By The Recorded Future Team on May 22, 2019
Threat intelligence can positively impact every security function when it’s implemented properly, and for that reason, it’s becoming more common for organizations to start investing in a threat intelligence program. But don’t jump out of the nest until you’re ready to fly — there are a few common mistakes and misconceptions about threat intelligence that can turn it into more of a hindrance than a help.
In this first blog of a three-part series, we’ll focus on three in particular: the failure to properly vet your intelligence sources, the misconception that threat intelligence is just a series of threat feeds incorporated into a platform, and a lack of clarity between data, information, and intelligence.
Mistake 1: Failing to Properly Vet Sources
Just like any IT function, threat intelligence lives and dies on the quality of inputs — garbage in, garbage out.
Despite this, many organizations start their threat intelligence program by signing up for a series of open source threat feeds without having a proper vetting process in place.
This can result in a flood of alerts that are difficult to differentiate or trust. Because so many alerts arrive without context and turn out to be false positives or redundancies, it’s no surprise that around 44% go completely uninvestigated. And of the remaining 56%, only around half get resolved.
There’s nothing inherently wrong with open source threat feeds, and no guarantee that a paid feed will provide accurate or valuable insights. The key to strong threat intelligence outputs is threefold:
- Have a proper vetting process in place for new sources.
- When starting out with a new source, make sure your analysts are confirming possible insights against other sources that are already trusted.
- If a source fails to add value, drop it.
Mistake 2: Thinking Threat Intelligence Feeds Equal Threat Intelligence
Threat intelligence feeds, whether free or paid, are only the first step in developing an effective threat intelligence program.
Feeds, which are streams of data that provide information on potential cyber threats and risks, are an easy way to get a quick, real-time look at the external threat landscape. They usually provide information on a single area of interest, like IP addresses or malware hashes.
The kind of data provided by threat feeds is good when you can make sense out of it and take action on it — but if you can’t, then it’s just more data, which can overwhelm analysts who are already burdened with countless daily alerts and notifications.
Which brings us to the real problem.
Mistake 3: Not Distinguishing Between Threat Data, Information, and Intelligence
Threat data, information, and intelligence are not the same thing.
Threat data is a mass of individual, inarguable facts, with no context or analysis. For example, an IP address recorded in your organization’s firewall logs is a good example of a single data point.
Threat information is the result of a number of individual data points being combined to answer a simple question. For example, a summary of your organization’s firewall logs could tell you how often a specific IP address has attempted to access your network.
Threat intelligence requires further interrogation of threat data and information in order to produce a narrative that can be used to make decisions. For example, using a variety of sources, a threat analyst might determine that connections from a specific IP address should be blocked, because there is a high probability that it’s connected with a well-known threat group.
Generally, threat feeds only provide threat data, and sometimes threat information. Unfortunately, unless you have the right technologies in place to contextualize threat alerts and cut away false positives, the role of wading through countless threat alerts to find what is actually useful will inevitably fall to your human analysts.
Since even a modest number of threat feeds can produce thousands of alerts each day, this approach inevitably leads to analyst overwhelm, and ultimately what’s known as “alert fatigue” — when analysts stop paying attention to alerts, because there are simply too many to be managed.
Understand the distinction between threat data, information, and intelligence, and have the right processes and technologies in place to refine a massive volume of inputs into a manageable stream of useful outputs.
It’s perfectly all right for the technology you use to fuel your program to ingest threat data and information, so long as your human analysts aren’t expected to deal with it directly.
Start Simple With the Cyber Daily
To get a taste of what threat intelligence can provide, sign up to receive free our Cyber Daily newsletter. Recorded Future automatically scours the entire web to identify new vulnerabilities and emerging threat indicators, including:
- Top cybersecurity news
- Top targeted industries
- Top threat actors
- Top exploited vulnerabilities
- Top malware
- Top suspicious IP addresses