What is Cyber Threat Intelligence and why do I need it?
Global Cyber Threat Intelligence – much ado about something…
The Information Security market is buzzing about cyber threat intelligence. Following all of the ‘Big Data’ discussions that gripped the security market in 2013, cyber threat intelligence has become one of the hot topics in the industry for 2014–a natural evolution as mining all of your data and incorporating data from outside sources should result in some form of newfound intelligence. Running a simple Google search will deliver more than 5 million results and walking any security trade show floor will have you running into the word “Intelligence” at every turn.
But why? Is there really a gold mine of value waiting for your organization in the form of Cyber Threat Intelligence?
A resounding “yes” is the answer. But that answer, and the real value derived, depend largely on the definition of cyber threat intelligence. They also depend on how well you integrate cyber threat intelligence into your existing workflows, create new workflows around it and fuse it with new and existing defensive technologies. Leading organizations already know that cyber threat intelligence, from both internal and external sources, can provide value when it is researched, analyzed and disseminated correctly. Benefits include:
• Changing the security model from reactive to proactive–if you understand your adversaries you can develop tactics to combat current attacks and plan better for future threats.
• Shrinking the security alert problem that is overwhelming most security teams.
• Driving better, more informed responses to security incidents.
• Extending the life of aging security technologies and turbocharging new defenses by feeding them real-time intelligence updates to enable blocking of rapidly emerging threats.
• Enhancing communications between the security team, management and board members.
• Driving better investment strategies and more directly connecting security priorities with business risk management priorities.
Definitions matter–especially in a rapidly emerging segment of the cyber security industry where vendors often twist the latest terms to fit their marketing efforts.
We’ve put together this brief to help you better understand cyber threat intelligence–what it is, why it is important and why you should be considering its use in your security practice. In follow-on briefs we will discuss methods for integrating cyber threat intelligence into your workflows and provide detailed case studies (including ROI) from our clients across the Global 2000.
CISO Recommendation: “Use a commercial threat intelligence service to develop informed tactics for current threats, and plan for threats that may exist in the midterm future.”
– Rob McMillan & Kelly Kavanagh, Technology Overview for Security Threat Intelligence Service Providers
What is Cyber Threat Intelligence?
Filtering the market noise…
Unfortunately many definitions exist for cyber threat intelligence. Because it is an emerging and very promising new space, security vendors are trying to carve out their lanes and capitalize on the buzz. When considering this space, it is vitally important to know that cyber threat intelligence offerings are not created equal. In fact, many are not intelligence offerings at all.
What you will find is that most vendors are equating cyber threat intelligence with raw information–for example, data feeds of bad IP addresses or other unvetted indicators that are dumped into your environment for machine-to-machine consumption or for your security team to sort out. These vendors are confusing “information” with “intelligence.” More raw “information” is not what your teams or your security technologies need–they are already swimming in data. A data feed with a mountain of raw, unfiltered information will only exacerbate the alarm overload and false positive issues security teams face today.
A useful comparison of the difference between “information” and “intelligence” is summarized below. It is largely drawn from the pioneers in the field of intelligence–the global military intelligence and national intelligence communities, from which a number of iSIGHT’s 200+ experts come:
Information versus Intelligence

Information                                  | Intelligence
---------------------------------------------|---------------------------------------------------------------
Raw, unfiltered feed                         | Processed, sorted information
Unevaluated when delivered                   | Evaluated and interpreted by trained intelligence analysts
Aggregated from virtually every source       | Aggregated from reliable sources and cross-correlated for accuracy
May be true, false, misleading, incomplete,  | Accurate, timely, complete (as possible), assessed for relevancy
relevant or irrelevant                       |
Not actionable                               | Actionable
“Many vendors can provide raw information, but there are only a comparative few that provide true intelligence capabilities.”
– Rob McMillan & Kelly Kavanagh
Gartner on Threat Intelligence…
In an October 2013 report on threat intelligence, Gartner essentially points out that most vendors are offering cyber threat information–not cyber threat intelligence–and that “only a comparative few (vendors)…provide true intelligence capabilities.” Gartner defines cyber threat intelligence as follows, and we think this is the bar by which all vendors claiming to offer these services should be measured:
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Simply providing a dump of raw data into an already strained organization doesn’t help to narrow the security problem, it actually compounds it. Gartner has it right. Cyber threat intelligence needs to include much more than raw data. It requires rich contextual information that can only be created with the application of human analysis. This contextual information includes an understanding of the past, present and future tactics, techniques and procedures (TTPs) of a wide variety of adversaries. It must also include the linkage between the technical indicators (e.g., IP addresses and domains associated with threats or hashes that “fingerprint” malicious files), adversaries, their motivations and intents, and information about who is being targeted.
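The table above contrasts raw feeds with evaluated, cross-correlated, relevance-assessed output, and Gartner’s definition asks for context, indicators and actionable advice together. The following script is an added example (not iSIGHT’s code or any product’s pipeline) of the minimum processing that turns the left-hand column into the right-hand one: records for the same indicator are merged across sources, confidence is combined from per-source reliability grades so independent corroboration raises it, known shared infrastructure and conflicting attributions are flagged rather than blindly passed on, and an action is attached only where the indicator matches the subscriber’s stated requirements. All feed records, source names, actor names, reliability grades and the requirements dictionary are constructed for illustration.

```python
"""Added example: turning raw indicator feeds ("information") into scored,
contextualised, relevance-filtered records ("intelligence").
Every feed record, source, actor and grade below is constructed."""
from dataclasses import dataclass, field

# Source reliability grades in the style of the admiralty system used by
# military intelligence (A = completely reliable ... E = unreliable).
# Which grade a real source earns is an analyst judgement; these are assumed.
SOURCE_GRADE = {
    "sharing_group": "A",   # vetted industry sharing platform
    "vendor_feed":   "B",   # commercial indicator feed
    "own_logs":      "B",   # the subscriber's own proxy/firewall logs
    "paste_scrape":  "D",   # indicators scraped from underground pastes
}
GRADE_WEIGHT = {"A": 0.9, "B": 0.7, "C": 0.5, "D": 0.3, "E": 0.1}

# Constructed raw feed records: (source, indicator type, value, context).
# They include one indicator seen in three places, an unevaluated scrape,
# a "bad domain" that is really shared CDN infrastructure, and two sources
# that disagree about which actor owns an address.
RAW_FEEDS = [
    ("vendor_feed",   "ipv4",   "203.0.113.10",    {"actor": "ACTOR-A", "industry": "finance"}),
    ("sharing_group", "ipv4",   "203.0.113.10",    {"actor": "ACTOR-A", "industry": "finance", "ttp": "credential phishing"}),
    ("own_logs",      "ipv4",   "203.0.113.10",    {"seen": "outbound 443 from workstation"}),
    ("paste_scrape",  "ipv4",   "198.51.100.7",    {}),
    ("vendor_feed",   "domain", "cdn.example.net", {"actor": "ACTOR-B", "industry": "energy"}),
    ("sharing_group", "domain", "cdn.example.net", {"actor": "ACTOR-B", "industry": "energy"}),
    ("vendor_feed",   "ipv4",   "192.0.2.55",      {"actor": "ACTOR-A"}),
    ("sharing_group", "ipv4",   "192.0.2.55",      {"actor": "ACTOR-C"}),
    ("sharing_group", "sha256", "a" * 64,          {"actor": "ACTOR-A", "industry": "finance", "malware": "loader"}),
]
# Constructed allowlist: infrastructure the subscriber knows to be shared/benign.
KNOWN_BENIGN = {("domain", "cdn.example.net")}


@dataclass
class Indicator:
    itype: str
    value: str
    sources: set = field(default_factory=set)
    context: dict = field(default_factory=dict)
    confidence: float = 0.0
    assessment: str = ""
    action: str = ""


def correlate(feeds):
    """Merge every feed record for the same (type, value) into one object."""
    merged = {}
    for source, itype, value, ctx in feeds:
        ind = merged.setdefault((itype, value), Indicator(itype, value))
        ind.sources.add(source)
        for key, val in ctx.items():
            # Disagreement between sources is recorded, never silently overwritten.
            if key in ind.context and ind.context[key] != val:
                ind.context[key] = f"CONFLICT: {ind.context[key]} / {val}"
            else:
                ind.context.setdefault(key, val)
    return merged


def evaluate(ind):
    """Combine independent source grades (noisy-OR) so corroboration raises
    confidence, then apply the evaluation rules an analyst would apply."""
    p_false = 1.0
    for src in ind.sources:
        p_false *= 1.0 - GRADE_WEIGHT[SOURCE_GRADE[src]]
    ind.confidence = round(1.0 - p_false, 3)
    if (ind.itype, ind.value) in KNOWN_BENIGN:
        ind.assessment = "shared infrastructure; blocking would cause collateral damage"
        ind.confidence = 0.0
    elif any(str(v).startswith("CONFLICT") for v in ind.context.values()):
        ind.assessment = "sources disagree; needs analyst review"
    elif len(ind.sources) == 1 and GRADE_WEIGHT[SOURCE_GRADE[next(iter(ind.sources))]] < 0.5:
        ind.assessment = "single low-reliability source; unevaluated"
    else:
        ind.assessment = "corroborated"
    return ind


def recommend(ind, requirements):
    """Attach an action only if the indicator matches the subscriber's stated
    intelligence requirements (industry, actors of interest) or was already
    observed in the subscriber's own environment."""
    relevant = (ind.context.get("industry") == requirements["industry"]
                or ind.context.get("actor") in requirements["actors"]
                or "own_logs" in ind.sources)
    if not relevant or ind.assessment != "corroborated":
        ind.action = "none (not actionable)"
    elif "own_logs" in ind.sources:
        ind.action = "open incident: indicator already observed internally"
    else:
        ind.action = {"ipv4": "block at perimeter", "domain": "sinkhole in DNS",
                      "sha256": "hunt in EDR"}[ind.itype]
    return ind


def produce_intelligence(feeds, requirements, min_confidence=0.5):
    """Full pipeline: correlate -> evaluate -> assess relevance -> rank."""
    out = [recommend(evaluate(i), requirements) for i in correlate(feeds).values()]
    actionable = [i for i in out if i.confidence >= min_confidence and not i.action.startswith("none")]
    return sorted(actionable, key=lambda i: i.confidence, reverse=True)


if __name__ == "__main__":
    reqs = {"industry": "finance", "actors": {"ACTOR-A"}}   # assumed requirements
    for ind in produce_intelligence(RAW_FEEDS, reqs):
        print(f"{ind.confidence:.2f} {ind.itype:6} {ind.value[:20]:20} {ind.action} | {ind.context}")
```

Run as written, nine raw records collapse to five indicators and only two survive as actionable: the address corroborated by three sources (already seen in the subscriber’s own logs, so the action is an incident rather than a block) and the hash tied to the actor of interest. The single-source paste scrape, the shared CDN domain and the address with conflicting attribution are all held back with a stated reason, which is the difference between a feed and an assessment.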
This level of contextual understanding can only be gathered through a research process that involves the identification and ongoing monitoring of threat actors and the global threat ecosystem. It also requires a fusion center with very experienced analysts using a formal process and sophisticated tools to merge this disparate research information into finished intelligence. This is precisely why iSIGHT has located a large team of researchers across 16 countries and built a state-of-the-art fusion center in the Washington DC area.
By fusing human-gathered intelligence with timely and accurate technical intelligence, you get what you really need–rich, accurate and actionable intelligence that can inform your planning efforts, improve decision making, and help you prioritize and respond to existing or emerging threats. To get this accurate technical intelligence, a large corpus of data is required. This should include open-source data, indicators scraped from the underground and analysis of various malware toolkits to understand their broad capabilities, information from your own proprietary logs, information shared from various industry groups or sharing platforms, and information collected from a broad network of security and technology partners.
When looking for a cyber threat intelligence solution you need to understand that you aren’t buying technology so much as engaging with a long term partner that extends the size of your team and strengthens your defenses both from a human and technological perspective.
At iSIGHT Partners we understand these requirements and we’ve spent the past 7+ years developing our Intelligence capabilities around:
• Threat Actors: Tracking nation-state activities, organized cyber criminals and hacktivists
• Vulnerabilities and Exploitation: Uncovering zero-days on a daily and weekly basis, monitoring CVEs and tracking exploitations in the wild
• Mechanisms and Indicators: Analyzing malware family derivatives, tracking DDoS technology and its evolution, monitoring command and control infrastructures, etc.
• Actionable Advice: Providing clients with ongoing, daily stream reporting to filter the noise and drive decision advantage over the adversaries that confront them
Actionable Intelligence – Signal vs. Noise
As further indication that this is a rapidly emerging market that you should be focused on, Forrester Research is also following the cyber threat intelligence space. In their research, they place a heavy emphasis on making sure that cyber threat intelligence is actionable. So does iSIGHT. In a pre-RSA 2014 blog post, their lead analyst on the subject–Rick Holland–laid out seven specific criteria that cyber threat intelligence must address to be considered actionable.
Below are excerpts of that blog along with iSIGHT’s thoughts on how we meet these criteria.
Forrester: Actionable intelligence is ACCURATE
Credibility is the currency of the CISO. To protect that credibility, iSIGHT Partners has built (and refined for nearly a decade) a government-standards, yet commercial-speed, model for intelligence analysis. The result is enduring high-fidelity, contextual insight with exceptionally rare inaccuracies.
Forrester: Actionable intelligence is ALIGNED WITH YOUR INTELLIGENCE REQUIREMENTS and TAILORED
At iSIGHT we help our clients identify their requirements as part of our initial consultation process. Many of these requirements already fall into our existing body of research and analysis. Where more specific needs are identified–based on a client’s unique risk profile–we drive our research teams to those requirements and incorporate those needs into the outputs we provide.
Forrester: Actionable intelligence is INTEGRATED
Relevant intelligence demands a response, often by changing existing systems to protect against a specific threat. With manual intelligence evaluation, these changes can be exhaustively time consuming and potentially cost prohibitive (at least from the CFO’s perspective). Time and cost saving integrations with existing systems are absolutely critical. iSIGHT offers a number of ‘out of the box’ integrations driven through our Technology Alliance Partnerships. Our ThreatScape API solution enables customer driven integration where ‘out of the box’ integration is not yet available.
Actionable Intelligence is:
• Accurate
• Aligned with your intelligence requirements
• Integrated
• Predictive
• Relevant
• Tailored
• Timely
– Rick Holland, Blog: Actionable Intelligence, Meet Terry Tate, Office Linebacker. Published: 11 February 2014
Forrester: Actionable intelligence is PREDICTIVE
At the very basic level, intelligence must be forward-looking. Forensics and “digital dumpster diving” can provide pathology, but cyber professionals need to know what the next attack will likely be, not a rear view mirror understanding of what attacks already happened. iSIGHT Partners has 200+ people in 16 countries focused on the cyber underground. We see what the threats are before they materialize into active events.
Forrester: Actionable intelligence is RELEVANT
Knowing what threat capabilities are out there is critical, but understanding groups, actors and motivations is vitally important also. Most of our clients (and cyber security professionals) have too much unfiltered threat data, so iSIGHT Partners segments threat activity by actor, area, industry, intent, etc. We go through the haystack, sending just the needles to the client.
Forrester: Actionable intelligence is TIMELY
Recognizing that reality, iSIGHT Partners speeds insight to customers, reducing the cost to mitigate and ensuring that threat information beats the onset of an attack.
The core truth is that cyber security professionals already have too much unfiltered data causing too many false alarms. What they need is predictive, accurate insights on the real threats relevant to them delivered at a speed and format that enables an efficient, effective response.
The bottom line: There is a world of difference between basic cyber threat information and actionable cyber threat intelligence and iSIGHT Partners is at the forefront of the cyber threat intelligence market.
Cyber Threat Intelligence – From the Board Room to the Security Operations Center
When correctly implemented in your organization, cyber threat intelligence is a game changer–not only for the men and women in the Security Operations Center trenches, but for the business as a whole.
Our clients are using cyber threat intelligence to revolutionize and reinvigorate the relationship between security and the business–changing their operating models from reactive and threat based to proactive and risk based. Cyber threat intelligence helps them drive rapid response to threats that matter (supporting the mission of the SOC) and helps them get ahead of the curve on threats over the horizon by making the right investments–driving the risk-based security decisions that map to the needs of the business.
At iSIGHT, we provide intelligence in formats geared towards different stakeholders. We provide executive summaries written in layman’s language with reporting on adversaries, vulnerabilities and exploitation, and on security trends geared specifically towards business leaders. These intelligence reports help CISOs communicate to the rest of the business–providing tools to highlight the need for action and when required even debunk hype in the industry. Our
intelligence includes a daily news analysis service that can be shared with senior leadership–taking stories that appear in major news outlets and trade publications and applying our analysis. This gets CISOs out in front of the questions they are likely to receive and saves them, and their overtaxed teams, research time that can be better used for protecting the organization.
When it comes to driving better day-to-day defenses, we offer deep dive technical reporting and the machine-to-machine integrations described in the section above on actionable intelligence.
Our clients have gravitated towards the use of cyber threat intelligence for a wide variety of reasons. Some that stand out are:
• Driving business-level and board-level discussions about the risks their adversaries represent
• Gaining a true understanding of varying adversarial motives and intents and prioritizing policies and security investments around them
• Moving their organizations from event driven (reactive) to intelligence-led and risk driven (proactive) security models
• Driving broad-level strategic decisions by improving adversary visibility–moving from a near-sighted position to one of 20/20 clarity
• Extending the life and effectiveness of aging security infrastructure by feeding actionable, real time threat intelligence into those systems
• Reducing operational chaos and improving tactical response by fusing intelligence with security events
The iSIGHT Partners Difference…
Like “cloud computing” or “big data”, cyber threat intelligence risks becoming a watered-down phrase employed by vendors in an attempt to “sell more stuff,” just as its purpose and value become most clear. That is why we’ve put together this primer on cyber threat intelligence–to help you set the bar for what to expect from a partner in this space. As we’ve explored, there is a significant difference between cyber threat information and cyber threat intelligence. As Gartner highlights, there is a scarcity of vendors offering true intelligence. When looking at vendors in this space, consider the Gartner definition carefully and evaluate potential partners against it. Also keep in mind the need for actionable intelligence highlighted by Forrester Research.
If you keep these issues in mind, you’ll find that iSIGHT Partners is unique in the market. Having delivered intelligence globally for more than seven years–to clients in government and the private sector–we pride ourselves on delivering against the criteria we’ve discussed in this paper.
At iSIGHT, we’ve invested heavily in building and refining our threat intelligence capability over nearly a decade. We have unmatched experience and reach–over 200 experts around the globe with deep historical perspectives in cyber intelligence gathering, analysis and dissemination. We have combined this experience with a well-oiled process and technology platform based on a formal intelligence lifecycle. The result is that we help our clients see the big picture as it relates to the threats they face and we provide the depth and context that drives better decisions. We fuse technology and human intelligence. We are leading the way in cyber threat intelligence–providing a bridge between security and the business and supporting some of the most sophisticated government and private organizations in the world. We are also helping others who are starting their journey towards building intelligence-led security programs.
Turning “Information” into “Intelligence” requires deep technological capabilities and human expertise–the type that only iSIGHT has developed throughout these years.