How to Overcome the Most Common Challenges with Threat Intelligence

By David Monnier, Chief Evangelist, Team Cymru Fellow

What would be your ideal approach to protecting your organization? Knowing exactly which threats are targeting you, well before those adversaries act, so that you can shore up your defenses and the threat never touches your systems.

However, today’s typical approach to threat intelligence isn’t putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon.

Organizations today need better intelligence, better tools, and a better approach to threat hunting that can put them on the offense and in a position to proactively protect their organization. Here’s why it’s time to reimagine threat intelligence.

6 Signs It’s Time to Reimagine Threat Intelligence

Today's standard approach to threat intelligence may give you a lot of information, yet your ability to proactively protect against threats may still be lacking. Here are some of the ways today's approach leaves you vulnerable and resource constrained.

Data Overload: Today, threat hunters have access to data about numerous threats around the world. But is all that data necessary? These large, uncurated data sets make threat detection and response difficult because of the sheer volume of entries that must be sifted through to find what is actually actionable.

Outdated Data: Reaction time is of the essence if threat hunters want to protect their environments. But intelligence can be delayed by processing and delivery through a tool, and 94% of organizations today rely on reports, which often convey intelligence that is already stale. This prevents organizations from responding to threats in real time, leaving you exposed to evolving threats or responding only after an attack has already happened.

Irrelevant Threats: On top of the sheer volume, threat hunting teams are inundated with data that isn't relevant to them, such as threat actors operating in other parts of the world or targeting other industries. Security teams must sift through large data sets to find the threats that actually apply to their organization, not to some organization on the other side of the world.

Resource Constraints: Sifting through these data sets doesn’t just consume the time and energy of your security team members. Running large, uncurated data sets through your security tools will impact their performance and slow down threat response. Continuously upgrading your tools to accommodate growing amounts of data can incur additional operational costs as well.

False Positives: Another challenging side effect of ingesting these large, uncurated data sets is the false positives they are likely to produce, driven by outdated or irrelevant entries. Addressing each false positive, which can take an average of 32 minutes to investigate, takes valuable time away from threat hunting and other security tasks, delaying the protection you need.

Supply Chain Risk: Struggling with uncurated data sets doesn't just mean you're missing threats to your own organization. It also means you're not tracking threats to the vendors and third-party providers in your supply chain, which, considering that supply chain attacks have increased 742% over the past three years, can put you in danger as well.
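The six problems above are, in practice, a curation problem: stale entries, entries aimed at other sectors or regions, low-confidence noise, and the same indicator repeated by several sources. The following Python script is an added example, not Team Cymru code or a real feed format; the field names, sample entries, vendor domain list, and the 30-day and confidence-50 thresholds are all assumptions, and the indicators are documentation ranges and example domains rather than real IOCs. It reduces a constructed feed to what one healthcare organization in North America could act on, records why each discarded entry was dropped, merges duplicates instead of counting them twice, and flags indicators that touch a vendor's domain so supply chain exposure is not lost in the noise.

```python
"""Curate a raw threat-intelligence feed down to what one organization can act on.

Added example (not Team Cymru code). The feed schema, entries, thresholds and
vendor list below are constructed for illustration only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample feed: a mix of fresh, stale, irrelevant, low-confidence
# and duplicate entries. Empty "sectors"/"regions" means the source reported
# the indicator as global rather than targeted.
RAW_FEED = [
    {"indicator": "203.0.113.7", "type": "ipv4", "last_seen": "2023-12-20T10:00:00Z",
     "confidence": 85, "sectors": ["healthcare"], "regions": ["NA"], "source": "feedA"},
    {"indicator": "203.0.113.7", "type": "ipv4", "last_seen": "2023-12-18T08:00:00Z",
     "confidence": 60, "sectors": ["healthcare"], "regions": ["NA"], "source": "feedB"},
    {"indicator": "198.51.100.23", "type": "ipv4", "last_seen": "2023-06-01T00:00:00Z",
     "confidence": 90, "sectors": ["healthcare"], "regions": ["NA"], "source": "feedA"},
    {"indicator": "192.0.2.44", "type": "ipv4", "last_seen": "2023-12-21T03:00:00Z",
     "confidence": 80, "sectors": ["energy"], "regions": ["APAC"], "source": "feedA"},
    {"indicator": "update.vendor-portal.example", "type": "domain",
     "last_seen": "2023-12-22T12:00:00Z", "confidence": 70,
     "sectors": [], "regions": [], "source": "feedC"},
    {"indicator": "c2.example.net", "type": "domain", "last_seen": "2023-12-22T12:00:00Z",
     "confidence": 20, "sectors": [], "regions": [], "source": "feedC"},
]

# Fixed "now" so the example is deterministic (assumption: feed pulled 2023-12-23).
NOW = datetime(2023, 12, 23, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the feed's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def curate(feed, now, my_sector, my_region, vendor_domains,
           max_age_days=30, min_confidence=50):
    """Return (kept, dropped).

    kept: deduplicated, relevant, fresh indicators, supply-chain hits first.
    dropped: counts of discarded entries by reason, so the team can see how
    much of the raw feed was never actionable for them.
    """
    dropped = {"stale": 0, "irrelevant": 0, "low_confidence": 0, "duplicate": 0}
    cutoff = now - timedelta(days=max_age_days)
    best = {}  # (type, indicator) -> merged entry
    for e in feed:
        if parse_ts(e["last_seen"]) < cutoff:
            dropped["stale"] += 1
            continue
        # A populated sector/region list must include ours; empty lists are global.
        if (e["sectors"] and my_sector not in e["sectors"]) or \
           (e["regions"] and my_region not in e["regions"]):
            dropped["irrelevant"] += 1
            continue
        if e["confidence"] < min_confidence:
            dropped["low_confidence"] += 1
            continue
        key = (e["type"], e["indicator"])
        if key in best:
            # Same indicator from another source: merge rather than duplicate.
            dropped["duplicate"] += 1
            prev = best[key]
            prev["confidence"] = max(prev["confidence"], e["confidence"])
            prev["last_seen"] = max(prev["last_seen"], e["last_seen"])  # ISO strings sort
            prev["sources"].add(e["source"])
            continue
        best[key] = {**e, "sources": {e["source"]}}

    kept = []
    for e in best.values():
        # Flag anything sitting on a vendor's domain: a third-party exposure.
        e["supply_chain"] = e["type"] == "domain" and any(
            e["indicator"] == d or e["indicator"].endswith("." + d) for d in vendor_domains)
        e["sources"] = sorted(e["sources"])
        kept.append(e)
    # Supply-chain hits first, then highest confidence, then most recent sighting.
    kept.sort(key=lambda e: (not e["supply_chain"], -e["confidence"],
                             -parse_ts(e["last_seen"]).timestamp()))
    return kept, dropped


def run_example():
    """Curate the constructed feed for a North American healthcare organization
    whose vendor list includes vendor-portal.example (both are assumptions)."""
    return curate(RAW_FEED, NOW, "healthcare", "NA", {"vendor-portal.example"})


if __name__ == "__main__":
    kept, dropped = run_example()
    print("dropped:", dropped)
    for e in kept:
        tag = " [SUPPLY CHAIN]" if e["supply_chain"] else ""
        print(f'{e["indicator"]:30} conf={e["confidence"]} sources={e["sources"]}{tag}')
```

Of the six raw entries, only two survive: the vendor-portal domain (ranked first because it implicates a third party) and the one IP that is fresh, relevant and confidently reported, with its two sources merged into a single entry. The other four are accounted for by reason, which is the number worth tracking over time: if most of a feed is stale or irrelevant for you, a bigger feed will not help.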

Evolve Your Threat Hunting to Threat Reconnaissance

Ultimately, a bloated threat intelligence feed doesn’t lead to better security. You may have information on every threat actor out there at your fingertips, yet still be unable to protect your organization because you didn’t have actionable, contextually relevant intelligence from streamlined feeds.

This is why security teams who want to move from a reactive to a proactive stance should look for tools that provide intelligence that is applicable to you and your organization. Better intelligence can enhance your visibility into threat actor behavior, getting that intelligence in real time allows you to act on it quickly, and having agile tools allows threat hunters to visualize and take action upon that data. These factors will enable you to evolve your threat hunting to threat reconnaissance.

What is threat reconnaissance? It is having the right intelligence and tools to act on threats to your environment outside your perimeter, before they materialize. The worst position to be in is hunting for adversaries after they have caused a breach or infiltrated your network. Today's common "proactive" posture is threat hunting: searching for threats that may already be inside your systems.

But what if you were able to proactively guard against attacks before they even got to your perimeter? Having applicable, relevant, and actionable intelligence can help you better understand which threats are approaching your organization, which gives you time to shore up your defenses and prevent them from getting in in the first place.

The Benefits of Threat Reconnaissance

Evolving to this kind of security approach provides a number of benefits, the biggest of which is preventing a cyber attack, and with it the loss of data, assets, IP, or reputation. Attacks can also impact people's lives and well-being, as we are seeing with the rise in threat actors targeting hospital systems. Knowing what your threats are and where they are coming from also helps you see whether your supply chain is at risk, and guard against attacks that arrive through third parties.

When you have the right intelligence and tools providing real-time information and visibility, your decision making improves as well: you have the time to make wise, informed choices to protect against attack. Better decisions and lower risk also translate into cost savings, including on hardware and staff resources. Organizations have seen savings of $1.7 million over three years by improving their approach to threat intelligence.

A More Ideal Approach Today

What would be your ideal approach to protecting your organization? By using more relevant and applicable intelligence to know exactly what threats are targeting your organization, you can realize your ideal security posture and prevent an attack before it even begins.

About the Author

David Monnier, Chief Evangelist, Team Cymru Fellow. David Monnier was invited to join Team Cymru in 2007. Before joining Team Cymru, he served in the US Marine Corps as a Non-Commissioned Officer and later worked at Indiana University. At the university, he spearheaded innovation at a high-performance computing center, contributing to the creation of some of the most advanced computational systems of that era. He transitioned to cybersecurity, serving as the Lead Network Security Engineer at the university. David also played a pivotal role in launching the Research and Education Networking ISAC.

Within Team Cymru, David has held positions as a systems engineer, a member of the Community Services Outreach Team, and a security analyst. He has led initiatives to standardize and bolster the security of the firm’s threat intelligence infrastructure. David also served as the Team Lead of Engineering, instituting foundational processes that the firm continues to depend upon.

After establishing the firm’s Client Success Team, he recently rejoined the Outreach team, redirecting his focus towards community services. This includes assisting CSIRT teams worldwide and promoting collaboration and data sharing within the community, aiming to enhance internet safety.

With over two decades of experience across diverse technologies, David offers a rich repository of knowledge spanning threat analysis, system fortification, network defense, incident response, and policy. Among seasoned industry professionals, he’s celebrated as a thought leader and a vital resource. David has also been a keynote speaker at global trust groups and events catered to network operators and security analysts. David can be reached online at LinkedIn: https://www.linkedin.com/in/davidmonnier, Twitter: @dmonnier and at our company website https://www.team-cymru.com

December 23, 2023
