Vendor Landscape: External Threat Intelligence, 2017
Tools And Technology: The Security Architecture And Operations Playbook
by Josh Zelonis
with Stephanie Balaouras, Bill Barringham, and Peggy Dostie
June 26, 2017 | Updated: July 14, 2017
forrester.com
For Security & Risk Professionals

Contents
External Threat Intelligence Allows You To Detect And Even Prevent Attacks
Recommendations
Develop A Holistic Threat Intelligence Capability
Supplemental Material

Related Research: The Risk Manager's Handbook: How To Identify And Describe Risks

FIGURE 1 Tactics, Techniques, And Procedures Are The Hardest Patterns For Cyberattackers To Change
(Pyramid of Pain, from the tip down: TTPs (tough!), tools (challenging), network/host artifacts (annoying), IP addresses (easy))
Source: David Bianco, The Pyramid of Pain, Enterprise Detection & Response, January 17, 2014
External Threat Intelligence Allows You To Detect And Even Prevent Attacks
A cyberattack does not start with exploitation and end with exfiltration. Criminals plan carefully how
they will develop the infrastructure they need to make an attack and then monetize the effort.3 That
means S&R pros must also plan carefully to detect and prevent such attacks. How can external threat
intelligence help? It lets you:
2017 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals June 26, 2017 | Updated: July 14, 2017
Vendor Landscape: External Threat Intelligence, 2017
Tools And Technology: The Security Architecture And Operations Playbook
will suffer. It's important to detect when attack infrastructure is being created so that you stay a step ahead
of attackers trying to impersonate your organization. One emerging threat that has gained attention
lately is the homograph attack, in which attackers use Unicode characters to register domains that are
visually indistinguishable from legitimate domain names.4
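The homograph problem above can be checked mechanically as new domains show up in registration feeds or certificate transparency logs. The Python below is an added example, not part of the Forrester report and not any vendor's product: it decodes an IDNA A-label (the xn-- form such feeds carry) back to the Unicode a browser renders, reports which scripts the registrant-chosen labels mix, and maps a small constructed table of Cyrillic look-alikes to the ASCII letters they imitate so the result can be compared against a watchlist of your own domains. The watchlist, the look-alike table, and the sample domains are assumptions made for the example; xn--80ak6aa92e.com is the Cyrillic look-alike of apple.com that the article cited in endnote 4 describes.

```python
import unicodedata

# Constructed subset of the Unicode confusables data: Cyrillic letters that
# render like ASCII letters in common fonts (extend from confusables.txt).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def to_unicode(domain: str) -> str:
    """Decode IDNA A-labels ("xn--...") into the Unicode a browser renders.

    The punycode codec is used directly rather than the stricter "idna"
    codec so the label is still shown when full IDNA validation rejects it.
    """
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"


def skeleton(label: str) -> str:
    """Replace each look-alike with the ASCII letter it imitates."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def analyze(domain: str, protected: set) -> dict:
    """Report the script mix and whether the domain imitates a protected one."""
    udomain = to_unicode(domain)
    labels = udomain.split(".")
    scripts = set()
    for label in labels[:-1]:  # the TLD is fixed by the registry; check the rest
        scripts |= {script_of(ch) for ch in label} - {"COMMON"}
    skel = ".".join(skeleton(label) for label in labels)
    return {
        "unicode": udomain,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "looks_like": skel if skel != udomain and skel in protected else None,
    }


if __name__ == "__main__":
    watchlist = {"apple.com", "example.com"}  # hypothetical protected domains
    for candidate in ("xn--80ak6aa92e.com", "\u0430pple.com", "apple.com"):
        print(candidate, analyze(candidate, watchlist))
```

A single non-Latin script is not by itself suspicious (legitimate IDNs are single-script); the useful signals are a label whose every character has a Latin twin, or a mixed-script label, combined with a skeleton match against something you own. The real confusables list is much larger than the Cyrillic subset here (Greek, Armenian, and Latin letters with diacritics all apply).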
Track exploit kits to prioritize patching. Understanding attack trends and the use of exploit kits
is a critical first step in developing a strategy to combat ransomware and similar malware-based
attacks.5 By collecting tactical intelligence from exploit kit advertisements, you can identify which
common vulnerabilities and exposures (CVEs) are actually being exploited and prioritize patching those
first to prevent your organization from being compromised.6
Detect breaches by monitoring darknet marketplaces for stolen data. One place you can
intercept an attack is at the point of data commoditization. Although detecting the sale of stolen
data is not an ideal time to identify an attacker moving against your organization, considering that
dwell times for external attackers average 107 days, it's better to be aware of the breach than to
unknowingly allow it to persist.7 For example, a credit card processor identified GameStop as the
common link between cards being sold online this year.8
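Common-point-of-purchase analysis, the technique behind the GameStop discovery above, as an added worked example rather than anything from the report: given transaction records and the set of cards that appeared in a darknet listing, it finds the merchant shared by the most listed cards, compares that against how often unlisted cards visit the same merchant (so a merchant everyone uses does not top the list on volume alone), and reports the exposure window. The transactions, merchants, and card ids are constructed; no real card data is used.

```python
from collections import defaultdict

# Constructed transaction records (card id, merchant, date); no real card data.
TRANSACTIONS = [
    ("card-01", "Merchant-A", "2017-03-02"), ("card-01", "Merchant-B", "2017-03-05"),
    ("card-01", "Merchant-C", "2017-03-09"),
    ("card-02", "Merchant-A", "2017-03-11"), ("card-02", "Merchant-D", "2017-03-12"),
    ("card-03", "Merchant-A", "2017-03-15"), ("card-03", "Merchant-B", "2017-03-16"),
    ("card-04", "Merchant-A", "2017-03-20"), ("card-04", "Merchant-E", "2017-03-21"),
    ("card-05", "Merchant-B", "2017-03-03"), ("card-05", "Merchant-D", "2017-03-04"),
    ("card-06", "Merchant-C", "2017-03-06"), ("card-06", "Merchant-E", "2017-03-07"),
    ("card-07", "Merchant-B", "2017-03-13"), ("card-07", "Merchant-D", "2017-03-14"),
    ("card-08", "Merchant-A", "2017-04-02"), ("card-08", "Merchant-D", "2017-04-03"),
]

# Card ids that turned up in a (constructed) darknet listing.
LISTED = {"card-01", "card-02", "card-03", "card-04"}


def common_point_of_purchase(transactions, listed, min_coverage=0.75):
    """Rank merchants by the share of listed cards that shopped there, adjusted
    for how common the merchant is among cards that were not listed."""
    visits = defaultdict(lambda: defaultdict(list))  # merchant -> card -> dates
    cards = set()
    for card, merchant, date in transactions:
        visits[merchant][card].append(date)
        cards.add(card)
    listed = listed & cards          # ignore listed cards we have no history for
    clean = cards - listed
    results = []
    for merchant, per_card in visits.items():
        hit = listed & set(per_card)
        coverage = len(hit) / len(listed) if listed else 0.0
        if coverage < min_coverage:
            continue
        background = len(clean & set(per_card)) / len(clean) if clean else 0.0
        lift = coverage / background if background else float("inf")
        dates = sorted(d for c in hit for d in per_card[c])
        results.append({
            "merchant": merchant,
            "coverage": round(coverage, 3),
            "background": round(background, 3),
            "lift": round(lift, 2) if lift != float("inf") else lift,
            "window": (dates[0], dates[-1]),  # exposure window at this merchant
        })
    results.sort(key=lambda r: (-r["coverage"], -r["lift"]))
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, LISTED):
        print(row)
```

The background rate is what separates a breached merchant from a popular one: a grocery chain may appear on every compromised card and on every clean card too, giving a lift near 1, whereas a breached merchant shows up on the listed cards far more often than its normal share of traffic would predict.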
The intelligence cycle is the process by which a question is asked, researched, and answered. During
this process, organizations collect, process, and analyze data to turn it into a finished intelligence
product (see Figure 2). Organizations take over this analysis at different stages of the intelligence
cycle, depending on their operational maturity, which is why vendors offer three types of intelligence:
tactical indicators, raw intelligence, and finished intelligence.
Tactical indicators are useful if there's enough context. Indicators of compromise (IoCs) are file
hashes, domain names, IP addresses, or other patterns that S&R pros can use to detect a threat
or compromise. One important caveat is the need for context when using these indicators. The
STIX language uses 12 different domain objects to describe threats, with indicators being only one
of them.9 You must understand the context surrounding an indicator to understand the implication
to your organization when an alert triggers on it. For instance, Symantec has assigned a very low
risk level to the Trojan.Corentry malware.10 How would your organization respond to the knowledge
that there was a malware-infected system on your network? What if it was a very low risk? What if
the implication was that the CIA had infiltrated your organization?11 You simply should not spend
money on indicator feeds that don't provide context beyond indictment.
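The context caveat above, and the exploit-kit-to-CVE link from the earlier section, can both be checked mechanically when a feed is delivered as STIX 2.0, because the context lives in relationship objects rather than in the indicator itself. The Python below is an added example, not from the report, OASIS, or any vendor: it indexes a small constructed STIX 2.0 bundle, walks the `indicates`, `uses`, and `targets` relationships to show what each indicator actually implicates (which malware, which actor, which CVEs), lists indicators that arrive with no relationships at all, and intersects the CVEs targeted by exploit-kit malware with the CVEs present in your own asset inventory to produce a patch priority list. The bundle contents, ids, and the inventory are constructed; the CVE identifiers are real CVE names used here only as sample labels for the vulnerability objects.

```python
import json
from collections import defaultdict

# Constructed STIX 2.0 bundle (illustrative ids; not from any real feed).
BUNDLE_JSON = r'''
{"type": "bundle", "id": "bundle--3f1a6d0e-5c2b-4e8f-9a7d-1b2c3d4e5f60", "spec_version": "2.0",
 "objects": [
  {"type": "indicator", "id": "indicator--0a1b2c3d-0001-4000-8000-000000000001",
   "labels": ["malicious-activity"], "valid_from": "2017-03-01T00:00:00Z",
   "pattern": "[domain-name:value = 'landing.example']"},
  {"type": "indicator", "id": "indicator--0a1b2c3d-0002-4000-8000-000000000002",
   "labels": ["malicious-activity"], "valid_from": "2017-03-01T00:00:00Z",
   "pattern": "[ipv4-addr:value = '203.0.113.7']"},
  {"type": "malware", "id": "malware--0a1b2c3d-0003-4000-8000-000000000003",
   "name": "Sample Exploit Kit", "labels": ["exploit-kit"]},
  {"type": "vulnerability", "id": "vulnerability--0a1b2c3d-0004-4000-8000-000000000004",
   "name": "CVE-2016-0189"},
  {"type": "vulnerability", "id": "vulnerability--0a1b2c3d-0005-4000-8000-000000000005",
   "name": "CVE-2015-5119"},
  {"type": "threat-actor", "id": "threat-actor--0a1b2c3d-0006-4000-8000-000000000006",
   "name": "Sample Actor", "labels": ["criminal"]},
  {"type": "relationship", "id": "relationship--0a1b2c3d-0007-4000-8000-000000000007",
   "relationship_type": "indicates",
   "source_ref": "indicator--0a1b2c3d-0001-4000-8000-000000000001",
   "target_ref": "malware--0a1b2c3d-0003-4000-8000-000000000003"},
  {"type": "relationship", "id": "relationship--0a1b2c3d-0008-4000-8000-000000000008",
   "relationship_type": "targets",
   "source_ref": "malware--0a1b2c3d-0003-4000-8000-000000000003",
   "target_ref": "vulnerability--0a1b2c3d-0004-4000-8000-000000000004"},
  {"type": "relationship", "id": "relationship--0a1b2c3d-0009-4000-8000-000000000009",
   "relationship_type": "targets",
   "source_ref": "malware--0a1b2c3d-0003-4000-8000-000000000003",
   "target_ref": "vulnerability--0a1b2c3d-0005-4000-8000-000000000005"},
  {"type": "relationship", "id": "relationship--0a1b2c3d-0010-4000-8000-000000000010",
   "relationship_type": "uses",
   "source_ref": "threat-actor--0a1b2c3d-0006-4000-8000-000000000006",
   "target_ref": "malware--0a1b2c3d-0003-4000-8000-000000000003"}
 ]}
'''


def load_bundle(text):
    """Index a bundle: domain objects by id, relationships by source and by target."""
    objects, outgoing, incoming = {}, defaultdict(list), defaultdict(list)
    for obj in json.loads(text)["objects"]:
        if obj["type"] == "relationship":
            outgoing[obj["source_ref"]].append(obj)
            incoming[obj["target_ref"]].append(obj)
        else:
            objects[obj["id"]] = obj
    return objects, outgoing, incoming


def indicator_context(text):
    """For each indicator: what it indicates, who uses that, and which CVEs it targets."""
    objects, outgoing, incoming = load_bundle(text)
    rows = []
    for ind in (o for o in objects.values() if o["type"] == "indicator"):
        indicated = [objects[r["target_ref"]] for r in outgoing[ind["id"]]
                     if r["relationship_type"] == "indicates" and r["target_ref"] in objects]
        actors, cves = set(), set()
        for target in indicated:
            actors |= {objects[r["source_ref"]]["name"] for r in incoming[target["id"]]
                       if r["relationship_type"] == "uses" and r["source_ref"] in objects}
            cves |= {objects[r["target_ref"]]["name"] for r in outgoing[target["id"]]
                     if r["relationship_type"] == "targets"
                     and objects.get(r["target_ref"], {}).get("type") == "vulnerability"}
        rows.append({"pattern": ind["pattern"],
                     "indicates": sorted(t["name"] for t in indicated),
                     "actors": sorted(actors), "cves": sorted(cves)})
    return rows


def context_free_indicators(text):
    """Indicators with no relationship to anything: alertable but not actionable."""
    return [row["pattern"] for row in indicator_context(text) if not row["indicates"]]


def patch_priorities(text, inventory_cves):
    """CVEs targeted by exploit-kit malware in the bundle that you actually run."""
    objects, outgoing, _ = load_bundle(text)
    exploited = set()
    for mal in objects.values():
        if mal["type"] != "malware" or "exploit-kit" not in mal.get("labels", []):
            continue
        for r in outgoing[mal["id"]]:
            target = objects.get(r["target_ref"])
            if r["relationship_type"] == "targets" and target and target["type"] == "vulnerability":
                exploited.add(target["name"])
    return sorted(exploited & set(inventory_cves))


if __name__ == "__main__":
    for row in indicator_context(BUNDLE_JSON):
        print(row)
    print("no context:", context_free_indicators(BUNDLE_JSON))
    print("patch first:", patch_priorities(BUNDLE_JSON, {"CVE-2016-0189", "CVE-2014-0160"}))
```

The share of a feed that lands in `context_free_indicators` is a fair proxy for the report's point: a pattern with no `indicates` relationship tells you something matched, not what it means or what to do about it.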
Raw intelligence has been collected and processed but not analyzed. Frequently, raw
intelligence is offered through API access, enabling search or alerting based on keywords or other
information (see Figure 3). One example is Pastebin alerts, which let users specify keywords
that, if pasted, generate email alerts.12 This is raw, not finished, intelligence because the alert
only shows that you have a keyword match; it does not include the sentiment or details of the
user who pasted the text. Similarly, while a reverse engineer may be said to analyze a piece of
malware, that analysis does not become part of a finished intelligence product until it's paired with
additional context, such as where the malware has been observed in the wild, associated threat actors, and
their motivations, to better understand the risk the malware poses.
Finished intelligence is consumable and doesn't require final analysis. Finished intelligence is
more than just reportage; it requires interpretation and putting the raw intelligence into context. For
instance, during analysis and production, the CIA "take[s] a closer look at all the information and
determine[s] how it fits together, while concentrating on answering the original tasking."13 There
are several types of finished intelligence; each category represents a distinct task for your external
threat intelligence service provider, with requests for intelligence (RFIs) being your means of commissioning
directed research (see Figure 4).
FIGURE 2 The Intelligence Cycle (within the operational environment, data becomes information and information becomes intelligence)
FIGURE 4 Types Of Finished Intelligence
Compromised account data: The ability to query or alert on accounts compromised in public breaches or leaked from covert sources.
Raw intelligence access: API- or portal-driven search capability for querying collected data for keywords related to brand, identity, or other indicators.
Fraud intelligence: Monitoring for information leakage, laundering schemes, and other evidence of scams targeting the organization. An important part of delivering this as a finished product is the ability to track down the source of the information leak that fraudsters are attempting to commoditize.
Threat actor data: Detailed profile of an actor's tactics, motivations, and capabilities to allow an organization to assess risk, combined with associated indicators to assist with detection, attribution, and removal of the threat.
Insider threat monitoring: Monitoring of websites and forums for the recruitment of insiders or attempts to sell privileged data.
Third-party risk: Assessment and scoring of third parties' security posture, susceptibility to attack, and evidence of data leakage to identify the risk of incorporating them into your supply chain.
Strategic intelligence: Executive-consumable intelligence reports that inform security strategy and provide an understanding of the threat landscape.
Request for intelligence: Ability for customers to request an enriched, targeted investigation.
Intelligence Collection Sources
Surface web: The surface web is the part of the internet that is indexed by search engines, where information is freely accessible. While this type of intelligence is occasionally met with disdain because it is collected from public sources, that disdain ignores two critical factors: criminals face a market imperative to provide an accessible marketplace for their goods, and people commonly make mistakes with operational security. The reality is that there is a lot of valuable information you can derive from open sources, but there's no guarantee that what you are getting isn't repurposed marketing material.
Deep/dark web: The deep web is the collection of sites that are not indexed by search engines, require authentication, or are only reachable via specific network protocols. The dark web is a subset of this, requiring the use of Tor or similar protocols to establish exclusivity and anonymity. Frequently, gathering information from the deep web requires a human to establish credibility to gain access to assets, making this a very specialized and sensitive source of intelligence.
Social media: Social media could arguably be categorized as deep web since it is not indexed by search engines; however, social is so pervasive that it would be fairer to think of it as shallow web. Social media monitoring is frequently associated with reputation risk, which is why it features so often in the messaging of digital risk monitoring companies.
Sensor networks: Sensor networks vary, from network monitors across the globe that detect the registration of new domains, to endpoint products performing static analysis of unknown files, to SIEM alerts coming out of global managed security service providers. This information tends to be very tactical and requires a lot of further analysis to attribute to an actor before it can become finished intelligence.
Vendor Profiles (only the entries that survived extraction are kept)
Vendor focus
4iQ: Identity, digital risk monitoring
Proofpoint: Analyst expertise, global sensor network

Intelligence Sources By Vendor (percentage of collection from each source; rows sum to 100%)
Vendor | Surface web | Deep/dark web | Social media | Sensor networks
4iQ | 15% | 70% | 15% | 0%
AlienVault | 1% | 1% | 0% | 98%
DomainTools | 0% | 0% | 0% | 100%
Kaspersky | 7% | 5% | 3% | 85%
PhishMe | 0% | 0% | 0% | 100%
Proofpoint | 0% | 0% | 0% | 100%
Terbium | 0% | 100% | 0% | 0%
ThreatConnect | 99% | 0% | 0% | 1%
Webroot | 0% | 5% | 5% | 90%
Many Forrester clients question not only the effectiveness of threat intelligence capabilities in the
enterprise but also the cost of products, feeds, and headcount. Fortunately, you can obtain and
demonstrate immediate benefits from your initial investment in three simple steps:
1. Focus on finished intelligence to reduce staffing requirements. You don't need to make any
immediate hiring decisions to get started with threat intelligence. Many of the vendors we surveyed
provide finished intelligence as a service, which you can consume immediately. Don't fall into the
trap of investing in tactical indicator feeds right away; your organization won't yet be able to use
this type of intelligence effectively.
2. Use strategic intelligence and RFIs to understand the threat landscape. Your initial goal with
threat intelligence should be to evolve your security strategy decision making beyond best
practices and into informed decisions based on the current and evolving threat landscape. Learn
and ask questions. Drawing on this vendor survey, use an RFI to tap the intelligence vendor's
reverse engineering capability for unknown files. Not only will this new vendor relationship help
you understand and communicate threats more effectively, you'll also immediately expand the
capabilities of your security operations center (SOC).
3. Look for vendors that collect data from multiple sources. Specific use cases will factor into
your decision making when you develop a complex collection strategy using multiple feeds. Threat
intelligence is a nuanced art form. As you make your initial investments, focus on vendors that
collect and analyze data from a breadth of sources.
As you go through the intelligence cycle, keep an eye on how you can improve the process and overall
output. Armed with an understanding of the threat landscape and how these attacks manifest in your
organization, tailor your collection strategy to operationalize your new intelligence capability. At this
point you will need to bring an analyst on staff to help develop your collection strategy, manage the
intelligence data, and prepare briefings.
Create a risk register to track identified threats to your organization. Your strategic intelligence
capability should produce a document that identifies key risks, actors, and business impact of
these threats.14 Be prepared to address these threats and show how your security strategy is
aligned to reduce these risks. Enrich your intelligence capability by focusing on these specific
threats to your organization. This report outlines many types of finished intelligence offerings to
help you get started.
Deconstruct attack patterns and target intelligence at various stages. Next, invest in raw and
finished intelligence offerings to gain more visibility into the threats you've identified. Here's where
intelligence from specific sources such as the deep web can help you target the intelligence you're
collecting. Use a sensor network to capture events such as domain registration as adversaries are
building attack infrastructure. Subscribe to feeds that track the advertising of exploit kits on social
media to identify new features and vulnerabilities being exploited. Monitor the resale of stolen
credentials on the dark web, not only to identify information leaking from within your organization
but also to stay alert for customers who may be susceptible to credential stuffing.
Understand that no single vendor will be able to serve your needs. Vendors that specialize in
collecting from sources like the dark web will offer particular insights that you can benefit from.
Other vendors, such as ones with a sensor network that blankets the internet, will collect and
report on events in a different time frame and of a different nature. Having diversified sources will
allow you to reap the benefits of these perspectives, but youll need a multivendor solution.
The biggest mistake technologists make with intelligence is thinking it's something they can just
put into their security information management (SIM) or security analytics platform. While it's
understandable to want to get something intelligent out of your SIM, this is not an effective use of this
data, and it will lessen the operational effectiveness of your SOC. Instead:
Manage your threat intelligence in a central location. As your organization begins working with
large quantities of intelligence data, it's important to have a place to centralize the collection and
analysis of this data. Threat intelligence platforms automate a lot of these tasks and may even
integrate with your orchestration tools to automatically enrich alerts, which will make your SOC
more efficient.
Perform link analysis on detected threats to hunt for further compromise. The value of tactical
indicators is in their relationships. Even without attribution to a threat actor, being able to associate
two indicators that were observed in the same time and place allows you to infer that they may be
related. Herein lies the challenge of real-time streaming analysis: IP addresses, DNS names, and
other tactical indicators are too transient for you to efficiently detect, share, and monitor. Searching
historical data for loosely correlated events, however, can expose a wider compromise.
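One way to do the historical link analysis described above, as an added example that is not from the report or any vendor product: starting from a single detected indicator (a domain), it searches a constructed resolver log for the hosts that resolved it and the addresses it resolved to, then pivots on those addresses to find other domains that resolved to the same infrastructure in a window around the original sightings. Two filters keep the loose correlation from becoming noise: a candidate domain seen only outside the window is dropped as an old tenant of the address, and a domain resolved by many hosts (shared hosting, a CDN) is dropped as too common to be a useful pivot. The log format, hostnames, domains, addresses, window, and prevalence threshold are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: one "<utc timestamp> <host> <query> <answer>" per line.
DNS_LOG = """\
2017-05-02T10:14:03Z ws-014 update-check.example 198.51.100.23
2017-05-02T11:02:17Z ws-021 update-check.example 198.51.100.23
2017-05-03T09:30:00Z ws-021 telemetry-sync.example 198.51.100.23
2017-05-03T09:31:12Z ws-033 telemetry-sync.example 198.51.100.23
2017-05-03T12:00:05Z ws-007 cdn-static.example 198.51.100.23
2017-05-03T12:00:06Z ws-014 cdn-static.example 198.51.100.23
2017-05-03T12:00:09Z ws-021 cdn-static.example 198.51.100.23
2017-05-03T12:00:11Z ws-033 cdn-static.example 198.51.100.23
2017-05-03T12:00:14Z ws-042 cdn-static.example 198.51.100.23
2017-04-01T08:00:00Z ws-050 old-site.example 198.51.100.23
2017-05-04T08:00:00Z ws-050 intranet.example 10.0.0.5
"""


def parse_dns_log(text):
    """Parse the constructed log into (timestamp, host, query, answer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, query, answer = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, query, answer))
    return events


def pivot(events, seed_domain, window_days=7, max_hosts=3):
    """Expand one hit on seed_domain into related infrastructure and hosts."""
    seed = [e for e in events if e[2] == seed_domain]
    if not seed:
        return {"seed_hosts": [], "seed_ips": [], "related_domains": [],
                "additional_hosts": [], "excluded": {}}
    seed_hosts = {host for _, host, _, _ in seed}
    seed_ips = {answer for _, _, _, answer in seed}
    lo = min(ts for ts, *_ in seed) - timedelta(days=window_days)
    hi = max(ts for ts, *_ in seed) + timedelta(days=window_days)

    hosts_by_domain = defaultdict(set)
    for _, host, query, _ in events:
        hosts_by_domain[query].add(host)

    # Candidate: any other domain that resolved to an address the seed used.
    shared = [(ts, query) for ts, _, query, answer in events
              if answer in seed_ips and query != seed_domain]
    related, excluded = set(), {}
    for query in {q for _, q in shared}:
        in_window = any(lo <= ts <= hi for ts, q in shared if q == query)
        if not in_window:
            excluded[query] = "outside window"   # earlier tenant of the same address
        elif len(hosts_by_domain[query]) > max_hosts:
            excluded[query] = "too common"       # shared hosting / CDN noise
        else:
            related.add(query)

    # Hosts that touched the related domains but never the seed: the wider compromise.
    additional = {host for _, host, query, _ in events if query in related} - seed_hosts
    return {"seed_hosts": sorted(seed_hosts), "seed_ips": sorted(seed_ips),
            "related_domains": sorted(related), "additional_hosts": sorted(additional),
            "excluded": excluded}


if __name__ == "__main__":
    print(pivot(parse_dns_log(DNS_LOG), "update-check.example"))
```

The output is a set of candidates to confirm, not a verdict: ws-033 never resolved the original indicator and would have been missed by a streaming match on it alone, but it reached a domain that shared the indicator's address inside the window, which is exactly the loose correlation worth a closer look.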
Hunt for artifacts of the threat actors associated with your risk register. Understanding your
adversary, including their tactics, sophistication, and funding, enables you to defend proactively
against a known offense. Knowing how they tool up, and other attributable information about
them, will allow you to actively hunt for signs of intrusion, reducing your time to detection on events
your mitigation strategies didn't identify. You can't do this without strategic intelligence.
Recommendations
Make strategic intelligence the foundation of your security program. An understanding of the
threat landscape allows you to effectively prioritize security spend, focusing on mitigation of the threats
that matter most to your organization. Tooling for the adversary will not only decrease alert volume but
also ensure that the alerts you do generate are more salient.
Try it before you buy it; ask vendors for sample or redacted reports. These will help you
understand the final work product you are subscribing to. While this recommendation is tailored
more toward finished intelligence, in the age of the customer, external threat intelligence vendors
should be happy to demonstrate the quality of analysis and writing behind their research.
Close the loop with your own internal intelligence. External intelligence provides valuable
information about the threat landscape and what is going on beyond your own perimeter. That said,
don't neglect your internal sources. Intelligence generated from within your organization is the most
relevant and actionable intelligence available to you, and it's free!
Supplemental Material
We would like to thank the individuals from the following companies who generously gave their time
during the research for this report: 4iQ, AlienVault, CrowdStrike, FireEye, Flashpoint, Group-IB, IBM,
Kaspersky, LookingGlass, Optiv, PhishLabs, PhishMe, Proofpoint, PwC, RiskIQ, SecureWorks,
SecurityScorecard, SenseCy, Terbium, ThreatConnect, Webroot, and ZeroFOX.
Endnotes
1 Source: Kasia Boddy, "Everything ever written boiled down to seven plots," The Telegraph, November 21, 2004 (http://www.telegraph.co.uk/culture/books/3632074/Everything-ever-written-boiled-down-to-seven-plots.html).
2 Source: David Bianco, "The Pyramid of Pain," Enterprise Detection & Response, January 17, 2014 (https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html).
3 While not all cyberattacks are motivated by profit, the ability to make money from cyberattacks warrants the capital
4 Source: Mohit Kumar, "This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera," The
6 Source: "Bye Empire, Hello Nebula Exploit Kit," Malware don't need Coffee, March 3, 2017 (http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html).
8 Source: Steven Petite, "Gamestop.Com Customers' Credit Card Information May Have Been Compromised," Digital
9 STIX stands for Structured Threat Information eXpression. Source: "About STIX," GitHub (https://oasis-open.github.io/cti-documentation/stix/about.html).
10 Source: "Trojan.Corentry," Symantec, November 26, 2015 (https://www.symantec.com/security_response/writeup.jsp?docid=2015-111823-1849-99).
11 Source: "Longhorn: Tools used by cyberespionage group linked to Vault 7," Symantec Official Blog, April 10, 2017 (https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7).
12 Source: "Pastebin My Alerts," Pastebin, April 17, 2012 (https://pastebin.com/PNxAR80G).
13 Source: "The Intelligence Cycle," Central Intelligence Agency, March 23, 2013 (https://www.cia.gov/kids-page/6-12th-grade/who-we-are-what-we-do/the-intelligence-cycle.html).
14 See the Forrester report "The Risk Manager's Handbook: How To Identify And Describe Risks."