Threat Intel Feeds Suck

28 August 2023

The promise of cyber threat intelligence was always that, as a global community, blue teams could share information about badness that happened instantaneously and proactively utilize indicators of attack or compromise observed by others. While this was a wonderful premise, there were several practical implementation impediments that degraded the value of cyber threat intelligence. The first and foremost was the idea of a trusted source of this intelligence that would vet and verify it. As competitors in the marketplace sought to move more data faster to consumers the fidelity of that data declined dramatically. Attackers learned to change up their Tools/Tactics, Techniques, and Procedures (TTPs) to stay ahead of detections and contributors to the ecosystem varied in quality. Rather than realizing value, consumers of threat intelligence found that it added operational complexity without reducing risk, and more often resulted in errors and outages than preventions.

In addition to quality and timeliness, organizations quickly realized that what might be bad for one contributor might not present a threat to another. For instance, TTPs associated with a threat actor that never targeted your organization were, in essence, worthless. Unfortunately, many cyber threat intelligence teams got stuck in the rabbit hole of monitoring, researching, enriching, and tracking threats that had been observed globally, but which had never presented themselves locally. While this sort of tracking makes sense for a nation state, it rarely did for a business. Eventually security leaders began to question the value of their investment in cyber threat intelligence and often found no practical return for their investment. This led many organizations to completely deprecate their cyber threat intelligence capabilities.

If we frame the value of cyber threat intelligence to direct applicability for an organization, and the correlation of intelligence to observed threats, we can rethink the paradigm of high volume, low fidelity, low probability threat intelligence gathering and tracking. Instead of focusing on the global corpus of threat intelligence, organizations can reverse their orientation to a very local scope and derive higher value for their efforts.

Knowing that an APT group uses spear phishing to gain initial access is debatably valuable to any specific organization but knowing that a threat group has deliberately targeted your organization, and being able to track and correlate that activity over time is pure gold. Being able to advertise that the cyber threat intelligence team is tracking threats directly observed in the business justifies the intel teamís existence by drawing concrete connections between threats and the business. Long term actor tracking shifts from threats that might affect the environment to threats that are actively or repeatedly targeting the environment.

In order to shift the focus of cyber threat intelligence to this type of tactical, valuable, and high-fidelity data, such data needs to be originated from security operations. Security Operations Center (SOC) analysts spend their days triaging, investigating, and responding to alerts. If an organization can take the TTPs that SOC analysts identify and known threats, and then track and enrich those and provide feedback to SOC, then a synergistic value loop can result.

As SOC analysts conduct investigations, they need a mechanism to submit Requests for Intel (RFI) to the Cyber Threat Intelligence (CTI) team. The CTI can take Indicators of Compromise (IOC) or TTP identified by the SOC and record them in a database, or a Threat Intelligence Platform (TIP), and provide correlation, enrichment, and research to enhance the RFI. This can then be returned to the SOC analyst who can pivot or expand their investigation to enable better operational cybersecurity defense. The CTI can build a corpus of data derived from the observed activity in the environment and do their own independent long term actor tracking with easily defensible value since the threats have been positively identified locally.

Using operationally derived data to feed the CTI can also create more direct and actionable interactions between CTI, Threat Hunting, Detection Engineering, Incident Response, and other teams because CTI can provide relevant data to these teams about the threats that are provably targeting the environment. This also transforms any CTI reporting to executives from speculation about potential threats into specific accounting for threats that directly target the business and rise to a high level of concern.

Although developing this sort of capability is relatively straightforward for most organizations, a mechanism to submit RFI to CTI teams that is low friction and integrates into SOC investigative lifecycle is critical to success. SOC must submit consistent volumes of RFI to feed the CTI team. Metrics can be used to drive this success, however. Requiring SOC analysts to submit RFI for IOC and TTPs observed during their operations can be set as an expectation. Analystsí RFI submissions can then be tracked for volume and quality. The SOC Quality Assurance (QA), or review process, which evaluates investigations after the fact for quality, accuracy, and efficacy, can include an evaluation of whether candidates for RFI were properly identified and submitted. Similarly, the CTI team can be evaluated on how rapidly and accurately they respond to RFI and return enrichments to the SOC. The CTI team can also be measured on the amount, and quality, of data submitted to other security teams.

Once SOC and CTI are tightly integrated an organization can build a robust corpus of cyber threat intelligence in their TIP that is directly applicable. CTI can develop high fidelity reports, track threats over time, develop relevant trend and gap analysis, and provide high quality recommendations and observations to senior leadership. CTI can point to the direct value of their efforts and justify their existence in concrete terms.

Shifting to an operationally focused, and sourced, CTI program is relatively easy and low cost, especially utilizing free tools such as OpenCTI. Armed with just a few procedural changes in SOC and a skilled CTI team any organization can begin deriving direct, and long term, value from IOC flowing through SOC throughout the day. This can translate into a high value, easily defensible program that can support not only SOC, but the integration of multiple other parts of mature cybersecurity defensive teams.