Spy Game: The Emerging Cybersecurity Realm of Threat Intelligence

Five years ago, IBM stunned the world when its Watson machine learning system defeated two former Jeopardy! champions to capture a $1 million prize. This amazing feat moved far beyond the game-playing capabilities that computers had previously achieved in much more structured games, such as chess.

Competing effectively on Jeopardy! required not only access to massive amounts of information but also the ability to understand and answer complex natural language questions. This summer, IBM announced that they were turning the cognitive power of Watson loose on a new problem – cybersecurity.

While Watson might be the most famous cyberpersonality to take on the challenge of defending networks against attacks, it isn't the first. This is the latest development in the emerging field of cyberthreat intelligence (CTI), a discipline dedicated to applying military-style intelligence techniques to the collection, analysis and use of information about cybersecurity threats.

When CTI solutions first appeared on the market a few years ago, they were met with a healthy dose of skepticism. After maturing significantly, CTI implementations now play an important role in many enterprise cybersecurity programs.

What is Threat Intelligence?

Threat intelligence takes the collection, analysis and dissemination techniques perfected by the military and applies them to a new domain of warfare: the information landscape. Like traditional intelligence agencies, CTI providers collect information from a wide variety of cybersecurity sources, analyze it and then use that information to produce intelligence products that provide value to their customers.

CTI providers do the heavy lifting of cybersecurity analysis that most enterprises simply don't have the resources to undertake. They typically combine information from at many different categories of sources to generate products that help their clients better understand and react to the evolving cybersecurity threat landscape. Some of hese sources include:

Gathering threat information from deployed security tools. One of the greatest sources of threat information is the current inventory of security devices deployed in enterprises around the globe. CTI vendors gather information from the security products installed on the sites of their customers, anonymize the data and then aggregate it to facilitate the early identification of new threats.

Deploying their own sensors. CTI providers use darknets, honeypots, DNS sinkholes and other techniques to gather their own information about the sources of malicious traffic.

Gathering intelligence from public sources. The Internet and dark web already contain tons of cybersecurity information ready for the taking, including password dumps, BitTorrent sites, hacker forums and more. CTI providers comb through these sources, seeking nuggets of information that may be useful and relevant to their clients.

Recruiting spies. Sometimes the best source of information is good old-fashioned spying. Rumors persist that some CTI providers seek moles inside of cybercriminal organizations to feed them information.

After CTI providers gather information from all of these sources, they feed it to a team of analysts who have the job of transforming it into actionable intelligence. One of the most common products offered by CTI vendors is a real-time feed of known malicious hosts on the Internet.

Many firewalls, intrusion prevention systems and other security devices are capable of receiving these live feeds and proactively blocking malicious hosts before they attempt to penetrate protected networks. CTI providers may also produce detailed reports analyzing cybersecurity threats either in general or customized for a specific client.

Does Threat Intelligence Live up to the Hype?

As recently as August 2014, Forrester analyst Rick Holland panned CTI products, stating that "Threat intelligence is one of the most over-hyped capabilities within information security today." That was a fairly common sentiment, as many security professionals felt that CTI solutions merely resold information that was generally available and didn't contribute much to the defense-in-depth capabilities of the modern enterprise.

Less than a year later, however, Holland changed his tune, opening a June 2015 research report with the statement, "Cyberthreat intelligence (CTI) has emerged as a potentially powerful tool for S&R professionals who must defend their digital business from cybercriminals."

Forrester's change of heart doesn't appear to be an isolated one. Rather, it seems to reflect the sense of the cybersecurity profession as a whole. In a 2015 survey of cybersecurity professionals, the SANS Institute found that threat intelligence efforts have plenty of traction. Of the professionals surveyed, 75 percent felt that CTI is important to security efforts and 56 percent actively use threat intelligence information obtained from vendor-driven CTI feeds.

Of those leveraging CTI, 63 percent of respondents felt that CTI improved their ability to detect and respond to security incidents. These statistics certainly indicate that organizations are not only purchasing CTI products but are deriving significant value from them. CTI does seem to finally be living up to the hype of years past.

Learning More About Threat Intelligence

As a fairly new discipline, there aren't many formal education programs available for those interested in studying threat intelligence. The major security certifications, including the Certified Information Systems Security Professional (CISSP) and Security+ credentials, barely touch on the subject, if they mention it at all.

More technical certifications, including the Certified Ethical Hacker (CEH) credential, come closer, touching on many of the topics included in threat intelligence programs without explicitly applying the CTI label.

One of the only formal options available for those seeking to dive deeply into CTI is the SANS Institute course FOR578: Cyber Threat Intelligence. This advanced course is for experienced security analysts with significant incident response experience. It dives deeply into the elements of tactical, operational and strategic threat intelligence and describes opportunities for sharing threat intelligence with the open source community.

While there is currently no certification program covering the material in this course, it wouldn't be surprising if Global Information Assurance Certification (GIAC), the certification organization affiliated with SANS, eventually releases a corresponding credential.

All indications are that threat intelligence solutions have moved beyond the fad phase and now play an important role in many enterprise security programs. Information security professionals not currently leveraging CTI in their organizations should carefully consider the available products and watch developments in this space closely.

Integrating CTI feeds with existing security infrastructure components can dramatically enhance the effectiveness of firewalls, intrusion prevention systems and other security controls by helping them distinguish friend from foe.