The threat intelligence market is composed of vendors that provide technologies and services for the management and curation of threat intelligence (TI). TI technologies are referred to as threat intelligence platforms, which may be sold as stand-alone solutions or as part of an integrated solution. TI services may include monitoring of the clear (surface) web, dark web and deep web, delivered in the form of feeds.
Taking a use-case-centric view is still the ideal and pragmatic way to start the journey and improve your security program with intelligence-led initiatives. In some client inquiries, we have seen clients buy a service first and then try to make that investment fit their use cases later. Instead, we recommend deciding what you want from TI in the first place — that is, what end do you have in mind? Then determine what you would be prepared to carve out of your security budget for it, or where you would find additional funding.
Threat Intelligence Lifecycle
The figure shows the typical intelligence life cycle. The process is iterative and should be re-evaluated continuously: as requirements change or evolve, so should your data acquisition, aggregation and action plans.
Vendors are looking to tailor offerings to a broader list of vertical industries and organizational sizes. TI service clients typically have assets of significant value (for example, financial assets, intellectual property or assets that support critical infrastructure), protected or otherwise sensitive information (such as user identities or classified security information), leverageable services (for example, network bandwidth), or large customer bases.
The information obtained from the product or service often feeds into a multiyear planning and deployment cycle in these clients' security programs. TI services appeal primarily to large enterprises that have a significant brand presence or a higher-risk profile, and that generally have security organizations with more mature security programs. However, some service providers have been expanding their focus to include midsize organizations for several years, providing pre-packaged, easier-to-consume offerings at lower price points that fit a range of technologies and maturity levels.
Popular TI Use Cases
A simple way to consider how TI services can add value to your security program is to place the TI along two axes. TI can be a combination of:
- Tactical or Strategic — In terms of the area of your security program you are looking to address, which roughly aligns with the time horizon of the intelligence.
- Technical or Business — In general terms, applies to whether the TI is more focused on security operations or risk management.
There is no one “right” choice here. Depending on your use-case needs and maturity, you could decide to use only tactical/technical TI at this point. However, in general, strategic/business TI is more expensive than technical/tactical services.
Below, in no particular order, are popular use cases for TI, compiled from inquiries with end-user organizations:
1. TI Analyst Augmentation.
Very few organizations have access to vast resources that will enable them to build out a large, dedicated threat intelligence function. Indeed, these limited resources are a top reason why it is critical to focus on use cases and not “doing” threat intelligence because it seems “cool”.
Most organizations need solutions that work as an extension of their team. This is especially useful for access to language skills, but our team also helps to prioritize alerts, produce RFIs (requests for information), and research the latest trends and developments across the criminal underground.
2. TI Sharing and Threat Actor Tracking.
Understanding the TTPs (tactics, techniques, and procedures) of specific actors is highly valuable for threat modelling and incident response efforts. With our threat actor library, security teams can access the latest intelligence on particular actors. For example, analysts can access the threat intelligence profiles of individual actors. For analysts who want to view the data behind our intelligence profiles.
3. Surface, “Deep” and “Dark” Web Monitoring.
In the past two years, we have seen a massive increase in the number of teams looking for visibility into criminal sources across the “deep” or “dark web”. This, in and of itself, may not seem like a use case, but consider the types of alerts you might get from these sources. The most common areas teams are interested in are exposed credentials, phishing kits, and other attacker tooling. To re-emphasize the earlier point on TI analyst augmentation, it can be challenging to gain access to these sources in a safe environment.
4. Security Technology Telemetry Enrichment.
Enrichment of MRTI (machine-readable threat intelligence) is one of the most popular threat intelligence use cases. By combining a wide range of sources, we can help to enrich observables. Searching for an observable in Search will return results from our own intelligence incidents, Twitter, and blog posts.
5. Vulnerability Prioritization.
Threat intelligence can also be used to understand which vulnerabilities are being exploited and how that applies to your security posture. TI integrations that show which vulnerabilities are being leveraged by threat actors are arguably one of the best use cases for threat intelligence in modern enterprises. This quantifiable knowledge provides key insight into what an organization’s threat landscape actually looks like.
6. Phishing Detection
It is always valuable to have knowledge about phishing and the types of tactics attackers use. In particular, domain impersonation is (yet another) big concern for the teams we work with. A daily digest of these results enables security teams to block these domains before they are used against employees.
7. Intelligence Analyst Investigations Tools
If you are interested in learning more about how the underlying data can be accessed through analyst investigation tools, explore the use cases above, which are among the most popular for TI.
Before purchasing a service, have a detailed plan for how you will use it and start with an end in mind. Understand who and what tools/processes consume it and how they will use it. Also understand what decisions you expect to make on the basis of the content provided, as well as “who” and “how” those decisions will be made.
Pricing models are becoming more consistent across the market. In general, though, an end-user organization can expect to pay for a basic service that includes tactical content, such as IP reputation feeds, risky URLs and indicators of compromise. More advanced strategic content — which includes information about actors’ motives, intentions, and capabilities developed or tailored for the individual client — can cost more.
Not all services that are marketed as TI actually provide that type of content, so it is important to understand what problem you are trying to solve. However, if you are trying to find out what your adversaries are doing or even planning (for example, what vulnerabilities are being exploited) and want to find out without drawing attention to yourself, then a TI service may be valuable.
Breadth of Coverage
What areas of the threat landscape and which use cases can the provider cover, and in what form factors (MRTI, reports or threat analyst access)? For example:
- What threats do they cover?
- Are they focused on phishing, malware, deep/dark web, social media?
Depth and Accuracy
Just as important as how much information is available is how well that information can be targeted specifically to you. At the same time, the intelligence must be accurate enough to act on with confidence.
Ability to Execute
How long has the provider been in the market? How viable is it? If its client base doubles, could it service you with the same level of satisfaction? Is it financially viable?
Are you able to use the TI in multiple ways, for different processes and within a range of tools? Some TI comes in a “black box,” which can be described as single-purpose or single-use.
Many TI providers are deep specialists in the specific areas and techniques they use to understand the threat landscape. Understanding this specialization is key. It will help you align provider capabilities with the perspective you need to address the risks for which you need assistance.
Once you receive multiple formats and types of TI in various volumes, you need to be able to gather it all together in one place and aggregate it. This involves the deduplication of overlapping intelligence, enrichment, storage, sharing and downstream orchestration/automation use cases.
This is still the biggest issue with adding intelligence-led initiatives to your cybersecurity program, as well as the biggest opportunity for security leaders if they can convert information into action. IT security leaders are advised to start with this end in mind.
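The aggregation step described above (and the observable enrichment use case earlier) in working form, as an added example that is not part of the original article or any vendor product: two constructed feeds in different formats (CSV and JSON lines, with invented indicators) are normalized to a canonical key, deduplicated with merged confidence and sources, and enriched with a corroboration flag, an owned-asset check and a priority score. The feed layouts, scoring rule and `owned_domains` set are assumptions for illustration.

```python
import csv, io, ipaddress, json

# Constructed sample feeds (invented indicators): feed A is CSV, feed B is JSON lines.
FEED_A = """indicator,type,confidence,first_seen
203.0.113.7,ipv4,80,2023-04-01
EVIL-EXAMPLE.test,domain,60,2023-04-02
http://evil-example.test/login,url,70,2023-04-02
"""
FEED_B = """{"value": "203.0.113.7", "kind": "ip", "score": 0.5, "seen": "2023-04-03"}
{"value": "evil-example.test.", "kind": "domain", "score": 0.9, "seen": "2023-03-30"}
{"value": "198.51.100.20", "kind": "ip", "score": 0.3, "seen": "2023-04-03"}
"""
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "url": "url"}  # assumed vocabularies

def normalize(value, kind):
    """Canonical (type, value) key so the same observable from two feeds collides."""
    kind = TYPE_MAP[kind]
    if kind == "ipv4":
        value = str(ipaddress.ip_address(value.strip()))
    elif kind == "domain":
        value = value.strip().lower().rstrip(".")  # DNS names are case-insensitive; drop trailing dot
    else:
        value = value.strip()
    return kind, value

def parse_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield normalize(row["indicator"], row["type"]), int(row["confidence"]), row["first_seen"], "feed_a"

def parse_feed_b(text):
    for line in text.splitlines():
        r = json.loads(line)
        yield normalize(r["value"], r["kind"]), round(r["score"] * 100), r["seen"], "feed_b"

def aggregate(*feeds):
    """Deduplicate overlapping indicators: keep max confidence, earliest sighting, every source."""
    merged = {}
    for feed in feeds:
        for key, conf, seen, source in feed:
            e = merged.setdefault(key, {"type": key[0], "value": key[1], "confidence": 0,
                                        "first_seen": seen, "sources": set()})
            e["confidence"] = max(e["confidence"], conf)
            e["first_seen"] = min(e["first_seen"], seen)  # ISO dates compare correctly as strings
            e["sources"].add(source)
    return merged

def enrich(merged, owned_domains):
    """Enrichment: corroboration across feeds, a guard against blocking your own assets, and a
    simple priority (assumed rule: confidence plus 10 per extra corroborating source)."""
    for e in merged.values():
        e["corroborated"] = len(e["sources"]) > 1
        e["owned_asset"] = e["type"] == "domain" and e["value"] in owned_domains
        e["priority"] = e["confidence"] + 10 * (len(e["sources"]) - 1)
    return merged
```

Running `enrich(aggregate(parse_feed_a(FEED_A), parse_feed_b(FEED_B)), {"corp.example"})` yields four unique indicators from six feed records, with the IP and the domain each carrying both sources.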