Get ahead of the enemy

Cyber threat intelligence: Getting the best foot forward against adversaries

When it comes to mitigating an organization’s cyber risk, knowledge and skills are powerful. That alone should make cyber threat intelligence (TI) a key priority for any organization. Unfortunately, this is often not the case. Among the various protective measures that IT leaders must consider to help them counter increasingly sophisticated attacks, threat intelligence is often overlooked. This oversight can be a critical flaw, however.

By collecting, analyzing and contextualizing information about possible cyberthreats, including the most advanced, threat intelligence offers a critical approach to identify, assess and mitigate cyber risk. Done right, it can also help your organization prioritize where to focus limited resources for maximum impact and therefore reduce its exposure to threats, minimize damage from potential attacks, and build resilience against future threats.

What are the main types of TI?

The challenge for your organization is to sift through what is a crowded market of TI vendors to find the right offer. It is, in fact, a market predicted to be worth over $44 billion by 2033. There are four types of TI:

  • Strategic: Delivered by senior leadership through white papers and reports, it offers contextual analysis of a wide range of trends to inform the reader.
  • Tactical: Adapted to the needs of multiple team members in hands-on security operations (SecOps), it outlines actors' tactics, techniques, and procedures (TTPs) to provide visibility into the content of the attack and how malicious actors can compromise the environment.
  • Technical: Helps SecOps analysts monitor new threats or investigate existing ones using indicators of compromise (IOCs).
  • Operational: Also uses IOCs, but this time to track enemy movements and understand the techniques used during the attack.

While strategic and tactical TI focus on longer-term goals, the latter two categories are concerned with uncovering the “what?” of attacks in the short term.

Buyer’s guide to threat intelligence

What to look for in a threat intel solution

There are a variety of ways that organizations can consume threat intelligence, including industry feeds, open source intelligence (OSINT), peer-to-peer sharing within verticals, and directly from vendors. It goes without saying that there are many latecomers offering their expertise in this area. Indeed, Forrester recorded a 49% increase in paid commercial threat intelligence feeds from 2021 to 2022.

However, you are best advised to focus on the following when evaluating whether a vendor is a good fit for your organization:

  • Completeness: They must offer comprehensive TI covering a wide range of threat actors, threat vectors, and data sources, including internal telemetry, OSINT and external feeds. IOC feeds should be considered as part of a holistic TI service rather than as a standalone offering.
  • Accuracy: Inaccurate intelligence can overwhelm analysts with noise. Vendors must deliver accuracy.
  • Relevance: Feeds should be tailored to your specific environment, industry and company size, as well as what is most relevant (tactical / strategic) to your organization in the short and longer term. Also consider who will be using the service. TI is reaching new personas all the time, even the marketing, compliance and legal teams.
  • Timeliness: Threats move quickly so any feed needs to be updated in real time to be useful.
  • Scalability: Any vendor should be able to meet your organization’s TI needs as it grows.
  • Reputation: It always pays to go with a vendor that can boast a track record of TI success. Increasingly, it may be a vendor that is not traditionally associated with TI, but rather with SOAR, XDR or similar adjacent areas.
  • Integration: Consider solutions that fit your existing security infrastructure, including SIEM and SOAR platforms.

Navigating the TI market

The TI market is constantly evolving, with new categories emerging to help evaluate new threats. That can make choosing the right option(s) a challenge. It’s good to think longer term about your requirements to avoid constantly reassessing strategy, although this should be balanced with the need for relevance and agility.

It’s also worth noting that the maturity of your organization plays a big part in how many and what kind of TI services to use. Those with dedicated teams and resources can use 15 TI sources across commercial, OSINT, and free offerings.

Today’s threat actors are well-resourced, dynamic, determined and can use the element of surprise. TI is one of the best ways organizations can level the playing field and gain the upper hand, including by understanding their adversary, assessing the threat landscape and making better decisions. That’s the way not only to stop attacks in their tracks before they make an impact on the organization, but also to build resilience for the future.

Each organization must choose the TI mix that is right for it. But when looking at vendors, make sure the data is at least complete, accurate, relevant and timely. Curated feeds can go a long way in saving time and resources for your own team. The key is to find a vendor whose feeds you trust. According to IDC, 80% of G2000 companies will increase investment in threat intelligence by 2024. Make sure you are set up to succeed.
