New threat intelligence report skewers industry confusion, charlatans

Are you getting threat intel -- or just antivirus software? A government-backed report designs a framework for threat intelligence that can be scaled to different sectors, sizes of organization, and organizational goals.
Written by Violet Blue, Contributor
Cyber threat intelligence

In the young, billion-dollar growth sector of threat intel, vendors are falling over themselves to offer a confusingly diverse array of threat intelligence products.

That's because right now, organizations know they need to 'do' threat intelligence -- yet few understand, or can agree on what that means.

A new threat intelligence whitepaper backed by the UK government waded through the confusion and snake oil salesmen to design a framework for threat intelligence that can be scaled to different sectors, sizes of organization, and organizational goals.

Threat Intelligence: Collecting, Analysing, Evaluating does exactly that, and may wind up as a modern handbook of threat intel consumer awareness for IT and management.

The research was conducted by U.K.-based Cyber Incident Response (CIR) company MWR InfoSecurity, and commissioned by CPNI (Centre for the Protection of National Infrastructure), in addition to CERT-UK.

The report encompasses what every CIO should know, and is key for how CIOs talk to their IT security teams, as well as how to bridge the often-disastrous communication gap between a threat intel team and a company's decision makers.

Don Smith, Technology Director at Dell SecureWorks, was one of the outside consultants on Threat Intelligence. Smith told ZDNet, "The paper does a good job of defining what threat intelligence actually is -- this is something which the market definitely needs, it's a growing sector with lots of new entrants of varying maturity."

On the necessity of the report Smith added, "The paper should help organisations better understand their approach to threat intelligence -- which will in turn allow them to ask the right and relevant questions of potential or current threat intelligence service providers."

"We don't know what it is, but we need it."

The paper also tells us how not to build a threat intel team.

What many of us felt, turns out to be true. "The majority of TI programmes that are failing to provide meaningful intelligence and business value have factors in common when it comes to how they were built. Typically, senior management decided that a threat intelligence team was necessary, a decision based on interactions with peers, writings in the field or even vendor pitches. Rather than the requirements driving the establishment of teams, the perceived need simply to have a team drove the whole process."

The researchers add, "It's not unknown for senior staff to muse, "We don't know what threat intelligence is, but we know we need it.""

The paper begins by facing off with conventional wisdoms, or beliefs, around how cyber threat intel is defined -- or not defined, often to the advantage of unscrupulous intel vendors.

It establishes a stance some may find controversial but results in a relevant and practical outcome: Transposing a traditional framework definition set of threat intelligence (government) and carefully, specifically tailoring it to the tempestuous threat landscape of information security. Taking intel back to its roots, as it were.

The team and its consultants created a modern, modified model for threat intelligence flow, and left no detail or implementation unexplained throughout the rest of the paper.

In 1996, the United States Senate Select Committee on Intelligence published a study on how the intelligence community might look in the 21st Century if it were redesigned from scratch. This study proposed a functional flow for intelligence that can be used as the basis for a mature, scalable TI programme, as shown in figure 4.

(...) An important departure from the traditional threat intelligence cycle is that resources can be used to develop systems and capabilities of potential use to both collection and analysis, based on advice from the collection and analysis functions.

Cyber threat intelligence function flow

Are you getting threat intel... Or just antivirus software?

The paper is a must-read for anyone who needs to understand what they're buying when they buy threat intel feeds.

Today, there are large numbers of TI vendors and advisory papers (often issued through vendors' marketing departments) that describe extremely different products and services, all under the banner of threat intelligence.

The research explains, "For example, at a high level, some products come in the form of prose that explains developments in a particular area, while at a lower level, others might be a stream of XML-formatted indicators of compromise, such as IP addresses or binary hashes."

What's worse, "Even within similarly placed sources, such as feeds of indicators of compromise, there is very little overlap between competing products. Recent research suggests that in three popular feeds of flagged IP addresses, containing more than 20,000 IP addresses in total, there was as little as a 1% overlap."

As market demand for threat intelligence grows, with a large number of organizations either interested in products or actively building programs, some vendors are offering existing products - or subtly reworked versions of existing products - as 'threat intelligence'.

At the more cynical end of the spectrum, it's been suggested that threat intelligence is at a threshold where it could become either useful, or simply antivirus signatures by another name... and at a higher price.

Types of cyber threat intelligence

Four clear categories

The report outlines the four subtypes of threat intelligence, and clearly explains what to do with them (and what not to do with them) -- namely, how to collect, use and share the information so it can be acted on when it matters most.

Strategic threat intelligence is consumed by high-level strategists. The paper notes, "It deals in such high-level concepts as risk and likelihoods, rather than technical aspects; and it is used by the board to guide strategic business decisions and to understand the impact of the decisions that are made."

C-level executives (CEO, CFO, CIO, etc.) and the board require a level of understanding as to which decisions might be linked to cyber risks.
In lieu of this understanding, threat intelligence team members need to ensure that they are themselves aware of the sorts of decisions being made, and proactively advise senior management and the board. Decisions that might have cyber risk implications should be used for setting requirements.

After providing examples of what these decision situations are, the paper then conveys exactly how to bridge this communication gap, and critically, exactly how to share information between both sides without compromising any aspect of the exchange.

Operational threat intelligence is "actionable information on specific incoming attacks."

Demystifying the human intelligence gathering angle and how organizations can do it (and evaluate the information) effectively and safely, the paper also fully explains information gathering for organizations from news sources, social media, chat rooms, business contacts, and official sources.

Tactical threat intelligence, the report defines, "is information that concerns the tactics used by threat groups - including their tools and methodologies - and is often referred to as Tactics, Techniques, and Procedures (TTPs)."

But one of the biggest problems in this area, as seen in recent surveys, is avoiding unnecessary work and producing viable results. "Setting team requirements in this area is key," the researchers explain, "covering attack group reports, malware analysis, incident reports, and how effective tactical intelligence can aid incident response."

Technical threat intelligence comprises technical details of an attacker's assets, such as tools, command and control channels, and infrastructure.

The paper notes, "A key failing of technical threat intelligence is that it's relatively simple for an attacker to target a specific organisation in a way that ensures no pre-existing indicators will have been available. Modified malware, custom network infrastructure and obscured C2 communications do not require great skill or resources, but still bypass technical threat intelligence efforts."

The researchers address this issue in detail. Helpfully, a number of free, reputable technical threat intel feeds are included in the report, as well as thorough resource, glossary and citation sections.

To share, or not to share

No area seems more fraught with confusion and fear of disaster than cyber intel's constant balancing act between the need to keep secrets, and the need to share attack information to protect secrets.

That's why the most interesting part of the report, at least to this reporter, is the lengthy dive into information sharing.

For instance, the paper explains, "In some industries, even the faintest whiff of suspicion that a company has been compromised is likely to influence buyers to go elsewhere."

It adds, and later unpacks, that "In these cases, organisations might do well to use trusted third parties to anonymise and distribute the information, so that communal benefit can be gained with minimal reputational risk."

While the research applies evaluation parameters and formal ways to safely share information within the four different threat intel categories, the overall arena of sharing is wholly demystified (even down to personal relationships).

The importance of its sections on intelligence sharing on a personal level can't be understated; its guidance would likely have averted some of the most recent headline-making cybersecurity disasters.

The paper's "Quick Wins" section also ensures that anyone reading it will have something to take back to work and implement immediately.

The easy to understand paper, with its complex analysis of threat intelligence teamwork, is a bold statement against threat intel snake oil, and may be one of the most useful cybersecurity enterprise whitepapers to come out in years.

See also:

All images and text reproduced with the express permission ofMWR InfoSecurity. The Threat Intelligence report was culled from literature reviews, internal experience, and interviews with professionals involved in threat intelligence and related fields across a range of organizations and sectors.

The version of Threat Intelligence: Collecting, Analysing, Evaluating discussed here is a pre-launch version and is open for comments and questions (which can be sent to enquiries@cpni.gsi.gov.uk).

Editorial standards