Choosing the Right Threat Intelligence Mix
Cybersecurity is the Never-Ending Battle Against Ignorance and Time
Recently, Gartner published its annual report about the threat intelligence market, which identified numerous product and service vendors competing in the space. Beyond Gartner, IT-Harvest, Frost & Sullivan, Forrester, ESG and many others also do a considerable amount of market watching and reporting about the latest innovations in the sector. In fact, if we count all of the providers mentioned across the various reports, we quickly cross the “100” threshold. The market is dense, to say the least.
In just a few short years, the threat intelligence space has grown from being valued at a few hundred million dollars to upwards of $2.5 billion, according to Gartner. The reason demand has skyrocketed is simple: it’s proving its value. Organizations recognize that intelligence improves security and reduces risk across all critical operations. It’s no wonder thought leaders in the field are making the case for integrating it more widely.
Knowing that threat intelligence is readily available and proving its worth is one thing, understanding how to use it within your security operations program is quite another. Whether working within a company that has deployed an advanced intelligence program or in one just getting started, there are steps we can take to ensure we’re investing in the right mix of products, services and feeds.
Data is the lifeblood of threat intelligence programs, but we can’t implement a successful program based on feeds alone. Technology layers that enable the collection, integration and management of threat data are critical. They make it possible to convert data into intelligence and to then operationalize it within our security infrastructure for detection, blocking, investigations and other processes. After we’ve laid the groundwork with a platform, we can move to integrating the feeds needed to address the most serious threats facing our organization.
There are hundreds, maybe thousands, of open source and commercial threat feeds available. The various feeds out there supply a range of information, including everything from what’s taking place on dark web crime forums to what nation-state actors are up to. To make a smart choice about which information is key to protecting our business, it is important to understand what the different feeds provide. While some apply universally, others deliver more focused data about the adversaries we may need to be most concerned about.
All businesses have a stake in protecting their brand, but not all lead with it as a key selling point. If a business relies on its brand reputation, we’ll want to consider feeds that monitor what’s being said about the organization on social media platforms and within dark web forums. Much of the illicit activity taking place in both of these realms can lead to severe reputation damage. Understanding what’s taking place in these areas empowers us to respond quickly or even act proactively.
Enterprises that run on consumer payment card transactions can’t go without deep and dark web monitoring, where many breaches involving cards are first detected. Fraud information plays a critical role for ecommerce businesses as well, which is why they need access to premium threat intelligence vendors that focus specifically on fraud-related concerns such as carding, the trading of “fullz,” rewards fraud, and more.
Frequently the subject of targeted attacks, government agencies have found themselves under siege from things like random ransomware campaigns, COVID-related unemployment fraud, and election interference. To keep ahead of these types of malicious activities, agencies need to consider feeds providing data about what’s taking place on the dark web, the latest phishing campaigns, ransomware, and in some cases, what nation-state actors and other APTs are up to.
Banks are among the most targeted organizations globally. As I have written about in the past, this is because … well … banks are where the money is. Some banks utilize hundreds of threat feeds, a mix of commercial and open source. Deep and wide access to feeds focused specifically on carding, “fullz,” credential compromises and credential stuffing, ATM hacking, and fraud is indispensable. Banks also need insight into the wide assortment of tools and techniques known to specifically target financial institutions, such as banking trojans.
In addition to open source and commercial feeds, there are also “open web” sources of threat information provided by news outlets, research reports, blogs, and even social media platforms such as Twitter. These are data sources that any business can use to further inform its threat intelligence program. To gain access to more focused threat content, organizations often join information sharing and analysis centers (ISACs), intelligence sharing communities that circulate information about attacks and IOCs detected in members’ networks.
Long before threat intelligence became a “practice,” security professionals knew that relevant information was critical to their success. What has changed in the past several years is the power we have to leverage information to our advantage. Through advancements in technologies specifically designed to process large amounts of data, information, and intelligence — adding context while removing duplicates and low-confidence content — we are finally reaching the point where we can capitalize on all of this access without simply being overwhelmed or confused. Previously, many organizations were forced to limit their access and accept knowledge gaps because they couldn’t process it all; today we can consume enough to close more of those openings. With increased capacity to consume outside sources, we can move from a reactive to an increasingly proactive state of security. Integration of technologies like SIEM, TIP, and SOAR can even empower us to automate many of our responses with intelligence-driven changes that can be confidently accomplished with limited human effort.
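To make the platform layer described above concrete (collecting feeds, adding context, removing duplicates and low-confidence content before anything is pushed to a SIEM or blocklist), here is a small Python sketch of that processing step. It is an added example, not code from this article or from any vendor's product. The three feeds, their confidence scores, the `MIN_CONFIDENCE` threshold and the `ORG_ALLOWLIST` domain are all constructed for illustration.

```python
"""Minimal indicator-processing pipeline of the kind a TIP layer performs:
normalize, deduplicate across feeds, keep source context, drop what should
never reach a blocklist. All feed data here is constructed sample input."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample feeds: {feed_name: [(indicator, type, confidence 0-100), ...]}
FEEDS = {
    "commercial_fraud_feed": [
        ("203.0.113.7", "ipv4", 90),
        ("Card-Checker.example.", "domain", 85),   # mixed case, trailing dot
        ("198.51.100.22", "ipv4", 40),             # single source, low confidence
    ],
    "open_source_feed": [
        (" 203.0.113.7 ", "ipv4", 55),             # same IP as above, sloppy whitespace
        ("card-checker.example", "domain", 50),
        ("10.0.0.5", "ipv4", 95),                  # RFC 1918 address leaked into a public feed
        ("not an indicator", "ipv4", 99),          # malformed record
    ],
    "isac_sharing": [
        ("login.ourbank.example", "domain", 75),   # our own domain; must never be blocked
        ("203.0.113.9", "ipv4", 72),
    ],
}

MIN_CONFIDENCE = 70                       # assumed policy threshold
ORG_ALLOWLIST = {"ourbank.example"}       # assumed: the organization's own domains
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Indicator:
    value: str
    kind: str
    confidence: int
    sources: set = field(default_factory=set)


def normalize(value, kind):
    """Canonicalize so the same indicator from different feeds compares equal.
    Returns None for records that cannot be parsed."""
    value = value.strip()
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if kind == "domain":
        value = value.lower().rstrip(".")
        return value or None
    return None


def is_allowlisted(value, kind):
    """Internal addresses and our own domains would only generate false positives."""
    if kind == "ipv4":
        addr = ipaddress.IPv4Address(value)
        return any(addr in net for net in RFC1918)
    return any(value == d or value.endswith("." + d) for d in ORG_ALLOWLIST)


def merge_feeds(feeds):
    """Deduplicate across feeds; keep the highest confidence and every source as context."""
    merged, rejected = {}, []
    for feed_name, records in feeds.items():
        for raw, kind, conf in records:
            value = normalize(raw, kind)
            if value is None:
                rejected.append((feed_name, raw, "malformed"))
                continue
            if is_allowlisted(value, kind):
                rejected.append((feed_name, raw, "allowlisted"))
                continue
            ind = merged.setdefault((value, kind), Indicator(value, kind, 0))
            ind.confidence = max(ind.confidence, conf)
            ind.sources.add(feed_name)
    return merged, rejected


def actionable(merged, min_confidence=MIN_CONFIDENCE):
    """Only indicators above the confidence threshold are handed to detection/blocking."""
    return sorted((i for i in merged.values() if i.confidence >= min_confidence),
                  key=lambda i: (i.kind, i.value))


def build_blocklist(feeds=FEEDS):
    merged, rejected = merge_feeds(feeds)
    return actionable(merged), rejected


if __name__ == "__main__":
    items, rejected = build_blocklist()
    for i in items:
        print(f"{i.kind:6} {i.value:24} conf={i.confidence:3} sources={sorted(i.sources)}")
    for feed, raw, reason in rejected:
        print(f"rejected from {feed}: {raw!r} ({reason})")
```

The example keeps the source list on every merged indicator, which is the context an analyst needs when a block fires, and it rejects two classes of record that real feeds do contain: malformed entries and addresses or domains that belong to the organization itself. Dropping the single-source, confidence-40 address shows the trade-off the threshold makes; lowering `MIN_CONFIDENCE` trades more coverage for more noise.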
Cybersecurity is the never-ending battle against ignorance and time. As we consume more reliable content and are able to speed intelligence-driven prevention or responses, we close the gap between ourselves and those who wish to compromise our systems, steal our data, or profit from our weaknesses. If we make the right assessments of our collection needs and have the right system of tools working together to capitalize on those collection requirements, we become the hard target that adversaries are less likely to find appealing.