Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Jonathan Zhang
Jonathan Zhang
Connect Directly
E-Mail vvv

5 Reasons Why Threat Intelligence Doesn't Work

Cybersecurity folks often struggle to get threat intelligence's benefits. Fortunately, there are ways to overcome these problems.

Offense is the best defense. To defend well, we must take the initiative. When we are aware, we can prepare. Whatever the motto of your cybersecurity team, fighting cybercrime requires keeping an ear to the ground to anticipate threats.

That's what threat intelligence is all about, isn't it? Identifying and mending the weak spots of corporate IT infrastructure before someone maliciously exploits them instead. At least that's what the theory says. And many organizations are buying into it as global spending in threat intelligence services will surpass $1.4 billion in 2018 — up from $905.5 million in 2014.

The problem is, CSOs and cybersecurity folks often struggle to understand threat intelligence's benefits. Let's examine the reasons why and who's to blame — and how to move beyond those problems.

1. Mismatch with Particular Cybersecurity Needs.
Cybersecurity teams sometimes see threat intelligence as the quick fix that will protect them from hackers and scammers. This expectation is largely overinflated. The fact is, there is no such thing as one-size-fits-all threat intelligence.

Instead, threat intelligence solutions must be implemented as per the particular security needs of each organization, suborganizations, or even department — or all that's being achieved is accumulating irrelevant data that gives a false sense of security.

A financial services company, for example, probably wants to pay close attention to website forgery and malicious contact forms aimed at deceiving targets into revealing their credit card and bank account numbers.

A pressing concern for technology providers, in parallel, is making sure proprietary information (such as trade secrets and R&D advancements) do not fall into the wrong hands, be it due to email spoofing, poor encryption, or malware.

2. No Resources to Act Upon Threat Intelligence
Say that you have access to insights. How do you intend to use that information to respond to threats coming your way? The reality is that 44% of daily security alerts are never investigated, and threat intelligence data may end up unutilized, too, for a variety of reasons.

It could be that nobody in the organization knows how to interpret what they're looking at, much less act on it. Or they may lack leadership's commitment to the cause and the corresponding budget needed to lift up defenses.

Either way, knowing there is something wrong without understanding security flaws or having the means to resolve the situation does not reduce the prevalence or intensity of cyberattacks.

To overcome that gap, it's advisable to get C-level sponsors who are ready to allocate resources to train relevant employees about threat intelligence's working practices and the concrete steps for tackling flagged vulnerabilities.

3. Treating Threat Intelligence Like Any Other Cybersecurity Effort
There is an undeniable connection between threat intelligence and other cybersecurity initiatives. Threat intelligence is here to provide direction to security awareness undertakings, spot server misconfigurations, and stay on top of new forms of malware, among other things.

Following that train of thought, it is easy to assume that any security professional is ready to handle threat intelligence like a pro. However, there is a significant disparity in orientation and methodology.

More than anything else, threat intelligence is the job of an analyst whose expertise helps make sense of the big picture and establish a cybersecurity road map for proactive threat prevention and interception. That's much unlike the role of an incident response specialist trained to be reactive and respond to individual threats as they occur.

Acknowledging the discrepancy is essential, and that means responsibilities may need to be redistributed within cybersecurity teams — potentially dedicating someone to monitoring threats as they emerge in light of existing and recently acquired online assets.

4. Failing to Integrate Threat Intelligence
How can you make sure that your cybersecurity staff uses threat intelligence insights? The quickest path to product adoption is often by linking innovations to what users already know, and threat intelligence is no exception.

In fact, it's essential to connect threat intelligence and its data feeds to commonly deployed software such as, for example, security information and event management applications. Doing so will speed up implementation and make insights more accessible as part of a comprehensive cybersecurity program.

Lack of integration, on the other hand, not only makes threat intelligence less effective, it also adds to the workload of cybersecurity teams that need to manually assemble and compare data from yet another source to assess the infrastructure's well-being.

5. Disregarding the Lingo of Threat Intelligence
Depending on whom you ask, threat intelligence can mean different things, and its corresponding language can vary significantly. Fail to account for this and stakeholders at various levels of the organization may quickly get lost in translation.

When senior managers talk about threat intelligence, chances are that the focus will be on high-level decision-making. Where should this financial year's security budget be spent? Which technology vendors should be kicked out for not being compliant with corporate security policies?

But sit with cybersecurity analysts and the conversation will quickly take a technical turn. Are our SSL certificates up to date? Shall we better connect to that malware database to stay on top of ransomware attacks? What are the top 100 websites employees interact with on a daily basis?

Through internal communications and awareness initiatives, it's necessary to ensure interested parties become aware of the different perspectives threat intelligence can take. In general, these can be broken down into two levels, one being concerned about strategic undertakings such as M&A and long-term partnerships, and the other about operational matters — e.g., the reinforcements, fixes, and configurations of websites, servers, and applications.

Threat intelligence, like any other new practice, comes with its load of promises and benefits — most of which have seduced CSOs and their security teams. Misconceptions and misunderstandings like the ones discussed in this post, however, will keep on delaying threat intelligence's full-blown deployment and potential to tackle cybercrime.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jonathan Zhang, CEO/Founder of WhoisXML API and TIP, is a serial entrepreneur in the infosec industry and the founder of whoisxmlapi.com and threatintelligenceplatform.com. He has vast experience in building tools, solutions, and systems for CSOs, security analysts, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Jonathan TIP/WhoisXML API
Jonathan TIP/WhoisXML API,
User Rank: Author
11/10/2018 | 3:03:26 PM
Re: Making threat intel. more effective through NLP
Yes that's a great example of automatically act upon threat intel data!  The field of automated threat intelligence is emerging with advancement in AI and NLP.  Its ultimate goal is to free analysts from mountains of data and even make decisions without human intervention.
User Rank: Author
11/8/2018 | 5:13:36 PM
Making threat intel. more effective through NLP
Good article!

One of the ways to make threat intel. data more effective is by using NLP algotihms to automatically "read"  the threat intel. docs  (human written information) and classify the content into an "attacker intent" categories. This  process helps the analysts to accelerate invetigation and response operations 

7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...