2021 Threat Intelligence Use Cases

For a reason that shall remain nameless, I’ve run this quick poll focused on the use cases for threat intelligence in 2021. The question and the results are below.

Anton's Threat Intel Poll 2021 (image of the poll question and results)

Here are some thoughts and learnings based on the poll and the discussion, as well as other things.

While running this poll, my fear was that the detection use case would win. Namely, people naively dropping lots of threat intel feeds into a SIEM (or EDR or NDR or … a firewall?) and then hoping for the best. I am happy to report this did not win. My explanation is that enough people tried this and found it lacking (or worse), or that my readers are the enlightened crowd and knew this from day one.

Frankly, back in the day, I saw people try to match threat intel feeds with inbound (!) DMZ logs … naturally, with disastrous results (see some of my old advice for lower-maturity teams regarding threat intel).

Mind you, threat detection via TI matching can be done and I’ve seen it done, but only with very carefully curated threat intel feeds and with a subset of the telemetry data (e.g., it is rather pointless to match bad-IP feeds against inbound firewall or WAF denies and then hope for a detection).

Using threat intel for alert triage has long been my favorite use case — and it won the poll! Its popularity showcases the value of “non-actionable intel”, a type that I called “context-grade” intelligence. A good example would be a noisy SIEM detection rule triggering, and then alerts being correlated to threat intel feeds to see if what we know about the source helps us decide on the alert (this can happen inside the SOAR). Same with the use of intel while responding to incidents; intel does provide useful context when you are sorting through your post-incident mess.
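To make the two points above concrete (match only against the telemetry subset where a hit means something, and use the feed as context for triage rather than as a signature), here is an added example that is not from the original post. The feed layout, the event field names, the priority scheme and all addresses and actor names are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed "context-grade" feed: each indicator carries what we know
# about it (actor, confidence, tags), not just a bad/good verdict.
# All addresses are documentation ranges; actor names are placeholders.
TI_FEED = {
    "198.51.100.7": {"actor": "PLACEHOLDER-ACTOR", "confidence": 85, "tags": ["c2"]},
    "203.0.113.9": {"actor": None, "confidence": 20, "tags": ["scanner"]},
}


@dataclass
class Event:
    src_ip: str
    dst_ip: str
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    source: str      # "firewall", "waf", "proxy", "edr" (assumed names)
    rule: str = ""   # SIEM rule that fired, if any


def worth_matching(ev: Event) -> bool:
    """Telemetry subset where an indicator hit can mean something.

    An inbound deny at the firewall or WAF was already blocked, so a
    feed match there is not a detection; allowed outbound traffic from
    internal hosts is where a match is worth an analyst's time.
    """
    if ev.direction == "inbound" and ev.action == "deny":
        return False
    return ev.direction == "outbound" and ev.action == "allow"


def enrich(ev: Event, feed=TI_FEED) -> dict:
    """Attach feed context to an alert and derive a triage priority (0-100)."""
    peer = ev.dst_ip if ev.direction == "outbound" else ev.src_ip
    ctx = feed.get(peer)
    if ctx is None:
        return {"event": ev, "ti": None, "priority": 10}
    prio = ctx["confidence"]
    if ctx["actor"]:  # named-actor context raises urgency a notch
        prio = min(100, prio + 10)
    return {"event": ev, "ti": ctx, "priority": prio}


def triage(events, feed=TI_FEED) -> list:
    """Enrich the alerts worth matching; return them highest priority first."""
    hits = [enrich(ev, feed) for ev in events if worth_matching(ev)]
    return sorted(hits, key=lambda a: a["priority"], reverse=True)
```

In a SOAR playbook the same enrichment would run on each SIEM alert, with the feed context (actor, confidence, tags) shown to the analyst alongside the alert rather than generating a separate "TI hit" alert.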

Frankly, using threat intel or indicators to substantiate detection findings is where most programs seem to end up over time, once they have tried to play the matching game for detection (few mature to the decision support use cases discussed below). In that sense, they have intel-enabled detection or threat-informed detections (sorry, all the terms came out silly), instead of naively treating TI as signatures (see “Threat Intelligence is NOT Signatures!”).

Perhaps I was too vague when I asked about the use case called research threats, but I meant using threat intel to learn more about “your” attackers, to support threat assessment, such as evaluating the actors, their intents and capabilities, tactics, etc. In my experience, this is a use case characteristic of higher-maturity security operations teams and/or dedicated threat teams. Along this line, I’ve spotted a lot more people who say “TTP” without truly evolving beyond indicator matching… We must take the time to understand the intent and capability of threat actors in order to make better decisions about prioritization: indicators such as “lists of bad IPs” alone don’t offer that insight.

The one I didn’t offer as a choice, but that came up in the comments, was the decision support use case. Admittedly, it is related to threat research, and is typically seen at even higher maturity levels (as I discussed here, back in 2015). Intel-supported or threat-informed decisions may be about changes in defense approaches, security architecture changes, activity prioritization, etc.

In this case, we don’t just push feeds into boxes (without any, ahem, intelligence), but seek intelligence in order to understand the attacker, then fuse this with the relevant organizational context and then inform the decision. Easy, huh? No, it is not.

Naturally, there may be some fun threat intelligence use cases in the “other” category? Admittedly, I met somebody who read threat intelligence reports for entertainment (“What other panda names are there?!”), but this hardly qualifies as a use case. Understanding macro threat trends (such as threats to your industry) is another one that I encountered (naturally, these are use cases for strategic intel and not for indicators). Got any fascinating intel use cases to share?

Thanks a lot to Brandon Levene for a great discussion as well as for some writing.

2021 Threat Intelligence Use Cases was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/2021-threat-intelligence-use-cases-8f4423e250c5?source=rss-11065c9e943e------2