
10:30 AM
Jonathan Zhang

5 Reasons Why Threat Intelligence Doesn't Work

Cybersecurity folks often struggle to get threat intelligence's benefits. Fortunately, there are ways to overcome these problems.

Offense is the best defense. To defend well, we must take the initiative. When we are aware, we can prepare. Whatever the motto of your cybersecurity team, fighting cybercrime requires keeping an ear to the ground to anticipate threats.

That's what threat intelligence is all about, isn't it? Learning who is likely to attack you and how, so the weak spots in corporate IT infrastructure can be found and fixed before someone exploits them. At least that's what the theory says, and many organizations are buying into it: global spending on threat intelligence services is expected to surpass $1.4 billion in 2018, up from $905.5 million in 2014.

The problem is, CSOs and cybersecurity folks often struggle to understand threat intelligence's benefits. Let's examine the reasons why and who's to blame — and how to move beyond those problems.

1. Mismatch with Particular Cybersecurity Needs.
Cybersecurity teams sometimes see threat intelligence as the quick fix that will protect them from hackers and scammers. This expectation is largely overinflated. The fact is, there is no such thing as one-size-fits-all threat intelligence.

Instead, threat intelligence must be tailored to the particular security needs of each organization, business unit, or even department; otherwise all that's being achieved is the accumulation of irrelevant data that gives a false sense of security.

A financial services company, for example, probably wants to pay close attention to website forgery and malicious contact forms aimed at deceiving targets into revealing their credit card and bank account numbers.

A pressing concern for technology providers, by contrast, is making sure proprietary information (such as trade secrets and R&D advances) does not fall into the wrong hands, whether through email spoofing, weak encryption, or malware.

2. No Resources to Act Upon Threat Intelligence
Say that you have access to insights. How do you intend to use that information to respond to threats coming your way? The reality is that 44% of daily security alerts are never investigated, and threat intelligence data may end up unused too, for a variety of reasons.

It could be that nobody in the organization knows how to interpret what they're looking at, much less act on it. Or they may lack leadership's commitment to the cause and the corresponding budget needed to lift up defenses.

Either way, knowing there is something wrong without understanding security flaws or having the means to resolve the situation does not reduce the prevalence or intensity of cyberattacks.

To overcome that gap, it's advisable to get C-level sponsors who are ready to allocate resources to train relevant employees about threat intelligence's working practices and the concrete steps for tackling flagged vulnerabilities.

3. Treating Threat Intelligence Like Any Other Cybersecurity Effort
There is an undeniable connection between threat intelligence and other cybersecurity initiatives. Threat intelligence provides direction to security awareness efforts, helps prioritize which server misconfigurations to fix first, and keeps teams on top of new forms of malware, among other things.

Following that train of thought, it is easy to assume that any security professional is ready to handle threat intelligence like a pro. However, there is a significant disparity in orientation and methodology.

More than anything else, threat intelligence is the job of an analyst whose expertise helps make sense of the big picture and establish a cybersecurity road map for proactive threat prevention and interception. That's much unlike the role of an incident response specialist trained to be reactive and respond to individual threats as they occur.

Acknowledging the discrepancy is essential, and that means responsibilities may need to be redistributed within cybersecurity teams — potentially dedicating someone to monitoring threats as they emerge in light of existing and recently acquired online assets.

4. Failing to Integrate Threat Intelligence
How can you make sure that your cybersecurity staff uses threat intelligence insights? The quickest path to product adoption is often by linking innovations to what users already know, and threat intelligence is no exception.

In fact, it's essential to connect threat intelligence and its data feeds to software that's already widely deployed, such as security information and event management (SIEM) applications, so that indicators can be matched against the logs the SIEM already collects. Doing so speeds up implementation and makes insights more accessible as part of a comprehensive cybersecurity program.

Lack of integration, on the other hand, not only makes threat intelligence less effective, it also adds to the workload of cybersecurity teams that need to manually assemble and compare data from yet another source to assess the infrastructure's well-being.
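The following is an added example, not code from the article or from the author's products, of the integration described above: a threat intelligence feed loaded into a lookup table and matched against log events, the way a SIEM enrichment rule would. It also applies the filtering argued for under reason 1, dropping indicators that are stale or low confidence so the SIEM is not flooded with irrelevant hits. The CSV feed layout, the key=value log format, the indicators, and the log lines are all constructed for the example; real feeds (STIX/TAXII, MISP exports) carry the same fields under other names.

```python
"""Match a threat intelligence indicator feed against log events.

Added example (not from the Dark Reading article). The feed format, the
log format, and all indicators and log lines below are constructed.
"""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Constructed indicator feed. Assumption: one indicator per row with a
# type, a confidence score (0-100), a last-seen date and semicolon tags.
FEED_CSV = """indicator,type,confidence,last_seen,tags
198.51.100.23,ipv4,90,2018-11-01,c2;banking-trojan
203.0.113.0/24,cidr,60,2018-10-20,scanner
login-secure-bank.example,domain,85,2018-11-05,phishing;financial
cdn-assets.example,domain,20,2018-06-01,adware
"""

# Constructed proxy/DNS log lines. Assumption: simple key=value records.
LOG_LINES = """ts=2018-11-06T09:12:01Z src=10.0.4.17 dst=198.51.100.23 dport=443 host=-
ts=2018-11-06T09:12:05Z src=10.0.4.17 dst=93.184.216.34 dport=443 host=www.example.com
ts=2018-11-06T09:13:40Z src=10.0.8.9 dst=203.0.113.77 dport=22 host=-
ts=2018-11-06T09:14:02Z src=10.0.2.3 dst=192.0.2.10 dport=80 host=login-secure-bank.example
ts=2018-11-06T09:15:11Z src=10.0.2.3 dst=192.0.2.11 dport=80 host=cdn-assets.example
"""

# Reference date for the age check; in production use date.today().
TODAY = date(2018, 11, 6)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line):
    """Turn 'k=v k=v ...' into a dict; returns {} for blank or odd lines."""
    return dict(KV_RE.findall(line))


def load_feed(feed_text, today, max_age_days=90, min_confidence=50):
    """Parse the feed into lookup tables, skipping stale or weak indicators.

    Returns {"ips": {addr: rec}, "nets": [(network, rec)], "domains": {name: rec}}.
    """
    ips, nets, domains = {}, [], {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        conf = int(row["confidence"])
        last_seen = date.fromisoformat(row["last_seen"])
        if conf < min_confidence or today - last_seen > timedelta(days=max_age_days):
            continue  # irrelevant data: do not push it into the SIEM
        rec = {"indicator": row["indicator"], "type": row["type"],
               "confidence": conf, "tags": row["tags"].split(";")}
        if row["type"] == "ipv4":
            ips[row["indicator"]] = rec
        elif row["type"] == "cidr":
            nets.append((ipaddress.ip_network(row["indicator"]), rec))
        elif row["type"] == "domain":
            domains[row["indicator"].lower()] = rec
    return {"ips": ips, "nets": nets, "domains": domains}


def lookup_ip(addr, indicators):
    """Exact IP match first, then containment in any listed CIDR block."""
    if addr in indicators["ips"]:
        return indicators["ips"][addr]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net, rec in indicators["nets"]:
        if ip in net:
            return rec
    return None


def lookup_domain(host, indicators):
    """Match the host or any parent domain of it against listed domains."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in indicators["domains"]:
            return indicators["domains"][candidate]
    return None


def match_events(log_text, indicators):
    """Enrich each event that touches an indicator; returns a list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_kv_line(line)
        if not ev:
            continue
        hit = lookup_ip(ev.get("dst", ""), indicators)
        if hit is None and ev.get("host", "-") != "-":
            hit = lookup_domain(ev["host"], indicators)
        if hit is not None:
            alerts.append({"ts": ev["ts"], "src": ev["src"],
                           "matched": hit["indicator"],
                           "confidence": hit["confidence"], "tags": hit["tags"]})
    return alerts


def run():
    """Load the constructed feed and match it against the constructed logs."""
    return match_events(LOG_LINES, load_feed(FEED_CSV, TODAY))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed inputs, three of the five events produce alerts (the C2 address, a host inside the scanner block, and the phishing domain), while the adware domain never reaches the lookup table because it is both stale and low confidence. In a real deployment the same lookup would run inside the SIEM's enrichment stage, and the age and confidence thresholds would be tuned per feed.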

5. Disregarding the Lingo of Threat Intelligence
Depending on whom you ask, threat intelligence can mean different things, and its corresponding language can vary significantly. Fail to account for this and stakeholders at various levels of the organization may quickly get lost in translation.

When senior managers talk about threat intelligence, chances are that the focus will be on high-level decision-making. Where should this financial year's security budget be spent? Which technology vendors should be kicked out for not being compliant with corporate security policies?

But sit with cybersecurity analysts and the conversation will quickly take a technical turn. Are our TLS certificates up to date? Should we connect to that malware database to stay on top of ransomware attacks? What are the top 100 websites employees interact with on a daily basis?

Through internal communications and awareness initiatives, it's necessary to ensure interested parties become aware of the different perspectives threat intelligence can take. In general, these can be broken down into two levels, one being concerned about strategic undertakings such as M&A and long-term partnerships, and the other about operational matters — e.g., the reinforcements, fixes, and configurations of websites, servers, and applications.

Threat intelligence, like any other new practice, comes with its share of promises and benefits, most of which have seduced CSOs and their security teams. Misconceptions and misunderstandings like the ones discussed in this post, however, will keep on delaying threat intelligence's full-blown deployment and its potential to tackle cybercrime.


Jonathan Zhang, CEO/Founder of WhoisXML API and TIP, is a serial entrepreneur in the infosec industry and the founder of whoisxmlapi.com and threatintelligenceplatform.com. He has vast experience in building tools, solutions, and systems for CSOs, security analysts, and ...

Comments
Jonathan TIP/WhoisXML API, 11/10/2018 | 3:03:26 PM
Re: Making threat intel. more effective through NLP
Yes, that's a great example of automatically acting upon threat intel data! The field of automated threat intelligence is emerging with advancements in AI and NLP. Its ultimate goal is to free analysts from mountains of data and even make decisions without human intervention.

11/8/2018 | 5:13:36 PM
Making threat intel. more effective through NLP
Good article!

One of the ways to make threat intel. data more effective is by using NLP algorithms to automatically "read" the threat intel. docs (human-written information) and classify the content into "attacker intent" categories. This process helps analysts accelerate investigation and response operations.
