The Difference Between Threat Intelligence and Random Information
Some vendors offer Threat Intelligence by monitoring information about you on the surface and dark web for an annual fee. This sounds good on the surface, but what are they really doing for you? Do you ever see any evidence other than their summary report? Are you truly getting your money's worth? Are you able to do anything with the information they offer?
Unless you ask the right questions, define a clear contract, and require a proper report, a company could be wasting a considerable sum of money. Here's why.
Threat Intelligence should consist of recorded information compiled by combing, scraping, and monitoring the surface and dark web, recording discovered exploits, potential vulnerabilities, and information that can be used by a threat actor against a domain. Unfortunately, one key metric missing more often than not is indicators of compromise (IOC): hashes that can be added to endpoint protection, domains/IP addresses that can be blocked, and other vectors that can be blocked or filtered.
There's also one other key metric that is forgotten: providing qualified and verified information. A threat intelligence vendor can provide all the information and IOCs in a fancy briefing, but unless it is qualified and verified it is nothing more than subjective information. Subjective information has a tendency to create hassles and incidents rather than mitigate risks and eliminate threats. For example, some vendors report the same emails/accounts over and over without validation. This results in unnecessary incident response and wasted hours and resources.
If all you get is an empty summary of something that happened some place to someone somewhere, or if the information gathered cannot be verified as accurate and reliable, then it cannot be qualified and therefore is not actionable, viable threat intelligence.
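The points above (IOCs that can actually be loaded into controls, and feed entries that are re-reported or cannot be validated) translate into a simple intake check on the consumer's side. The following Python script is an added example, not code from the original article or from any vendor: it takes a vendor feed (a constructed sample embedded inline), keeps only entries that are syntactically valid and blockable indicators, drops items already reported in earlier briefings so they do not trigger a second round of incident response, and groups what is left into blocklists by the control that would consume them. The feed format, the `source` field, the placeholder hash (the MD5 of the empty string) and the documentation-range addresses and `.example` domains are all assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Hex-digest lengths we accept as file hashes (MD5, SHA-1, SHA-256).
HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Hostname: one or more LDH labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Address ranges that never appear on the public Internet; a "block" rule for
# these is noise, so such entries are rejected rather than forwarded.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass(frozen=True)
class Indicator:
    kind: str    # "hash", "ip", "domain" or "email"
    value: str   # normalised (lower-cased, canonical) form
    source: str  # which vendor report it came from


def classify(raw: str) -> tuple[str, str]:
    """Return (kind, normalised value) for a usable indicator, else raise ValueError with the reason."""
    v = raw.strip().lower()
    if len(v) in HEX_HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", v):
        return "hash", v
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in NON_ROUTABLE):
            raise ValueError(f"{v} is not routable on the Internet; blocking it is meaningless")
        return "ip", str(ip)
    if "@" in v:
        local, _, domain = v.rpartition("@")
        if local and DOMAIN_RE.fullmatch(domain):
            return "email", v
        raise ValueError(f"{v} is not a well-formed e-mail address")
    if DOMAIN_RE.fullmatch(v):
        return "domain", v
    raise ValueError(f"{v!r} is prose, not an indicator")


def triage(feed: Iterable[dict], already_reported: set[tuple[str, str]]):
    """Split a vendor feed into new actionable IOCs, repeats of earlier reports, and rejects."""
    actionable: list[Indicator] = []
    duplicates: list[tuple[str, str]] = []
    rejected: list[tuple[str, str]] = []
    seen: set[tuple[str, str]] = set()
    for entry in feed:
        try:
            key = classify(entry["indicator"])
        except ValueError as why:
            rejected.append((entry["indicator"], str(why)))
            continue
        if key in already_reported or key in seen:
            duplicates.append(key)      # already handled once: no new incident work
            continue
        seen.add(key)
        actionable.append(Indicator(key[0], key[1], entry.get("source", "unknown")))
    return actionable, duplicates, rejected


def to_blocklists(actionable: Iterable[Indicator]) -> dict[str, list[str]]:
    """Group actionable indicators by kind, i.e. by the control that will consume them."""
    out: dict[str, list[str]] = {}
    for ind in actionable:
        out.setdefault(ind.kind, []).append(ind.value)
    return {kind: sorted(values) for kind, values in out.items()}


# Constructed sample feed: two quarterly briefings from the same hypothetical vendor.
SAMPLE_FEED = [
    {"indicator": "D41D8CD98F00B204E9800998ECF8427E", "source": "vendor-report-q1"},  # placeholder MD5
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "source": "vendor-report-q2"},  # same hash again
    {"indicator": "203.0.113.45", "source": "vendor-report-q2"},                      # documentation range
    {"indicator": "10.0.0.8", "source": "vendor-report-q2"},                          # internal address
    {"indicator": "malware-drop.example", "source": "vendor-report-q2"},
    {"indicator": "jdoe@corp.example", "source": "vendor-report-q2"},                 # reported last quarter
    {"indicator": "seen on a forum somewhere", "source": "vendor-report-q2"},         # narrative, not an IOC
]
# Constructed record of what earlier briefings already covered.
PREVIOUSLY_REPORTED = {("email", "jdoe@corp.example")}

if __name__ == "__main__":
    new, repeats, junk = triage(SAMPLE_FEED, PREVIOUSLY_REPORTED)
    print("blocklists:", to_blocklists(new))
    print("repeats (no new incident):", repeats)
    for value, reason in junk:
        print("rejected:", value, "->", reason)
```

Keeping `PREVIOUSLY_REPORTED` as a persistent record is what stops the "same accounts over and over" problem from consuming incident-response time a second time; the rejected list, with its reasons, is also a useful artefact to hand back to the vendor when questioning what the fee actually buys.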
Actionable threat intelligence provides useful information that enables improving defenses rather than wasting money.
It's baffling how much garbage is portrayed as Threat Intelligence... for the most part I view threat intelligence as a marketing scheme. It gets slightly better when it's not used as a marketing tactic, but it is still not great.