Today, the biggest gap in the cyber security of organizations is that companies work in isolation while criminals are working in collaboration. This is exactly the reason for the sudden rise of the new domain in cyber security what we refer as “Threat Intelligence.”

A couple of years back, the focus of organizations was to get SIEM for a consolidated view of entire infrastructure and minimize the response time. Needless to say, the approach was always reactive. However, in the cat and mouse game between security professionals and cyber criminals, a proactive approach is the need of the hour. From my experience, the problem statement “Threat Intelligence” as a service/platform address to is,

“How do I monitor the bad traffic/activity in my network/infrastructure for which I do not have any rules in place?”

So how does the “intelligence” part of threat intelligence work? “It requires having one foot on the dark side.”

Example questions that consumers of this service are looking to answer include:

  • Is a connection to this IP address bad?
  • Is this URL dangerous?
  • Is this day-zero attack rumor true?
  • What do the bad guys know about me?
  • Has our sensitive information leaked?
  • Should I anticipate an attack? When? How?
  • Who is my enemy? Are they credible?
  • What will my enemy’s capabilities be in two years?
  • Where should I target our security spending?
  • What are the risks inherent in our business strategy — both strategic and tactical?

Market of Threat Intelligence

Below infographic from is enough to realize the growing market of this new entrant in the cyber world.

Delivery of Threat Intelligence Offerings

After evaluating half a dozen top notch threat intelligence vendors, I could see there are mainly two ways to offer this service/product.

In-House: Organizations who do not want their data to be sent out can opt for in-house appliance-based products. Needless to say, most costly but meets data sovereignty requirements.

Cloud Based: Minimum on budget and no installation/deployment required at the client end. Direct access to cloud-based portal and feeds.

What to expect from a Threat Intelligence Service/Product?

Any new domain appearing in the security space comes with a solution to specific problem and TI is no exception. However, in the race of getting market share, TI vendors are keeping on adding more and more features on the products. Organization looking to opt for TI service need to focus on priorities based on MoSCoW.

Must Have
a. Feeds
     Malicious IPs, URLS, and Domains with categorization such as Malware/CnC/Spyware/Phishing
     Malicious File Hashes with categorization such as Malware/CnC/Spyware/Phishing
     Malicious File Names with categorization such as Malware/CnC/Spyware/Phishing
b. A portal to view the dashboards, reports and searching capability.
c. Easy integration ability with SIEM products.
d. Advisories on latest breaches, campaigns, threat actors and region/company/sector specific threats.
e. A credible certainty/threat score for all the feeds.
Should Have
a. Real-time monitoring of organization’s public IP/domains
b. STIX/TAXI/YARA/Cybox support for importing and exporting feeds to and from other products/vendors.
c. Phishing emails/domains as a feed
d. Minimum update frequency of one hour for feeds and information in portal
Could Have
a. Sandboxing capability for the suspected attachments.
b. Secure sharing of intelligence in the community and public
c. Brand protection by searching the darkweb for any data leakage and possible breach
d. Detailed information about the feeds with actors, targets, sources of identification for getting an idea about motive and mean of attack.

How to get best out of a Threat Intelligence Service

A Threat Intelligence service must not be considered as a replacement of any existing technology/tool. It is always a supplement not substitute to existing security infrastructure in place. A TI service can effectively be used in conjunction with SIEM in two ways.

  • Send all the feeds to the SIEM/application and create correlation rules/reports/dashboards to detect any communication/activity towards those feeds for incident detection.
  • Integrate searching capability of TI platform with SIEM/application to query about any domain/IP/URL from the SIEM console for faster incident response.

Top players in the battleground

Though lots of startups have realized the potential in this space and are in the market competing with the big fish, there are few who are setting the benchmark and can be looked into seriously.

  • Anomali
  • Threatconnect
  • FireEye
  • RecordedFuture
  • LookingGlass
  • Anubish – A company which claims zero false positives with its sinkholing approach.

At last, the focus of a SOC must be to optimize the inputs being received, prioritize them and act following 80/20 rule as there’s too much data to make sense of if the organization has limited resource staff of security operations center analysts or threat analysts.