Threat intelligence is currently the trendy thing in information security, and as with many new security trends, frequently misunderstood and misused. I want to take the time to discuss some common misunderstandings about what threat intelligence is and isn’t, where it can be beneficial, and where it’s wasting your (and your analysts’) time and money.

To understand cyber threat intelligence as more than a buzzword, we must first understand what intelligence is in a broader sense. Encyclopedia Britannica provides this gem of a summary:

“… Whether tactical or strategic, military intelligence attempts to respond to or satisfy the needs of the operational leader, the person who has to act or react to a given set of circumstances. The process begins when the commander determines what information is needed to act responsibly.”

The purpose of intelligence is to aid in informed decision making. Period. There is no point in doing intelligence for intelligence’s sake.

Cyber threat intelligence is not simply endless feeds of malicious IP addresses and domain names. To truly be useful intelligence, threat Intel should be actionable and contextual. That doesn’t mean attribution of a set of indicators to a specific country or organization; for most companies that is at the best futile and at the most, dangerous. It simply means gathering data to anticipate, detect, and mitigate threat actor behavior as it may relate to your organization.  If threat intelligence is not contextual or is frequently non-actionable in your environment, you’re doing “cyber threat” without much “intelligence” (and it’s probably not providing much benefit).

Threat intelligence should aid you in answering the following six questions:

1. What types of actors might currently pose a threat to your organization or industry? Remember that for something to pose a threat, it must have capability, opportunity, and intent.
2. How do those types of actors typically operate?
3. What are the “crown jewels” prime for theft or abuse in your environment?
4. What is the risk of your organization being targeted by these threats? Remember that risk is a measure of probability of you being targeted and harm that could be caused if you were.
5. What are better ways to detect and mitigate these types of threats in a timely and proactive manner?
6. How can these types of threats be responded to more effectively?

Note that the fifth question is the only one that really involves those big lists of Indicators of Compromise (IoCs). There is much more that goes into intelligence about the threats that face us than simply raw detection of specific file hashes or domains without any context. You can see this in good quality threat intelligence reports – they clearly answer “what” and “how” while also providing strategic and tactical intelligence.

I’m not a fan of the “throw everything at the wall and see what sticks” mentality of using every raw feed of IoCs available. This is incredibly inefficient and difficult to vet and manage. The real intelligence aspect comes in when selecting which feeds of indicators and signatures are applicable to your environment, where to place sensors, and which monitored alerts might merit a faster response. Signatures should be used as opposed to one-off indicators when possible. Indicators and signatures should be vetted and deduplicated. Sensibly planning expiration for indicators that are relatively transient (like compromised sites used in phishing or watering hole attacks) is also pretty important for your sanity and the health of your security appliances.

So, how do you go about these tasks if you can’t staff a full time threat intelligence expert? Firstly, many of the questions about how you might be targeted and what might be targeted in your environment can be answered by your own staff. After your own vulnerability assessments, bring your risk management, loss prevention, and legal experts into the discussion, (as well as your sales and development teams if you develop products or services). Executive buy-in and support is key at this stage. Find out where the money is going to and coming from, and you will have a solid start on your list of crown jewels and potential threats. I also highly recommend speaking to your social media team about your company’s global reputation and any frequent threats or anger directed at them online. Are you disliked by a hacktivist organization? Do you have unscrupulous competitors? This all plays into threat intelligence and security decisions.

Additionally, identify your industry’s ISAC or equivalent, and become a participating member. This allows you the unique opportunity to speak under strict NDA with security staff at your competitors about threats that may impact you both. Be cognizant that this is a two way street; you will likely be expected to participate actively as opposed to just gleaning information from others, so you’ll want to discuss this agreement with your legal counsel and have the support of your senior leadership. It’s usually worth it.

Once you have begun to answer questions about how you might be targeted, and what types of organizations might pose a threat, you can begin to make an educated decision about which specific IOCs might be useful, and where to apply them in your network topology. For instance, most organizations are impacted by mass malware, yet if your environment consists entirely of Mac OS, a Windows ransomware indicator feed is probably not high in your priorities. You might, however, have a legacy Solaris server containing engineering data that could be a big target for theft, and decide to install additional sensors and Solaris signatures accordingly.

There are numerous commercial threat intelligence companies who will sell your organization varying types of cyber threat intelligence data of varying qualities (in the interest of affability, I’ll not be rating them in this article). When selecting between paid and free intelligence sources (and indeed, you should probably be using a combination of both), keep the aforementioned questions in mind. If a vendor’s product will not help answer a few of those questions for you, you may want to look elsewhere. When an alert fires, a vendor who sells “black box” feeds of indicators without context may cause you extra time and money, while conversely a vendor who sells nation state attribution in great detail doesn’t really provide the average company any actionable information.

Publicly available sources of threat intelligence data are almost endless on the internet and can be as creative as your ability to look for them. Emerging Threats provides a fantastic feed of free signatures that include malware and exploits used by advanced actors. AlienVault OTX and CIRCL’s MISP are great efforts to bring together a lot of community intelligence into one place. Potentially useful IoC feeds are available from many organizations like abuse.ch, IOC Bucket, SANS ISC DShield and MalwareDomains.com (I recommend checking out hslatman’s fairly comprehensive list.). As previously noted, don’t discount social media and your average saved Google search as a great source of Intel, as well.

The most important thing to remember about threat intelligence is that the threat landscape is always changing – both on your side, and the attackers’. You are never done with gathering intelligence or making security decisions based it. You should touch base with everybody involved in your threat intelligence gathering and process on a regular basis, to ensure you are still using actionable data in the correct context.

***

In summary, don’t do threat intelligence for the sake of doing threat intelligence. Give careful consideration to choosing intelligence that can provide contextual and actionable information to your organization’s defense. This is a doable task, possible even for organizations that do not have dedicated threat intelligence staff or budgets, but it will require some regular maintenance and thought.

Many thanks to the seasoned Intel pros who kindly took the time to read and critique this article: @swannysec, @MalwareJake, and @edwardmccabe

I highly recommend reading John Swanson’s work on building a Threat Intel program next, here.