Getting Smart About Threat Intelligence

Industry Perspectives 2022-05-23

Security vendors are creating a lot of noise about threat intelligence, bombarding the market with a deluge of sources and packages that promise to make sense of the threat landscape. Choosing the right one requires some intelligence of your own.

When evaluating your options, you should ask these questions:

  • What are all these sources?
  • Which can give me the most value in understanding my threats?
  • How should I choose between different sources of threat intelligence?
  • How do I ensure that I get the best coverage for my needs and maximize my return on investment?

But the first and most important question is what, exactly, does “threat intelligence” mean?

Threat intelligence is information that has been collected and analyzed to produce insight. Actionable threat intelligence is insight you can act on: it enables informed decision-making that results in better outcomes. We see this type of intelligence when a business leader finds insights in market data to tune a product launch, or when a security analyst understands the extent and intent of an attack and takes steps to limit its impact.

A useful taxonomy divides threat intelligence into five distinct classes:

  1. Internal intelligence. Intelligence about your organization's own assets and behavior, derived from analyzing your own telemetry (logs, endpoints, authentication, internal traffic). The Mandiant for Security Operations solution is an example of this.
  2. Network intelligence. Intelligence gleaned from analyzing network traffic at your organization's network boundary and on the networks that connect you to the outside world. FireEye is a good example.
  3. Edge intelligence. An understanding of what hosts across the Internet are doing at the edge of the network. This information is held by governments, ISPs, telcos, and CDNs. For example, Akamai has a lot of intel on the edge of the Internet.
  4. Open-source intelligence. This comes from the plethora of information available on websites, blogs, Twitter feeds, chat channels, and news feeds. It is available to whoever wants to collect and mine it for useful intel. Numerous companies offer open-source intelligence, differentiated mostly by number of sources, language capabilities, and analytic tool support.
  5. Closed-source intelligence. This is the most difficult to acquire — closed user group sharing (for example, FS-ISAC), authenticated underground websites and chat channels, information gleaned from intelligence and law enforcement operations, and human intelligence. A number of companies offer some closed-source intelligence, although coverage is often specific to a particular threat or geography.

When building your threat intelligence capabilities, you probably want good coverage of all five classes. Unfortunately, most commercial threat intelligence services cover one, or at best two, of them, and the coverage they do offer may not be directly relevant to your organization.

For that reason, I recommend the following:

  • Leverage internal intelligence as your most directly actionable source.
  • Augment this with network intelligence that relates to your assets (such as your network gateways and external networks).
  • Use open source intelligence that covers your assets, brand, geography, and business type.
  • Invest in closed-source intelligence only if you have a threat profile that demands this level of insight, or if a source caters to your specific industry (for example, one of the Information Sharing and Analysis Centers, or ISACs, in the U.S.).
  • Seek relevant, actionable intelligence providers that enable you to make informed decisions on threat posture and response.
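To make the relevance test in these recommendations concrete, here is an added example (not from the article, and not from any vendor it names) that scores several hypothetical external feeds against an organization's own telemetry, the internal class the article ranks first. All log lines, feed contents, feed names and the brand term are constructed. The scoring rule is my own assumption rather than the article's: an indicator earns credit only if our own sensors have already seen it or it impersonates our brand, RFC 1918 and loopback addresses are discarded as unactionable at the boundary, and an indicator that no other feed supplies counts as unique coverage.

```python
"""Rank threat-intelligence feeds by what is actionable for this organization.

Added example; all feeds, log lines and brand terms below are constructed.
An indicator earns credit only if our own telemetry has seen it or it
impersonates our brand; everything else is coverage we cannot act on today.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed internal telemetry: the "internal intelligence" class.
INTERNAL_LOGS = [
    "2022-05-20T10:01:02Z dns host=ws-114 query=update.contoso-cdn.example",
    "2022-05-20T10:01:05Z conn host=ws-114 dst=198.51.100.23:443",
    "2022-05-20T10:04:40Z dns host=db-02 query=api.partner.example",
    "2022-05-20T10:07:11Z conn host=ws-220 dst=203.0.113.77:8443",
    "2022-05-20T10:09:59Z dns host=ws-301 query=cdn.vendor.example",
]

# Substrings that signal impersonation of our (hypothetical) brand.
BRAND_TERMS = {"example-bank"}

# Three constructed feeds named after the article's external classes.
# RFC 5737 documentation blocks stand in for public IP addresses.
FEEDS = {
    "network": {"198.51.100.23", "203.0.113.77", "192.0.2.9"},
    "open-source": {
        "login-example-bank.example", "203.0.113.77", "evil.example",
        "spam1.example", "spam2.example",
    },
    "closed-source": {"update.contoso-cdn.example", "192.0.2.9", "10.66.0.1"},
}

_DNS = re.compile(r"\bquery=(\S+)")
_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\b")
_UNROUTABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_observables(lines):
    """Collect queried domains and destination IPs from our own log lines."""
    seen = set()
    for line in lines:
        for rx in (_DNS, _DST):
            m = rx.search(line)
            if m:
                seen.add(m.group(1).lower())
    return seen


def is_noise(indicator):
    """Private or loopback IPs cannot be acted on at the network boundary."""
    try:
        ip = ipaddress.ip_address(indicator)
    except ValueError:
        return False  # domain names are never dropped here
    return any(ip in net for net in _UNROUTABLE)


def _brand_hit(indicator, brand_terms):
    return any(term in indicator for term in brand_terms)


@dataclass
class FeedScore:
    feed: str
    total: int              # indicators supplied
    noise: int              # dropped as unactionable
    observed: int           # seen in our own telemetry
    brand: int              # impersonate our brand
    actionable: int         # observed or brand, deduplicated
    unique_actionable: int  # actionable and supplied by no other feed

    @property
    def ratio(self):
        """Actionable share of the usable feed: signal versus noise for us."""
        usable = self.total - self.noise
        return self.actionable / usable if usable else 0.0


def score_feeds(feeds, observables, brand_terms):
    """Score each feed against our telemetry, our brand and the other feeds."""
    scores = []
    for name, inds in feeds.items():
        usable = {i for i in inds if not is_noise(i)}
        act = {i for i in usable
               if i in observables or _brand_hit(i, brand_terms)}
        others = set().union(*(v for k, v in feeds.items() if k != name))
        scores.append(FeedScore(
            feed=name, total=len(inds), noise=len(inds) - len(usable),
            observed=len(act & observables),
            brand=sum(_brand_hit(i, brand_terms) for i in act),
            actionable=len(act), unique_actionable=len(act - others)))
    return scores


def rank_feeds(scores):
    """Most actionable first; ties broken by unique coverage, then by ratio."""
    return sorted(scores, reverse=True,
                  key=lambda s: (s.actionable, s.unique_actionable, s.ratio))


if __name__ == "__main__":
    obs = parse_observables(INTERNAL_LOGS)
    for s in rank_feeds(score_feeds(FEEDS, obs, BRAND_TERMS)):
        print(f"{s.feed:13} total={s.total} noise={s.noise} observed={s.observed} "
              f"brand={s.brand} unique={s.unique_actionable} ratio={s.ratio:.2f}")
```

Run as a script, the ranking shows which feed earns its keep for this organization: a feed that overlaps heavily with another adds little unique coverage, and a large feed with a low ratio is mostly noise here whatever its value elsewhere. Replacing the constructed lists with real feed exports and real sensor logs turns the same harness into the coverage check the recommendations call for.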

By asking the right questions, you can put together a threat intelligence plan that delivers the right insights — and that’s one of the most intelligent moves a security professional can make.