Demystifying Threat Intelligence

‘Threat intelligence’ could be the answer to defeating dangerous cyber-threats. But what does it really mean? asks Adam Schoeman

‘Threat intelligence’ has become a catchall term for a vast array of different technologies, methodologies and ideas. Meanwhile, the use of different prefixes has become little more than a marketing tool. But if we can’t classify threat intelligence products by naming conventions, how can we evaluate them? Perhaps some of the industry’s biggest research firms can help.

What the Analysts Say

For Forrester, threat intelligence is not a single product or service, but a framework constructed around high-quality information sources and skilled analysts. In Five Steps to Build an Effective Threat Intelligence Capability, Forrester shows that five distinct focuses need to be combined to harness it effectively: laying the foundation; establishing buy-in; staffing the team; establishing sources; deriving intel.

Gartner defines threat intelligence as, “evidence-based knowledge… about an existing or emerging… hazard to assets that can be used to inform decisions regarding the subject’s response to that… hazard.” At first glance, this could be a definition for a single black-box product, but it’s likely that it would actually need to exist inside a framework in order to contextualize the knowledge that originates from third parties.

To understand if a potential adversary has the opportunity, capability or intent to attack an asset, the asset itself needs to be understood. This is difficult to achieve from a black box point of view, where the system has no knowledge of the environment in which it is deployed.

In all these definitions, there is one constant: threat intelligence cannot simply be deployed in a way that adds value as a black box system. Any threat feed that is built to be scaled across many organizations must, by definition, deliver generic insights. Without local contextualization, an information feed can never truly be described as threat intelligence.

Product Proliferation

There is an explosion of threat intelligence products on the market today, but they can all broadly be split into three groups – feed-, research- and platform-driven products.

Feed-driven products convert traditional security logs into an information feed. Generally, the provider gathers information through an array of collection points (often referred to as ‘sensors’) and transforms that information into a consumable feed.

Research-driven products rely on analysts to distil information into a research report that can be delivered to a specific audience. Although they follow the same steps as feed-driven products, they are built on the premise that human analysts will rigorously interrogate the information that they retrieve, generating value for the target audience.

Platform-driven products do not provide threat intelligence per se, only a way to house and share it. There aren’t any definable steps in delivering information, since the platform is always available, and any data stored within it must be added by the end-user.

Applying Threat Intelligence

Threat intelligence products have evolved rapidly, creating offerings that have huge visibility. Yet there is still a significant piece missing: localized knowledge of the target environment.

While feed- and research-driven products have the potential to add value, such as offering an outsourced information-gathering or analyst function, they lack the ability to contextualize knowledge with local information. This dramatically limits their ability to deliver actionable intelligence to organizations.

It may be possible to overcome this limitation on the end-user side through rigorous evaluation of threat intelligence products before purchase, followed by using internal analysts to adapt the incoming intelligence to the consumer’s own architecture. However, there would be a significant cost involved.

An alternative would be for a consumer to have direct access to a threat intelligence provider’s backend storage and transform functions so that they could pull out intelligence based on their localized knowledge. Unfortunately that’s unlikely to be possible when these products deliver generic information to numerous end users rather than harvesting local knowledge about individual environments.
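The contextualization step the article says a consumer must supply, as an added example that is not from the article or SecureData: a generic feed is scored against a local asset inventory so that only indicators able to affect this environment become actionable. The feed schema (including the 'targets' field), the indicator values and the inventory are all constructed sample data, not any vendor's real format.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    platform: str
    services: set      # exposed services, e.g. {"rdp", "smb"}
    criticality: int   # 1 (low) .. 5 (crown jewels), assigned by local analysts


# Constructed generic feed entries; 'targets' is an assumed schema describing
# what each indicator is known to go after, the most a scaled feed can offer.
FEED = [
    {"ioc": "198.51.100.7", "type": "ip", "confidence": 0.9,
     "targets": {"platform": "windows", "service": "rdp"}},
    {"ioc": "203.0.113.22", "type": "ip", "confidence": 0.8,
     "targets": {"platform": "linux", "service": "ssh"}},
    {"ioc": "evil.example", "type": "domain", "confidence": 0.6,
     "targets": {"platform": "macos", "service": None}},
]

# Constructed local inventory: the knowledge the feed provider never has.
ASSETS = [
    Asset("dc01", "windows", {"smb", "ldap"}, 5),
    Asset("jump01", "windows", {"rdp"}, 4),
    Asset("web01", "linux", {"https", "ssh"}, 3),
]


def contextualize(feed, assets):
    """Split a feed into locally actionable and merely generic entries.

    An entry is actionable if at least one local asset runs the targeted
    platform and exposes the targeted service; its priority is the feed
    confidence multiplied by the highest criticality among exposed assets.
    """
    actionable, generic = [], []
    for entry in feed:
        t = entry["targets"]
        exposed = [a for a in assets
                   if a.platform == t["platform"]
                   and (t["service"] is None or t["service"] in a.services)]
        if not exposed:
            generic.append(entry)      # no local context: reference data only
            continue
        score = entry["confidence"] * max(a.criticality for a in exposed)
        actionable.append({**entry, "priority": round(score, 2),
                           "exposed_hosts": sorted(a.host for a in exposed)})
    actionable.sort(key=lambda e: e["priority"], reverse=True)
    return actionable, generic
```

Note that dc01 is Windows but does not expose RDP, so the first indicator is tied to jump01 alone; the macOS indicator matches nothing locally and stays generic.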

Adam Schoeman is a senior intelligence analyst at SecureData