis. Unauthorized device infiltration, lateral movement, or other rogue activities are identified in seconds rather than hours or days.  

The GigaFlow interactive IP Viewer provides a window into the network application, user, IP, and MAC relationships. Simply entering a host device or username produces an instantaneous trace of associated Layer 2 and 3 device and application usage details. This capability extends to all network infrastructure including elements not generating conventional flow data.

IP Viewer


Observer GigaStor
Packet capture is an invaluable threat intelligence detection and response tool that streamlines troubleshooting and significantly reduces dwell time. The VIAVI Observer GigaStor is the industry leading packet capture appliance with blazing wire capture and data mining speeds to keep up with the fastest enterprise networks. Each stored packet contains detailed breakouts of network conversations and transactions that can be recalled during the security breach response phase.

Once intrusive software or malware has eluded the intrusion detection system (IDS), it often moves rapidly throughout the network as it probes internally. Backdoors that bypass normal authentication might be used to leave without a trace. Using packet capture, a permanent and complete historical record of this activity can be recalled days or weeks later with precision. The location and impact of the initial breach can be identified quickly, minimizing dwell time and user impact.

Why is Having Comprehensive Network Visibility Critical to Threat Intelligence?

When solving a crime, multiple eyewitnesses, forensic evidence, and fingerprinting are the typical precursors of an open and shut case. These same principles apply to cybersecurity intelligence. Enriched flow data and packet capture combine to form a big picture view that identifies bad actors and their tactics. Comprehensive threat intelligence data is equally useful for breach remediation and repair.

Threat intelligence Fingerprints


Events like DDoS attacks leave distinctive fingerprints, with thousands of connection attempts flooding a service simultaneously. Packet capture produces permanent forensic records of these events that can be reconstructed to analyze the attack and prevent future occurrences. Combined enriched flow data and packet capture can be used to pinpoint with certainty where the bad actor got in, whether they are still there, and how the problem can be fixed efficiently.

Why Threat Intelligence Tools for Network Detection and Response are So Critical for Securing Your Organization

Office communication and networking are morphing into a conglomeration of commercial networks, private users and devices, and an increasing reliance on cloud computing. This new reality leads to a mixture of private/personal application usage, unprecedented geographical disparity of network users, and more unsecured endpoints. These endpoints are ready opportunities for hackers, accelerating the need for comprehensive threat intelligence in cybersecurity.

The cost of a cyber threat intelligence failure can be measured in stolen data, regulatory fines, and system downtime. Less quantifiable is the potential loss of hard-won reputation and consumer confidence. With cyber-attacks now a continuous and unavoidable reality, having the right threat intelligence tools to mitigate customer perception through rapid containment and remediation makes good business sense.

The Future of Threat Intelligence in Cybersecurity

The unexpected acceleration of the remote workplace is an example of unplanned change stacked upon planned titanic shifts in the network landscape. The IoT is introducing a new layer of endpoints for objects ranging from medical devices to automobiles and trains. Cyber threat intelligence will be relied upon to protect users and their data, along with the objects and services subject to theft, tampering, and privacy intrusion.

One certainty in the near term is that cybersecurity attacks will continue to grow in number and sophistication. Telecommuting has coincided with a spike in malicious cyber-attacks, and this uptick in activity is not expected to abate any time soon. Socioeconomic conditions, access to technology, and anonymity continue to incentivize bad actors to join the fray with new attacks occurring every 39 seconds. However, when enriched flow records and packet data are utilized to their fullest potential, the enormous threat posed by these trends can be mitigated significantly.

  • Analyst Paper

    2020 State of the Network Study

    Dynamic Disruption Everywhere

    Over 400 IT professionals weigh in on the unprecedented challenges being faced in maintaining optimal service delivery and safeguarding critical assets.

  • Webinar

    4 Gaps to Fix in Your Security Detection and Response

    Strategies from expert threat hunters designed for NetOps & SecOps teams

  • Product Release

    Introducing Observer GigaFlow

    Master performance and security challenges with insight from every perspective.

Explore More


Threat and Performance Management: 2 Key Data Sources


4 Gaps to Fix in Your Security Detection and Response


Introducing VIAVI Observer v18

Let Us Help

Contact us for more information, receive a price quote, or watch product demonstration videos. We’re here to help you get ahead.