Anton Chuvakin

A member of the Gartner Blog Network

On Threat Intelligence Use Cases

by Anton Chuvakin  |  February 4, 2014  |  3 Comments

While some people treat technical TI feeds as ready-made NIPS signatures, the reality of effective usage of threat intelligence feeds and reports for security is much more nuanced.

In this post, I will present a quick summary of the threat intelligence use cases I have found so far, covering both strategic and tactical TI. Admittedly, I am saving the juicy details for my research paper, but I hope that these summaries will serve both to educate and to start the discussion.

Type of use case / Strategic TI / Tactical TI

Planning
  Strategic TI: Security architecture and monitoring planning based on long-term threats and relevant actor capabilities
  Tactical TI: Study historical trends across TI feeds and environment match history (maybe???)

Prevention
  Strategic TI: Better align security spending and attention based on attacker targeting; prevent attacks predicted by TI sources (HUMINT)
  Tactical TI: Block bad IPs, URLs, domains, emails, files, etc; the staple usage of blacklists and high-fidelity TI feeds

Detection
  Strategic TI: Look harder for intrusion evidence in places of “known interest” to attackers; review reports on threat actor tools to find ways to better detect them
  Tactical TI: Use TI feeds to create NIDS sigs, NFT, SIEM and ETDR alerting rules; detect internal systems communicating with “known bads”

Triage
  Strategic TI: “APT or commodity threat?” decision; a key decision that defines how the subsequent IR process will go
  Tactical TI: Use TI feeds as context for enriching alerts and other monitoring data; link alerts together into incidents; automated triage by escalating alerts linked to “known bads”

Incident response
  Strategic TI: Better understand the business impact by relating incident artifacts to threat actor profiles; practical incident attribution
  Tactical TI: Finding the full scope of an incident by linking local observables to TI; “pulling the thread” to find all compromised assets and all attacker traces

Threat assessment
  Strategic TI: Assess the overall threat level for your organization; report to management, board, etc
  Tactical TI: Assess the risk of customers connecting to your IT resources based on TI feeds; fraud risk assessment

TI fusion – making better TI out of TI
  Strategic TI: Increase the value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich tactical TI by linking to strategic TI
  Tactical TI: Increase the value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich strategic TI by linking to indicators and internal TI

Note that I rolled “prediction” into prevention using strategic TI; if you think that prediction is a separate use case, just comment. At this point, true prediction (such as what is done by HUMINT and attacker sentiment analysis) is fairly rare.
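The tactical detection, triage and TI fusion rows above, as an added example (not code from the original post): constructed indicator records from two hypothetical feeds are merged, matched against constructed proxy log lines, and each hit is enriched with feed context and escalated only when the indicator is high-fidelity or corroborated by more than one feed. The confidence score, feed names, actor label and log format are all assumptions.

```python
import re

# Constructed indicator records from two hypothetical feeds. "confidence" is an
# assumed 0-100 score; real feeds use their own scoring, so map it accordingly.
TI_FEED = [
    {"type": "domain", "value": "bad-updates.example", "source": "feedA",
     "confidence": 90, "actor": "constructed-actor-1"},
    {"type": "domain", "value": "bad-updates.example", "source": "feedB",
     "confidence": 80, "actor": "constructed-actor-1"},
    {"type": "ip", "value": "203.0.113.7", "source": "feedA",
     "confidence": 40, "actor": None},
]

# Constructed proxy log lines: timestamp, internal host, method, target, status.
PROXY_LOGS = """\
2014-02-04T10:01:02 ws-017 GET http://bad-updates.example/check.php 200
2014-02-04T10:02:15 ws-042 GET http://intranet.corp.example/home 200
2014-02-04T10:03:40 srv-db1 CONNECT 203.0.113.7:443 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)")

def index_feed(feed):
    """TI fusion step: merge duplicate indicators across feeds, keep the max confidence."""
    idx = {}
    for rec in feed:
        entry = idx.setdefault((rec["type"], rec["value"]),
                               {"sources": set(), "confidence": 0, "actor": rec["actor"]})
        entry["sources"].add(rec["source"])
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
    return idx

def extract_observable(target):
    """Pull the host out of a URL or host:port target and classify it as ip or domain."""
    host = re.sub(r"^[a-z]+://", "", target).split("/")[0].split(":")[0]
    kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
    return kind, host

def match_logs(log_text, feed, escalate_at=70):
    """Detection: local observables vs. TI index; triage: enrich each hit and escalate."""
    idx, alerts = index_feed(feed), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _, target = m.groups()
        key = extract_observable(target)
        if key in idx:
            ti = idx[key]
            # Escalate only high-fidelity hits or hits corroborated by >1 feed;
            # everything else is queued for analyst review rather than auto-escalated.
            hi = ti["confidence"] >= escalate_at or len(ti["sources"]) > 1
            alerts.append({"time": ts, "host": host, "indicator": key[1],
                           "sources": sorted(ti["sources"]), "confidence": ti["confidence"],
                           "actor": ti["actor"], "severity": "escalate" if hi else "review"})
    return alerts
```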

P.S. By the way, are some of you wondering why I don’t call this domain “cyber threat intelligence” (CTI)? Even though I no longer assume that the “c” in “cyber” stands for “clown”, frankly, I don’t see the need to “cyber it up.” Hopefully, the discussion on definitions and types of TI makes it pretty clear that we are in the “cyber” domain here and not in gardening or something….


3 responses so far ↓


  • 2 yotam Gutman   February 6, 2014 at 10:30 am

    Nicely put. Trying to predict is nearly useless nowadays. Instead of pretending we have a crystal ball, it’s much better to employ good ol’ HUMINT and try to alert in near-real time regarding imminent threats.

  • 3 Anton Chuvakin   February 6, 2014 at 5:27 pm

    Actually, this is precisely what I meant by predict: predict by figuring out the attackers’ plans.