6 Capabilities to Look for in Any Threat Intelligence Solution

Posted: 9th January 2018
6 Capabilities to Look for in Any Threat Intelligence Solution

Choosing the right threat intelligence solution is difficult when so many choices already exist in a growing market.

The needs of each organization vary, meaning the best solution for one group is not necessarily ideal for another, and selecting the best solution for your needs is never as simple as finding the most expensive or fully featured product.

Although a large organization with a complex network may leave themselves vulnerable to attack by choosing an insufficiently robust solution, a smaller organization might also harm themselves if they choose a powerful solution producing threat intelligence that they lack the time or capacity to make sense of and act upon.

Selecting the best threat intelligence solution for you is not a hopeless task, however. In its recent Market Guide, the technology research company Gartner lists six capabilities — defining how a vendor collects, processes, and analyzes raw information — that provide an important benchmark for choosing a solution that best fits your needs. According to Gartner, the quality of an intelligence product is generally linked to its ability to produce intelligence in line with the intelligence lifecycle:

  • Whether the vendor develops content based only on logs from current network activity or also gathers information by infiltrating and communicating with threat actor groups.
  • Whether the vendor gathers information only from open, public sources or also includes closed sources.
  • Whether the vendor gathers information only from English-language sources or includes and interprets information from non-English sources as well.
  • Whether the vendor analyzes data, correlates disparate data points, and draws informed conclusions or only provides a series of individual data points without analysis.
  • Whether the vendor is able to create personalized content that addresses the risks and threats specific to your organization.
  • Whether the vendor distributes content in a form that your organization can consume.

Let's look at each of the capabilities in a little more detail.

1. Gathering content from both in and out of your network.

At a minimum, every organization should know what is going on in their own backyard. Getting a good idea of how your network normally looks will make unusual activity stand out more obviously. Further, keeping track of your internal network activity also helps monitor for malicious insiders — people within your organization who, for whatever reason, may seek to compromise your network or otherwise cause harm.

Some security solutions gather data and event logs from within your network to provide a baseline of what normal looks like, but limiting the dataset to this space means that you will never see an attack from the outside until it is already underway. More comprehensive services gather data from outside of your network, looking for indications of vulnerabilities or an impending attack in places like forums on the dark web. Identifying attacks before they happen and taking preventative steps can make all the difference in mounting a timely and effective response.

2. Gathering content from open and closed sources.

The section of the internet that we can access through search engines like Google is vast — by some estimates, there are at least 4.56 billion pages indexed by search engines. Even so, this “public” part of the internet only makes up about four percent of all the data online. The rest is locked away in the portions of the internet called the deep web and the dark web, which make up about 90 percent and 6 percent of the remaining data, respectively.

The deep web refers to all the pages that are not indexed by search engines because it can only be accessed through secure logins or paywalls, comprising information like government and private company databases, personal information like medical and financial records, and scientific and academic reports. The dark web includes websites that are only accessible through certain browsers that provide encryption and anonymity, and many of those websites offer marketplaces for illicit goods and services, but also provide spaces for private and anonymous communications and exchanges of all kinds.

Exploits and vulnerabilities are frequently traded on forums on the dark web in particular, but they are also discussed in many spaces on the deep web by parties that wish to keep them safe. Threat intelligence vendors will sometimes cooperate and share their data in order to have more complete datasets than any individual vendor could gather and process, and this sort of cooperation simply won’t take place on the surface web. A vendor that gathers data from closed sources will have access to a magnitude of information — giving a more complete picture, but only if they have the resources to sort through it all.

3. Gathering content from foreign-language sources.

It’s right there in the name: the World Wide Web does not stop at national borders or divide itself based on the language of its users. Many of the largest and most devastating cyberattacks in recent times have come from foreign sources, meaning threat intelligence vendors that limit their datasets to English-language sources will potentially leave huge gaps in their analysis and prediction.

The NotPetya ransomware attack that occurred earlier in 2017, for example, was traced to a source in Ukraine but eventually infected hundreds of thousands of computers worldwide in less than a week. Some of the largest cyberattacks are state-sponsored operations attacking foreign powers — like the Equifax hack this year, which some evidence suggests may have been undertaken by Chinese intelligence agents.

Determining whether your organization needs a threat intelligence solution that gathers content from foreign-language sources largely depends on your size. Smaller organizations whose customers are limited to one country or that do not have a significant enough market presence to attract unwanted attention from foreign parties may simply find it unnecessary to gather data from foreign-language sources.

4. Providing informed analysis and prediction.

Threat intelligence, as defined in the Gartner Market Guide, is evidence-based knowledge derived from a process, rather than a series of individual data points. Vendors that only provide data points without any analysis are not offering intelligence, in the proper sense. Even within the scope of threat intelligence properly conceived, however, there remains a wide range of offerings based on a vendor’s ability to not only gather data from the right sources and catch indicators of compromise, but also provide context, implications, and proactive suggestions.

Threat intelligence comes through two channels: machine-readable content, and content that people can understand. Machine-readable content generally includes highly automated real-time monitoring and notifications, enabling quick responses to detected threats. Because they are mostly automated, threat intelligence solutions that focus on producing machine-readable content tend to be more affordable. Content meant for human consumption will go a few steps further, providing a narrative analysis that may provide context, like the perceived intent of threat actors, and even make predictions about future threats or give suggestions. This takes skilled personnel on both sides — for the vendor to produce this kind of content, and for the consumer to apply it with wisdom.

5. Creating personalized content.

Because most organizations use software and systems that are are publicly available, truly personalized content is not always the key to producing effective threat intelligence. Many threats target vulnerabilities in software that are widely distributed rather than focusing on attacking a specific organization. In those cases, having a threat intelligence solution that gathers data from sources that are relevant but not unique to your organization is often enough.

The Gartner Market Guide notes that some organizations will benefit from a more bespoke solution, including brand monitoring on social media and in the closed parts of the internet. Keeping an eye out for specific companies or even specific people within a company being mentioned can help organizations predict better whether they are being phished or recognize false flag schemes, domain fraud, masquerading, social media amplification, or activist schemes. This kind of custom solution will provide more comprehensive threat intelligence, but will cost more and may be unnecessary for smaller organizations.

6. Distributing content that you can understand.

According to Gartner’s Market Guide, a number of open standards have evolved for machine-readable threat intelligence, and threat intelligence solutions that adhere to these standards rather than proprietary ones will generally be more successful. Using systems that have the ability to both understand and export threat intelligence content will lead to larger and more accurate datasets, especially as more groups begin to share their data with each other.

In a less literal sense, some vendors may produce threat intelligence in a form that your organization simply does not have the capacity to effectively apply. As mentioned before, threat intelligence solutions that produce detailed analysis geared toward human consumption are not necessarily the right solution for every organization (and not just because of price) if you do not have the manpower or know-how to act upon the intelligence.

Choose the Right Solution for You

Customers searching for the right threat intelligence solution have a wide variety of goals they want their solution to meet. They may want to understand the identity, methods, and motives of attackers and better defend against future attacks; they may want to understand a previous incident in greater detail; they may want to develop case studies to use for training exercises; they may want to have advance warning of future attacks against a shared IT infrastructure. Each organization’s needs and capacities are unique. Determining your needs and capacities first, and then evaluating the threat intelligence solutions on the market according to these six qualities, will help you easily find the perfect solution.

You can read Gartner’s “Market Guide for Security Threat Intelligence Products and Services” in full by downloading your free copy from Recorded Future.