Evaluating the State of Cyber Threat Intelligence
Cyber threat intelligence (TI), defined as data that offers insight into a threat actor’s motives, targets, and behaviours, has soared in popularity in recent years.
These factors have contributed to a TI boom where subscription data feeds proliferate.
In this environment, purchases of TI tooling and subscriptions to data feeds are more popular than ever, as more organisations seek to anticipate and defend against the latest offensive techniques and tooling, and to react to the latest vulnerability disclosures.
While most TI subscriptions rely on the sheer volume of data as an indication of value, an experienced operator knows that the amount of truly actionable TI is small, and that ‘noisy’ data feeds can impair operations.
In principle, using TI enables an organisation to move from reactive to proactive security, promising foresight into global threats posed by advanced cyber attackers. However, organisations should not regard TI as a silver-bullet solution.
Ultimately, not all TI is good TI, and investing in a TI feed alone is not equivalent to developing a TI-led security operations function. We argue that:
- Investing in TI without possessing the foundational means to use it effectively will fail to deliver security advantages and can be actively detrimental to an organisation’s cyber defences.
- Organisations mistakenly prioritise external TI, but TI gathered internally is the superior option for an organisation to find actionable and relevant data.
- TI is most useful when applied in support of an established security operations function (e.g. to aid a dedicated threat hunting team) that contextualises external TI with business processes and deployed digital technologies, ensuring that TI-led operations produce the intended security benefits.
This article explores the limitations of conventional TI data feeds and highlights the key characteristics of effective TI usage, making recommendations for organisations currently considering the purchase of a TI subscription.