When it comes to mitigating an organization’s cyber risk, knowledge and expertise are power. That alone should make cyber threat intelligence (TI) a key priority for any organization. Unfortunately, this often isn’t the case. Among the various protective measures that IT leaders must consider to help them counter increasingly sophisticated attacks, threat intelligence is often overlooked. This oversight could be a critical mistake, however.
By collecting, analyzing and contextualizing information about possible cyberthreats, including the most advanced ones, threat intelligence offers a critical method to identify, assess and mitigate cyber risk. When done right, it also helps your organization prioritize where to focus its limited resources for maximum effect, and so reduce its exposure to threats, minimize damage from potential attacks, and build resilience against future ones.
What are the main types of TI?
The challenge for your organization is picking through what is a crowded market of TI vendors to find the right offering. This is, after all, a market predicted to be worth in excess of $44 billion by 2033. There are broadly four types of TI:
- Strategic: Delivered to senior leadership via white papers and reports, this offers contextual analysis of broad trends to inform the reader.
- Tactical: Aligned with the needs of more hands-on security operations (SecOps) team members, this outlines actor tactics, techniques, and procedures (TTPs) to provide visibility into the attack surface and how malicious actors can compromise the environment.
- Technical: Helps SecOps analysts monitor for new threats or investigate existing ones using indicators of compromise (IOCs).
- Operational: Also uses IOCs, but this time to track adversary movements and understand the techniques being used during an attack.
While strategic and tactical TI serve longer-term goals (understanding trends and adversary TTPs), technical and operational TI are concerned with uncovering the "what?" of attacks in the short term: the specific indicators and adversary activity that analysts can detect and respond to now.
What to look for in a threat intel solution
There are various ways that organizations can consume threat intelligence, including industry feeds, open source intelligence (OSINT), peer-to-peer sharing within verticals, and direct from vendors. Unsurprisingly, a large number of vendors offer their expertise in this area: Forrester recorded a 49% increase in paid commercial threat intelligence feeds from 2021 to 2022.
However, you’re best advised to focus on the following when assessing whether a vendor is the right fit for your organization:
- Completeness: They should offer a comprehensive range of TI covering a wide range of threat actors, threat vectors, and data sources, including internal telemetry, OSINT and external feeds. IOC feeds should be thought of as part of a holistic TI service rather than a standalone product.
- Accuracy: Inaccurate intelligence overwhelms analysts with noise, and every false positive costs investigation time. Ask how a vendor validates indicators before release, whether it attaches confidence scores, and how it retracts indicators that turn out to be benign.
- Relevance: Feeds should be tailored to your specific environment, industry and company size, as well as to what is most relevant (tactical/strategic) to your organization over the short and longer terms. Also consider who is going to use the service: TI is expanding to new personas all the time, including marketing, compliance and legal teams.
- Timeliness: Threats move quickly, so a feed is only useful if it is updated as fast as the infrastructure it describes changes. Stale indicators both miss active attacks and generate false positives once an IP or domain has been re-used by a legitimate party, so check how quickly indicators are published and how they age out.
- Scalability: Any vendor should be able to meet the TI needs of your organization as it grows.
- Reputation: It always pays to go with a vendor that can boast a track record of TI success. Increasingly, this may be a vendor not traditionally associated with TI, but rather SOAR, XDR or similar adjacent areas.
- Integration: Consider solutions which fit neatly into your existing security infrastructure, including SIEM and SOAR platforms.
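As an added example, not code from the original article or from any vendor it mentions, the following Python shows what the technical TI use case from the types section (monitoring with IOCs) looks like once the accuracy and timeliness criteria above are applied in practice. A constructed indicator feed is curated by age, confidence, a local allowlist and an internal-address filter before being matched against constructed proxy log lines. All indicator values, thresholds and log lines are invented for illustration; the IP addresses are taken from documentation ranges and stand in for real attacker infrastructure.

```python
"""
Added example (not from the original article): curate an IOC feed for
accuracy and timeliness, then match it against proxy logs.
All feed entries, log lines and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class Indicator:
    kind: str           # "ip" or "domain"
    value: str
    confidence: int     # 0-100, as published by the (hypothetical) feed
    last_seen: datetime  # when the feed last observed the indicator in use


# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed feed. RFC 5737 documentation addresses stand in for real ones.
FEED = [
    Indicator("ip", "203.0.113.7", 90, NOW - timedelta(days=2)),           # fresh, high confidence
    Indicator("ip", "198.51.100.23", 40, NOW - timedelta(days=1)),         # fresh but low confidence
    Indicator("domain", "bad.example.net", 85, NOW - timedelta(days=120)),  # stale: likely re-used since
    Indicator("domain", "cdn.example.com", 95, NOW - timedelta(hours=6)),   # known-good in this environment
    Indicator("ip", "10.0.0.5", 99, NOW),                                   # internal address: feed noise
]

# Hypothetical local allowlist: infrastructure this organization knows is benign.
ALLOWLIST = {"cdn.example.com"}

# Ranges this environment treats as internal; a feed should never flag these.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def curate(feed, now, max_age_days=30, min_confidence=60, allowlist=ALLOWLIST):
    """Drop stale, low-confidence, allowlisted and internal indicators.

    Thresholds are illustrative; a real deployment tunes them per feed.
    """
    kept = []
    for ioc in feed:
        if now - ioc.last_seen > timedelta(days=max_age_days):
            continue                          # timeliness: too old to trust
        if ioc.confidence < min_confidence:
            continue                          # accuracy: vendor itself is unsure
        if ioc.value in allowlist:
            continue                          # relevance: benign here
        if ioc.kind == "ip" and is_internal(ioc.value):
            continue                          # accuracy: cannot be external infrastructure
        kept.append(ioc)
    return kept


# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <dst_host>"
LOGS = [
    "2024-06-01T10:00:01Z 192.168.1.20 203.0.113.7 -",
    "2024-06-01T10:00:05Z 192.168.1.21 192.0.2.10 cdn.example.com",
    "2024-06-01T10:00:09Z 192.168.1.22 198.51.100.23 -",
    "2024-06-01T10:00:12Z 192.168.1.23 192.0.2.20 bad.example.net",
    "2024-06-01T10:00:15Z 192.168.1.24 10.0.0.5 -",
]


def match(logs, indicators):
    """Return (log line, indicator) pairs where the destination IP or host hits an IOC."""
    by_value = {ioc.value: ioc for ioc in indicators}
    hits = []
    for line in logs:
        _ts, _src, dst_ip, dst_host = line.split()
        for field in (dst_ip, dst_host):
            if field in by_value:
                hits.append((line, by_value[field]))
    return hits


if __name__ == "__main__":
    raw_hits = match(LOGS, FEED)
    curated_hits = match(LOGS, curate(FEED, NOW))
    print(f"raw feed: {len(raw_hits)} alerts; curated feed: {len(curated_hits)} alert(s)")
    for line, ioc in curated_hits:
        print(f"  {line}  <- {ioc.kind} {ioc.value} (confidence {ioc.confidence})")
```

Run against the constructed data, the raw feed fires on every one of the five log lines while the curated feed fires once, on the fresh, high-confidence external address. The point is not the specific thresholds but that the filters a team must build around a feed (age, confidence, allowlisting, internal ranges) are exactly the questions to put to a vendor during evaluation.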
Navigating the TI market
The TI market is constantly evolving, with new categories emerging to help evaluate new threats. That can make choosing the right option(s) a challenge. It pays to think longer term about your requirements to avoid constant reassessment of strategy, although this must be balanced by the need for relevance and agility.
It’s also worth bearing in mind that the maturity of your organization will play a big part in how many and what type of TI services to adopt. Those with dedicated teams and resources may consume as many as 15 sources of TI across commercial, OSINT, and free offerings.
Today’s threat actors are well resourced, dynamic, determined and can leverage the element of surprise. TI is one of the best ways organizations can level the playing field and gain the upper hand, including by understanding their adversary, assessing the threat landscape and making better informed decisions. That’s the way not only to stop attacks in their tracks before they can make an impact on the organization, but also to build resilience for the future.
Each organization will need to choose the blend of TI right for it. But when looking at vendors, ensure the data is at least complete, accurate, relevant and timely. Curated feeds will go a long way to saving time and resources for your own team. The key is to find a vendor whose feeds you trust. According to IDC, 80% of G2000 companies will increase investment in threat intelligence by 2024. Make sure you’re set up to succeed.