Traditional defenses have proven insufficient in protecting organizations from adversaries who are increasingly exploiting the digital shadows of organizations to launch targeted attacks. Now, more than ever, organizations are seeking to understand which actors pose a viable threat to their assets and business operations. As a result, many are taking the next step in their journey to strengthen their defenses by turning to Cyber Threat Intelligence (CTI). But what exactly is CTI?
There are many different definitions of CTI and, as a result, varying expectations of what CTI can do. One of the most straightforward definitions comes from the “CBEST Threat Intelligence Framework” paper, which defines it as “Information about threats and threat actors that provide relevant and sufficient understanding for mitigating the impact of a […] harmful event.”
The number of definitions nearly exceeds the number of new information security firms offering CTI. In fact, a new report by Forrester Research, “Vendor Landscape: S&R Pros Turn to Cyberthreat Intelligence Providers for Help,” includes 20 CTI vendors. This underscores the rising prominence of CTI as a security tool, but also the potential for confusion when selecting a vendor.
As a security and risk professional, how do you navigate your way through these murky waters and choose a CTI solution that will best meet your needs? As with many areas in security, there is no ‘silver bullet’ for CTI. The following five questions can help you be judicious when assessing the market and your options.
1. How wide and varied are the sources that you cover? Volume and variety of sources are among the most important characteristics of a threat intelligence provider. A provider that covers many sources (millions rather than thousands of unique domains) reduces the chance of threats going unnoticed. Multilingual support across Web and Internet services, public and private forums and a range of media types (such as IRC chats, email and video) is also important. To get the best coverage you will likely need to work with multiple providers.
2. Can you ensure my intelligence is free from false alarms? Broad coverage must be balanced against the accuracy of alerts. Look for a provider that combines high-volume CTI with curated and tailored CTI to increase the accuracy of the intelligence.
3. How quickly can I receive an alert following an event, and how far back does the context go? Accuracy is important, but if the information is received too late it may be irrelevant or not actionable. Look for vendors who can provide immediate alerts and can also access data from previous years, which can provide valuable clues and early insights into potential events.
4. Does the service integrate with my existing services? No matter how advanced an offering may be, no single vendor can satisfy all your needs. Any provider must be able to demonstrate the ability to use APIs to integrate with other solutions and with wider sharing communities, including FS-ISAC and CISP. Support for standards such as OpenIOC and STIX is also important, as is integration with threat intelligence platforms like ThreatConnect and ThreatQuotient.
5. How tailored is the service to my organization and supply chain? The most valuable intelligence is that which is specific to your organization and assets, not simply to your geography and sector. To avoid overwhelming your team, there should be a mechanism in place to prioritize alerts. A provider that also offers formal feedback processes can use that information to further tailor the service to your needs.
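What questions 4 and 5 mean in practice can be shown with a small consumer for a STIX feed: the standards support asked for in question 4 is what lets you take a provider's indicators into your own tooling, and the prioritization asked for in question 5 is a matter of scoring those indicators against your own asset and supplier inventory rather than accepting the provider's ranking as-is. The following is an added example written for this article, not code from any vendor or from the CBEST or Forrester material; the STIX 2.1 bundle, the asset inventory, the reference clock and the scoring weights are all constructed for illustration (the bundle is trimmed to the properties the code reads, and the `.test` domains and 203.0.113.0/24 addresses are reserved documentation values).

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a feed pulled from a provider API.
# Ids and values are illustrative; objects are trimmed to what this code reads
# (real SDOs also carry created/modified and other required properties).
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "confidence": 85,
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "name": "Login page impersonating example-bank",
         "pattern": "[domain-name:value = 'example-bank-login.test']",
         "pattern_type": "stix", "valid_from": "2024-01-10T08:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "confidence": 60,
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "name": "Host seen beaconing to a C2",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "pattern_type": "stix", "valid_from": "2024-01-05T12:30:00.000Z"},
        {"type": "indicator", "spec_version": "2.1", "confidence": 70,
         "id": "indicator--55555555-5555-4555-8555-555555555555",
         "name": "Supplier domain on a malware distribution list",
         "pattern": "[domain-name:value = 'payroll-supplier.test']",
         "pattern_type": "stix", "valid_from": "2022-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "confidence": 75,
         "id": "indicator--66666666-6666-4666-8666-666666666666",
         "name": "Unrelated phishing kit domain",
         "pattern": "[domain-name:value = 'unrelated-site.test']",
         "pattern_type": "stix", "valid_from": "2024-01-20T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "confidence": 40,
         "id": "indicator--77777777-7777-4777-8777-777777777777",
         "name": "Dropper hash or filename",
         "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "' OR file:name = 'dropper.exe']",
         "pattern_type": "stix", "valid_from": "2024-01-25T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "confidence": 40,
         "id": "indicator--88888888-8888-4888-8888-888888888888",
         "name": "YARA rule for the dropper",
         "pattern": "rule dropper { strings: $a = \"dropper\" condition: $a }",
         "pattern_type": "yara", "valid_from": "2024-01-25T00:00:00Z"},
    ],
})

# Constructed inventory: question 5's "organization and supply chain" as data the scoring can match.
ASSET_INVENTORY = {
    "brands": ["example-bank"],             # strings an impersonation domain would reuse
    "own_domains": ["example-bank.test"],
    "supplier_domains": ["payroll-supplier.test"],
    "own_ip_prefixes": ["203.0.113."],
}
REFERENCE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)  # fixed clock so output is repeatable

# Matches one comparison such as [domain-name:value = 'x']. Patterns using AND/OR,
# FOLLOWEDBY or several observation expressions deliberately do not match.
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_simple_pattern(pattern):
    """Return (object type, property path, value), or None for a complex pattern."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    return m.groups() if m else None


def _parse_stix_timestamp(ts):
    # STIX timestamps are UTC with a 'Z' suffix and optional fractional seconds.
    return datetime.strptime(re.sub(r"\.\d+", "", ts), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_indicator(obj, inventory, now):
    """Provider confidence adjusted for asset relevance and age. Returns (score, reasons)."""
    score, reasons = int(obj.get("confidence", 50)), []
    parsed = parse_simple_pattern(obj.get("pattern", ""))
    if parsed is None:
        reasons.append("complex pattern: route to analyst review")   # don't silently drop it
    else:
        obj_type, _, value = parsed
        if obj_type == "domain-name":
            if value in inventory["own_domains"]:
                score, reasons = score + 50, reasons + ["matches own domain"]
            elif value in inventory["supplier_domains"]:
                score, reasons = score + 40, reasons + ["matches supplier domain"]
            elif any(b in value for b in inventory["brands"]):
                score, reasons = score + 30, reasons + ["impersonates brand"]
        elif obj_type == "ipv4-addr" and any(value.startswith(p) for p in inventory["own_ip_prefixes"]):
            score, reasons = score + 50, reasons + ["inside own IP space"]
    if "valid_from" in obj and (now - _parse_stix_timestamp(obj["valid_from"])).days > 365:
        score, reasons = score - 20, reasons + ["older than a year"]   # stale context, still kept
    return score, reasons


def prioritize(bundle_json, inventory, now):
    """Parse a STIX 2.1 bundle and return its STIX-pattern indicators, highest priority first."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    ranked = []
    for obj in bundle.get("objects", []):
        # Only indicators carrying STIX patterns; YARA/Snort/Sigma patterns need their own engines.
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        score, reasons = score_indicator(obj, inventory, now)
        ranked.append({"id": obj["id"], "name": obj.get("name", ""), "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def run_example():
    return prioritize(SAMPLE_BUNDLE_JSON, ASSET_INVENTORY, REFERENCE_NOW)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['score']:4d}  {r['name']}  ({', '.join(r['reasons']) or 'no local match'})")
```

Run as a script, the brand-impersonation domain and the address inside your own range rise to the top even though the provider rated the unrelated phishing domain more confidently, the stale supplier indicator is kept but marked down, and the compound pattern is flagged for an analyst rather than dropped. The weights are deliberately simple; the point is that the relevance signal comes from your inventory, which is exactly the input a provider cannot supply without the feedback process question 5 asks about.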
CTI is critical for organizations that want to gain a comprehensive, tailored and relevant view of the potential threats and the types of attackers that could be targeting them. But attackers never rest, and neither can organizations in their quest for better threat protection and risk mitigation. With CTI as a solid foundation for understanding threats, you can continue to strengthen defenses with cyber situational awareness that, in the short term, allows you to prevent and mitigate harmful events and, in the longer term, allows you to prioritize threat protection investments and policies as threats continue to evolve.