Rebekah Brown

The State of Cyber Threat Intelligence

Blog post created by Rebekah Brown on Aug 17, 2016

The SANS State of Cyber Threat Intelligence Survey has been released and highlights some important issues with cyber threat intelligence:


Usability is still an issue - Almost everyone is using some sort of cyber threat intelligence. Hooray! The downside – there is still confusion as to the best ways to implement and utilize threat intelligence, and the market is not making it any easier. We believe that the confusion is related to the initial push by threat intelligence vendors to sell list-based threat intelligence – lists of IPs, lists of domains, etc. – with little, or even worse, no context. This type of threat feed is data, not intelligence, but it is easy to put together and it isn’t too difficult to integrate with security tools that are used to receiving blacklists or signature-based threat data. That…well…to put it nicely, doesn’t exactly work. The survey shows that over 60% of respondents are using threat intelligence to block malicious domains or IP addresses, which contributes to high false positives and a nebulous idea of what threat intelligence is actually supposed to be doing. However, nearly half use threat intelligence to add context to investigations and assessments, which is a much better application of threat intelligence: even though it uses some of the same data sources, it requires the additional analysis that actually turns data into intelligence. A smaller number of respondents reported that they use threat intelligence for hunting or to provide information to management (28 and 27 percent, respectively), but it appears that these areas are growing as organizations identify the value they provide.


Threat intelligence helps to make decisions - 73% of respondents said that they felt they could make better and more informed decisions by using threat intelligence. 71% said that they had improved visibility into threats by using threat intelligence. These are both key aspects of threat intelligence and indicate that more organizations are using threat intelligence to assist with decision-making rather than only focusing on the technical, machine-to-machine aspect of threat intel. One of the overarching goals in intelligence work in general is to provide information to decision makers about the threats facing them, and it is great to see that this application of CTI is growing. CTI can be used to support every aspect of a security program, from determining general security posture and acceptable level of risk to prioritizing patching and alerting, and threat intelligence can provide insight to support all of these critical decisions.


More isn’t necessarily better – the majority of respondents who engage in incident response or hunting activities indicated that they could consume only 11-100 indicators of compromise on a weekly basis, and can only conduct in-depth research and analysis on 1-10 indicators per week. Since there are approximately eleventy-billion indicators of compromise being generated and exchanged every week, that puts a lot of pressure not only on analysts, but on the tools we use to automate the collection and processing of data. Related – two of the biggest pain points respondents had with implementing cyber threat intelligence are the lack of technical capabilities to integrate CTI tools into environments, and the difficulty of implementing new security systems and tools. In order to automate the handling of large numbers of indicators in a way that allows analysts to zero in on the most important and relevant ones, we need to have confidence in our collection sources, confidence in our tools, and confidence in our processes. More of the wrong type of data isn’t better; it distracts from the data that is relevant and makes it nearly impossible for a threat intelligence analyst to actually conduct the analysis needed to extract value.


Download the SANS State of Cyber Threat Intelligence Survey here.


To learn more about our approach to integrating threat intelligence into incident detection and response processes, come join us for an IDR intensive session at our annual conference, UNITED Summit.