The Great Threat Intelligence Debate

Dan Holden, Director-Security Research, Arbor Networks

Input “threat intelligence” into your Google News search engine and over 1.3 million results pop up. It’s become the latest in popular buzzwords in the Internet security industry. But, besides the obvious reasons, why is the industry so hot to trot on the notion of threat intelligence/sharing at the moment?

Before I address the ‘why’ question, I should take a step back to address the ‘what’ question: what is good cyber threat intelligence, anyway?

Advanced technologies may be able to detect the vast amount, size and scope of cyber threats out there, issuing alerts when a system is compromised, but without context or relevant information about the attack, security analysts may inadvertently dismiss serious attacks as unimportant noise. Actionable, defensible security intelligence is required to quickly identify threats that are targeting—and have already compromised—your environment.

The right security intelligence fuels the creation of mechanisms to recognize and block network-based attacks— some of the time. However, effective security intelligence not only identifies attacks, methods, and other indicators, but also understands and catalogs the attack infrastructure, so that broader, more proactive measures can be taken with confidence.

The main goal for threat intelligence and threat sharing is to get at that much-needed greater context into the events happening on your network or your ‘piece’ of the Internet and how it interacts with the rest of the Internet. It can also make up for the lack of greater context into simple events logged in legacy technologies (firewalls, IDS, anti-virus.) Getting at the why, where, and how of a security event versus just knowing that the event or the indicator of compromise exists.

The problem with threat intelligence is that it’s become a bit of a big data headache. For effective threat intelligence, you need a giant store of the known ‘bad’— something that changes a million times a day—and the majority of the known bad, you might never interact with at all. It may never apply to your particular slice of the Internet. The efficiencies and costs associated with storing that amount of data isn’t very appealing to most, despite the upside to having your hands on what could be some really great insight into the threats your network is or could be exposed to. This is why many vendors are partnering up to create these shared threat intelligence groups—taking the big data burden off of one and spreading it among many, but in a trusted, smaller-scale, but still effective, environment.

Given the influx of threats coming at you from every possible angle, entry-point and vector, what is really needed to stay ahead of attackers? Context. That context can help you gauge risk, prioritize your security responder’s time, and move on to the next threat (among many) at hand. In other words, don’t focus on threat intelligence merely for its sake—or because it's the latest hot buzzword in the industry. Threat intelligence data not only needs to be actionable and proven, it also needs to be easily accessible for incident responders to be efficient and effective.

The goal of threat intelligence shouldn’t be corroborating bad data with more questionable data (because threat intelligence isn’t always proven), but it should be about searching out the best data that fits the risk profile of your particular organization, industry, and risk. At the end of the day, threat intelligence is about tracking the threat actors; naturally everyone will have a different slant or specialty on this. Ultimately, threat intelligence should make a marked improvement over existing staff and processes. If you have a giant library and no time to read anything in that library, then all you have is a bunch of books. No action, no intelligence.