5 Tips For Selecting Your Source of Threat Intelligence Information
Nigel Houghton
In today’s digital world, cybersecurity threats are on the rise, and businesses must stay vigilant to protect their sensitive data from cybercriminals. To combat these threats, companies often rely on cybersecurity information vendors to provide them with intelligence information. However, the quality of the intelligence information provided by these vendors has come under scrutiny, and there have been concerns about the accuracy and effectiveness of the information provided. Our experiences at ThreatQuotient give us valuable insights into intelligence information from a very wide variety of sources, from commercial vendors to industry associations, shared business feeds and other open sources. Here are some thoughts on what to look for and things to be aware of when considering a threat intelligence information source.
One of the primary issues with the intelligence information provided by cybersecurity vendors is its lack of context. The information provided is often technical in nature and can be challenging for non-technical personnel to interpret. This lack of context can lead to misinterpretation of the information, which can lead to incorrect conclusions being drawn. For example, if a vendor provides information about a specific IP address being used in a cyber attack, without providing context on the type of attack, the severity of the attack, or the motivation behind the attack, it may not be helpful to the organization trying to defend against the attack.
Another issue with the intelligence information provided by cybersecurity vendors is its timeliness. Cyber attacks can happen quickly, and organizations need timely information to prevent or mitigate the damage. However, vendors may take days or even weeks to provide intelligence information to their clients. This delay can be significant and can render the information provided useless. By the time the information is received, the damage may have already been done, and the organization may have missed its opportunity to prevent the attack.
Furthermore, the quality of the intelligence information provided by cybersecurity vendors can vary widely. Some vendors may provide accurate and actionable intelligence, while others may provide information that is outdated or even incorrect. The accuracy of the information provided can depend on the vendor’s expertise, the quality of their sources, and the tools they use to gather and analyze the data. Organizations must, therefore, be diligent in their selection of cybersecurity vendors and should thoroughly evaluate the quality of the intelligence information provided before making any decisions. Some vendors also present misleading information about current activity: for example, a suspected hostile host may be flagged as active when only one report has been received in the previous week, which places it on the same level as another host that has hundreds or even thousands of reports over the same period.
Remember that quantity and quality are two very different things, and while a vendor might tout the amount of information they provide, it is by no means an indication of quality. Too much information can often mean too much noise, which is a hindrance to the security analyst trying to investigate an incident or attempting to predict the next move of a particular threat actor. After all, how useful is ten-year-old information about an eleven-year-old vulnerability that may have once been used in an exploit kit by a now defunct actor group?
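As an added illustration of the two points above (this is example code, not from the original article or from ThreatQuotient): rather than flagging an indicator as "active" on the strength of a single report, the routine below summarises how many reports exist, how many independent sources corroborate them and how old the newest sighting is, and decays old reports so that a decade-old indicator sinks to the bottom of the triage list. The feed records, the 30-day half-life and the weighting formula are assumptions constructed for the example.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HALF_LIFE_DAYS = 30.0  # assumption for this example: a report's weight halves every 30 days

# Constructed sample feed records (indicator, source, report_time); not real data.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    # one sighting from one vendor two days ago
    ("203.0.113.7", "vendor-A", NOW - timedelta(days=2)),
    # a single sighting that is a decade old
    ("192.0.2.99", "vendor-A", NOW - timedelta(days=3650)),
    # 252 sightings from three vendors over the past week
    *[("198.51.100.23", f"vendor-{s}", NOW - timedelta(hours=h))
      for s in "ABC" for h in range(0, 168, 2)],
]

def recency_weight(report_time, now):
    """Exponential decay: a fresh report counts 1.0, a 30-day-old one 0.5."""
    age_days = max((now - report_time).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)

def summarize(reports, now):
    """Per indicator: report count, distinct sources, age of newest sighting, score."""
    by_indicator = defaultdict(list)
    for indicator, source, ts in reports:
        by_indicator[indicator].append((source, ts))
    summary = {}
    for indicator, sightings in by_indicator.items():
        sources = {src for src, _ in sightings}
        newest = max(ts for _, ts in sightings)
        weighted = sum(recency_weight(ts, now) for _, ts in sightings)
        # Volume enters logarithmically so 1000 reports do not swamp 100;
        # independent corroboration is a separate multiplier.
        score = math.log1p(weighted) * len(sources)
        summary[indicator] = {
            "reports": len(sightings),
            "sources": len(sources),
            "age_days": round((now - newest).total_seconds() / 86400.0, 1),
            "score": round(score, 3),
        }
    return summary

def rank(summary):
    """Indicators in triage order, highest score first."""
    return sorted(summary, key=lambda i: summary[i]["score"], reverse=True)

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORTS, NOW)
    for indicator in rank(s):
        print(indicator, s[indicator])
```

The summary keeps the raw counts next to the score, so an analyst can see that a "hit" rests on one report rather than hundreds before acting on it.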
In addition to the quality of the intelligence information provided, there are also concerns about the cost of using commercial cybersecurity vendors. Many vendors charge high fees for their services, and organizations may not always see a clear return on their investment. Furthermore, the cost of using multiple vendors can quickly add up, and organizations may find themselves spending significant amounts of money on cybersecurity without seeing the desired results. Additionally, customers may find themselves paying for open source information they could get for free from other sources.
Finally, there is the issue of vendor bias. Commercial cybersecurity vendors may have their own agendas, and their intelligence information may be influenced by their biases or interests. For example, a vendor that specializes in anti-virus software may provide intelligence information that emphasizes the importance of anti-virus software in preventing cyber attacks. While anti-virus software is undoubtedly essential, this emphasis may distract organizations from other important security measures they should be taking.
In conclusion, while cybersecurity information vendors, whether commercial or open source, can provide valuable intelligence information to organizations, there are concerns about the context, quality, timeliness, cost, and bias of the information provided. Organizations must, therefore, be diligent in their selection of vendors and should thoroughly evaluate the quality of the intelligence information provided before making any decisions, and in particular pay careful attention to commercial vendors trading on their prior successes or touting the volume of intelligence information they produce. Additionally, organizations should ensure that they have the expertise to interpret the intelligence information provided and should not rely solely on vendors to provide context. Oftentimes, the information shared between businesses operating in the same industry vertical can be much more useful and pertinent than anything produced by a commercial third party. By being vigilant and informed, organizations can better protect themselves from cyber attacks and ensure the safety of their sensitive data. Remember not to put all your security eggs in one basket, and while you might trust the intelligence coming from a vendor, you should always verify the information.