We Need Better Classification of Threat Intelligence
Lack of Clarity in the Threat Intelligence Space is Causing Confusion
The threat intelligence landscape has changed vastly over the years. The term originally referred to malware Indicators of Compromise (IOCs): lists of known malware signatures and the servers that malware communicates with, used to identify infected devices within corporate networks. As time went by, vendors broadly expanded that concept to offer new types of intelligence. The term “Threat Intelligence” now encompasses an ever-growing set of offerings that, from an operational standpoint, serve different use cases.
For example, intelligence on external threats such as leaked documents or leaked source code has nothing to do with malware. Other examples may not even involve a malicious threat, such as sensitive data leaking because of an employee’s mistake. Intelligence can take the form of feeds mapping known “bad things” on the internet, or it can be specific to one organization. Yet all of these intelligence deliverables are grouped together with malware IOCs under “threat intelligence”.
Adding to the complexity is the fact that some “threat intelligence” offerings are focused on detecting threats, while others are focused on enriching them. There are multiple popular threat intelligence solutions designed to help SOCs investigate potential incidents. In these use cases, the user already has an indicator (an IP address, a domain name, etc.) and wants to understand whether it is legitimate or malicious. Intelligence offerings focused on detection, by contrast, aim to alert users to threats in the first place. In larger intelligence operations, a combination of both types of offerings is implemented.
Some intelligence services focus their efforts on identifying threat actor groups and attack methods, informing their customers whether they are targeted or not. The goal of such intelligence deliverables is to give the security team situational awareness of what is happening outside the organization, not necessarily to alert them to an incident involving them. It is less actionable in nature, but it serves a purpose for organizations that want to keep their security teams up to date with the current landscape. Such offerings are often labeled “threat intelligence” as well.
When the single term “threat intelligence” is used to describe so many offerings, it is impossible to tell whether a given intelligence service focuses on detection or enrichment, whether the threats it addresses are broad or specific, whether the intelligence is customer-specific or generic, and how actionable it really is. This lack of clarity is causing confusion.
Some terms are beginning to emerge to better define intelligence offerings, the most prominent being Digital Risk Protection, or DRP. While many vendors use it to describe services designed to identify external threats, it often seems to include traditional “threat intelligence” such as malware IOCs as part of the vendor’s offering, blurring the lines between the two terms. Certain vendors have also adopted the term “external threat intelligence” to describe their service, while others went for a more descriptive tagline of what the threat intelligence offering includes.
The threat intelligence space definitely needs clearer terms. While DRP seems to be emerging from this space as a way to describe certain intelligence offerings more clearly, each term’s boundaries should be better defined. Unfortunately, such definitions are usually the result of maturity and time, and until then vendors will need to be very mindful of their message to make sure potential customers understand what they’re signing up for.