Threat intelligence is more abundant than ever. The information defenders can use to hunt, prepare for and counter potential threats isn’t hard to find, but it is fragmented.
On the public side, the Cybersecurity and Infrastructure Security Agency and other federal agencies regularly release advisories to alert organizations to malicious activity. Privately, and at a cost, threat intelligence firms publish thousands of pages of data and analysis on the most common and unique threats every month.
CISOs and security practitioners are left to make sense of it all, piecing together intelligence from research firms and government cybersecurity authorities. Turning those disjointed insights into actions that produce results is not an easy endeavor.
“The different threat reports are useful, but it would be much more useful if we had a more centralized repository of that information that everyone could draw from and make their own intelligence on,” Arctic Wolf CISO Adam Marrè said during an interview at Black Hat USA 2023.
“If we could learn more from each other, if we could learn more from those attacks that we’re seeing happening, we would do a lot better to defend against them,” Marrè said.
The fragmentation of threat intelligence can put organizations on unequal footing with their adversaries.
Indicators of compromise are not shared in a common format, and threat-actor naming taxonomies vary wildly from one research firm to the next, so it is often difficult to tell whether two analysts are describing activity by the same threat actor.
“For a CISO, it can be hard to understand what’s the ROI, what’s the value of this, of investing in threat intelligence,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told Cybersecurity Dive. “It is typically for more resourced organizations.”
Cyber threat intelligence is a multibillion-dollar industry. Fortune Business Insights in March estimated the market will reach nearly $5 billion in revenue this year and surpass $18 billion by 2030.
CrowdStrike and others in the threat gathering and analysis space provide varying levels of research. This includes external attack surface management, dark web and stolen-credential monitoring, and deep reports on hundreds of threat actors describing how they operate, whom they target and how organizations compare to peers in their industry.
Where to start
Many organizations that don’t know how or where to start with threat intelligence have a bad experience and conclude it’s useless, Meyers said. “But the reality is they tried to do Olympic skiing when they should be on the bunny slope.”
“It’s OK to be on the bunny slope,” Meyers said. “We’ll get you on the black eventually, but you’ve got to build and develop processes and your people as well as bringing in this external intelligence.”
For many organizations, the most helpful starting point can be found within.
“The best source of intelligence that you have is from your own incidents,” said Rick Holland, VP and CISO at Reliaquest.
Organizations need to properly mine internal data before they spend a dollar on threat intelligence, Holland said.
Too often organizations don't have logging set up, or fail to retain and back up their logs, which limits their ability to confirm how attackers got into their systems.
While monitoring for known IOCs is a bare minimum, tactics, techniques and procedures help organizations understand the tools and commands attackers are using, and how they are moving through their network, Holland said.
“Before you spend any money, do people and process internally, and then go out and complement your gaps,” Holland said. “Most people don’t know their gaps.”
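As an added example (not code from the article or from any of the vendors quoted), the Python script below shows what two of the points above look like in practice: the normalisation step that a shared repository of the kind Marrè describes would need, because IOC formats and actor names differ from feed to feed, and the distinction Holland draws between matching known IOCs and recognising attacker TTPs in your own telemetry. The two vendor feeds, the alias table, the indicator values, the actor label ACTOR-1 and the endpoint log lines are all constructed for the example; the ATT&CK technique IDs in the comments are real, everything else is placeholder data.

```python
"""Added example, not from the article: merge two differently shaped
threat-intel feeds into one indicator table, then run IOC matching and a
couple of TTP rules over constructed endpoint log lines."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Two fictional vendors, two schemas, two names for the same fictional actor.
FEED_VENDOR_A = {
    "actor": "STORM-12",
    "indicators": [
        {"kind": "sha256", "val": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"kind": "ipv4", "val": "203.0.113.45"},
    ],
}
FEED_VENDOR_B = {
    "threat_group": "CRIMSON TAPIR",
    "iocs": [
        {"type": "ip", "value": "203.0.113.45"},  # same IP as vendor A
        {"type": "domain", "value": "update.example.net"},
    ],
}

# Hypothetical alias table kept by the analyst team: maps each vendor's name
# for a group onto one canonical label so the feeds can be merged.
ALIASES = {"STORM-12": "ACTOR-1", "CRIMSON TAPIR": "ACTOR-1"}
# Vendor-specific type names collapsed onto a common vocabulary.
TYPE_MAP = {"sha256": "sha256", "ipv4": "ip", "ip": "ip", "domain": "domain"}


@dataclass
class Indicator:
    ioc_type: str
    value: str
    actors: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def normalise(feeds: list[tuple[str, dict]]) -> dict[tuple[str, str], Indicator]:
    """Merge feeds into one table keyed by (type, value); aliases collapse actors."""
    table: dict[tuple[str, str], Indicator] = {}
    for vendor, feed in feeds:
        actor = ALIASES.get(feed.get("actor") or feed.get("threat_group"), "UNKNOWN")
        for raw in feed.get("indicators") or feed.get("iocs") or []:
            ioc_type = TYPE_MAP[(raw.get("kind") or raw.get("type")).lower()]
            value = (raw.get("val") or raw.get("value")).strip().lower()
            ind = table.setdefault((ioc_type, value), Indicator(ioc_type, value))
            ind.actors.add(actor)
            ind.sources.add(vendor)
    return table


# Constructed endpoint log lines (key=value; quoted values may contain spaces).
LOGS = [
    'host=ws01 user=alice proc=outlook.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 dst=198.51.100.7',
    'host=ws01 user=alice proc=winword.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 dst=203.0.113.45',
    'host=ws02 user=bob proc=powershell.exe cmd="powershell -nop -w hidden -enc SQBFAFgA" dst=192.0.2.9',
    'host=ws02 user=bob proc=cmd.exe cmd="wmic /node:fs01 process call create cmd.exe" dst=10.0.0.5',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# TTP rules describe behaviour, so they fire without any feed entry at all.
TTP_RULES = [
    # ATT&CK T1059.001: PowerShell launched hidden with a base64-encoded command.
    ("encoded_powershell",
     re.compile(r"powershell.*-(w|windowstyle)\s+hidden.*-(e|enc|encodedcommand)\b", re.I)),
    # ATT&CK T1047: process creation on a remote host over WMI (lateral movement).
    ("remote_process_creation",
     re.compile(r"\bwmic\b.*/node:\S+.*process\s+call\s+create", re.I)),
]


def parse(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def detect(logs: list[str], table: dict[tuple[str, str], Indicator]) -> list[tuple]:
    """Return (host, kind, detail, actors) hits for IOC and TTP matches."""
    hits = []
    for line in logs:
        fields = parse(line)
        host = fields.get("host", "?")
        # IOC matching: exact lookups against the merged table.
        for ioc_type, key in (("sha256", "sha256"), ("ip", "dst")):
            val = fields.get(key, "").lower()
            ind = table.get((ioc_type, val))
            if ind:
                hits.append((host, "ioc", f"{ioc_type}:{val}", ",".join(sorted(ind.actors))))
        # TTP matching on the command line, independent of any indicator.
        cmd = fields.get("cmd", "")
        for name, pattern in TTP_RULES:
            if pattern.search(cmd):
                hits.append((host, "ttp", name, ""))
    return hits


if __name__ == "__main__":
    merged = normalise([("vendor_a", FEED_VENDOR_A), ("vendor_b", FEED_VENDOR_B)])
    for hit in detect(LOGS, merged):
        print(hit)
```

Running it prints two IOC hits for ws01 (the hash and the destination IP, both attributed to ACTOR-1 because the alias table merged the two vendors' names) and two TTP hits for ws02, neither of which depends on any feed. The second half is the point Holland makes: the encoded-PowerShell and remote-WMI rules only work if command lines are actually being logged and kept.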
Disclosure: Black Hat and Cybersecurity Dive are both owned by Informa. Black Hat has no influence over Cybersecurity Dive’s coverage.