Survey: Use of Cyber Threat Intelligence Gaining Steam
The survey provides practitioners and security professionals who lead cyber threat intelligence (CTI) teams a view into what other teams are doing and some best practices in the field, Robert Lee, SANS analyst and threat intelligence expert, tells Channel Futures’ MSSP Insider.
“It should give them confidence in actions they are doing, as well as guidance and ideas on areas they may not be as strong in yet,” he said. “The survey is also a fantastic tool to help balance what all effort is going into CTI versus what others are doing and where they are seeing value in it.”
CTI is a resource for network defense at most survey respondents’ organizations, with 72 percent either consuming or producing it. Only 8 percent reported having no plans to begin using intelligence.
Top use cases include security operations, threat and attack detection, threat blocking and security awareness. According to SANS, the widening range of uses for CTI, together with a better understanding of how it improves an organization’s security posture, is driving broader adoption by both large and small organizations.
Although more organizations are using CTI, most are not defining requirements for their CTI programs in any organized way. Just 30 percent have documented requirements, 37 percent have ad hoc requirements, and the remaining 33 percent have no defined requirements for their efforts.
“The community is starting to adopt a much better focus on tradecraft and adversary tactics, techniques and procedures (or the adversary’s behaviors) instead of simply technical indicators; this is a fantastic evolution of the field,” Lee said. “Technical indicators have value but can be very limited in value and frustrating to work with. A behavior-based approach to understanding and countering adversaries is a great maturity sign.”
Surprisingly, he said, survey respondents broadly agreed on the limitations of government-led intelligence-sharing efforts. Most of the deep understanding of cyber threats comes from the private sector rather than from government, so government needs to rethink how it delivers value beyond technical insight into threats, he said.
Once a CTI program’s focus has been set in its requirements, the collected data still has to be processed before it is useful, according to SANS. Such processing includes deduplication; enrichment with public, commercial or internal data; reverse engineering of malware; and standardization of data formats. Most respondents report that these steps are manual or semi-automated, although 8 to 19 percent report fully automated processes for some of them.
“While the use of CTI continues to grow, there is no one-size-fits-all approach,” said Rebekah Brown, SANS analyst and threat intelligence expert. “Organizations leverage different types of CTI to meet different needs.”