In a world of increasingly stealthy and sophisticated cybercriminals, it is difficult, costly and ineffective for companies to defend themselves against these threats alone. As revealed in The Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, more companies are reaching out to their peers and other sources for threat intelligence data. Sponsored by Infoblox, the study provides evidence that participating in initiatives or programmes for exchanging threat intelligence with peers, industry groups, IT vendors and government results in a stronger security posture.
According to 1,200 IT and IT security practitioners surveyed in the United States and EMEA, the consumption and exchange of threat intelligence has increased significantly since 2015. This increase can be attributed to the fact that 66% of respondents say they now realise that threat intelligence could have prevented or minimised the consequences of a cyberattack or data breach. Despite the increase in the exchange and use of threat intelligence, most respondents are not satisfied with it. The inability to be actionable, timely and accurate is the most common complaint about threat intelligence.
Following are 12 trends that describe the current state of threat intelligence sharing:
1. Most companies engage in informal peer-to-peer exchange of threat intelligence (65% of respondents) instead of a more formal approach such as a threat intelligence exchange service or consortium (48% and 20% of respondents, respectively). 46% of respondents use manual processes for threat intelligence. This may contribute to the dissatisfaction with the quality of threat intelligence obtained.
2. Organisations prefer sharing with neutral parties and with an exchange service and trusted intermediary rather than sharing directly with other organisations. This indicates a need for an exchange platform that enables such sharing because it is trusted and neutral.
3. More respondents believe threat intelligence improves situational awareness, with an increase from 54% of respondents in 2014 to 61% of respondents in this year’s study.
4. 67% of respondents say their organisations spend more than 50 hours per week on threat investigations. This is not an efficient use of costly security personnel, which should be conducting threat hunting and not just responding to alerts received.
5. 40% of respondents say their organisations measure the quality of threat intelligence. The most often used measures are the ability to prioritise threat intelligence (61% of respondents) and the timely delivery of threat intelligence (53% of respondents).
6. Respondents continue to be concerned about the accuracy, timeliness and ability to be actionable of the threat intelligence they receive. Specifically, more than 60% of respondents are only somewhat satisfied (32%) or not satisfied (28%) with the quality of threat intelligence obtained. However, this is a significant decrease from 70% in 2014, which indicates some improvement as the market matures. Concerns about how threat intelligence is obtained persist because information is not timely and is too complicated, according to 66% and 41% of respondents, respectively.
7. Companies are paying for threat intelligence because it is considered better than free threat intelligence. 59% of respondents also believe it has proven effective in stopping security incidents.
8. 73% of respondents say they use threat indicators and that the most valuable types of information are indicators of malicious IP addresses and malicious URLs.
9. The value of threat intelligence is considered to decline within minutes. However, only 24% of respondents say they receive threat intelligence in real time (9%) or hourly (15%).
10. 45% of respondents say they use their threat intelligence programme to define and rank levels of risk of not being able to prevent or mitigate threats. The primary indicators of risk are uncertainty about the accuracy of threat intelligence and an overall decline in the quality of the provider’s services (66% of respondents and 62% of respondents).
11. Many respondents say their organisations are using threat intelligence in a non-security platform, such as DNS. The implication is that there is a blurring of lines in relation to what are considered pure networking tools and what are considered security tools. Security means defence-in-depth, plugging all gaps and covering all products.
12. 72% of respondents are using or plan to use multiple sources of threat intelligence. However, 59% of respondents have a lack of qualified staff and, therefore, consolidate threat intelligence manually.