The Term “Threat Intelligence” is Poisoned. It Does Not Mean What You Think it Means.
I’m guessing the creators of the movie The Princess Bride had no idea that Inigo Montoya’s quote – You keep using that word. I do not think it means what you think it means. – would be widely quoted for years to come. It captures a disconnect that I believe is at the heart of many human interactions: the assumptions we all have when we enter discussions that can prevent us from truly listening and understanding. These preconceived notions can be so engrained that we don’t even realize the impact they have on our ability to engage in meaningful discussions.
One example of this from the cybersecurity world is when people talk about threat intelligence. It’s a loaded term, even poisoned. I know this is an extreme word and position, but hear me out. People have preconceived notions of what threat intelligence is, so they make assumptions in conversations and those assumptions are rarely thought about, much less discussed. For the sake of improving security operations, this is a subject we cannot avoid. We need to open our minds and explore these underlying assumptions.
So, let’s start with Gartner’s definition of threat intelligence and go from there:
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
However, many equate this definition to external sources of threat data only. The assumption and filter is that threat intelligence equals external threat data. But what about internal data – the telemetry, content and data created by each layer in our security architecture which, by the way, is free? Re-read the Gartner definition. It does not talk about external or internal data in the definition, instead focusing on knowledge and context.
Defining threat intelligence as external data makes it impossible to fully appreciate or reap the value of threat intelligence. Think about it. Companies use multiple external feeds within their security operations environment and, as demonstrated by two separate reports, a Carnegie Mellon University study I’ve discussed before and new research presented at the 29th USENIX Security Symposium, there is little overlap in content. In fact, the recent research found almost no overlap between two leading vendors nor with four large open threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – there was only 2.5% to 4.0% overlap between indicator feeds. With no way to filter all this disparate content, security analysts end up drowning in data. But if you start with internal data, events and telemetry, and supplement with external data to contextualize information from internal systems, something special occurs. You understand relevance and can focus on what’s high priority for your organization. With a better, more complete picture of what is happening in your environment, threat detection becomes more efficient and response becomes more effective. The value of threat intelligence is undeniable. This simply isn’t possible when external threat data is viewed in isolation.
Combining internal and external threat data allows you to create a customized data set for your company. You can start thinking about curated threat intelligence as a capability – and not just a feed – that you can build out within your Security Operations Center (SOC). This intelligence capability becomes the foundation for a range of use cases, like spear phishing, threat hunting and incident response, to deliver exponentially more value.
Let’s take a simple incident response scenario as an example. An alert from the SIEM indicates communications from a device to an unknown IP address. You can find out context about the device and user of the device based on querying active directory. If the device belongs to a C-level employee, that can raise the incident priority. You can also check your ticketing system, endpoint detection and response (EDR) tools, sandbox or other systems to determine if the indicator has been seen, increase priority and also gather related information. Then, additional external data can provide context including that this IP address is associated with a specific campaign, the related tactics, techniques and procedures (TTPs) used, other artifacts to look for and courses of action to take. Analysts can quickly build a broader picture, gain a deeper understanding of the incident, respond more effectively and strengthen security posture.
We need to dispel the assumptions that are limiting what threat intelligence can be and, thus, the effectiveness of the SOC. When intelligence becomes a capability and not just subscriptions to feeds, we can gain the full value of intelligence as the foundation to security operations. And it all starts with internal data – that’s free!