What should I look for in a Threat Intelligence Solution?


This blog article is part of a series: Part 1 | Part 2 | Part 3

In this final article in this series, I provide some guidance on what to look for in a CTI solution.

The four important questions when assessing CTI should be:

  1. How current is the Threat Intelligence Provided?
  2. How broad is the coverage?
  3. What contextual information is available to help understand the risk?
  4. Integration and automation

One other consideration on what to look for in a CTI solution is related to the importance of attribution. A lot of time and effort is spent arguing over the importance of attribution, and I don’t believe there is a definitive answer. I believe it depends upon your circumstances, resourcing and the sector in which you work. Attribution, may not matter at all for certain sectors or companies, but it is will certainly be important if you are a specialist manufacturer with process secrets, who is being infiltrated by a lead competitor. Similarly, if you are a large government defence agency, it is probably important to understand if a nation states is behind an intrusion. Cybercriminals, issue motivated groups, hacktivists, disgruntled employees, or some other disenfranchised assortment can certainly cause many problems, but attribution may not be important at all in looking at CTI solutions. If attribution is important to your organisation, then that should be a fifth consideration when assessing CTI solutions.

After going through these questions, you may also find that you have sufficient coverage currently with the Threat feeds you are getting via your existing vendors or via various open source providers.

CTI information currency is all important. Put simply, the more frequent the updates, the smaller the potential threat window is. Frequent, meaningful updates are important to keep your threat intelligence information updated and current over time. Real time, or near real time updates are optimal.

Coverage is the second important assessment criteria. It is impossible to cover all threat sources, and any vendor that promises this should be avoided. Coverage really comes down to being a big data issue. Some useful measures include:

  1. the number of IP addresses monitored.
  2. the number and variety of Threat Intelligence sources. A good cross section is important, and could include: verified existing feeds; anonymised customer data; Internet registries; known Botnets; DNS information; geolocation information (down to the country, state, city and ideally GPS coordinates); deployed honeypots; darknet data; deployed crawlers; anonymous proxy information (including TOR); free DNS services; and wherever financially viable external networks (although this can be costly).
  3. the volume of traffic monitored on a daily basis.
  4. Catch rate improvements, verified by independent and respected test authorities.
  5. The last consideration may be if internal threat information is used from other customers and can this data be broken down based on a particular data categorisation such as industry.

Contextual data should include all the metadata that relates to the threat intelligence, such as the time that the intelligence is collected, the type of threat, the geolocation to enable high risk geographies to be highlighted, and the source of the intelligence (internal, external, free). Probably the most important piece of contextual information, is how the threat intelligence is rated from a risk perspective. Here is where it can get a little tricky, as most CTI vendor will promote their own proprietary algorithm or methodology. The only real way to get to grips with this element is to run a proof of concept before purchasing and take up site references and specifically drill into this element with current clients. Because things change pretty quickly in cyberspace, currency of this contextual information is also very important.

Automation and integration is the last important factor in assessing CTI. Automation makes the intelligence actionable from a technology configuration perspective. Integration is important to ensure that automation is possible within your chosen technology stack. Broad support of common technologies is important, as is an accessible or open API.

In summary the issues to focus on when selecting a CTI solution should therefore come down to speed, reach, accuracy across a seemingly infinite data set, together with the ability to integrate and automate.

I hope that you enjoyed this series on cyber threat intelligence. If you would like to learn more about the subject or would like to talk to me, I can be contacted via email at: slane@shearwater.com.au