Cyber threat intelligence (TI), defined as data that offers insight into a threat actor’s motives, targets, and behaviours, has soared in popularity in recent years.
These factors have contributed to a TI boom where subscription data feeds proliferate.
In this environment, purchases of TI tooling and subscriptions to data feeds are more popular than ever, as more organisations seek to anticipate and defend against the latest offensive techniques and tooling, and to react to the latest vulnerability disclosures.
While most TI subscriptions rely on the sheer volume of data as an indication of value, an experienced operator knows that the amount of truly actionable TI is small, and that ‘noisy’ data feeds can impair operations.
In principle, using TI enables an organisation to move from reactive to proactive security, promising foresight into global threats posed by advanced cyber attackers. However, organisations should not regard TI as a silver-bullet solution.
- Investing in TI without possessing the foundational means to use it effectively will fail to deliver security advantages and can be actively detrimental to an organisation’s cyber defences.
- Organisations mistakenly prioritise external TI, but TI gathered internally is the superior option for an organisation to find actionable and relevant data.
- TI is most useful when applied in support of an established security operations function (e.g. to aid a dedicated threat hunting team), contextualising external TI with business processes and deployed digital technologies to ensure that TI-led operations produce the intended security benefits.