Cyber Security Threat Intelligence, or Threat Intel, is information which organisations use to determine if they are to be, are being or have been the subject of a Cyber threat. This information forms part of the organisation’s preventative and preparative activities when responding to known or suspected threats. Such threats can take numerous guises and have a range of impacts, including brand damage, financial loss, service disruption or regulatory impact. To counter and protect against these threats, here at Softcat we see great value in having good quality and comprehensive Threat Intel.
What are the advantages of Threat Intel?
The integration of an accurate, solid, reliable cyber threat intelligence source is the bedrock of an efficient Security Operations Centre (SOC). In the absence of cyber threat intelligence sources, your detection capabilities are reliant on lesser reliable methods such as:
- Manually reverse-engineering threats, if you’re fortunate enough to have such a specialist skill within your organisation
- Matching based on experiences, this will be limited to what you and your team have identified previously, and only works if you have the mechanism in place to capture and learn from previous incidents
- Pattern matching from security technologies such as anti-virus and IDS systems and, if you’re lucky, shared knowledge from industry peers.
Incorporating threat intelligence sources into a SOC can help reduce threat hunting time, proactively uncover security incidents and reduce investigation time. Advantages of good threat intelligence are not only limited to your SOC teams, it can also support other cyber functions such as Compliance and Governance, Threat Modelling and Risk Management activities.
Just like software, threat intelligence falls into two main models, each with its own set of merits and limitations:
- Open Source Intelligence (OSINT) – this is free to use, can be community driven or security vendor/government agency funded and consists typically of a group of security volunteers or professionals (in the case of vendors/governments) working for the greater good. Quality review is undertaken on a peer basis and can be optional in some instances. OSINT is a great starting place if your business is cost sensitive or you simply want to dip your toe into the threat intelligence data lake!
Closed source – these are typically commercial solutions which incur a cost to use. Intelligence generated by these services can remain closed source, but some can trickle into the open source domain over time. Closed source typically provides a higher quality of available tooling and training, as there is funding to cover these components and a higher volume of intelligence output compared to its open source counterpart. Quality review is more rigorously undertaken on an active basis and, in some instances, is independent of the originating source to ensure accuracy and trustworthiness of the intelligence.
Which is better?
The somewhat more contentious point would be to crudely apply the old saying of ‘no such thing as a free dinner’ and assume that the quality of closed source threat intelligence is greater than that of open source because closed source uses a paid-for model and therefore must be better than its ‘poorer’ open source counterpart. In reality, there is some really good security intelligence that comes from hard working security people operating open source threat intelligence communities, you just need to be conscious that there exists the potential for a greater degree of ‘drift in validity’ of information in open source than closed!
A ‘drift in validity’ can materialise a number of ways:
- Errors, human or otherwise
- Purposeful, either as part of testing a detection or by threat actors attempting to misdirect or deny service e.g. by adding legitimate applications as Indicators of Compromise
- How the data itself is being used – e.g. the junior analysts who blindly responds to SOC events based purely on threat intelligence information. Threat intelligence forms part of your assessment of a threat, it should not be the only information used to make a decision.
- Time – some Indicators of Compromise naturally expire as a service or source is dismantled, or as technologies progress and make the attack vector null and void.
Start with your own threat intel
These two threat intelligence types (open and closed) should augment and improve your internal self-generated threat intelligence that you gain first hand from your own incidents and cyber activities (red teaming, etc). So, which to choose?
The two types have their merits:
- Both will supplement your internal capabilities and are not a replacement for self-generated intelligence
- Open Source is a great starting point for those who wish to leverage external intelligence
- Closed Source can have a greater degree of customisation, ease of integration and less ‘validity drift’
- All threat intelligence information should be validated and not taken purely on face value.
Get in Touch
If you’re interested in finding out more about threat intelligence, speak to your account manager, or click below.