
Eight things to consider before deploying cyber threat intelligence

Protecting against cyber-attacks is proving to be a real challenge. A few years ago, defence in depth was the recommended methodology for fighting cyber-attacks. Despite the proliferation of defence-in-depth mechanisms, a large number of high-profile cyber-attacks are still observed. It is no surprise that sensible business owners and world leaders are seriously worried about the impact of a successful cyber-attack on their environment. According to Forrester's Foresights Security Survey in 2013, 75% of the 490 companies surveyed agreed that cyber threat intelligence was a priority. The recent report "2015 Global Megatrends in Cybersecurity", sponsored by Raytheon, suggests that most companies will deploy cyber threat intelligence over the next three years as a measure against cyber-attacks.

In my recent article published by Infosecurity Magazine (http://www.infosecurity-magazine.com/opinions/eight-things-deploying-cyberthreat/), I discuss eight things that should be considered before deploying a cyber threat intelligence solution. There are still many misconceptions about what a good cyber threat intelligence solution should look like.

I anticipate that there are many incidents where, after spending a considerable amount of money on a cyber threat intelligence solution, companies realise that their security posture has not improved. I fear that most CTI solutions will be somehow equivalent to Intrusion Detection Systems, i.e. generating a large number of alerts that will either require experts to tune them or cause analysts to turn them off. I have come across some CTI providers that have collected over 30 thousand IPs labelled as 'bad'. Such bad IP lists are then distributed with the intention that the IPs be blocked. My concern here is that the end user has zero knowledge as to why they are blocking such IPs. Moreover, they don't know how long such IPs should be blacklisted for. Last but not least, it would certainly be more relevant to know that the blacklisted IPs are known to target the type of system being protected. I usually say, what's the point in building a fence ten meters deep and 200 meters tall when the enemy is coming by helicopter?
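The three questions raised above (why is this IP bad, for how long should it be blocked, and does it target what I actually run) can be turned into a gate that sits between a feed and a blocking control. The following is an added example written for this page, not code from the article or from any CTI vendor; the feed records and field names (`reason`, `last_seen`, `targets`, `ttl_days`) are constructed for illustration and do not follow any particular feed standard.

```python
"""Added example: gating a threat-intelligence feed before it reaches a
blocklist. An indicator is only pushed to a blocking control when the
three questions the article raises can be answered: why it is bad, until
when it should be blocked, and whether it targets what we protect.

All feed data below is constructed; the IPs are RFC 5737 documentation
addresses and the field names are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the form the article criticises: bare IPs with no
# reason, no date and no indication of what they target.
BARE_FEED = ["198.51.100.7", "203.0.113.9", "192.0.2.44"]

# Constructed sample of the same kind of indicators with the context a
# defender needs. Field names are an assumption for this example.
CONTEXT_FEED = [
    {"ip": "198.51.100.7", "reason": "C2 for a Windows banking trojan",
     "last_seen": "2015-03-01T10:00:00+00:00", "targets": ["windows"], "ttl_days": 30},
    {"ip": "203.0.113.9", "reason": "SSH brute force against Linux hosts",
     "last_seen": "2014-11-15T08:30:00+00:00", "targets": ["linux"], "ttl_days": 14},
    {"ip": "192.0.2.44", "reason": "",
     "last_seen": "2015-03-10T12:00:00+00:00", "targets": [], "ttl_days": 30},
    {"ip": "192.0.2.77", "reason": "Scanning for SCADA/Modbus endpoints",
     "last_seen": "2015-03-12T09:00:00+00:00", "targets": ["ics"], "ttl_days": 7},
]

# Fixed "now" so the example is reproducible (constructed).
EXAMPLE_NOW = datetime(2015, 3, 15, tzinfo=timezone.utc)


@dataclass
class Indicator:
    ip: str
    reason: str
    last_seen: datetime
    targets: list
    ttl_days: int

    @property
    def expires(self) -> datetime:
        """Block only for a bounded window after the last sighting."""
        return self.last_seen + timedelta(days=self.ttl_days)


def parse_feed(feed):
    """Turn raw feed dicts into Indicator records (timestamps must be ISO 8601)."""
    return [
        Indicator(e["ip"], e.get("reason", ""), datetime.fromisoformat(e["last_seen"]),
                  list(e.get("targets", [])), int(e["ttl_days"]))
        for e in feed
    ]


def assess(ind, now, my_platforms):
    """Return (blockable, explanation) for one indicator.

    Rejects indicators that cannot be justified, have gone stale, or target
    technology the defender does not operate."""
    if not ind.reason:
        return False, "no reason given: the block cannot be justified or reviewed later"
    if now > ind.expires:
        return False, f"stale: last seen {ind.last_seen.date()}, TTL {ind.ttl_days} days"
    if not set(ind.targets) & set(my_platforms):
        return False, f"targets {ind.targets}, which are not in our estate"
    return True, f"block until {ind.expires.date()}: {ind.reason}"


def build_blocklist(feed, now, my_platforms):
    """Map each IP in the feed to its (blockable, explanation) decision."""
    return {ind.ip: assess(ind, now, my_platforms) for ind in parse_feed(feed)}


def blockable_ips(feed, now, my_platforms):
    """The IPs that actually deserve a firewall rule, sorted for stable output."""
    decisions = build_blocklist(feed, now, my_platforms)
    return sorted(ip for ip, (ok, _) in decisions.items() if ok)


if __name__ == "__main__":
    print(f"Bare feed: {len(BARE_FEED)} IPs, no justification, no expiry, no targeting")
    for ip, (ok, why) in build_blocklist(CONTEXT_FEED, EXAMPLE_NOW, ["windows", "linux"]).items():
        print(f"{'BLOCK' if ok else 'SKIP '} {ip:15} {why}")
```

Run against the constructed feed with a Windows and Linux estate, only `198.51.100.7` survives: the SSH brute-forcer has aged out, the indicator with no reason cannot be justified, and the SCADA scanner is irrelevant to that estate (it would be the one kept by an operator whose platform list is `["ics"]`). The explanation string is what an analyst sees when reviewing or later removing the rule, which is exactly what a bare IP list cannot provide.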

Making the most of your cyber threat intelligence

Further to this recent article in Infosecurity Magazine, in my recent seminar held at Oxford University I discussed in more detail what a successful CTI solution looks like. Figure 1 is a suggested life cycle for a good cyber threat intelligence solution. The video of the talk is available at https://www.cybersecurity.ox.ac.uk/resources/videos under the title 'Cyber Threat Intelligence might not be the solution'.