Threat intelligence – myth vs. reality

Chris Pace, Technology Advocate at Recorded Future

Threat intelligence is one of the most important resources for defending against increasingly advanced cyber-attacks, but there are still several myths and misconceptions about how intelligence can be accessed and used. Many organisations still believe threat intelligence is something of a dark art, restricted to elite security pros retained only by the likes of the world’s leading banks, and too complex and costly for ordinary businesses.

We have heard many different misconceptions over the years, and most can be easily rebuffed.

Three of the most common assumptions are:

 “IT’S ONLY FOR ELITE ANALYSTS”

While access to good intelligence might once have been restricted to the elites, today a fast-growing market means it is easily accessible by security professionals with any amount of experience and in any role. The market focus is to provide contextualised information that will enable security teams to respond quickly and proactively as threats emerge.

 “IT’S JUST A BUNCH OF PDF REPORTS OR STREAMS OF DATA”

Threat intelligence is essentially a tool, and like any other tool the quality can vary. Some poor intel is indeed simply presented as a disorganised stream of data, but genuine threat intelligence is provided in real time, stripped of false positives, and presented in a format designed to drive effective decision making.

“IT CAUSES MORE PROBLEMS THAN IT SOLVES”

One of the key factors in making threat intelligence work is how it is implemented by the organisation. Intel that is poorly applied can end up being counterproductive by burying analysts under a mountain of false positives. Conversely, well-implemented threat intelligence will integrate with existing security technologies to provide analysts with crucial insights when and where they need them.

Operationalising threat intelligence

As a result of crucial misunderstandings like these, many security professionals believe that threat intelligence has nothing to offer their organisation. Even among companies that are open to exploring the use of threat intelligence, proper implementation is often a struggle. With thorough and systematic implementation, threat intelligence is difficult to use efficiently, and the true value will be missed.

When applied correctly, threat intelligence has a huge amount to offer security leaders and personnel, from informing investment decisions, to processing alerts more quickly, to reducing the threat window caused by the latest vulnerabilities.

The three edicts of threat intelligence

Finding a threat intelligence provider that will match the organisation’s specific structure and needs can be a complicated affair, and there are a huge array of choices, formats and vendors to choose from.

1.Threat intelligence is for everyone.

Threat intelligence has applications across all aspects of security. Even small organisations struggling with limited security budgets can access and utilise threat intelligence, enabling them to make better risk-based investment decisions and empower security personnel to maximise the value of their tools and processes.

Organisations that already have large and more well-established security capabilities meanwhile can use threat intelligence to respond to the latest incidents and attack tactics as quickly as possible. Alongside protecting the company from attack, well implemented threat intelligence can save a great deal of legwork for security practitioners, freeing them up for more high value tasks and allowing junior personnel to upskill more quickly.

2. Poor quality threat intelligence can hinder more than it helps.

The simplest function of threat intelligence is to enable informed decision making. If the intelligence received by a company is incomplete and contains a high number of false positives and inaccuracies, security decision makers will end up making bad choices.

In terms of daily security activity, vulnerability management teams could miss vital weaknesses that leave the company exposed to attack, while SOC and incident response analysts could end up missing genuine threats while wasting a great deal of time and resources chasing false leads. At a strategic level, security leaders may also make poor investment decisions that do little to improve the company’s security posture.

With this in mind, organisations need to ensure that the threat intelligence capability they implement will genuinely empower their security leaders and personnel.

3. Look for powerful threat intelligence characteristics.

With poor quality intelligence having the potential to drastically reduce a company’s security capabilities, it is essential that decision makers know what they should be looking for in a solution. The following four traits are essential components of genuine threat intelligence:

• Comprehensive – It must combine intelligence from a broad range of sources such as the dark web and threat actor forums.
• Relevant – A worthwhile threat intelligence capability must deliver only intelligence which is relevant to the individual user, cutting out irrelevant data and false positives that will waste valuable time and resources.
• Contextualised – The best threat intelligence solutions combine huge quantities of data, information, and intelligence to construct high-quality, actionable insights that are put into context against the wider threat landscape.
• Integrated – Threat intelligence should be easily accessible across all the different functions it connects to, such as vulnerability management scanners, SIEM and EDR technology.

By having these factors firmly in mind when investigating and assessing the many threat intelligence options available, companies can cast aside the myths and find the ideal solution for their operations. Armed with genuine threat intelligence, security personnel across all functions and experience levels will be able to work faster and more effectively.