Is Threat Intelligence a Misnomer?
The bulk of what passes for “threat intelligence” is just ephemeral data, such as IP addresses and domains that attackers rotate frequently, and is only useful on short-lived blacklists. To improve their cybersecurity, organizations need to raise their “threat IQ”. The security ecosystem of vendors and service providers actually refines a great deal of threat intelligence (TI) out of raw data, but to really leverage TI organizations must develop sophisticated internal processes.
I’m speaking at a Threat Intelligence Summit two weeks from now and therefore have been researching the literature and putting together some slides. I was struck by the following quote from an unknown author:
I won’t bore you with the formal definition of all these terms, just the one for intelligence – “The ability to acquire and apply knowledge and skills.”
That led me to put together two more slides explaining that threat “data” has to be refined before it can be of lasting use in detection or prediction, let alone in the more difficult problem of attribution to the real threat actors (people and organizations).
Threat data must be enriched, contextualized and leveraged
From the diagram on the left, you can see how “threat data” can be enriched and contextualized to become “threat knowledge.” The slide on the right refers to this as “threat intelligence fusion.” Threat fusion can create more useful and durable threat indicators; rather than just an IP address on a blacklist, the target organization “Z” can now know that it is targeted by “Y” (say “a South Ossetian hacker group”) using X (say “Russian bulletproof hosting services and a specific variant of Zeus malware”). The IP address will be rotated within days, but the hosting provider, the malware family and the actor behind them change far more slowly. Hopefully, you can see how this threat knowledge could be useful for weeks or months and might be leveraged in tools and analytics to become actionable intelligence.
The security industry ecosystem does a pretty good job of refining threat data into threat intelligence (TI). Vendors and managed security services providers (MSSPs) collect threat data or information and feed it to their threat-facing products or services in customer or cloud environments. These commercial providers, open source security communities and customers themselves circulate a great deal of data to public and private sector sharing communities through the newly-minted STIX format and TAXII transport protocol, enabling continual enrichment and contextualization.
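As an added illustration of the fusion step described above (this is example code written for this page, not code from the original post or from any vendor), the script below takes a constructed blocklist feed of bare IP addresses, joins it against constructed context tables (netblock owner, malware sightings, which actor uses which hoster) and emits a STIX 2.1 bundle. The feed entries, netblock owners, malware name and “Hypothetical hacker group Y” are all invented for the example. The point it makes in code is the one made in prose: the IP indicators carry a short `valid_until` and age off the blacklist, while the malware, infrastructure and intrusion-set objects and the relationships between them are the durable knowledge that remains.

```python
"""Fuse raw threat data into contextualized STIX 2.1 objects.

Added example, not code from the original post. Every feed entry, netblock
owner, malware name and actor name below is constructed for illustration.
"""
import ipaddress
import uuid
from datetime import datetime, timedelta, timezone

TS = "%Y-%m-%dT%H:%M:%S.000Z"  # STIX timestamp format (millisecond precision, UTC)

# Constructed "threat data": bare IPs as they would arrive from a blocklist feed.
RAW_FEED = [
    {"ip": "203.0.113.7", "first_seen": "2014-08-01T00:00:00Z", "tags": ["c2"]},
    {"ip": "203.0.113.9", "first_seen": "2014-08-03T00:00:00Z", "tags": ["c2"]},
    {"ip": "198.51.100.22", "first_seen": "2014-08-05T00:00:00Z", "tags": ["scanner"]},
]
# Constructed context that the fusion step joins onto the raw data.
NETBLOCK_OWNER = {"203.0.113.0/24": "Hypothetical bulletproof hoster",
                  "198.51.100.0/24": "Hypothetical cloud provider"}
MALWARE_SIGHTINGS = {"203.0.113.7": "Hypothetical Zeus variant",
                     "203.0.113.9": "Hypothetical Zeus variant"}
ACTOR_INFRA = {"Hypothetical bulletproof hoster": "Hypothetical hacker group Y"}


def stix_id(obj_type, key):
    """Deterministic id: the same real-world entity always fuses to one STIX object."""
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{obj_type}:{key}')}"


def parse_ts(ts):
    """Accept STIX timestamps with or without the millisecond field."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {ts!r}")


def enrich(raw):
    """Join hosting, malware and actor context onto one raw feed entry."""
    addr = ipaddress.ip_address(raw["ip"])
    hoster = next((o for cidr, o in NETBLOCK_OWNER.items()
                   if addr in ipaddress.ip_network(cidr)), None)
    return {**raw, "hoster": hoster,
            "malware": MALWARE_SIGHTINGS.get(raw["ip"]),
            "actor": ACTOR_INFRA.get(hoster)}


def fuse(feed, raw_ttl_days=30, now=datetime(2014, 8, 10, tzinfo=timezone.utc)):
    """Build a STIX 2.1 bundle. Bare IP indicators get a short valid_until because
    the attacker rotates them; actor, malware and infrastructure objects and the
    relationships between them carry no expiry and are the durable knowledge."""
    stamp = now.strftime(TS)
    objects = {}

    def add(obj_type, key, **props):
        oid = stix_id(obj_type, key)
        objects.setdefault(oid, {"type": obj_type, "spec_version": "2.1", "id": oid,
                                 "created": stamp, "modified": stamp, **props})
        return oid

    def rel(src, kind, dst):
        add("relationship", f"{src}|{kind}|{dst}",
            relationship_type=kind, source_ref=src, target_ref=dst)

    for e in map(enrich, feed):
        seen = parse_ts(e["first_seen"])
        ind = add("indicator", e["ip"],
                  name=f"{e['ip']} ({', '.join(e['tags'])})",
                  indicator_types=["malicious-activity"],
                  pattern=f"[ipv4-addr:value = '{e['ip']}']", pattern_type="stix",
                  valid_from=seen.strftime(TS),
                  valid_until=(seen + timedelta(days=raw_ttl_days)).strftime(TS))
        mal = infra = None
        if e["malware"]:
            mal = add("malware", e["malware"], name=e["malware"], is_family=False)
            rel(ind, "indicates", mal)
        if e["hoster"]:
            infra = add("infrastructure", e["hoster"], name=e["hoster"],
                        infrastructure_types=["hosting-malware"])
            rel(ind, "indicates", infra)
        if e["actor"]:
            actor = add("intrusion-set", e["actor"], name=e["actor"])
            if infra:
                rel(actor, "uses", infra)
            if mal:
                rel(actor, "uses", mal)
    return {"type": "bundle", "id": stix_id("bundle", stamp), "objects": list(objects.values())}


def durable_objects(bundle):
    """What survives after blocklist entries age out: everything except the time-bounded indicators."""
    return [o for o in bundle["objects"] if o["type"] not in ("indicator", "relationship")]


def expired_indicators(bundle, at):
    """Ids of indicators whose valid_until has passed at ISO time `at`; these drop off the blocklist."""
    cutoff = parse_ts(at)
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "indicator" and parse_ts(o["valid_until"]) < cutoff]


if __name__ == "__main__":
    import json
    bundle = fuse(RAW_FEED)
    print(json.dumps(bundle, indent=2))
    print("durable:", [o["name"] for o in durable_objects(bundle)])
    print("expired by 2014-10-01:", expired_indicators(bundle, "2014-10-01T00:00:00Z"))
```

Run as-is it prints the bundle, then the four durable objects (the malware, the two hosting infrastructures and the intrusion set) and, two months on, all three IP indicators as expired. Deterministic ids (`uuid5` over type and name) are what make repeated feeds fuse onto the same actor and malware objects instead of duplicating them, which is the same property a real TAXII collection needs when it receives the same entity from several sources.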
To validate that all this information or knowledge about threats is accurate and current, however, requires access to a bit more research, contacts and expertise. The best TI is acquired from specialist vendors, peers in your own industry and/or funded government working groups in the Department of Homeland Security (DHS) on the civilian side (in the U.S.) and other teams on the defense and intelligence side.
Customer organizations must invest some funds in private threat intelligence services and some efforts in public or private sector sharing communities in order to get access to the best TI from the security industry ecosystem. In follow-up posts we’ll cover questions on how much to invest in TI – and an enterprise approach to using it.