How to Explain the Meteoric Rise of Threat Intelligence

For the past couple of years it seems like threat intelligence is everywhere.

Every vendor offers a threat intelligence solution; every organization seems to be using it to some degree. At security conferences it feels like you just can’t escape the topic.

But why? Why this sudden surge in uptake? Is it really as valuable as everyone seems to think it is?

Threat Intelligence Definition

So what is threat intelligence? Levi Gundert, our own Vice President of Intelligence and Strategy, describes it like this:

“Threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information.”

But let’s take a step back. Simply put, threat intelligence is a way to get ahead of your attackers.

Traditionally, cyber security has been a reactive discipline. Threat actors do their best to breach networks, and security professionals try to stop them with technical controls and incident response. Over time, the industry learned what the most common attack vectors were, and the majority of organizations implemented a standardized security approach.

But there’s a problem.

Threat actors are constantly looking for new ways to breach network security, and the industry as a whole can’t react quickly enough. When a new threat arises, there isn’t time for vendors to develop a solution before organizations start falling prey to it.

That’s where threat intelligence comes in. Real-time harvesting of both open and dark areas of the web provides proactive organizations with the intelligence they need to effectively defend against ever-evolving cyber threats.

Let’s say, for example, that threat actors developed an industrial scale phishing campaign that seemed to be evading most spam filters. Using threat intelligence, an organization could find data on this threat to tighten email controls and dramatically reduce the risk of a breach.

Alternatively, a threat intelligence solution might inform a financial institution of an impending advanced persistent threat (APT). Organizations in the financial, healthcare, and government sectors are far more likely to be targeted by organized cyber crime groups, and early intelligence could easily be the difference between security overtime costs and a full-scale breach.

Who’s Using Threat Intelligence?

The short answer is almost everyone.

According to a Ponemon Institute study into the value of threat intelligence, 78% of respondents in the U.S. and UK consider threat intelligence to be highly important for achieving a strong cyber security posture. Even more tellingly, over 66% of respondents have either implemented or are planning to implement a threat intelligence solution.

Threat intelligence has had a meteoric rise over the past few years, going from practically unheard of to mainstream in no time at all. According to research by IT-Harvest, the market for threat intelligence is growing at a rate of 85% per year, and the trend is expected to continue.

Hard to believe, isn’t it?

The rise becomes easier to understand when considered against the growth of cyber crime as an industry. Between 2013 and 2015 the global cost of cyber crime quadrupled. By 2019 it’s expected to reach $2.1 trillion.

Quite simply, cyber crime is paying off big time for organized crime groups, and so long as that’s true we’ll continue to see these trends.

What’s in It for Me?

The thing about threat intelligence is that it doesn’t directly enhance your security profile or decrease cyber risk. Instead, threat intelligence is useful because it enables you to allocate your security resources in a more powerful and evidence-based way.

Broadly speaking, there are three ways for this to happen.

1. Increasing speed and reliability of threat detection and prevention.

A comprehensive threat intelligence solution is the most reliable way to identify threats or attacks before they happen. More specifically, threat intelligence enables you to narrow the threat landscape down to those most likely to target your specific organization. Preparing for every possible threat simply isn’t an option, and threat intelligence is the only reliable way to determine where your security resources are best allocated.

Whether the heads up comes from threat actor “chatter” or internal telemetry, identifying an attack on your organization even just a few minutes earlier can be game-changing, particularly in terms of cost.

2. Tightening security controls.

Perhaps the worst-case scenario for any organization is being breached due to a zero-day exploit. Literally, that means the exploit takes advantage of a vulnerability for which there is no patch.

No matter how good your security profile is, a zero-day exploit could allow a threat actor anywhere in the world to breach your network. Naturally, then, as soon as a zero-day exploit is discovered, you should want to know about it. Perhaps you can identify a short-term fix, or temporarily suspend use of the affected application. Equally, you’ll want to know as soon as a patch is available.

A powerful threat intelligence solution will flag up zero-day threats (or similarly urgent information) for immediate action, minimizing the risk period. This may seem an extreme example, but according to FireEye zero-day threats have been identified at the rate of almost one per month for the past several years.

3. Facilitating decision making.

When you have solid, evidence-based intelligence to work from, decision making is a much easier and more powerful process. Whether it’s deciding where to invest your security budget, or how responsibilities should be allocated, threat intelligence is an indispensable resource for senior security officers and executive board members.

How Might Threat Intelligence Change in the Future?

The way things are going it’s pretty clear that threat intelligence is here to stay. Precisely what format it will take, however, is up for debate.

Based on current trends and breakthroughs, it seems likely that threat intelligence will see enhancements through two primary routes.

1. Intelligence sharing.

In the past, vendors (and even organizations) have guarded their intelligence carefully. But as threat actors become exponentially more organized and motivated, the threat to every organization is constantly reaching new highs.

Thankfully, the practice of threat intelligence sharing has become more widely accepted over the past two years. Some concerns have popped up along the way, but platforms such as the OpenIOC framework have benefited enough organizations to make the value of intelligence sharing clear for all to see.

As a result, in the coming years we expect to see intelligence sharing take a more central role in the threat intelligence process.

2. Machine learning and artificial intelligence (AI).

AI is one of those things that’s constantly about to “explode” into the mainstream. If you listen to the hype, we’ve been on the verge of cracking real AI for several decades.

Clearly it hasn’t quite happened yet.

Thankfully, though, research into AI has given us a number of highly valuable technologies. For example, in the past 18 months machine learning has burst onto the scenes, seeing particular success in fraud detection for financial and gambling institutions.

Now let’s get one thing straight. Powerful modern threat intelligence solutions like Recorded Future are already capable of harvesting massive quantities of data and distilling it down to actionable Intelligence Cards™. Our Web Intelligence Engine already uses machine-learning algorithms in conjunction with natural language processing (NLP) to structure and present intelligence in a way that’s both actionable and easy to digest.

So what we’re suggesting here isn’t far fetched. In the coming years, we strongly suspect that machine learning and other AI-style technologies will continue to enhance and speed the production of threat intelligence. Equally, it’s highly likely that new technologies will arise that continue this trend of “faster and better” intelligence processing.

Naturally, we intend to be at the forefront of these developments.