Threat intelligence today

Organizations seeking to proactively identify and counter today’s flood of cyberattacks can’t complain about having limited options for conducting threat analysis. Spurred by the growth in attack volumes, types and sophistication, the field of cyberthreat intelligence (CTI) has been experiencing its own growth spurt. In fact, there are now so many sources of threat information that companies may find it almost as difficult to analyze the CTI alternatives as it is to detect cyberthreats themselves.

Broadly speaking, CTI solutions comb through huge volumes of network traffic, security events and other relevant data. Their objective is to identify indicators of compromise (IOCs), known attack tactics, techniques and procedures (TTPs), and other forms of attack signatures. Some solutions leverage machine-learning techniques, aiming to extrapolate from known attack patterns and signatures so they can flag new, as-yet-unidentified threats.

Companies can deploy their own on-premises solutions to analyze potential threats, of course. Most notably, in-house solutions include security information and event management (SIEM) systems, which sort through the huge volumes of events generated by today’s IT infrastructures and networks.

Beyond their own monitoring and analysis systems, however, organizations are increasingly turning to third-party sources of CTI, such as network carriers and security tool vendors.

Response to growing, evolving threats

Organizations need to establish a comprehensive CTI regime that combines several layers of analysis and – ideally – automated response. The scope of the challenge is illustrated by some of the statistics associated with AT&T Threat Intellect, the CTI foundation underlying many of the security services at AT&T.

To identify threat activity, AT&T monitors more than 115 petabytes of data crossing its network on an average business day, looking for abnormal or malicious activity patterns. Among other threats, AT&T identifies approximately 5 billion vulnerability scans and 200,000 malware events each day. And that’s just the threats AT&T sees on its own networks.

At present, the CTI market is somewhat disjointed, with a fair amount of overlap among different CTI services and systems. There are efforts underway, however, to promote more CTI consistency, as well as information sharing among CTI providers. One vendor-driven initiative, for example, is the Cyber Threat Alliance, whose members have agreed to share their threat information with one another rather than keeping it proprietary as a competitive differentiator.

An effort to promote adoption of several open specifications for CTI is also gaining traction. One specification, the Trusted Automated eXchange of Indicator Information (TAXII), defines several models through which organizations can securely share CTI. Another specification, the Structured Threat Information Expression (STIX) language, provides a standardized, structured way to describe cyberthreats, so that indicators received from one provider can be consumed by another organization's tooling without manual re-entry.
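As an added illustration of what "structured" buys a defender (this is example code written for this article, not part of the STIX or TAXII projects), the script below reads a constructed STIX 2.1 bundle, pulls the observable values out of its indicator patterns, and checks them against a few constructed log lines. The bundle contents, domain, hash and log lines are all made up; only the STIX object layout and pattern syntax are real. The single-comparison pattern parser is an assumption for brevity: compound patterns (AND, OR, FOLLOWEDBY) would need a full STIX pattern parser.

```python
import json
import re

# Constructed STIX 2.1 bundle with two indicators. The IDs, domain and hash are
# sample values invented for this example, not real intelligence.
FAKE_SHA256 = "0123456789abcdef" * 4
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2017-01-01T00:00:00.000Z", "modified": "2017-01-01T00:00:00.000Z",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example.invalid']",
         "valid_from": "2017-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2017-01-01T00:00:00.000Z", "modified": "2017-01-01T00:00:00.000Z",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % FAKE_SHA256,
         "valid_from": "2017-01-01T00:00:00Z"},
    ],
})

# Constructed log lines; line 2 and line 3 contain the two indicators above.
SAMPLE_LOGS = [
    "2017-03-01T10:00:00Z dns query=www.example.com client=10.0.0.5",
    "2017-03-01T10:00:02Z dns query=bad.example.invalid client=10.0.0.7",
    "2017-03-01T10:01:00Z av scan file=report.pdf sha256=%s" % FAKE_SHA256,
]

# Single-comparison STIX pattern: [<object-type>:<property> = '<value>']
PATTERN_RE = re.compile(r"^\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")

def extract_iocs(bundle_json):
    """Map (object_type, property) -> set of lower-cased values from STIX indicators."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # compound patterns are out of scope for this parser
        iocs.setdefault((m["type"], m["prop"]), set()).add(m["value"].lower())
    return iocs

def match_logs(iocs, log_lines):
    """Return (line_number, 'type:property', value) for every log line holding a known IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        lowered = line.lower()
        for (otype, prop), values in iocs.items():
            hits.extend((n, f"{otype}:{prop}", v) for v in values if v in lowered)
    return hits
```

Substring matching is used here for brevity; a production matcher would compare against parsed log fields to avoid false positives on partial overlaps.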

All told, the CTI field is doing a good job of keeping pace with the growing volumes and rapid evolution of the cyberthreats it seeks to counter. Organizations need to educate themselves about the many sources of CTI available to them, and should ensure that their cybersecurity defenses include CTI elements that are well aligned with the threats they're likely to encounter.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2017 IDG Communications, Inc.