
Conclusion: The challenge with handling threat intelligence is in assessing its relevance to an organisation, determining an appropriate response and then continual execution and reassessment. Consequently, the more comprehensive the threat intelligence service is, the greater the requirement for a customer to have existing, mature cyber security capability. Organisations must understand how they will use a threat intelligence service and what business benefit it will deliver to their organisation.



{jcontenthider g_id=2 SHOW}

Observations: As organisations move toward a risk-based approach to information security, some are engaging commercial threat intelligence vendors to obtain an external view of cyber threats. The threat intelligence market is diverse and includes vendors with varying capabilities and specialties. Vendors range from local providers such as AusCERT, through Dell SecureWorks, CrowdStrike and FireEye/Mandiant, to iSIGHT Partners and Booz Allen Hamilton (the former employers of Edward Snowden). Customers should consider the following issues when contemplating engaging a threat intelligence service:

What is threat intelligence?: Threat intelligence services can range from vulnerability cataloguing, through to complete commercial intelligence services.

Vulnerability information aggregation (e.g. AusCERT) tracks the vulnerabilities disclosed by specific vendors (e.g. Oracle, Microsoft, IBM, Adobe, etc.) and then distributes the pertinent vulnerabilities to subscribers of the service. An under-resourced IT department may get immense value from this aggregation of important and critical vulnerabilities, as it allows effort to be focused on the issues that matter. However, an information security group with mature capabilities will already hold subscriptions to the relevant software vendors' vulnerability notifications and will have mature processes for disseminating them to the operations groups that can act on the information. A vulnerability aggregation service therefore tends to suit a smaller security team.

At a midpoint along the threat intelligence continuum are vendors who leverage their managed security services, incident response, and forensics teams. These vendors, along with anti-malware vendors, frequently leverage their investment through the production of publicly available reports.

Full commercial intelligence organisations that have cyber research capabilities (e.g. Booz Allen Hamilton and iSIGHT Partners) offer a more in-depth appraisal of threats. These firms have analysts who trawl the Internet for signs of criminal activity, nation state actors, etc., and often have a continual exchange of analysts with government intelligence and law enforcement agencies. An information security group with high capability may recognise that it does not have the resources to allocate dedicated staff to researching attack trends around the world, or to conducting reconnaissance on underground sites for intelligence that could affect the organisation. A better resourced, mature information security group may be able to integrate the deeper intelligence from one of these providers into its current processes for assessing risk and for working with business units to better understand likelihood and potential impact.

The diversity of services, all referred to as threat intelligence, can cause confusion for customers, as the deliverables vary widely. These services also range dramatically in price; from a few thousand dollars per year, to tens of thousands of dollars per month, and higher.

What do you want to achieve?: In assessing the suitability of a threat intelligence service, an organisation must be clear on what outcome it expects to be able to achieve. These outcomes should centre on the following:

  • Focus IT efforts on maintenance and automation of technical hygiene issues.
  • Present a wide-angle view of the threat environment that an organisation is operating in to boards and business executives.
  • Enable internal information security staff to prioritise their resources by anticipating attacks against people, processes and technology (this can include directing the efforts of outsourcers).
  • Initiate and drive incident response discussions with other business units (such as legal, communications and HR) based on an external assessment of threat possibilities.

Geo-bias: Cyber security executives have noted that many of the large vendors that have threat intelligence capabilities are based in the northern hemisphere, and allocate the majority of their resources to gathering intelligence which impacts the majority of their clients – who are often also based in the northern hemisphere.

This means that attacks against Australian and New Zealand organisations that come from more local sources (e.g. Southeast Asia) may be overlooked. Excessive focus on China and Russia (and other Eastern European countries) can also result in narrow linguistic specialisation: the threat intelligence provider may have no analysts who speak the vast array of languages of Southeast Asia, South America, or Africa. Organisations should be aware that a cyber-attack can come from anywhere in the world, and it is not unreasonable to expect that Southeast Asian attackers may have a special interest in A/NZ organisations.

Cost of service delivery: A critical factor for vendors providing more advanced levels of threat intelligence is the cost of service delivery. Maintaining a 24/7 capability with well-trained analysts and consistent bench strength is extremely costly, and these organisations need a strong return on their investment to remain viable. The more specialised they are, the fewer the clients but the higher the fees; the more generic the intelligence, the more easily it can be disseminated widely (including as publicly available reports). A vendor that fails to gain traction in a region will likely wind down its focus on that territory, from both account management and intelligence gathering perspectives.

Next Steps:

Threat intelligence is yet another layer of defence for organisations, but it is a costly one, and one that will require an ongoing commitment to ensure that the intelligence is consumed, comprehended, and responded to appropriately.

Before engaging with a threat intelligence supplier, be clear on:

  • What information the threat intelligence service will provide.
  • Who the internal audience of this threat intelligence will be.
  • What outcomes are expected from consumption of this intelligence.
  • How relevant (customised) the threat intelligence will be for the organisation.
  • Who will be accountable for assessing the intelligence for relevance and ensuring it is responded to appropriately.

Also, review the STIX/TAXII initiative and assess its potential suitability.
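The relevance assessment the Conclusion calls for, applied to a machine-readable feed. This is an added example, not code from IBRS or from any vendor named above. It takes a constructed STIX 2.1 bundle and a constructed view of the organisation (products in the CMDB, plus values recently seen in proxy and DNS logs) and splits the feed into items worth acting on and items to discard, which is the same filtering that a vulnerability aggregation service performs on a customer's behalf for vendor advisories. The `x_example_products` property on the vulnerability objects is an assumed custom property, not part of the STIX 2.1 specification; IDs, hashes and log values are placeholders.

```python
"""Relevance triage of a STIX 2.1 bundle against an organisation's own inventory.

Added example, not IBRS's or any threat-intelligence vendor's code. The bundle,
the inventory and the x_example_products property are constructed for
illustration; x_example_products is an assumed custom property, not part of
the STIX 2.1 specification.
"""
import json
import re

# One comparison expression in a STIX pattern, e.g.
#   ipv4-addr:value = '198.51.100.7'   or   file:hashes.'SHA-256' = '...'
# Only '=' with a single-quoted literal is handled; that covers the atomic
# IP / domain / hash indicators most feeds consist of.
_COMPARISON = re.compile(r"([\w-]+:[\w.\-]*(?:'[^']*')?[\w.\-]*)\s*=\s*'([^']*)'")


def _sdo(kind, n, **props):
    """Minimal STIX 2.1 domain object with placeholder id and timestamps."""
    return {"type": kind, "spec_version": "2.1",
            "id": f"{kind}--00000000-0000-4000-8000-{n:012d}",
            "created": "2018-08-01T00:00:00.000Z",
            "modified": "2018-08-01T00:00:00.000Z", **props}


# Constructed bundle: three indicators, two vulnerabilities, one malware object.
CONSTRUCTED_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _sdo("indicator", 2, name="C2 address", pattern_type="stix",
             valid_from="2018-08-01T00:00:00Z",
             pattern="[ipv4-addr:value = '198.51.100.7']"),
        _sdo("indicator", 3, name="Phishing domains", pattern_type="stix",
             valid_from="2018-08-01T00:00:00Z",
             pattern="[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"),
        _sdo("indicator", 4, name="Dropper (placeholder hash)", pattern_type="stix",
             valid_from="2018-08-01T00:00:00Z",
             pattern="[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
        _sdo("vulnerability", 5, name="EXAMPLE-VULN-1",
             x_example_products=["oracle:database:12.1"]),
        _sdo("vulnerability", 6, name="EXAMPLE-VULN-2",
             x_example_products=["adobe:coldfusion:11"]),
        _sdo("malware", 7, name="EXAMPLE-MALWARE", is_family=False),
    ],
})

# Constructed view of the organisation: CMDB products and values seen in the
# last 30 days of proxy/DNS logs (normally queried live, embedded here).
CONSTRUCTED_INVENTORY = {
    "products": {"oracle:database:12.1", "microsoft:windows_server:2016"},
    "observed": {"198.51.100.7", "benign.example"},
}


def comparisons(pattern):
    """Return (object_path, literal) pairs from a STIX pattern.
    Escaped quotes inside literals are left as-is."""
    return [(m.group(1), m.group(2)) for m in _COMPARISON.finditer(pattern)]


def triage(bundle, inventory):
    """Split bundle objects into 'relevant' and 'not_relevant' lists of
    (object id, reason). An indicator is relevant if any literal in its
    pattern was sighted locally; a vulnerability if it affects a product in
    the inventory. Other object types are recorded as not assessed rather
    than silently dropped, so the analyst can see what the filter ignored."""
    relevant, not_relevant = [], []
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("pattern_type", "stix") == "stix":
            hits = sorted({v for _, v in comparisons(obj["pattern"])
                           if v in inventory["observed"]})
            if hits:
                relevant.append((obj["id"], "sighted locally: " + ", ".join(hits)))
            else:
                not_relevant.append((obj["id"], "no local sighting"))
        elif obj["type"] == "vulnerability":
            affected = sorted(set(obj.get("x_example_products", []))
                              & inventory["products"])
            if affected:
                relevant.append((obj["id"], "affects deployed product: " + ", ".join(affected)))
            else:
                not_relevant.append((obj["id"], "no affected product deployed"))
        else:
            not_relevant.append((obj["id"], "object type not assessed"))
    return {"relevant": relevant, "not_relevant": not_relevant}


def triage_constructed():
    """Run the triage over the constructed bundle and inventory."""
    return triage(json.loads(CONSTRUCTED_BUNDLE), CONSTRUCTED_INVENTORY)


if __name__ == "__main__":
    for bucket, items in triage_constructed().items():
        print(bucket)
        for obj_id, reason in items:
            print(f"  {obj_id}: {reason}")
```

The "reason" string is the important output: a relevance decision that cannot be explained to the business unit that has to act on it is the same as no decision, and it is also what the accountable owner in the checklist above needs in order to reassess the feed later.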

 {/jcontenthider}
