The ‘REAL’ Distinction of Threat Intelligence PlatformsPOSTED BY RYAN TROST
Threat Intelligence Providers or Threat Intelligence Platforms
Threat intelligence vendors are starting to dilute the term ‘platform’ in order to expand their target addressable market (TAM) by inflating [read: manipulate] the customer’s viewpoints. Recently I started skimming a specific intel provider’s blog who are starting an early marketing campaign to pivot into the platform space and several of their claims were comical. Their attempt to highlight the difference between platforms and providers were biased leading to lofty broad generalizations…so I’m hoping to provide some clarity.
First let’s address the overall subject of the blog – the distinction between threat intelligence platforms and threat intelligence providers, and then we’ll peel back a layer or two for each. Threat intelligence providers produce key insights based on their research and expertise and consolidate that information into an ingestible feed, typically delivered in a variety of ways – email, portal download, RSS feed, tweet…pick your poison. Whereas, threat intelligence platforms (TIPs) are basically complex content management systems that specialize in threat intelligence and allow customers to aggregate, organize, trend, hunt and deploy that data. Obviously there’s a lot more to it under the covers and different threat intelligence models deliver different outcomes. But suffice it to say that threat intelligence platforms continue to evolve, enriching threat feeds with contextual data and information, and prioritizing threat intelligence to make it more usable.
Threat Intelligence Providers
Now let’s peel back those layers and start by discussing the different types of threat intelligence companies. There are several “core types” of intelligence efforts including – human intelligence (HUMINT), signals intelligence (SIGINT), open source intelligence (OSINT), dark web intelligence, incident response intelligence, malware intelligence, etc.
HUMINT is the cloak and dagger technique with focus on people – basically spies and assets. For the purposes of this blog it equates to hiring a linguist who specializes in the adversary’s language to help translate artifacts in malware or a local native to penetrate a crime syndicate.
SIGINT is interception of signals including most commonly radio transmission or network communication, etc. For instance, eavesdropping on a busy Internet router just collecting all the data and looking for certain suspicious patterns; even better if it is unencrypted. HUMINT and SIGINT are fascinating techniques and stems from a long tradition of military tradecraft dating back centuries.
OSINT is the most leveraged across the industry as it is simply scouring the Internet looking for relevant pivot points to your research – blogs, whitepapers, communities, fight clubs, ‘freemium’ services, etc. There are over 200 open source blacklists that publish lists of bad domains or IP addresses that have been identified performing suspicious traffic. Although OSINT is the most prevalent across the analyst industry, it also requires a reasonable amount of validation – depending on the source. Most analysts would treat a daily blacklist feed of bad domains differently than a blog describing the latest exploit/vulnerability in great detail from a reputable source. However, on the other end of the spectrum is the “deep dark web”, which is fancy lingo for black market forums and e-commerce websites where users buy, sell and discuss illegal efforts. Due to the illegal nature of the contents [i.e. selling malware or the latest 0-day exploit], more often than not, these black market websites are invitation-only and require a bit of initial $$$ spending [a worthy customer] or proven hacking prowess [seller] to penetrate these forums.
Incident response intelligence and malware intelligence are not coined terms I have seen or heard but given how successful several firms were at building intelligence teams around these concepts, they seem like viable terms. IR intelligence surfaced as incident response firms, like Mandiant, who help companies overcome a breach, emerged and over time were able to study adversary motivations, movements, and actions across customers and industries. This exposure to adversaries allowed them to become a speaking authority on adversary TTPs.
Malware intelligence was created in a similar vein. As companies like FireEye and VirusTotal offered malware sandbox services, they started to see a huge uptick of malware samples which in turn allowed them to start tracking adversary groups and/or malware families through unique malware signatures. Over time this offered interesting characteristics – who was sophisticated, how often would the adversary reuse infrastructure, which anti-virus companies had the best detection rate and which adversary was attacking which industries.
Most intelligence providers specialize in a specific type of intelligence collection but quickly begin to bleed into the other intelligence efforts. As a result, intel providers collect a ton of data from a number of internal and external sources to cater to their own internal analysis workflows in order to capture those unique insights. However, very seldomly does that provider make their internal platform available to external customers. So, does the intelligence provider have a TIP? No they have an internal intelligence repository to suit their own internal needs but not that of a customer who needs to manipulate that data in order to make use of it.
Threat Intelligence Platforms
The second layer is diving deeper into platforms. The best way to delineate threat intelligence platforms is two primary sub-categories including on-premise versus SaaS platforms as well as single tenant versus multi-tenant. The initial characteristic involves separating ‘pure play’ platforms versus SaaS platforms. The most customizable threat intelligence platforms to align with a customer’s needs reside within a customer’s own environment, whereas, a SaaS platform is a fancy way of saying ‘portal login’. SaaS platforms are ideal for supporting large ISAC sharing communities. Some SaaS platforms have a local integration server to aid with deployment – but to that point, if you deploy a system onsite, why not the full product?!
This quickly leads into a conversation of on-premise vs. cloud which triggers another “word game” differentiating between hardware versus virtual appliance. Regardless which direction benefits you, the bottom line is single tenant versus multi-tenant model. This becomes essential because single tenant platforms allow customers to customize and to have 100% control over the data coming in and out of the platform. All platforms have integration with open source blacklists – can you turn those on/off? Can you re-score the data coming into the platform beyond how the intel provider is categorizing it? Can you set the expiration of that intelligence based on your tools, manpower, resources, etc.? In multi-tenant environments you are either locked into the vendor’s discretion or that of the larger community.
The upside for platforms that are “single tenant” AND “reside” within the customer’s environment include:
- Maximum efficiency deploying intel to local security technologies (no need to poke additional holes in the firewall)
- Your data remains your data and is not automatically shared with the vendor platform – which is likely an infringement of contractual obligation for some of YOUR sources of intelligence!
- No commingling of data
- Negate the reliance on third-party infrastructure – uptime as well as increased attack surface
- Continue to access your data even if you need to disconnect from the Internet (extreme defensive measure)
Threat intelligence platforms continue to evolve and offer additional aspects of control – orchestration, SIEM-like functions, sensor detections, or most recently, the ability to conduct collaborative investigations and to coordinate response across teams. Regardless which features pique your interest the focus is on providing greater control to determine the right response and to act faster than previously possible.
The threat intelligence platform space doesn’t have to be complex and confusing. You just need to break it down into its simplest form and ask yourself: Does the end-user have the utmost control and authority of the data, thus making it ever more usable? When the answer is “yes,” chances are you’re looking at a true threat intelligence platform.