Director of Product Management, ProtectWise

Why a One-Size Fits All Approach to Threat Intelligence Does Not Work

Apr 28, 2017

Underground forums make exploit kits easily available, enabling anyone to perpetrate sophisticated and targeted attacks. This “commercialization” of malware makes it almost effortless for attackers to stay ahead of security vendors and incident responders because instead of starting from scratch, hackers keep adapting their capabilities.

It’s not all doom-and-gloom, as the continuous reuse of these kits increases the likelihood that someone — e.g., a researcher, analyst, organization or group — has already seen the attack and provides the intelligence for organizations to make decisions about how to respond. There is a lot of interest in threat intelligence. The segment is a hot one: 85 percent compounded annual growth off of $190 million in 2015 revenue and there is a long list of vendors that provide a range of threat intelligence-related services.

However, known attacks — ones that can be identified via threat intel — are frequently overlooked, and best efforts mistimed and misaligned. Many factors contribute to this, but one is the growing firehose of information coming from the many different organizations that provide threat feeds about newly discovered exploits and vulnerabilities. How so? Organizations subscribe to a number of threat feeds, which are constantly being updated. A daily required chore for security operations center (SOC) analysts is to comb through this information to determine what is valuable to the organization. This is not an easy task because:

  • Deciphering threat intel takes time and specialized skill as it contains much more than trivial, self-evident information about a threat.
  • There are many different types of threat intel and indicators of compromise with which analysts must be familiar.
  • Analysts must consider the source of the information and the reliability of the information itself. Unfortunately, independent lab tests that compare different threat intelligence services aren’t easily available.
  • There is also an issue of timeliness. Attack techniques can change in the time between the creation of third-party intel and its use by security teams, compromising its effectiveness. This is especially true for rapidly evolving threats like exploit kits.

There is an additional twist that impacts the effectiveness of threat intel from commercial and third-party sources: it cannot account for the uniqueness of each customer’s network. For example, intel about a threat that is targeting a local educational institution might not be valuable to the team responsible for protecting a multinational semiconductor company operating in multiple global locations. Given this, you can understand why attacks may still be overlooked despite the availability of this rich information about threats.
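As an added example (not from the article or any vendor product), the following script shows how the three criteria above, source reliability, timeliness and relevance to the organization’s own sector, could be applied to merge and rank indicators from several feeds before an analyst ever looks at them. The feed records, per-source reliability weights, seven-day half-life and sector tags are all constructed assumptions.

```python
"""Prioritise indicators from several threat feeds for one organisation.

Added example, not from the article or any vendor product. Feed records,
reliability weights, the half-life and the sector tags are constructed
assumptions for illustration only.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 4, 28, tzinfo=timezone.utc)   # assumed "today"
HALF_LIFE_DAYS = 7.0                                # assumed decay for fast-moving threats
RELIABILITY = {"vendor_feed": 0.8, "isac_feed": 0.9, "osint_list": 0.5}  # assumed trust per source

# Constructed sample records; a real pipeline would parse STIX/CSV feeds here.
FEEDS = [
    {"source": "vendor_feed", "type": "domain", "value": "bad.example",
     "last_seen": NOW - timedelta(days=1), "sectors": ["finance", "education"]},
    {"source": "isac_feed", "type": "domain", "value": "bad.example",
     "last_seen": NOW - timedelta(days=2), "sectors": ["finance"]},
    {"source": "osint_list", "type": "ip", "value": "198.51.100.7",
     "last_seen": NOW - timedelta(days=30), "sectors": []},
    {"source": "vendor_feed", "type": "url", "value": "http://ek.example/landing",
     "last_seen": NOW - timedelta(days=3), "sectors": ["education"]},
]

def age_factor(last_seen, now=NOW, half_life=HALF_LIFE_DAYS):
    """Timeliness: intel loses half its weight every half_life days."""
    age_days = max((now - last_seen).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / half_life)

def prioritise(records, org_sectors, now=NOW):
    """Merge duplicate indicators across feeds, then score and rank them."""
    merged = {}
    for r in records:
        key = (r["type"], r["value"])
        m = merged.setdefault(key, {"type": r["type"], "value": r["value"],
                                    "sources": set(), "last_seen": r["last_seen"],
                                    "sectors": set()})
        m["sources"].add(r["source"])
        m["last_seen"] = max(m["last_seen"], r["last_seen"])   # most recent sighting
        m["sectors"].update(r["sectors"])
    scored = []
    for m in merged.values():
        reliability = max(RELIABILITY.get(s, 0.3) for s in m["sources"])  # best-trusted source
        corroboration = 1.0 + 0.25 * (len(m["sources"]) - 1)              # several feeds agree
        # Untagged intel is treated as generic; tagged intel must match the org's sector(s).
        relevance = 1.0 if not m["sectors"] or m["sectors"] & set(org_sectors) else 0.4
        m["score"] = round(reliability * corroboration * relevance
                           * age_factor(m["last_seen"], now), 3)
        scored.append(m)
    return sorted(scored, key=lambda m: m["score"], reverse=True)
```

Running `prioritise(FEEDS, {"finance"})` ranks the corroborated, sector-relevant domain first and the month-old untagged IP last, which is the kind of ordering the article argues a SOC needs before triage starts.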

To ensure reliable detections, a security solution must give organizations the ability to derive the most from commercially available threat feeds. One way to accomplish this is by doing away with the “black box” approach, in which the inner workings of commercial and third-party threat intel sources are invisible to security analysts because the rules are written and tuned by vendors. The intention of this approach is to simplify what is complex. While noble, it hampers security analysts: even though they may have the intel, they have no way of knowing whether a small tweak or a complete rewrite will increase the efficacy of a poorly performing rule.

The same security solution must also accommodate additional sources of threat intel available to organizations. Threat intelligence varies by industry vertical and organizations may have access to feeds that security vendors do not (e.g., threat intel feeds from FS-ISAC are available only to financial institutions). Many organizations, especially those with large threat research teams, may develop highly tailored intelligence. A security solution should be able to use the threat intel sources that capture the uniqueness of an organization’s network as that will result in more reliable detections.

And it should go without saying that an important goal of any security solution should be to obviate the SOC analyst’s daily chore of combing through intel to determine what’s valuable. Vendors that carefully vet and curate the threat feeds available in their solutions by default put you on the path to achieving this goal.

Commercially available threat intelligence holds tremendous promise, but SOC teams must be able to tailor its most meaningful components while also balancing what is uniquely valuable to their organizations. The modern enterprise network extends beyond traditional on-premises environments to encompass public and private cloud and industrial environments. Threat intelligence should enable the organization, not overwhelm its security teams with false positives and excessive alerts about harmless issues. A security solution must allow security teams to easily use threat intel in a way that accommodates the uniqueness of each organization’s network. Doing so will result in more reliable detections, a must to retain the sanity of your short-staffed and overworked security teams.

Kacy is a proven leader with over 15 years of product experience across industries. At ProtectWise, she is responsible for developing and executing on the product strategy and roadmap. Prior to ProtectWise, Kacy was the Head of Consumer Products at MapQuest, where she managed product, engineering, and marketing for web and mobile products. She received a BSE in Industrial and Operations Engineering from the University of Michigan and an MBA and Masters in Finance from the University of Colorado.