Threat Intelligence May Not Be The Answer

Dow Jones’s Rob Sloan queries whether the vendor drive for threat intelligence is really what we need to focus on

Threat intelligence, according to many security vendors, is a key part of the solution to network defense. Organizations are encouraged to spend tens of thousands of dollars on intelligence feeds that will actually do very little to substantially improve their cybersecurity. For many, threat intelligence will be a complete waste of money.

The argument from the vendors is simple: knowing what threat actors are doing allows proactive protection of networks. To generate insight, vendors employ teams to analyze data from deployed security appliances or client networks where incident response work was conducted.

This is supplemented with open source information or third party data repositories such as VirusTotal and sold to subscribers, often with complementary public releases (minus the signatures) to generate PR and drive further sales. Research is expensive, in part because the human skills are in short supply and high demand, but also because organizations pay top dollar for any perceived defensive advantage. However, the return on investment from organizations consuming the feeds simply does not pay off.

Intelligence is information that has been assessed, but is interpretation, not necessarily fact. Intelligence plots dots on a blank sheet of paper, and may at best join some of the dots up, but it cannot give the rich picture. Most organizations are unable to add the expertise required to connect the dots. Just because an attacker used a technique once does not mean it will be used again.

"Threat intelligence vendors guard their research to the detriment of the wider community"

We constantly hear about ‘campaigns’ where industries are targeted with a common methodology. However, no single vendor ever has a complete view of a campaign, only the networks and connected infrastructure to which their visibility extends. A failure to note any activity in a particular sector resulting from ‘campaign blindness’ could give a client a flawed view of the picture and cause a low priority to be assigned to the threat, ultimately leaving the client no better off.

Threat intelligence vendors operate in contrast to anti-virus companies. When one AV company analyzes a new malware sample those signatures are shared with peer organizations, reducing the burden for individual companies and ultimately protecting the entire user community from known threats, regardless of size or budget. Organizations do not need the details of the attack; they just want to know they are protected.

Threat intelligence vendors guard their research to the detriment of the wider community, and prices ensure that only those companies able to pay the hefty subscriptions get access, leaving many SMBs and critical parts of the supply chain in the dark.

Networks, the solutions and resources defending them, and the data that resides on them vary greatly, and so too do attacks. Even within threat groups, skills and preferred tools can vary between operators and reusing malware and infrastructure for multiple targets carries risk: if a campaign is uncovered, the loss of tools and access takes time and expense to restore. Segregating infrastructure means one discovery does not risk a whole campaign and reduces political risk for state actors.

Even where an attack is identified or blocked through threat intelligence reporting, the attackers will return. The clue is in the ‘P’ of ‘APT’: sophisticated attackers are persistent and have a requirement for data, attacking until they get it. If an attacker tries a method that is detected, they will counter with something different until they are successful.

Regardless of the quality of the original analysis and intelligence report, the customer must extract value for their organization. This involves loading signatures into monitoring solutions, but it also means understanding the wider business context and having clarity on where sensitive data is being generated and stored. This is the role of a skilled intelligence analyst with reach across the business rather than an I.T. or SOC analyst responsibility, and few companies have this. Intelligence should also fulfill the organization’s requirements; relevance and quality greatly outweigh quantity.

Most organizations desperately want solutions to cyber-attacks and the sales pitch for threat intelligence promises a great deal. With pressure to provide assurances to executives that data is secure, many CISOs and security managers will attach significance to what they know, rather than what they do not, which could give a false sense of security.

At its best threat intelligence might provide occasional protection from attacks. At its worst it is an expensive source of information that bears no relevance to securing a network and may mislead decision-makers. Knowing the threat actors who are seeking to attack can be useful, as can identifying business critical data, but knowledge of other attacks is not required for that. Limited security budgets are better invested in resources and technology to strengthen defenses, identify and respond to attacks and to prevent damage rather than on cyber clairvoyance.


About the Author

Rob Sloan is head of cyber content and data at Dow Jones Risk and Compliance. His role focuses on providing thought leadership, developing new products and services, and advising internally on cyber risk. Previously, Rob was response director at Context IS in London and started his career in UK government, looking at attacks targeting the critical national infrastructure. 


What’s Hot on Infosecurity Magazine?