OSINT Alone Does NOT Equal Threat Intelligence

While attending the 2015 RSA Conference last week, I committed myself to simply being an active onlooker and listener.


Specifically, I spent the week loitering around the various solutions provider booths “shoulder surfing” and eavesdropping on who’s saying what to whom and how each side – the solution seeker and the solution provider – perceive one another as it pertains to cybersecurity’s current up-and-coming rising star, Threat Intelligence.

It’s that damn Threat Intelligence. So much disruptive promise (way more in my opinion than persisting with updates to sacrosanct and rusting solutions), yet so much confusion and noise.

My info-gathering tour at RSA was enlightening, but when I combined it with what I heard from Forrester’s Rick Holland this week in his brief “Threat Intelligence is Like Three Day Potty Training,” a couple big insights emerged from the intersection of my data and Rick’s very thoughtful observations:

Many businesses right now think Open Source Intelligence (OSINT) is the totality of threat intelligence and many are willing to pay handsomely for this latest fashion trend without any real notion of how or why to put it to work.

In other words, as I listened to one after another vendor and solution seeker alike, each seemed to convey that gaining usable intelligence on potential cyber threats facing businesses was best accomplished by focusing on data that’s freely available on the uppermost parts of the internet each and every day. And they seemed very willing to pay for tools to exploit it in spades based almost solely on the shiny labels.

As Rick points out, and as I observed first hand on the floor, many companies get stuck in the immature, “low-hanging-fruit-grab” period of their threat intelligence development. The attractive, available lure of OSINT is all too gratifying to pass up.

But more disturbing for me, from the exchanges I witnessed (and a bit of a twist on what Rick presented), many companies seemed as if they’d be just fine to stick with OSINT-only approaches for what sounded like much longer than an initial period of time.


In fact, as I heard one after another describe how they handled threat intelligence activities day-to-day, far too many described a process for daily tasking, triage and justification based solely on a web article or a post.

In one case, I even encountered a major infrastructure firm who told me if it couldn’t be found on the web, it didn’t exist for them as a threat worthy of investigation or as justification for any specific cyberdefense investment!

As such, many were on the hunt for ways to “up the ante” on this process and splurge on a “real live” OSINT-only solution to get even better at the process. And they seemed more than happy to blow the majority of their shiny new threat intelligence budgets on it, leaving room for little else.

In reality, the beauty of threat intelligence is much more than skin deep. Open source data is just a small part of the threat intelligence picture.

In particular, making use of threat intelligence in your cyber defenses to…

• Raise cross-organizational situational awareness

• Manage risks across your internal org and supply chain

• Speed response (and pre-response) to incidents

• Prioritize effective use of tactical cyber solutions

• Collaborate, budget and strategize around cyber defense

• Educate and inform your workforce

…involves a whole lot more than just OSINT.

The web and all its blogs, sites, social media posts, memes and cat videos is a treasure trove of information. Well, sometimes. Even so, the internet itself is arguably the single greatest human achievement in our history on this blue-green marble, but it isn’t actually reality.

In fact, it isn’t even really a shadow of reality. It’s more like many groups of collections of individual pixels in several disjointed areas of one much bigger, 3D image. Sure, one spot may be dark blue, but without information to fill in the white spaces, it’s a guessing game as to whether the big picture is indeed a fat, funky blue whale or something else.

Effective threat intelligence involves comprehensive, continuous collection and analysis of the right data sources, from both inside your organization and out, and combining that with a high degree of relevancy to your specific business profile and characteristics. It’s an approach from many levels and angles. It’s the cliched 360 degrees and three dimensions.

OSINT tools and sources alone only give you a limited view into what you need to know to accomplish a proactive, effective cyber risk management function that helps better protect your business, its financial interests, brand and reputation, partners and customers and information technology baselines.

Effective threat intelligence requires a data collection and analysis approach across all the below…just for starters:

• OSINT – Websites, blogs, forums, breach databases, exploit databases, malware, vulnerability, Dark Web sources and myriad others

• Your Own Evaluated Threat Data – Your own team’s low-level data that’s confirmed as “real” or relevant and diligently recorded, analyzed (e.g. found Trojans or confirmed SNORT hits)

• Highly-Focused, Highly-Relevant Data Feeds – Commercial phishing feeds, patch management updates, Spam analytics, AV/AM, Government alerts and indicators

• Partner and Supply Chain Data – Extending reporting, sharing and data collection from your own “Private ISAC”

• SIEM Information – Evaluated events from SIEM analysis and exploration

• TIP Data – HUMINT analysis and other alerts, low-level data from “traditional” Threat Intelligence Platforms that can be confirmed as relevant threat events

What’s even more important, specific data about your own business, its products, technologies, employees, partners, customers, locations, third-party support providers, equipment, devices and more is a key ingredient needed to provide real data relevance you can act on. Yet many ignore this information as outside the realm of “threat intelligence.” To me, if you can’t map your vulnerabilities to what’s a threat, there is no risk management and there is no such thing as “actionable.”
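The mapping described above, as an added illustration that is not from the original article: threat reports from the source categories in the list are matched against a business profile, and only threats that touch something the organization runs become actionable. The asset inventory, threat IDs, source weights and scoring rule are all constructed assumptions.

```python
from collections import defaultdict

# Source categories come from the article's list; the weights are assumed.
SOURCE_WEIGHT = {"osint": 1, "feed": 2, "partner": 2, "tip": 2, "siem": 3, "internal": 3}

# Constructed business profile: technologies the organization actually runs.
ASSETS = {
    "apache-struts": {"owner": "web-team", "internet_facing": True},
    "cisco-asa": {"owner": "netops", "internet_facing": True},
    "sap-erp": {"owner": "finance-it", "internet_facing": False},
}

# Constructed threat reports: (source, threat id, affected technology).
REPORTS = [
    ("osint", "T-001", "apache-struts"),
    ("siem", "T-001", "apache-struts"),
    ("partner", "T-001", "apache-struts"),
    ("osint", "T-002", "wordpress"),   # widely blogged, not in this environment
    ("osint", "T-002", "wordpress"),
    ("internal", "T-003", "sap-erp"),  # confirmed in-house, never on the web
    ("feed", "T-004", "cisco-asa"),
]

def prioritize(reports, assets):
    """Return (actionable threats, highest score first; threats set aside as not relevant)."""
    sources, tech = defaultdict(set), {}
    for source, threat_id, technology in reports:
        sources[threat_id].add(source)
        tech[threat_id] = technology
    actionable, set_aside = [], []
    for threat_id, seen_in in sources.items():
        asset = assets.get(tech[threat_id])
        if asset is None:              # no match in the business profile
            set_aside.append(threat_id)
            continue
        # Corroboration across distinct sources raises the score.
        score = sum(SOURCE_WEIGHT[s] for s in seen_in)
        if asset["internet_facing"]:
            score += 2
        actionable.append((score, threat_id, asset["owner"], sorted(seen_in)))
    actionable.sort(key=lambda row: (-row[0], row[1]))
    return actionable, sorted(set_aside)

def osint_only_view(reports):
    """Threats visible to a team that tasks only from open-source reporting."""
    return sorted({threat_id for source, threat_id, _ in reports if source == "osint"})

if __name__ == "__main__":
    ranked, ignored = prioritize(REPORTS, ASSETS)
    for score, threat_id, owner, seen_in in ranked:
        print(f"{threat_id} score={score} owner={owner} sources={','.join(seen_in)}")
    print("not relevant to this profile:", ignored)
    print("OSINT-only view:", osint_only_view(REPORTS))
```

On this constructed data the OSINT-only view contains T-001 and T-002, so it spends effort on a threat to technology the organization does not run and never sees T-003 or T-004.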

The bottom line? If it isn’t comprehensive, perspicacious and relevant, it’s mostly useless.

As well, more than just data of any specific flavors, effective threat intelligence hinges on the ability to free data from security operations activities and communicate it, share it effectively, integrate it with other non-cyber systems and use it to inform non-technical business strategists, analysts, managers and leaders who steer the larger business. It must be timely, standard, consistent, easily intuitive and sensible.

In other words, it has to be “human compliant” too across a variety of roles, both technical and non-technical, or, yep, you guessed it, it’s mostly useless.

So, don’t get hypnotized by a narrow focus. OSINT is just one part of putting threat intelligence to work. Despite a shiny, sexy appearance, it can cost you a whole lot more than the high price you pay for it.
