Curating threat intelligence has become one of the hottest topics in security. Gathering information regarding the threat landscape isn't a new concept, but determining what actually constitutes threat intelligence is still fuzzy, and its current buzzword status in the industry isn't helping. Indeed, vendor marketing teams use the term liberally when promoting their products, replacing the "next-gen" hype with this new version of security secret sauce.
Simply put, global threat intelligence is a term for describing a process of collecting and curating threat data in order to apply controls and manage organizational risk. Unfortunately, this activity, often manual and time-consuming, can overwhelm the most experienced professionals. These efforts have been aided in the past by nonprofit bodies such as Information Sharing and Analysis Centers (ISACs) or the Computer Emergency Response Team Coordination Center (CERT-CC), but now private industry has jumped into the fray and is monetizing the undertaking. Still to be determined: Will this privatization help or hurt the struggle to assemble the right data to help us protect our institutions?
Fundamentals of global threat intelligence: Why you should care
What makes up threat intelligence and why should you care? Gartner calls it "… evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
That's a pretty broad definition, which leads to the main problem: How do you start? While many agree that building an organization's defensive posture is critical, there's disagreement over whether intensive monitoring and analysis of threat information will get you closer to achieving some level of omniscience.
According to the Cyber Intelligence Tradecraft Project, a January 2013 report from the Carnegie Mellon University Software Engineering Institute, "…organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber-intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
The variety of information collected and analyzed could include internal data such as network packet captures and flows, authentication, system and device logs, but also external data such as IP reputation and malware block lists -- even social network monitoring. The amount of intelligence collected can be massive, demanding increased resources to store and process, which poses yet another question: What data do you scrutinize and what do you ignore? I once heard a CIO refer to this type of question as a "Sophie's choice" risk management decision. Neither option is painless, and the knowledge that you may miss evidence of the next breach adds to the stress.
Industry groups that address this issue
ISACs were supposed to address this issue. They were originally established as groups to allow key industry sectors to share information under an umbrella of established standards. But their goal appears more theoretical than practical. Even with complex legal agreements in place to protect data privacy, most members prefer to take information rather than contribute. Hypothetical leaks of confidential information present the principal barrier to information sharing outside of the federal space, making large-scale collection and dissemination of threat intelligence haphazard and inconsistent.
Separate from the ISACs and CERT, there's a great deal of global threat intelligence material to be collected, but only after some heavy lifting in its filtering and subsequent application in an environment. Consolidating this extensive information into a useful form is still a major challenge, complicated by an array of standards such as the Collective Intelligence Framework, the Structured Threat Information Expression, Open Threat Exchange and OpenIOC. Other major players providing threat intelligence include the Shadowserver Foundation and Team Cymru. Additionally, there are dozens of websites devoted to providing IP or domain name reputation, spam and malware lists -- all of which can be used to beef up firewalls, blocklists and DNS sinkholes.
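To make the two preceding points concrete (external reputation data matched against internal logs, and the "what do you scrutinize" filtering problem), here is an added example; it is not code from the original article or from any of the projects named above. It assumes a simple CSV indicator feed, key=value DNS and flow log lines, a confidence threshold of 60 and a sinkhole hostname `sinkhole.example.internal`, all of which are constructed for illustration. The feed and log content are made up; the addresses and domains are documentation ranges and example names.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed indicator feed standing in for two external reputation lists.
# The same IP appears in both feeds, which is the corroboration case below.
FEED_CSV = """type,value,confidence,source
ip,203.0.113.45,90,feed-a
ip,203.0.113.45,70,feed-b
domain,bad.example.net,80,feed-a
ip,198.51.100.7,30,feed-b
domain,updates.example.org,20,feed-b
"""

# Constructed internal logs: DNS resolver queries and flow records.
DNS_LOG = """2024-05-01T10:00:01Z client=10.0.0.12 query=bad.example.net type=A
2024-05-01T10:00:05Z client=10.0.0.33 query=www.example.com type=A
2024-05-01T10:01:09Z client=10.0.0.12 query=updates.example.org type=A
"""

FLOW_LOG = """2024-05-01T10:00:02Z src=10.0.0.12 dst=203.0.113.45 dport=443 bytes=5120
2024-05-01T10:00:30Z src=10.0.0.8 dst=198.51.100.7 dport=80 bytes=900
2024-05-01T10:02:00Z src=10.0.0.33 dst=192.0.2.10 dport=443 bytes=300
"""

SINKHOLE = "sinkhole.example.internal."  # hypothetical RPZ redirect target

@dataclass
class Indicator:
    kind: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)

def load_feed(text):
    """Merge feed rows into one Indicator per (type, value), keeping the
    highest confidence seen and the set of sources that reported it."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["type"], row["value"].lower())
        conf = int(row["confidence"])
        ind = indicators.get(key)
        if ind is None:
            indicators[key] = Indicator(row["type"], key[1], conf, {row["source"]})
        else:
            ind.confidence = max(ind.confidence, conf)
            ind.sources.add(row["source"])
    return indicators

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict (assumed log format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields

def match_logs(indicators, dns_log, flow_log):
    """Return every log event whose domain or destination IP is in the feed."""
    hits = []
    for line in dns_log.splitlines():
        f = parse_line(line)
        ind = indicators.get(("domain", f["query"].lower().rstrip(".")))
        if ind:
            hits.append({"ts": f["ts"], "host": f["client"], "indicator": ind, "evidence": "dns"})
    for line in flow_log.splitlines():
        f = parse_line(line)
        ind = indicators.get(("ip", f["dst"]))
        if ind:
            hits.append({"ts": f["ts"], "host": f["src"], "indicator": ind, "evidence": "flow"})
    return hits

def prioritize(hits, min_confidence=60):
    """The triage rule: keep a hit only if the indicator is high-confidence
    or was independently reported by more than one source. Low-confidence,
    single-source indicators are dropped rather than paged on."""
    return [h for h in hits
            if h["indicator"].confidence >= min_confidence or len(h["indicator"].sources) > 1]

def build_blocklists(indicators, min_confidence=60):
    """Derive firewall and DNS blocklists from the curated indicators."""
    ips = sorted(i.value for (k, _), i in indicators.items()
                 if k == "ip" and i.confidence >= min_confidence)
    domains = sorted(i.value for (k, _), i in indicators.items()
                     if k == "domain" and i.confidence >= min_confidence)
    return ips, domains

def rpz_zone(domains):
    """Response Policy Zone records redirecting blocked names to the sinkhole."""
    return [f"{d} CNAME {SINKHOLE}" for d in domains]

if __name__ == "__main__":
    inds = load_feed(FEED_CSV)
    for h in prioritize(match_logs(inds, DNS_LOG, FLOW_LOG)):
        print(h["ts"], h["host"], h["evidence"], h["indicator"].value, h["indicator"].confidence)
    ips, domains = build_blocklists(inds)
    print("firewall:", ips)
    print("\n".join(rpz_zone(domains)))
```

Running it reports two hits, both for host 10.0.0.12, while the two low-confidence single-source matches are filtered out; the same threshold drives the firewall and sinkhole lists, so the triage rule and the controls stay consistent. The noisy part of the job described in the text is choosing that threshold and deciding which feeds count as corroborating each other.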
Security industry could fill the need, but …
By providing curated threat intelligence in a user-friendly format, the security industry could meet a critical need for most organizations. The intense effort involved with using crowd-sourced and noisy threat data requires more resources than most security teams can afford. But there's some uneasiness around the idea of collecting a company's information, then selling it back at a premium with a yearly support contract. The value of enhanced information sharing will have to be demonstrated to those at the C-level in order to justify the expense over other forms that are freely available. Otherwise, it's just another form of digital sharecropping, with customers funding the vendors.