Conclusion: The challenge in handling threat intelligence lies in assessing its relevance to the organisation, determining an appropriate response, and then executing and reassessing continually. Consequently, the more comprehensive the threat intelligence service, the greater the requirement for the customer to already have a mature cyber security capability that can absorb it. Organisations must understand how they will use a threat intelligence service and what business benefit it will deliver before they engage one.


Observations: As organisations move toward a risk-based approach to information security, some are engaging with commercial threat intelligence vendors to get an external view on cyber threats. The threat intelligence market is diverse and includes vendors with varying capabilities and specialties. Vendors range from local providers such as AusCERT, through Dell SecureWorks, CrowdStrike and FireEye/Mandiant, to iSIGHT Partners and Booz Allen Hamilton (the former employers of Edward Snowden). Customers should consider the following issues when contemplating engaging a threat intelligence service:

What is threat intelligence?: Threat intelligence services can range from vulnerability cataloguing, through to complete commercial intelligence services.

Vulnerability information aggregation (e.g. AusCERT) tracks the vulnerabilities disclosed by specific vendors (e.g. Oracle, Microsoft, IBM, Adobe, etc.) and distributes the pertinent ones to subscribers of the service. An under-resourced IT department may get immense value from this aggregation of important and critical vulnerabilities, as it allows effort to be focussed. However, an information security group with mature capabilities will already hold subscriptions to the relevant software vendors' vulnerability notifications and will have established processes for passing them to the operations groups that act on them. So a vulnerability aggregation service is more likely to suit a smaller security team.

At a midpoint along the threat intelligence continuum are vendors who draw on what their managed security services, incident response and forensics teams see across their client base. These vendors, along with anti-malware vendors, frequently recoup that investment through the production of publicly available reports.

Full commercial intelligence organisations with cyber research capabilities (e.g. Booz Allen Hamilton and iSIGHT Partners) offer a more in-depth appraisal of threats. These firms employ analysts who trawl the Internet for signs of criminal and nation state activity, and often have a continual exchange of analysts with government intelligence and law enforcement agencies. An information security group with high capability may recognise that it does not have the resources to allocate dedicated staff to researching attack trends around the world, or to conducting reconnaissance on underground sites for intelligence that could affect the organisation. A better resourced, mature information security group may be able to integrate the deeper intelligence from one of these providers into its existing processes for assessing risk and for working with business units to better understand likelihood and potential impact.

The diversity of services, all referred to as threat intelligence, can cause confusion for customers, as the deliverables vary widely. These services also range dramatically in price; from a few thousand dollars per year, to tens of thousands of dollars per month, and higher.

What do you want to achieve?: In assessing the suitability of a threat intelligence service, an organisation must be clear on what outcome it expects to be able to achieve. These outcomes should centre on the following:

  • Focus IT efforts on maintenance and automation of technical hygiene issues.
  • Present a wide-angle view of the threat environment that an organisation is operating in to boards and business executives.
  • Enable internal information security staff to prioritise their resources by anticipating attacks against people, processes and technology (this can include directing the efforts of outsourcers).
  • Initiate and drive incident response discussions with other business units (such as legal, communications and HR) based on an external assessment of threat possibilities.

Geo-bias: Cyber security executives have noted that many of the large vendors that have threat intelligence capabilities are based in the northern hemisphere, and allocate the majority of their resources to gathering intelligence which impacts the majority of their clients – who are often also based in the northern hemisphere.

This means that attacks against Australian and New Zealand organisations which may come from more local sources (e.g. Southeast Asia) may be overlooked. Excessive focus on China, Russia and Eastern Europe also drives linguistic specialisation: the implication for local organisations is that the threat intelligence provider may have no analysts who speak the vast array of languages of Southeast Asia, South America, or even Africa. Organisations should be aware that a cyber-attack can come from anywhere in the world, and it is not unreasonable to expect that Southeast Asian attackers may have a special interest in A/NZ organisations.

Cost of service delivery: A critical factor for vendors providing more advanced levels of threat intelligence is the cost of service delivery. Maintaining a 24/7 capability with well-trained analysts and consistent bench strength is extremely costly, and these organisations need a strong return on that investment to remain viable. The more specialised they are, the fewer the clients but the higher the fees; the more generic the intelligence, the more easily it can be disseminated widely (including as publicly available reports). Failure to gain traction in a region will likely see a vendor wind down its focus on that territory, from both an account management and an intelligence gathering perspective.

Next Steps:

Threat intelligence is yet another layer of defence for organisations, but it is a costly one, and one that will require an ongoing commitment to ensure that the intelligence is consumed, comprehended, and responded to appropriately.

Before engaging with a threat intelligence supplier, be clear on:

  • What information the threat intelligence service will provide.
  • Who the internal audience of this threat intelligence will be.
  • What outcomes are expected from consumption of this intelligence.
  • How relevant (customised) the threat intelligence will be for the organisation.
  • Who will be accountable for assessing the intelligence for relevance and ensuring it is responded to appropriately.

Also, review the STIX/TAXII initiative and assess its potential suitability.
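The paper's recurring point is that someone inside the organisation must assess each piece of intelligence for relevance and act on it. The following is an added example of what that step looks like in practice once intelligence arrives in machine-readable form; it is not part of the IBRS paper and not the output of any vendor named above. It assumes STIX 2.1 JSON (the paper refers only to "STIX/TAXII" without a version), a constructed indicator bundle and constructed firewall and DNS log lines, and it handles only single-comparison patterns such as `[ipv4-addr:value = '…']`; compound patterns and expired indicators are reported as skipped rather than silently dropped, because an unexamined indicator is exactly the gap the paper warns about.

```python
"""Triage a STIX 2.1 indicator bundle against local log lines.

Added example, not part of the IBRS paper. The bundle and log lines
below are constructed for illustration (RFC 5737 / RFC 2606 values).
Only simple patterns of the form [type:property = 'value'] are parsed;
anything else is reported as unsupported rather than ignored.
"""
import json
import re
from datetime import datetime, timezone

# Single comparison, e.g. [ipv4-addr:value = '203.0.113.45']
SIMPLE_PATTERN = re.compile(
    r"^\[\s*(?P<otype>[a-z0-9-]+):(?P<prop>[a-zA-Z0-9_]+)\s*=\s*'(?P<value>[^']+)'\s*\]$"
)

# Constructed sample bundle: two live indicators, one expired, one with a
# compound pattern this minimal parser does not handle, plus a non-indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "identity", "id": "identity--22222222-2222-4222-8222-222222222222",
         "name": "Example Intel Vendor", "identity_class": "organization"},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-01-01T00:00:00.000Z", "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'malware-c2.example']",
         "valid_from": "2024-01-01T00:00:00.000Z", "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--55555555-5555-4555-8555-555555555555",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2023-06-01T00:00:00.000Z", "valid_until": "2023-12-31T00:00:00.000Z",
         "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--66666666-6666-4666-8666-666666666666",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10' AND network-traffic:dst_port = 22]",
         "valid_from": "2024-01-01T00:00:00.000Z", "labels": ["malicious-activity"]},
    ],
})

# Constructed log lines (firewall and DNS resolver), 1-based line numbers matter.
SAMPLE_LOGS = [
    "2024-03-02T10:14:03Z fw01 allow tcp 10.1.4.22:51234 -> 203.0.113.45:443",
    "2024-03-02T10:14:09Z dns01 query from 10.1.4.22: malware-c2.example A",
    "2024-03-02T10:15:00Z fw01 allow tcp 10.1.4.23:51235 -> 198.51.100.7:443",
    "2024-03-02T10:15:12Z fw01 deny tcp 10.1.4.9:40000 -> 192.0.2.10:22",
]

NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)  # assumed "current" time


def parse_simple_pattern(pattern):
    """Return (object type, property, value) for a single-comparison pattern, else None."""
    m = SIMPLE_PATTERN.match(pattern.strip())
    return (m["otype"], m["prop"], m["value"]) if m else None


def _ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def live_indicators(bundle, now):
    """Split indicators into usable / out-of-window / unsupported.

    Usable means: not revoked, a STIX pattern we can parse, and now lies
    inside [valid_from, valid_until). Everything else is listed so an
    analyst can see what was NOT checked.
    """
    usable, out_of_window, unsupported = [], [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            unsupported.append(obj["id"])
            continue
        if _ts(obj["valid_from"]) > now or (
            "valid_until" in obj and _ts(obj["valid_until"]) <= now
        ):
            out_of_window.append(obj["id"])
            continue
        parsed = parse_simple_pattern(obj["pattern"])
        if parsed is None:
            unsupported.append(obj["id"])
            continue
        otype, prop, value = parsed
        usable.append({"id": obj["id"], "type": otype, "prop": prop, "value": value})
    return usable, out_of_window, unsupported


def match_logs(indicators, log_lines):
    """Return (indicator id, value, line number) for each whole-token occurrence."""
    hits = []
    for ind in indicators:
        # Whole-token match: '203.0.113.4' must not match '203.0.113.45'.
        needle = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])")
        for n, line in enumerate(log_lines, 1):
            if needle.search(line):
                hits.append((ind["id"], ind["value"], n))
    return hits


def triage(bundle_json, log_lines, now):
    """Parse a bundle, drop what cannot be used, and match the rest against logs."""
    usable, out_of_window, unsupported = live_indicators(json.loads(bundle_json), now)
    return {
        "hits": match_logs(usable, log_lines),
        "usable": [i["id"] for i in usable],
        "out_of_window": out_of_window,
        "unsupported": unsupported,
    }


def run_sample():
    """Run the triage over the constructed bundle and logs above."""
    return triage(SAMPLE_BUNDLE, SAMPLE_LOGS, NOW)


if __name__ == "__main__":
    result = run_sample()
    for ind_id, value, n in result["hits"]:
        print(f"HIT log line {n}: {value} ({ind_id})")
    print("skipped, outside validity window:", result["out_of_window"])
    print("skipped, unsupported pattern:", result["unsupported"])
```

Run as-is it reports two hits (the C2 address on line 1 and the C2 domain on line 2), one indicator skipped because its validity window has passed, and one skipped because its compound pattern is beyond the parser. The last two lists are the point: the service delivered four indicators, the organisation could act on two, and someone accountable has to decide whether the remaining two warrant manual review. That decision, and the capability to make it continually, is what the paper says a customer must have in place before buying the feed.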


James Turner

About The Advisor

James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor; researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.