SANS: Who’s Using Cyberthreat Intelligence and How?

“Who’s Using Cyberthreat Intelligence and How?” By Dave Shackleford 


Threat Intelligence – the set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators

Purpose of CTI:
• Ability to see attacks in context
• Accuracy of detection and response
• Faster detection and response 

Data Collection Points:
“In addition to the 59% stating they are gathering intelligence from their internal systems, 76% of respondents say their organizations are gathering intelligence from the security community at large.

The external sources they are gathering information from include:
• 56% gather intelligence from their vendor product’s CTI feeds
• 54% gather intelligence from their public CTI feeds
• 53% gather intelligence from open source feeds

A small number of answers in the “Other” category included private feeds for government agencies and law enforcement, as well as social media and sites such as the SANS Internet Storm Center (ISC).”

Intelligence Feeds
“We asked those who selected “vendor-driven CTI feeds” what types of vendors were providing these. The range of responses was very broad, and many teams are obviously using CTI data from a number of different types of vendors. Endpoint security vendors led with 51%, but 43% of respondents are also getting CTI information from unified threat management (UTM)/firewall/IDS vendors and 40% from CTI platform vendors, vulnerability management providers and SIEM vendors.”

Planning for CTI
Organizations planning to invest in CTI feeds, tools and internal capabilities should assess their readiness for using CTI now and in the future.

1. Decide what you intend to do with CTI data and whom you will assign to CTI planning duties. Most organizations that attempt to implement CTI ad hoc, with no budget, staff, tools or goals, tend to reap minimal rewards.

2. Focus on tools and feeds. Once you’ve decided what you plan to do with CTI (improve detection capabilities, add more granular correlation rules to your SIEM, add host-based forensics indicators, etc.), focus on two areas: What kinds of tools will you use to aggregate and collect CTI data? And will you use commercial feeds, open source and community data, or both? Many SIEM providers are now integrating CTI feeds and information readily. Be sure to look at standard import data formats if you are bringing in feeds.

3. Consider your goals. Once you’ve decided on the basics of what data you want and where it will be aggregated, think about the short- and long-term goals of the program and how you’ll measure progress. 

CTI Standards and Tools
• Open Threat Exchange (OTX)—51%
• Structured Threat Information Expression (STIX)—46%
• Collective Intelligence Framework (CIF)—39%
• Open Indicators of Compromise (OpenIOC) framework—33%
• Trusted Automated eXchange of Indicator Information (TAXII)—33%
• Traffic Light Protocol (TLP)—28%
• Cyber Observable eXpression (CybOX)—26%
• Incident Object Description and Exchange Format (IODEF)—23%
• Vocabulary for Event Recording and Incident Sharing (VERIS)—20%
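Step 2 above says to look at standard import formats before bringing feeds into a SIEM; STIX, the second most used standard in the list, is one of them. The following added example (not from the SANS paper or this post) shows the minimal plumbing involved: it reads a constructed STIX 2.1 bundle, pulls the indicator values out of simple single-comparison patterns, and checks them against a few constructed proxy and DNS log lines the way a basic SIEM correlation rule would. The bundle, indicator values and log lines are all made up for the example; the hash is the well-known SHA-256 of an empty file.

```python
import json
import re

# Constructed sample feed in STIX 2.1 bundle shape (not from the survey or SANS).
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "name": "constructed C2 address"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']",
         "name": "constructed malicious domain"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "name": "constructed file hash (SHA-256 of an empty file)",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    ],
})

# Handles only the simple "[object-path = 'value']" patterns used above. Real STIX
# patterns can combine observations with AND / OR / FOLLOWEDBY, which this skips.
_PATTERN = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def load_indicators(bundle_json: str) -> dict[str, set[str]]:
    """Return {STIX object path: {indicator values}} for every simple indicator."""
    iocs: dict[str, set[str]] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _PATTERN.match(obj["pattern"])
        if m:
            iocs.setdefault(m.group(1), set()).add(m.group(2))
    return iocs

def match_log(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, str, str]]:
    """Flag (line number, object path, value) for each indicator seen in a log line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for path, values in iocs.items():
            hits.extend((lineno, path, v) for v in values if v.lower() in lowered)
    return hits

SAMPLE_LOG = [  # constructed proxy and DNS log lines, not real telemetry
    "2024-05-01T10:00:01Z proxy allow src=10.0.0.5 dst=198.51.100.7:443 host=cdn.example",
    "2024-05-01T10:00:09Z dns query src=10.0.0.9 qname=bad.example rcode=NOERROR",
    "2024-05-01T10:01:13Z proxy allow src=10.0.0.5 dst=203.0.113.9:443 host=www.example.com",
]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, load_indicators(STIX_BUNDLE)):
        print("line %d matched %s = %s" % hit)
```

Substring matching is enough to show the flow, but a production rule should parse each log field and compare exact values, otherwise a short indicator such as a domain will also fire on every longer name that contains it.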
