I sometimes say that “threat intel doesn’t help people who don’t help themselves.” Here is one particular example: if you buy the best threat intelligence possible – mixed strategic and tactical, with full actor information, detailed indicators, and with revelations about future attacks targeted to your organization, can you really benefit from it? Those who procure such intel from the likes of “eyeVision”, “eyeProtection” and “ThrongHit” 🙂 – real intel, not just indicator lists – need to be able to act on the results and sometimes such ability to act is just operationally infeasible for a less mature organization.
For example, at my Threat Intel roundtable at Gartner Catalyst 2015, the conversation turned to this subject: “if you hear 3 days in advance that you will be hit with a colossal DDoS attack of a particular type, will it help you?” Some people answered “yes” and pointed at specific things they could do in the time they have; others said “sort of” – they would still take heavy damage, but might be able to reduce panic and avoid some mistakes in responding (after all, “unpleasant surprise” is usually worse than just “some unpleasantness”). A few said that they would only be able to do a few things… and if such a “3 day attack warning” costs them $100K, they won’t sign for it.
The situation is even ‘worse’ with targeted attacks. If you hear that the “Bearlike Mammal of Death” group will try to steal your critical data using lethal APT tactics, knowing this is unlikely to help if you don’t have the defenses, tools, people and effective processes already in place. You can target your defenses much better with such valuable intel, but it won’t save you on its own…
In other words, remember that intel alone does NOT win wars. The actual warfighters (= skilled security professionals) with weapons (=security tools) as well as threat intel do. Telling armed peasants and spearmen that a ballistic missile is coming does not help – even if you know the exact model and who launched it…
Blog posts related to threat intelligence:
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs