Evaluating Cyber Threat Intelligence Services, Part One

September 20, 2016
Cyber Threat Intelligence: Post by Katie Nickels

Offerings of cyber threat intelligence services have multiplied in recent years. Cybersecurity vendors have recognized that not all organizations have the personnel, or the visibility into adversary operations, to produce intelligence in-house, so they have begun offering cyber threat intelligence services such as FireEye Intelligence Center, iSIGHT Partners, and ThreatConnect, to name just a few.1

We define cyber threat intelligence services as any offering from a commercial vendor that provides evaluated information and reports, usually focusing on attempted or successful intrusion activity, threats, vulnerabilities, or adversary Tactics, Techniques, and Procedures (TTPs).

Information from cyber threat intelligence services is generally used for network defense. It can help identify threat activity that traditional signature-based detection would miss, give analysts context for the alerts they see, and, through knowledge of adversary activity, help shape network defense priorities around the most likely avenues of attack.

How might you get the greatest benefit from such a service? With so many offerings, how can your organization evaluate whether a threat intelligence service is right for you—and, if so, which one?

Think before you buy

Keep in mind that no service will improve your network defenses on its own: someone still has to extract actionable information from it and apply that information to your network defense tools.

If you are looking for immediate benefit to defenses, your cybersecurity operations center (CSOC) might want to consider security appliances rather than intelligence services.

Who will use the intelligence service, and how will it be used?

For a cyber threat intelligence service to be useful, an organization must have analysts who can consume and integrate the intelligence into network defenses.

Vendors deliver intelligence in varying formats, from unstructured prose reports to structured data that lets atomic indicators be ingested directly into security appliances or databases. Think about which format suits your organization. Used together, the two complement each other: ingesting atomic indicators into tools lets you alert on activity, and prose reports give analysts the context to interpret those alerts.

Make sure your existing intelligence and security tools can ingest data in the format the vendor provides; ingesting it manually only adds to the analysts' workload. Depending on the quality of the atomic indicators, consider additional processing and vetting before applying them to your security appliances, for example removing duplicates, indicators that arrive without context, and addresses or domains your own users legitimately contact. You can automate the ingest of indicators into a database where this processing and vetting occurs.

  • For prose reports, analysts should review them and decide which reports are applicable to your organization's network. For example, reports detailing how adversaries exploit vulnerabilities in the software your organization uses would then help you prioritize patching that software.
  • For atomic indicators such as domain names, IP addresses, and file hash values, analysts should work with your organization's engineers and intrusion analysts to ensure that the indicators are properly ingested into your security information and event management (SIEM) system, intrusion detection system, or other appliances. The analysts should also review any alerts the indicators generate for quality and accuracy and remove or modify indicators as needed. Your organization should insist that atomic indicators come with context, since it may be impossible to act on an alert without knowing why the indicator is of interest.
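The vetting step described above, as an added example rather than code from the post, from MITRE, or from any vendor: the script below takes a structured indicator feed and, before anything reaches the SIEM, requires context, drops malformed and non-routable addresses, normalizes domains and rejects those on an allowlist of everyday infrastructure, checks hash lengths, discards the well-known empty-file digests, and removes duplicates. The feed layout (a list of dicts with "type", "value" and "context"), the allowlist, and every indicator in the sample feed are constructed for illustration.

```python
"""Vet and normalize atomic indicators from a vendor feed before they reach a
SIEM or IDS. Added example written for this post; it is not code from MITRE
or from any vendor. The feed layout (a list of dicts with "type", "value" and
"context") and every indicator in SAMPLE_FEED are constructed for illustration.
"""
import hashlib
import ipaddress
import re

# Digests of the empty file: a classic junk indicator that matches every
# zero-byte file on the network.
EMPTY_FILE_HASHES = {
    hashlib.md5(b"").hexdigest(),
    hashlib.sha1(b"").hexdigest(),
    hashlib.sha256(b"").hexdigest(),
}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# ASCII hostnames only; internationalized names would need IDNA handling first.
DOMAIN_RE = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Ranges that can never be an external adversary host; alerting on them only
# makes noise. (ipaddress's is_global would also reject the RFC 5737
# documentation range the constructed sample uses, so the list is explicit.)
NEVER_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed allowlist: domains your own organization and partners use daily.
ALLOWLIST_DOMAINS = {"example.com", "example.org"}


def normalize(ind):
    """Return (normalized_value, None) for a deployable indicator, else (None, reason)."""
    kind, raw = ind.get("type"), (ind.get("value") or "").strip()
    if not ind.get("context"):
        return None, "no context"  # an analyst cannot act on a bare value
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None, "malformed ip"
        if any(addr in net for net in NEVER_EXTERNAL):
            return None, "non-routable ip"
        return str(addr), None
    if kind == "domain":
        value = raw.lower().rstrip(".")  # fold case, drop the trailing root dot
        if not DOMAIN_RE.match(value):
            return None, "malformed domain"
        if value in ALLOWLIST_DOMAINS or any(
                value.endswith("." + d) for d in ALLOWLIST_DOMAINS):
            return None, "allowlisted domain"
        return value, None
    if kind == "hash":
        value = raw.lower()
        if len(value) not in (32, 40, 64) or not HEX_RE.match(value):
            return None, "malformed hash"  # not MD5, SHA-1 or SHA-256 hex
        if value in EMPTY_FILE_HASHES:
            return None, "hash of empty file"
        return value, None
    return None, "unsupported type %r" % kind


def vet_feed(feed, source="vendor-feed"):
    """Split a feed into SIEM-ready records and rejected (value, reason) pairs.
    A second record with the same type and normalized value is a duplicate."""
    accepted, rejected, seen = [], [], set()
    for ind in feed:
        value, reason = normalize(ind)
        if reason is None and (ind["type"], value) in seen:
            reason = "duplicate"
        if reason:
            rejected.append((ind.get("value"), reason))
            continue
        seen.add((ind["type"], value))
        accepted.append({"type": ind["type"], "value": value,
                         "context": ind["context"], "source": source})
    return accepted, rejected


# Constructed sample feed exercising each rejection path.
SAMPLE_FEED = [
    {"type": "ip", "value": "203.0.113.45", "context": "C2 for campaign X"},
    {"type": "ip", "value": "10.0.0.5", "context": "scanner seen in sandbox"},
    {"type": "ip", "value": "203.0.113.45", "context": "C2 for campaign X"},
    {"type": "domain", "value": "Update-Checker.Example.NET.", "context": "phishing landing page"},
    {"type": "domain", "value": "mail.example.com", "context": "seen in sandbox traffic"},
    {"type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e", "context": "dropper"},
    {"type": "hash", "value": "not-a-hash", "context": "dropper"},
    {"type": "hash", "value": "0123456789abcdef0123456789abcdef", "context": "dropper"},
    {"type": "hash", "value": "ab" * 32, "context": ""},
]

if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED)
    for rec in ok:
        print("deploy", rec["type"], rec["value"], "--", rec["context"])
    for value, reason in bad:
        print("reject", value, "--", reason)
```

The rejected list is worth keeping rather than discarding: the mix of reasons is a quick measure of a feed's quality, and a vendor whose feed is mostly context-free values or allowlisted domains is one you will spend more analyst time cleaning up than using.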

Some services provide an application programming interface (API) that lets you automate the ingestion of structured data. In such cases, ask the vendor whether API use is rate-limited and whether you are allowed to download structured data in bulk; otherwise, retrieving large numbers of indicators and deploying them to your sensors and SIEM tools may be difficult, if not impossible. Also consider how often the vendor updates reports and indicators, since that determines how often you need to ingest.
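The ingestion loop those questions point at, as an added example rather than any vendor's client: it walks a page-numbered endpoint, honours the server's retry hint on HTTP 429 instead of retrying blindly, and on each scheduled run fetches only records updated since the previous run's high-water mark, so the bulk pull happens once and later runs stay small. The API shape (page-numbered results, a next flag, 429 with a retry_after hint), the in-memory stand-in for the API, the clock, and the records are all constructed assumptions; a real client would make the same calls over HTTPS with the vendor's authentication.

```python
"""Incremental, rate-limit-aware pull of structured indicators from a vendor
API. Added example written for this post; it is not any vendor's client. The
endpoint shape, the in-memory stand-in for it, and the records are
constructed; a real client would issue the same calls over HTTPS.
"""


class FakeClock:
    """Deterministic clock so the example runs offline and instantly."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeVendorApi:
    """Constructed stand-in: serves records updated on or after `since`,
    `page_size` per page, and answers 429 when called again within
    `min_interval` seconds of the last successful call."""
    def __init__(self, records, clock, page_size=2, min_interval=1.0):
        self.records = sorted(records, key=lambda r: (r["updated"], r["id"]))
        self.clock, self.page_size, self.min_interval = clock, page_size, min_interval
        self.last_call, self.calls = None, 0

    def publish(self, record):
        """Vendor adds or re-issues an indicator (e.g. with new context)."""
        self.records.append(record)
        self.records.sort(key=lambda r: (r["updated"], r["id"]))

    def get(self, since, page):
        self.calls += 1
        now = self.clock.now()
        if self.last_call is not None and now - self.last_call < self.min_interval:
            return 429, {"retry_after": self.min_interval - (now - self.last_call)}
        self.last_call = now
        matching = [r for r in self.records if r["updated"] >= since]
        start = (page - 1) * self.page_size
        return 200, {"results": matching[start:start + self.page_size],
                     "next": start + self.page_size < len(matching)}


def fetch_since(api, since, clock, max_retries=5):
    """Yield every record updated on or after `since`, walking all pages and
    sleeping for the server's retry_after on 429 instead of hammering it."""
    page, retries = 1, 0
    while True:
        status, body = api.get(since=since, page=page)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("rate limit did not clear after %d retries" % max_retries)
            clock.sleep(body.get("retry_after", 2 ** retries))  # exponential fallback
            continue
        if status != 200:
            raise RuntimeError("unexpected status %s" % status)
        retries = 0
        yield from body["results"]
        if not body["next"]:
            return
        page += 1


def ingest(api, state, clock):
    """One scheduled run. `state` persists between runs (write it to disk in
    production): the high-water mark and the (id, updated) pairs already seen.
    The `since` window is inclusive so nothing is lost when several records
    share the high-water timestamp; the seen set drops the overlap."""
    new = []
    for rec in fetch_since(api, state["last_updated"], clock):
        key = (rec["id"], rec["updated"])
        if key in state["seen"]:
            continue
        state["seen"].add(key)
        state["last_updated"] = max(state["last_updated"], rec["updated"])
        new.append(rec)
    return new


# Constructed records; ISO dates compare correctly as strings.
SAMPLE_RECORDS = [
    {"id": "ind-1", "type": "domain", "value": "update-checker.example.net", "updated": "2016-09-01"},
    {"id": "ind-2", "type": "ip", "value": "203.0.113.45", "updated": "2016-09-02"},
    {"id": "ind-3", "type": "hash", "value": "0123456789abcdef0123456789abcdef", "updated": "2016-09-03"},
    {"id": "ind-4", "type": "domain", "value": "login.example.net", "updated": "2016-09-03"},
    {"id": "ind-5", "type": "ip", "value": "203.0.113.99", "updated": "2016-09-05"},
]


def run_demo():
    """Three runs: initial backfill, an empty run, then a re-issued indicator.
    Returns (new records per run ..., API calls made, simulated seconds slept)."""
    clock = FakeClock()
    api = FakeVendorApi(SAMPLE_RECORDS, clock)
    state = {"last_updated": "2016-09-02", "seen": set()}
    first = ingest(api, state, clock)   # two pages; page 2 hits the limit once
    second = ingest(api, state, clock)  # only ind-5 is re-fetched, dropped as seen
    api.publish({"id": "ind-1", "type": "domain", "value": "update-checker.example.net",
                 "updated": "2016-09-06"})  # vendor re-issues ind-1 under a new timestamp
    third = ingest(api, state, clock)
    return len(first), len(second), len(third), api.calls, clock.now()


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter when adapting this to a real vendor: ask whether the API exposes an "updated since" filter at all (without one every run is a bulk pull, which is exactly where a rate limit bites), and keep the seen set and high-water mark in durable storage, since losing them means either re-deploying every indicator or silently missing the ones issued while the job was down.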

How does a service's value and cost compare to others?

Costs can range from hundreds to thousands of dollars. Expensive doesn't necessarily mean "best," and what's best for one organization may not be what's best for yours. Organizations have different needs for the depth of reporting, the types of indicators that they can make best use of, and the types of threats that they need coverage for.

Before you make a purchase, compare the cost and offerings from several vendors to determine whether one provides more value based on your organization's needs.

Evaluate whether the intelligence that a service provides overlaps with the intelligence that your existing cyber threat intelligence analysis team produces. While there may be some duplication, the service should provide some unique intelligence to ensure it adds value to your organization's capabilities.

You should also check whether alternative sources offer information similar to what the service provides. For example, many cybersecurity companies release limited information and reporting publicly at no charge, such as blog posts on observed threat activity. Such reporting may not contain original or exclusive information, and it varies with the company's resources, but its level of detail may be appropriate for some organizations.

Your organization should consider whether you can obtain similar information through partnerships such as the Information Sharing and Analysis Center (ISAC) for your sector. The value of a service also depends on whether it applies to your organization's sector. Many services provide broad reporting to appeal to a wide audience, but you should evaluate whether the information applies to your unique sector.

Considering vendors

The next post discusses additional considerations you should weigh when evaluating the vendors that offer these cyber threat intelligence services.

In short, remember that threat intelligence services can be a valuable addition to your organization's network defense posture, but only if your selection addresses your cyber defense needs and easily integrates into your existing processes, tools, and analysis workflows.

1The MITRE Corporation offers independent, unbiased views. We are not recommending any particular platform or product.