The TIP Is Dead, Long Live the TIP

October 20, 2020 • Gareth Pritchard

Elite intelligence is both deep and broad. That is, it comes from a variety of sources, including internal investigations, external collection, and publicly and privately shared data sets. Each comes with a unique sensitivity level, and they all provide different levels of fidelity.

Internal intelligence is the highest fidelity. This type of intelligence is derived from an investigated attack with extracted IOCs. These may be targeted attacks utilising TTPs and IOCs that are not known to any intelligence provider and not detectable by any automated solution — like machine learning, UEBA, AI, orchestration, etc.

Even threat hunters may find it challenging to detect a well-organized targeted attack. To provide support to the threat detection strategy, intelligence is often catalogued in a TIP.

What Is a TIP?

TIP is an acronym for threat intelligence platform. Fundamentally, a TIP is a database used to store intelligence. They hold a lot of threat data and organize it in a manner that’s useful to the various team members who need to access it.

What Are the Limitations of a TIP?

A TIP is not a comprehensive security tool. It cannot perform threat hunting or active threat detection and it is not designed to disseminate intelligence to other disparate solutions.

Benefits of Using a TIP

Although a TIP alone will not serve as a one-stop solution for your security team, there are some compelling reasons to introduce one into your tech stack. This is especially true if the TIP integrates with a comprehensive security intelligence platform. Some of benefits a TIP include:

  • Centralization — Having a TIP provides a centralized location that makes threat intelligence accessible for all members of the security team. In instances where budgets may be low and access to a service-provided portal is limited, a TIP may provide a suitable alternative for accessing intelligence and investigating incidents.
  • Aggregation and Correlation — When you have multiple sources of intelligence, it provides compounded evidence of entities being malicious. It also enables private group intelligence sharing while also ensuring data and information is deduplicated and correlated with additional context.
  • Enrichment — Once a set of intelligence is collected, aggregated, and correlated, it’s also useful to apply an additional layer of intelligence-calculated risk — such as Recorded Future’s risk scores. This enables categorization and identification of intelligence elements based on prioritization and relevant context.

The Risks of Not Using a TIP

If you’re not using a TIP, targeted attacks utilizing TTPs and IOCs that are unknown to external intelligence providers may not be catalogued or utilized in the strategic threat detection strategy. That means the same attacks are not detected sooner via content development or hunting activities.

In this scenario, threat hunters and content developers may rely on disparate sources of information instead of a unified platform that provides industry-leading intelligence, internal-investigation intelligence, and focused, prioritized threat data.

Why Are TIPs Becoming Less Common?

TIPs are gaining a reputation for being expensive and unnecessary. This is primarily due to the value of intelligence combined with the evolution of TIP vendor technology. The enterprise-class TIPs available on the market today provide many more features than traditional TIPs once did. As a result, costs are inflated to account for the additional features.

Direct integration of intelligence into the detective and monitoring controls also provide a use case for eliminating a TIP. This exacerbates the problem, however, as new indicators extracted from the detected threats have nowhere to be catalogued and correlated unless they’re shared openly to public intelligence groups for dissemination back through the same premium intelligence provider.

Ultimately, the traditional TIP has died and paved the way for much more advanced technologies that inherited the TIP moninker.

Common Misconceptions About TIPs

You may be thinking, “My organization isn’t mature enough for a TIP, yet,” or “My other solutions provide all the value I need.”

The truth is, all security organizations would benefit from a TIP. They provide insightful metrics about the threats the organization is facing. Rather than being an unnecessary expense, they actually serve to save money and optimize intelligence, content development, and investigation operations.

Maturity should not be a factor in your decision to implement a TIP. Fewer alerts simply means collecting less intelligence. Forgoing intelligence collection, aggregation, and correlation in the early stages of the development of the security program may be damaging, as it means early incident IOCs are never catalogued for later use.

A TIP doesn’t need to be an enterprise-class solution, especially for a SOC that’s in the early stages of development. The primary purpose of the TIP is simply to collect data and information from internal incidents and aggregate it with external intelligence. This can be achieved with a simple spreadsheet and enrichment script; a basic example of this is shown below:

Excel Screenshot

Learn More About The Importance of Integrated Intelligence

For more information about the business benefits of elite security intelligence for maturing your security strategy, download the Recorded Future white paper, “Security Intelligence: Driving Security from Analytics to Action” today.

New call-to-action