Gartner Blog Network

On Threat Intelligence Sources

by Anton Chuvakin  |  February 26, 2014  |  2 Comments

Where does threat intelligence (TI) come from? Yes, we all know that little gnomes living in the clouds make threat intelligence out of seagulls’ poo. But apart from that, where DOES it come from?

Let’s delve into this, starting from the high level. Some types of TI are simply the results of somebody else’s security monitoring. They see it, they share it, you pay them to see it too. The proverbial “they” may have bigger networks, better tools or simply be in that business for hard cold cash. Other TI comes from people who go actively crawl for threats, browse sites for malware, run honeypots, spam traps, sinkholes, etc or even actively “engage” the threat actors and/or infiltrate their ranks. Different processes – different TI (all fitting our broad TI definition).

In general, categorizing the TI sources as “technical” and “human” is a bit artificial, since many of the sources are in essence produced by a tight collaboration of humans AND machines (e.g. a smart TI analyst armed with data visualization and entity linking software) with various fractions of contributions from each. Still, mostly technical sources include:

  • Network monitoring (NIDS, NBA, etc)
  • Server and client honeypots [some vendors want to say they use “next gen honeypots” which really means that they use … honeypots :-)]
  • Spam (and phishing email) traps
  • Live botnet connections
  • Link crawling for malware and exploit code
  • Malware reversing and observation
  • Social network monitoring
  • BGP observation [ooooh…fun!]
  • Tor usage monitoring

However, some of the juicier intel does not come from automated tools, but from people (admittedly, equipped with tools). For example, you don’t simply wget a Russian cybercrime forum for future analysis. A human needs to actively work to get in. Similarly, you don’t simply sniff IRC traffic or intercept emails between attackers, a lot of “very human” work is involved before this task can be completed. Some TI vendors whisper about infiltration and “aggressive techniques” (as I suspect, some hacking across state borders aimed at malicious infrastructure may in fact be legal [or at least unlikely to ever be charged] in the source country).

This set of sources includes examples such as:

  • Public internet, IRC, newsgroup monitoring [crawlers + human analysts/translators]
  • Attacker online community infiltration (web forum, “private” social media, IRC, etc)
  • Leaked data about attacker’s infrastructure (such as leaks by other attackers)
  • Direct compromise of attackers systems.

Furthermore, if you are buying/receiving TI from somebody else (government, regional CERT, sharing club, security vendor, TI vendor) the intel you receive is ultimately produced by a blend of the above sources. Of course, you may also be producing your very own TI from local incident artifacts – a subject of the next post in this series…

Have I missed any major threat intel sources?

Or, better, can you think of a better way to classify and organize them?

Posts related to this research project:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: security  threat-intelligence  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on On Threat Intelligence Sources

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.