Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/16/2012
11:28 AM
Wendy Nather
Wendy Nather
Commentary
50%
50%

Threat Intelligence Hype

How to measure the IQ of the data you're being fed

Now that we've talked a bit about analytics, I'd like to take on the other thriving buzzword: intelligence -- specifically, threat intelligence, which seems to be part of every security product these days.

What is threat intelligence? First of all, a threat is something that or someone who could exploit your vulnerabilities. It is not the vulnerability itself. A threat could be a person launching an attack, a backhoe near your network cables, a squirrel that likes to chew on insulation, or even a hurricane. It could be the malware that infects your system, the developer who thought it was a good idea to send one email alert for each log event through your Exchange server, or the auditor who may tarnish your good name with a material finding.

Intelligence, on the other hand, varies widely. I have seen the term used to describe the correlated logs in a SIEM (as if simply knowing what was going on in your network was intelligent enough). It is sometimes used to refer to the collection of event data from more than one enterprise; many vendors do this when they receive this data from their products installed at customer sites. Taking this a step further, many security companies have researchers on staff who try to find out what the newest attacks are, which systems they're targeting, and what vectors they're using. All of these types are "intelligence" based on knowing what's happening out there, beyond your own perimeter.

Besides the "what," "where," and "when," there's the "how." Threat intelligence can include the techniques and technology being used in attacks, the critical factors that mean success or failure, or the timing, location, and sources. This is more than just describing what happened; it's information on how to identify it and how to respond to it.

The "who" and the "why" are in the last tier of threat intelligence, and finding out motivation is often easier than attribution. Not many companies are willing to connect attacks and specific actors with a lot of confidence (unless, of course, you have a smoking gun in the form of an insider). But motivation and attribution are very important for organizations that need to prioritize their activities to deal with the most likely threats, particularly if they're concerned about targeted attacks; they're also crucial for law enforcement if they're to investigate these crimes.

What really brings this data to the level of intelligence is not just describing what you get out of customer logs, honeypots, sinkholes, and mailing lists. It's putting together the disparate sources of data and adding more valuable information: which families of malware could be stopped most effectively with limited countermeasures; which kinds of targets are favored by different attacker groups; how to tell who really attacked you (not just who claimed the credit); and how reliable the information is that you've received.

This is where the rubber meets the road, and this is what you should be expecting from anyone who is offering "threat intelligence." It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
simonmoffatt
50%
50%
simonmoffatt,
User Rank: Apprentice
11/20/2012 | 11:20:35 AM
re: Threat Intelligence Hype
SIEM products and providers have certainly jumped on the intelligence concept, where in reality it's a much broader subject, as you mention, covering different security components - many of which may actually be isolated from the SIEM environment. -Thinking things like HR turnover data, internal business projects, social media output and so on. -All can contribute to the infosec 'intel' pre and post incident analysis phase.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.