MWR InfoSecurity has released a CPNI and CERT-UK supported study entitled Threat Intelligence: Collecting, Analysing, Evaluating, that aims to remove the confusion around threat intelligence and gives vendor neutral advice that can be scaled to different sectors, sizes of organisation, and organisational goals. Whilst high on organisations' RADARs, little consensus exists as to what threat intelligence is, and many companies risk investing huge sums of money with little effect on security. The in-depth report, authored by MWR senior security researcher Dr David Chismon, breaks down the wide range of things marketed as threat intelligence into distinct types, and advises how to build and evaluate a successful threat intelligence programme - and crucially, how not to build one - as well as detailed advice on collecting, analysing, acting on and sharing the information obtained.
“Threat intelligence is rapidly becoming an ever-higher business priority with a general awareness of the need to ‘do’ threat intelligence, but vendors are falling over themselves to offer a confusingly diverse array of threat intelligence products,” said Dr David Chismon, senior security researcher at MWR InfoSecurity and principal author of the report. “There is a risk that in the hurry to keep up with the threat intelligence trend, organisations will end up paying large amounts of money for products that are interesting but of little value in terms of improving the security of their business. ‘Doing’ threat intelligence is important – but doing it right is critical.”
To address this, CPNI and CERT-UK contracted MWR InfoSecurity to review the area and provide a framework for threat intelligence. The resulting paper is the product of literature reviews, internal experience, and a large number of interviews with people involved in threat intelligence and related fields across a range of organisations.
“By taking threat intelligence back to its intelligence roots and applying the same strict principles, it quickly becomes clear that effective threat intelligence focuses on the questions that an organisation wants answered, rather than simply attempting to collect, process, and act on vast quantities of data,” said Dr Chismon. “Yet, it’s vital to be asking the right questions in the first place. Hence this paper looks in detail at the cycle of setting requirements, collecting and analysing data, turning the results into a consumable product and evaluating the usefulness of that product – which then feeds back into asking ‘better’, more useful questions for the future.”
In addition, a helpful “Quick Wins” section is included with actions that organisations can take today, regardless of staff and budget constraints, in order to improve internal threat intelligence practices. Importantly, it assumes no specific current security infrastructure, such as SIEM tools, IDS tools or log aggregation and analysis.
