Threat intelligence services provide information about the identities, motivations, characteristics, and methods of attackers. See Rob McMillan, Khushbu Pratap, “Market Guide for Security Threat Intelligence Services,” 3, Gartner (October 14, 2014). “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” Rob McMillan, “Definition: Threat Intelligence,” 2, Gartner (May 16, 2013).
There are two primary types of threat intelligence services. “First is the threat intelligence provider that finds external data about threats and emerging attack trends in order to share that data to subscribers. Secondly, some companies have built software platforms that pull in multiple feeds from potentially hundreds of sources and then sort that data so that the most relevant threats are shown to users in the form of alerts.” John Breeden II, “Review: Threat intelligence could turn the tide against cybercriminals,” Network World (September 14, 2015).
Threat intelligence services have become an effective part of security programs that have other tools in place to absorb and act on threat intelligence information. See, e.g., Jason Cook, “Five reasons threat intelligence fails today, and how to overcome them,” Network World (May 7, 2015). “[T]hreat intelligence feeds can allow an organization to pull the raw data, normally just IP addresses, domain names or malware hashes. . . . The ability to identify systems communicating with command and control (C&C) servers or malware running in your environment will quickly demonstrate the value the capability brings.” Edward McCabe, “Are We Ready for a Threat Intelligence Program?” The Nexus (July 6, 2015).
Both open source and private threat intelligence services are available. Information-sharing organizations such as ISACs and ISAOs help facilitate sharing threat information. “Standards like STIX and TAXII are helping to normalize threat data and make it more actionable. Shared wisdom and community defense models are quickly becoming the new norm.” Kristi Horton, “Why Threat Intelligence Feels Like a Game of Connect Four,” Dark Reading (November 10, 2015).
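The two preceding paragraphs describe the mechanics in the abstract: a feed delivers raw indicators (IP addresses, domain names, malware hashes), STIX gives those indicators a normalized form, and the value appears when the indicators are correlated against the organization’s own logs to find hosts talking to command-and-control servers or running known malware. The following script is an added illustration of that loop; it is not code from any vendor or author cited on this page. It parses a constructed STIX 2.1 bundle (all values are from reserved documentation ranges, not real indicators), normalizes the three indicator kinds the text mentions, and matches them against constructed proxy, DNS, and endpoint log lines in a simple key=value format that is assumed for the example.

```python
"""Normalize STIX 2.1 indicators and correlate them with sample log lines."""
import json
import re
from typing import Dict, List, Set

# Constructed STIX 2.1 bundle standing in for a feed retrieved over TAXII.
# Every value below is a documentation/reserved example, not a real indicator.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-000000000001",
         "name": "constructed C2 server", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-000000000002",
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-000000000003",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-000000000004",
         "name": "URL indicator (kind not handled by this example)",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://update.example.invalid/a.php']"},
    ]
})

# Only the three indicator kinds named in the text are parsed; anything else
# (URLs, e-mail addresses, compound patterns) is skipped rather than mis-read.
PATTERNS = {
    "ip": re.compile(r"^\[ipv4-addr:value = '([0-9.]+)'\]$"),
    "domain": re.compile(r"^\[domain-name:value = '([^']+)'\]$"),
    "sha256": re.compile(r"^\[file:hashes\.'SHA-256' = '([0-9a-fA-F]{64})'\]$"),
}


def load_indicators(bundle_json: str) -> Dict[str, Set[str]]:
    """Normalize a STIX bundle into lower-cased lookup sets, one per kind."""
    sets: Dict[str, Set[str]] = {kind: set() for kind in PATTERNS}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for kind, rx in PATTERNS.items():
            m = rx.match(obj["pattern"])
            if m:
                sets[kind].add(m.group(1).lower())
                break
    return sets


def domain_hit(name: str, domains: Set[str]) -> bool:
    """True if name equals an indicator domain or is a subdomain of one."""
    parts = name.lower().rstrip(".").split(".")
    # Never match on the bare TLD, hence len(parts) - 1.
    return any(".".join(parts[i:]) in domains for i in range(len(parts) - 1))


# Constructed log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = [
    "2015-11-10T09:12:01Z proxy src=10.1.2.3 dst=203.0.113.45 dport=443 action=allow",
    "2015-11-10T09:12:05Z dns client=10.1.2.7 query=cdn.update.example.invalid rcode=NOERROR",
    "2015-11-10T09:13:00Z edr host=ws-017 sha256=" + "AB" * 32 + " path=C:\\Users\\x\\svc.exe",
    "2015-11-10T09:14:00Z proxy src=10.1.2.3 dst=198.51.100.9 dport=80 action=allow",
    "2015-11-10T09:14:30Z dns client=10.1.2.9 query=www.example.com rcode=NOERROR",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a field dictionary."""
    ts, source, *rest = line.split()
    fields = {"_ts": ts, "_source": source}
    for tok in rest:
        k, _, v = tok.partition("=")
        fields[k] = v
    return fields


def match_logs(indicators: Dict[str, Set[str]], lines: List[str]) -> List[Dict[str, str]]:
    """Correlate each log line with the indicator sets; return one alert per hit."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        hit = None
        if f.get("dst") in indicators["ip"]:
            hit = ("ip", f["dst"], f.get("src", "?"))
        elif "query" in f and domain_hit(f["query"], indicators["domain"]):
            hit = ("domain", f["query"], f.get("client", "?"))
        elif f.get("sha256", "").lower() in indicators["sha256"]:
            hit = ("sha256", f["sha256"].lower(), f.get("host", "?"))
        if hit:
            kind, value, asset = hit
            alerts.append({"time": f["_ts"], "source": f["_source"],
                           "indicator_type": kind, "indicator": value, "asset": asset})
    return alerts


if __name__ == "__main__":
    for alert in match_logs(load_indicators(STIX_BUNDLE), SAMPLE_LOGS):
        print(alert)
```

Three of the five sample lines produce alerts: the outbound connection to the listed address, a DNS lookup for a subdomain of the listed domain (subdomain matching is a deliberate design choice, since feeds usually list the parent domain), and an endpoint hash that matches despite differing in case because both sides are lower-cased during normalization. The two benign lines are silent. Hash comparison is only as good as the feed’s currency, and a single IP indicator can also belong to shared hosting, so in practice each alert is a starting point for an analyst rather than a verdict.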
Network World’s review of two commercial threat intelligence vendors provides insights into the services such vendors offer. Network World describes ThreatStream OPTIC as follows:
ThreatStream OPTIC is designed to process, analyze and rank threat data from more than 170 open source feeds, up to 30 or more commercial feeds and several more produced by government organizations. Data tied to threats that specifically endanger a protected network is then given to appropriate personnel.
ThreatStream OPTIC is designed to work in conjunction with SIEM tools like QRadar and Splunk to determine if the data from outside threat streams is of concern to protected networks, such as if any outgoing traffic is hitting known malware sites. Depending on the program that OPTIC is paired with, patches or remediation actions can be deployed or even automated.
Network World’s description of ThreatConnect 3.0 includes:
At the time of our testing, there were more than 4,000 active users on the ThreatConnect platform. . . . ThreatConnect collects threat streams from multiple sources and then allows specific communities of users to collaborate on what steps work, who the adversaries are and what they are targeting.
Many other threat intelligence vendors provide competing services, including Carbon Black, FireEye, and Check Point Software. Security teams should evaluate threat intelligence services to choose a service that will work best with their other security tools, their budgets, and their staffing levels.
Sixty-nine percent of the respondents to an October 2014 SANS Institute survey reported using cyber threat intelligence, and 75 percent felt it was very important and would be used in the detection and response systems over the next five years. Dave Shackleford, “Who’s Using Cyberthreat Intelligence and How?” 1, 21, SANS Institute (February 2015). Sixty-three percent indicated threat intelligence contributed to improving incident detection and response. Id. at 13.
No single security tool or set of tools can prevent all attacks from succeeding. If data feeds from threat intelligence tools do not trigger automated responses, security managers have to act on the information the tools provide. One of the claims in the “Shareholder Actions” component of the ongoing Target litigation provides a cautionary (alleged) illustration:
[O]n November 30, 2013, Target’s FireEye security system spotted the malware and triggered its first alert: “malware.binary.” Target had spent $1.6 million on the FireEye malware detection tool, and it alerted Target’s security team in Bangalore, India, that malicious malware was being uploaded onto the Company’s system. The Bangalore team dutifully elevated the issue, alerting Target’s higher level security team in Minneapolis. And then Target, under the direction of the Individual Defendants, did nothing.
Davis v. Steinhaufel, et al., No. 0:14-cv-00203 (D. Minn., July 18, 2014), Verified Consolidated Shareholder Derivative Complaint for Breach of Fiduciary Duty and Waste of Corporate Assets, Dkt. No. 48, ¶ 98. This claim, among others in the litigation, has not yet been proven.
The widespread use of threat intelligence services suggests that many security teams find the services useful. Given the extensive deployment of threat intelligence services, organizations that decline to deploy such services may, after a breach, face allegations that they failed to implement best security practices.