In cybersecurity, “threat data feeds” and “threat intelligence” are often used interchangeably. They are, however, quite different. To make matters worse, the term “threat intelligence” has been co-opted and watered down by vendors, making it even more difficult to define the difference between threat data feeds and threat intelligence.
An easy way to tell the difference is to think about weather forecasts. National TV news shows present a forecast for the entire country. You might get some useful information from this, but usually you just get an idea of what the weather is like nationwide. Local weather, however, drills down into the expected conditions for your specific area: not only temperature and conditions, but also wind speed, barometric pressure, the times at which the weather is expected to change, and so on. You can use this information to plan your actions for the next few days.
Two Different Species, Often Confused
Using the weather forecast analogy, threat data feeds provide a high-level view of the security landscape. For example, it is useful to know that there is a vulnerability in a specific type of software, but that knowledge is of little use if the software is not in use at your organization. Likewise, knowing which threat groups are active is useful information, but how do you know whether they are targeting your sector or organization, and which tools and techniques they are using against targets like you?
Cybersecurity data feeds come from a variety of sources, including honeypots, sensors, malware analysis platforms and vendors. They can be open source or commercial, and they provide security vendors with a wealth of raw data, such as file hashes, IP addresses and malicious URLs, that can be fed into security tools. Vendors also package up threat data feeds and sell them to enterprises on the premise that they will make the organization more secure.
But enterprises need to process this information, both with automation such as AI/machine learning and with human analysts, before they can use it in their own operations. This is no small task: turning raw feed data into useful information requires trained analysts. People have to work through the feeds and pull out the entries that are relevant to their organization, which is to say they have to find the threat intelligence inside the threat data feed. By doing this, security teams gain a better understanding of the tactics, techniques and procedures used by the attackers who matter to them, and that understanding can then be used to develop more effective security strategies.
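What "finding the threat intelligence inside the feed" looks like in practice is a triage pass that keeps only entries that touch the organization: a CVE matters if the affected product is in the software inventory, a hash, IP or URL matters most if it already appears in the organization's own telemetry, and an indicator tied to an actor that targets the organization's sector is worth watching even if nothing has been seen yet. Everything else is noise. The script below is an added example illustrating that pass; it is not code from the original article, and the feed entries, the inventory, the telemetry, the product names and the CVE-style placeholders in it are all constructed sample data with field names chosen for illustration.

```python
"""Triage a raw threat data feed against what an organization actually runs
and what its own logs actually saw, keeping only relevant indicators.

Added example, not code from the original article. All data below is
constructed: products, CVE-style identifiers, hashes, URLs and the IPs
(taken from the RFC 5737 documentation ranges) are placeholders.
"""
from dataclasses import dataclass

# Constructed profile of the consuming organization.
ORG = {
    "sector": "healthcare",
    # product -> deployed version (constructed software inventory)
    "inventory": {"acme-vpn": "4.2", "widget-erp": "11.0"},
    # what the organization's own endpoint and proxy logs saw (constructed)
    "telemetry": {
        "file_hashes": {"3a7f" * 16},
        "dst_ips": {"198.51.100.23", "203.0.113.9"},
        "urls": {"https://login.example.net/auth"},
    },
}

# Constructed slice of a raw feed: hashes, IPs, URLs and CVEs, each with the
# feed's own 0-100 confidence score and the sectors the associated actor
# is reported to target (empty if the feed says nothing about that).
RAW_FEED = [
    {"type": "cve", "value": "CVE-2099-0001", "product": "acme-vpn", "confidence": 95, "sectors": []},
    {"type": "cve", "value": "CVE-2099-0002", "product": "other-cms", "confidence": 95, "sectors": []},
    {"type": "sha256", "value": "3a7f" * 16, "confidence": 80, "sectors": ["finance"]},
    {"type": "sha256", "value": "b1c2" * 16, "confidence": 80, "sectors": ["healthcare"]},
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 70, "sectors": []},
    {"type": "ipv4", "value": "192.0.2.77", "confidence": 30, "sectors": ["healthcare"]},
    {"type": "url", "value": "https://login.example.net/auth", "confidence": 85, "sectors": []},
    {"type": "url", "value": "https://cdn.example.org/x", "confidence": 85, "sectors": ["retail"]},
]

# act: already observed in our logs; patch: affects software we run;
# watch: tied to an actor that targets our sector, not yet observed.
PRIORITY_RANK = {"act": 0, "patch": 1, "watch": 2}


@dataclass
class Finding:
    indicator: str
    priority: str
    reason: str


def observed(ind, telemetry):
    """True if this hash, IP or URL already appears in the org's own telemetry."""
    t, v = ind["type"], ind["value"]
    if t == "sha256":
        return v.lower() in telemetry["file_hashes"]
    if t == "ipv4":
        return v in telemetry["dst_ips"]
    if t == "url":
        return v in telemetry["urls"]
    return False


def triage_feed(feed, org, min_confidence=50):
    """Reduce a raw feed to the entries relevant to `org`, highest priority first."""
    findings = []
    for ind in feed:
        if ind["confidence"] < min_confidence:
            continue  # below the trust threshold: treated as noise
        if ind["type"] == "cve":
            version = org["inventory"].get(ind["product"])
            if version is not None:  # vulnerable product is actually deployed
                findings.append(Finding(ind["value"], "patch",
                                        f"{ind['product']} {version} is deployed"))
            continue  # CVE for software we do not run: irrelevant
        if observed(ind, org["telemetry"]):
            findings.append(Finding(ind["value"], "act",
                                    f"{ind['type']} seen in the organization's own logs"))
        elif org["sector"] in ind["sectors"]:
            findings.append(Finding(ind["value"], "watch",
                                    "actor targets our sector; block and hunt"))
    findings.sort(key=lambda f: PRIORITY_RANK[f.priority])  # stable: feed order kept within a tier
    return findings


def noise_ratio(feed, findings):
    """Fraction of the raw feed that was dropped as irrelevant to this organization."""
    return 1 - len(findings) / len(feed)


if __name__ == "__main__":
    result = triage_feed(RAW_FEED, ORG)
    for f in result:
        print(f"{f.priority:5} {f.indicator}  ({f.reason})")
    print(f"dropped {noise_ratio(RAW_FEED, result):.0%} of the feed as noise")
```

On the constructed data, three of eight entries become "act now" items because the organization's own logs already contain them, one CVE becomes a patching task because the product is in the inventory, one hash goes on a watch list because its actor targets the organization's sector, and the remaining three (a CVE in software that is not deployed, a low-confidence IP, and an indicator for another sector) are dropped. The confidence threshold and the sector match are the two knobs that make the same feed mean different things to different organizations, which is the point the article is making.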
Threat Data Feeds Exacerbate the Cybersecurity Shortage
The problem is that, according to ISC2, there is currently a worldwide shortage of 3.4 million cybersecurity professionals. Only the largest enterprises have the resources to hire people to go through all the data and glean relevant information from it, so only the largest enterprises can afford to subscribe to something that creates more work, which is what most threat data feeds do. Smaller organizations are doing all they can to keep the lights on with the staff they already have.
This is where threat intelligence comes into play. Rather than handing enterprises a picture of the whole universe and saying, "Figure it out," threat intelligence is specific to each enterprise: its sector, its size and the organization itself. Threat intelligence also reaches places that data feeds cannot. For example, the first sign of a data breach is often the stolen data being offered for sale on the Dark Web. Likewise, access to compromised networks is sold on the Dark Web; the owners of those networks obviously do not realize it, or they would have closed the holes. This is useful "after the fact" information because it lets the damage be contained as quickly as possible. The Dark Web is just one source of threat intelligence, which should also draw on social media, the open Web and even human sources.
Prioritize and Act
With this intelligence in hand, security teams can understand not only the tactics, techniques and procedures of those who would attack their organization and organizations like it, but also those attackers' motivation and goals. This is the type of information that enterprises can prioritize and act on quickly.
Unlike threat data feeds, threat intelligence is organization-specific. It gives an organization a picture across its whole security footprint: who is attacking it, how and why. With that picture, organizations can make themselves more secure by shoring up weak points, mitigating future threats and responding faster to current incidents.
An example of how this can work is when threat intelligence indicates that a specific group of attackers is targeting a specific industry or region. Security teams can use this knowledge to take protective measures, such as implementing additional security controls or providing targeted employee training. As we saw with the Dark Web examples above, threat intelligence can also provide valuable information to reduce the damage of an attack — including the tactics and tools being used by the attacker. This information can be used to not only contain a current attack but to prevent future ones.
One simple test goes a long way toward understanding the difference between threat intelligence and threat data feeds: if it creates more work, it is probably a data feed; if it helps your existing employees with prioritization and operations, it is probably threat intelligence. Or, to return to the weather analogy: local weather will tell you whether it is OK to play golf and what time you should play. You might glean the same information from the national forecast, but you will not know for sure until it is too late.