In the last several years, we’ve seen a disturbing trend—attackers are innovating much faster than defenders are. We’ve seen the “commercialization” of malware, with attack kits available on underground forums for anyone who wants to perpetrate a variety of attacks. Large botnets are available for rent, allowing attackers to send spam or launch DDoS attacks at will. Many attackers reuse malware and command and control protocols and methods, adapting their “products” over time to keep ahead of the antimalware industry and security professionals. As more and more attacks occur, however, the likelihood increases that some organization or group has seen the attack before.
The idea behind cyberthreat intelligence is to provide the ability to recognize and act upon indicators of attack and compromise scenarios in a timely manner. While bits of information about attacks abound, cyberthreat intelligence (CTI) recognizes indicators of attacks as they progress, in essence putting these pieces together with shared knowledge about attack methods and processes.
There’s a lot of confusion around what threat intelligence is and how it’s delivered and consumed, based on the SANS survey on Analytics and Intelligence published in October 2014.1 So, in an attempt to define CTI and best practices for using CTI, SANS conducted a new survey about the state of cyberthreat intelligence policies and practices, and whether CTI has improved organizations’ ability to detect and respond to attacks faster.
In this new survey, taken by 326 qualified respondents, 69% of respondents report implementing CTI to some extent, with only 16% saying they have no plans to pursue CTI in their environments. The commitment to working with CTI is evident, with 64% reporting they have a dedicated team, person or services organization assigned to implement and monitor intelligence.
The survey shows respondent organizations are relying on multiple data feeds for aggregation and analysis that they’d like to consolidate in the next 12 months. The most common elements of CTI that have been achieved by organizations include raw, unfiltered data feeds with CTI information, tools to visualize and analyze CTI, and a wide variety of accurate and aggregated data integrated into the environment. Those who’ve adopted CTI report improvements in the following areas:
- Ability to see attacks in context
- Accuracy of detection and response
- Faster detection and response
They are accepting and consolidating feeds through their security information and event management (SIEM) and intrusion monitoring platforms, while relying on CTI feeds from a variety of sources, including the security community and vendor-driven feeds from the various tools they are using to secure their networks, systems and data. Respondents point to strong planning (selected by 57%), leveraging internal systems and intelligence (45%), and defining gaps and workarounds (43%) as key best practices contributing to successful CTI implementations. These best practices, along with adoption trends and definitions, are discussed in this paper.