Five Steps To Build An Effective Threat Intelligence Capability
Tools And Technology: The Security Architecture And Operations Playbook
For: Security & Risk Professionals
by Rick Holland with Stephanie Balaouras and Kelley Mak, January 15, 2013

Key Takeaways

We Are Overwhelmed; The Enemy Is Inside The Wire
To say that the threat landscape is overwhelming is the understatement of the year. Targeted attacks are on the rise with increasing sophistication, and our detection and response capabilities are woefully inadequate. Advanced persistent threats, espionage, spear phishing, and distributed denial of service attacks dominate the headlines.

The Threat Intelligence Journey
Threat intelligence cannot be bought. Rather, the threat intelligence journey is a multistep road map that: 1) lays a solid foundation of essential capabilities; 2) establishes buy-in; 3) identifies required staffing and skill levels; 4) establishes your intelligence sources; and 5) derives actionable intelligence.

You Don’t Have To Be The NSA Or GCHQ To Leverage Intelligence
Organizations of all sizes should take advantage of intelligence to minimize the frequency and scope of security incidents. Some companies have the resources to conduct intelligence operations on their own, while others will take advantage of vendor offerings to augment their staff.

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA. Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

Why Read This Report
Against today’s mutating threat landscape and sophisticated cybercriminals, security and risk (S&R) professionals are outgunned and outmatched. The traditional strategy of waiting for an alert and then responding to a compromise is futile against 21st century threat actors.
Delayed responses when cybercriminals have already begun exfiltrating intellectual property aren’t acceptable. Something must change, and S&R professionals must proactively defend their networks and data. In this report, we draw from the principles of military intelligence and guide S&R pros through a five-step process to build and leverage threat intelligence capabilities.

Table Of Contents
2 The Enemy Is Inside The Wire
7 To Have An Opportunity At Success, We Must Use Intelligence
9 Your Threat Intelligence Journey
16 Three Special Considerations For Your Intelligence Journey
WHAT IT MEANS
18 You Don’t Have To Be The NSA Or GCHQ To Leverage Intelligence
18 Supplemental Material

Notes & Resources
Forrester interviewed 22 vendor and user companies in the creation of this report.

Related Research Documents
Dissect Data To Gain Actionable INTEL, August 9, 2012
Protect Your Competitive Advantage By Protecting Your Intellectual Property From Cybercriminals, July 13, 2012
Planning For Failure, November 9, 2011

© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.

The Enemy Is Inside The Wire
To say that the threat landscape is overwhelming is the understatement of the year. Managing vulnerabilities and threats is the No. 2 priority for S&R professionals, and the changing/evolving nature of threats is the top security challenge organizations face (see Figure 1).
Targeted attacks are on the rise.[1] The attacks are increasingly sophisticated, and our detection and response capabilities are woefully inadequate. Advanced persistent threats (APTs), espionage, spear phishing, and seemingly perpetual distributed denial of service (DDoS) attacks dominate the headlines. We typically don’t have to wait more than a month before we learn of a major organization suffering a significant security incident.[2] 2011 is frequently referred to as the “year of the breach,” and 2012 continued the trend. Global Payments spent $84.4 million to cover the costs associated with the compromise of more than 1.4 million credit cards.[3] LinkedIn’s negligent password security practices resulted in the theft of more than six million passwords, and the South Carolina Department of Revenue’s derelict encryption standards resulted in the compromise of 3.6 million taxpayers’ personal information.[4] In November 2011, Bloomberg News reported that in 2009, Chinese hackers breached Coca-Cola during an attempted acquisition of the China Huiyuan Juice Group. This targeted attack began with phishing emails that enabled the attackers to steal significant amounts of data. The acquisition subsequently failed, and although Coca-Cola never admitted to the attack, security researchers at AlienVault traced it back to China.[5]
Figure 1: The Threat Landscape Is On Everyone’s Mind. Panel 1-1, “Managing threats and vulnerabilities is a high priority”: responses to “Which of the following initiatives are likely to be your firm’s top IT security priorities over the next 12 months?” (high priority vs. critical priority, across data security, managing vulnerabilities and threats, application security, managing information risk, aligning IT security with the business, cutting costs and/or increasing efficiency, regulatory compliance, identity and access management, user security training and awareness, business partner security requirements, integrating physical and logical security, security outsourcing, business continuity/disaster recovery, and eDiscovery). Base: 1,409 IT security decision-makers at companies with 20 or more employees. Source: Forrsights Security Survey, Q2 2012 (Forrester Research, Inc.).
Figure 1 (Cont.), panel 1-2, “Threats are significant challenges for organizations”: responses to “Please rate the following IT security challenges in your firm.” (challenge vs. major challenge, across the changing/evolving nature of IT threats, other priorities taking precedence over security initiatives, day-to-day tactical activities taking up too much time, complexity of the IT environment, lack of budget, unavailability of people with the right skills, inability to measure the effectiveness of the security program, lack of visibility and influence within the organization, too many security vendors to manage, lack of staff, and unavailability of products/services that fit our needs). Base: 2,383 North American and European IT security decision-makers. Source: Forrsights Security Survey, Q2 2012 (Forrester Research, Inc.).

S&R Pros Are Outgunned And Outmatched
In the face of these threats, most enterprises are overwhelmed. Testifying before the US Congress in March 2012, Mandiant’s Richard Bejtlich stated: “94% of victims learn of compromise via third parties; only 6% discover intrusions independently. Victim organizations do not possess the tools, processes, staff, or mindset necessary to detect and respond to advanced intruders.”[6] There is little doubt that the scale, frequency, and sophistication of breaches will continue into 2013 and beyond, but unfortunately, the ability to detect and respond to threats is very immature. According to Forrsights survey data, only 14% of organizations have increased their use of threat intelligence services in response to the threat landscape. A lowly 8% have hired additional security analysts or security intelligence experts (see Figure 2). There are early adopters of threat intelligence capabilities, however.
Manufacturing and financial services and insurance lead in threat intelligence capabilities, with more than 20% in each sector using services and increasing intelligence staff (see Figure 3).

Figure 2: Threat Intelligence Capabilities Adoption Is Low. “What impact have high-profile cyberattacks had on IT security at your firm?”
Raised executives’ awareness of IT security: 63%
Increased our attention on the security of our intellectual property and corporate secrets: 40%
Increased our focus on the security of our remote or global workforce: 28%
Increased our focus on the security of business partners: 25%
None of the above: 23%
Increased our use of threat intelligence services: 14%
Increased security funding: 14%
Changed our strategy to focus on this new kind of threat: 13%
Increased hiring of security analysts/security intelligence experts: 8%
Don’t know: 1%
Other: 1%
Base: 2,383 North American and European IT security decision-makers. Source: Forrsights Security Survey, Q2 2012 (Forrester Research, Inc.).
Figure 3: Manufacturing And Financial Services/Insurance Lead Adoption. Both panels report responses to “What impact have high-profile cyberattacks had on IT security at your firm?” by industry. Panel 3-1, “Increased hiring of security analysts/security intelligence experts” (manufacturing and financial services and insurance lead; followed by retail and wholesale, utilities and telecommunications, business services and construction, media, entertainment, and leisure, public sector and healthcare, and other). Base: 189 North American and European IT security decision-makers (percentages do not total 100 because of rounding). Panel 3-2, “Increased our use of threat intelligence services” (manufacturing, utilities and telecommunications, and financial services and insurance lead; followed by media, entertainment, and leisure, business services and construction, retail and wholesale, public sector and healthcare, and other). Base: 332 North American and European IT security decision-makers. Source: Forrsights Security Survey, Q2 2012 (Forrester Research, Inc.).

They Struggle To Make Sense Of The “Threat Intelligence Hype”
As the survey data indicates, there is a largely untapped market for threat intelligence products and services, and the vendor community has naturally picked up on this.
If you walk the exhibition floor at any security conference, marketing messages espousing the merits of threat intelligence will surround you. The mantra is “threat intelligence to the rescue.” Bullet points describing the size of the threat intelligence network consume the screen: “World’s largest threat detection network,” “70 million users,” “100 billion email and web transactions each month” — the bullets go on and on, ad nauseam. The security vendor community has hijacked the term “intelligence.” We expect security product vendors to leverage big data analytics to improve the security of their solutions, but the majority of this “security intelligence” addresses commodity threats and actors, not the targeted attacks against your organization. Other vendors inundate clients with so much information that they make a global implementation of untuned intrusion detection systems (IDSes) with default policies enabled seem effective. Intelligence isn’t a panacea, and what many vendors claim as intelligence is simply information. Creating intelligence requires analysis.

To Have An Opportunity At Success, We Must Use Intelligence
Intelligence has a long history of providing pivotal information to decision-makers. Just six months after the devastating defeat at Pearl Harbor, the weakened US Navy was able to leverage intelligence to deliver a knockout blow that the Japanese Navy was never able to overcome. US Navy cryptologists were able to avoid a Japanese trap and, in turn, ambush the Japanese Navy and win the most important naval battle of World War II.[7] Intelligence turned the tide and enabled a significantly weaker US opponent to accomplish its mission. Many have proposed that we must apply this concept of intelligence to information security and the struggle against the threat landscape.
Without intelligence, we cannot proactively protect against cyberattacks because we don’t understand: 1) the motivations and the methods of our attackers; 2) the existing weaknesses and vulnerabilities of our extended IT networks; or 3) how long the enemy has been inside our defenses.

See Intelligence As A Continuous Cycle
Despite valiant efforts from vendors to the contrary, a security organization cannot acquire threat intelligence by only buying a particular product or subscribing to a particular service — it is an ongoing process supported by a set of capabilities built with human skill and technology. We need to redefine intelligence, and fortunately we have a model to adopt. Governments and militaries have been conducting intelligence operations for a very long time, and there are many lessons S&R pros can learn. The intelligence cycle is the process by which information is converted into intelligence (see Figure 4). Different intelligence organizations may represent the cycle differently, but the general process includes:

■ Planning and direction. This is the beginning and end of the intelligence cycle. It starts with intelligence requirements that align with business requirements and ends with intelligence products. The successes and failures of previous efforts are reviewed and incorporated into future efforts.
■ Collection. In this stage, information is collected based on the business’s intelligence collection requirements. Internal and external collection is critical. We will discuss types and sources of intelligence in greater detail later in the report.
■ Processing. In this stage, technology is leveraged to process raw information into a form that analysts can use. Automated parsing and data deduplication occur in this phase and make the analyst’s job much easier.
■ Analysis and production. This is one of the most critical stages of the intelligence cycle. Analysts convert information to actionable intelligence, and noise becomes signal. Operational and strategic intelligence products are created for stakeholders.
■ Dissemination. In the final stage, intelligence products are delivered to consumers. Timely dissemination to requestors is key; actionable intelligence must be delivered in a time frame that supports decision-making. The intelligence cycle begins once again.

Figure 4: The Intelligence Cycle (planning and direction → collection → processing → analysis and production → dissemination, and back to planning and direction). Source: Forrester Research, Inc.

Use Multiple Intelligence Disciplines
Multiple sources of intelligence help to corroborate the unknown. Governments and militaries have far more robust intelligence capabilities than any private sector organization. Open source intelligence (OSINT), human intelligence (HUMINT), and counterintelligence (CI) are the most viable options for civilian non-state/military actors. More specifically:

■ OSINT takes advantage of publicly available information. According to the US Army Field Manual 2.0, OSINT is “the discipline that pertains to intelligence produced from publicly available information . . . .” This information is provided “without the expectation of privacy,” and could be “lawfully seen or heard by any casual observer.”[8] OSINT is the most accessible intelligence discipline that enterprises can leverage. Examples of OSINT sources include public security feeds or public comments by potential threat actors that indicate malicious intentions. Statements from hacktivist groups such as Anonymous are clear indicators of potential attack.
Announcements from China regarding a strategic industry could be an indicator for global competitors that they may be or are already a target.[9]
■ HUMINT uses information from people and media. According to the US Army Field Manual 2.0, HUMINT is “the collection by a trained human intelligence collector of foreign information from people and multimedia to identify elements, intentions, composition, strength, dispositions, tactics, equipment, and capabilities.”[10] HUMINT requires a significant amount of time and effort to develop. In the cyber realm, HUMINT operations typically require the development of false identities that are used to gain access to a closed community or forum. By establishing rapport and building credibility, HUMINT assets aim to gain insight into attacker targets and tactics.
■ CI deceives the enemy. According to US Presidential Executive Order 12333, CI is “information gathered and activities performed to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations performed for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.”[11] S&R pros might leverage CI deception using honeypots, decoys, or the seeding of false documents. For example, a company might plant false contract negotiation documents in hopes of concealing the actual strategy from adversaries.

Your Threat Intelligence Journey
As discussed, you cannot simply “buy” threat intelligence; you will have to build knowledge, capabilities, and maturity over time. To do this, you need to develop a multistep (and likely multiyear) road map that: 1) lays a solid foundation of essential capabilities; 2) establishes buy-in; 3) identifies required staffing and skill levels; 4) establishes your intelligence sources; and 5) derives actionable intelligence (see Figure 5).
Figure 5: Your Threat Intelligence Journey (build foundation → establish buy-in → staff the team → establish sources → derive intel). Source: Forrester Research, Inc.

Step No. 1: Lay The Foundational Capabilities
Every October, the world’s most fit endurance athletes gather in Kona, Hawaii, to compete in the Ironman World Championship. During this grueling triathlon, participants must swim, bike, and run 140.6 miles (226.2 kilometers) in 17 hours. Competitors don’t decide overnight that they are going to compete in an Ironman race; one must establish a strong foundation through years of training. By the same token, organizations require a certain level of maturity before establishing intelligence capabilities. Before embarking on the path of intelligence operations, S&R pros must:

■ Know what they are trying to protect. Data security is a challenge for most organizations. Companies struggle to identify where their most important data resides, and identifying the assets that transact this data is particularly challenging. We designed Forrester’s data security and privacy playbook to ease this burden by helping S&R pros take a holistic and long-lasting approach to data security.[12] In the big data security and control framework, the first step is to define your data.[13] Data discovery and data classification make up this phase. If you don’t know what you are trying to protect and the value it has to the organization, how can you effectively deploy security controls to protect it? Attackers perform data discovery when they compromise networks — shouldn’t your organization do it before them?
■ Have a mature incident response capability.
In today’s threat landscape, mature incident response is critical, yet it is very immature at most companies. In the latest Mandiant M-Trends report, attackers were present, on average, 416 days before anyone detected them.[14] Mature incident response (IR) consists of technology but also, most importantly, people, process, and oversight.[15] From an IR team function perspective, incident response begins with first-level security operations center (SOC) analysts, followed by a second level of IR staff who provide deeper analysis of incidents. The third stage of maturity is strategic IR staff dedicated to long-term analysis of trends. These staff members don’t focus on day-to-day incidents but take a holistic view, and they hunt for ongoing campaigns.

Step No. 2: Establish Buy-In
S&R leaders often struggle with gaining management buy-in for security initiatives. We struggle with effectively communicating risk to management as well as demonstrating the value of previous investments. The “we are at high risk” or the “sky is falling” approaches are undesirable, to say the least. Intelligence can help garner support from nontechnical business leaders by:

■ Effectively communicating risk. The conversation can shift from hypothetical assertions of risks to discussions based on legitimate threats and the likelihood of suffering an attack. A recent Solutionary report states that more than 80% of respondents are using various vendor threat intelligence reports to justify security resource and budget requests to reduce risks.[16] Macro-level threat reports from vendors are certainly useful, but why not use an internally created report for the same purposes? What better way to communicate risk than by quantifying the actual threats to your enterprise?
■ Determining the scope and severity of attacks. A homeowner returns home to find burglars have broken into his house and have stolen many items. Was this an indiscriminate act, or was this crime committed by highly skilled thieves?
The homeowner’s subsequent responses to the break-in will vary greatly depending on whether he believes the act was random or criminals specifically targeted his home. The same is true for corporations. Was the compromise the result of innocent web browsing by an employee’s child or malware targeted at an executive? Intelligence provides enterprises with the ability to understand the scope and severity of attacks, as well as to determine the appropriate response and investment in controls and processes to prevent it in the future.
■ Demonstrating ROI on previous investments. By analyzing the anatomy of attacks, S&R pros can use intelligence to show the success or failure of existing security controls. Many organizations don’t have the capability to do this today, so being able to provide this information can be beneficial in demonstrating value.

Step No. 3: Staff The Team
You need Jack Ryan. In the Tom Clancy novel The Hunt for Red October, CIA analyst Jack Ryan hypothesizes that Captain Marko Ramius is not in fact planning to strike the US, but instead intends to defect from the Soviet Union. Ryan’s contrarian position nets both a prominent Soviet naval leader and the stealth propulsion system of the Red October. Make no mistake; staff is the most important component of your threat intelligence capabilities. Without analysts, you cannot change information into intelligence. When staffing the team, remember:

■ Diversity strengthens the team. The more diverse the experiences of your team are, the better. Analysts with cultural/geopolitical knowledge, business unit knowledge, language skills, intrusion detection, incident handling, penetration testing, scripting, and programming experience all deliver value. Analysts don’t necessarily need a technical background, either.
■ Look for the intangibles. Analysts are able to draw conclusions and connect the dots. An analytic mind and critical thinking skills are the foundation for any good analyst. It is also important to avoid bias in analysis and shed any preconceived ideas or conclusions. A director of security intelligence said that he looks for staff that can “assess a situation dispassionately, and can argue both sides of a position.” Given the hype and fear, uncertainty, and doubt (FUD) surrounding various threat actors, this is a critical ability. Contradictory or alternative perspectives are important to minimize bias and ensure balanced analysis. The ability to remain calm under pressure is also required.
■ Use it as an opportunity to provide career advancement. It is common knowledge that enterprises have challenges in recruiting and retaining security staff. Multiple research interviews revealed a high level of interest within organizations for transitioning to the intelligence team. The intelligence role provides the opportunity to place qualified staff who might otherwise leave the organization in a rewarding, high-profile, and strategic position.

Step No. 4: Establish Sources
You cannot derive intelligence without information sources, and the more sources there are, the better your analysis will be. Sources are internal and external and can be a mix of in-house or commercial. There are five broad categories available to enterprises, and here is the best approach to using them (see Figure 6):

■ Internal sources are invaluable, and organizations have a wealth of available information. One of the most valuable internal sources of intelligence is the employee. End user employees can alert information security of suspicious activity. Will they catch every attempt at social engineering? Of course not, but a properly trained employee is a great first line of defense.
A CISO of a global technology firm said, “Employees should be part of your detection and response.” SIM solutions are the technical complement to the employee. SIM centrally aggregates logs and flows to provide the technical data that analysts review. Although much maturation is necessary for SIM solutions to provide truly actionable intelligence, they are nonetheless a critical source of information.[17] Some very large enterprises, managed service providers, and government entities are enlisting big-data startup Palantir Technologies to correlate intelligence sources.
■ Government-sponsored sources can be valuable. Unfortunately, when law enforcement reaches out to an enterprise, it is often the bearer of bad news. Interfaces with law enforcement don’t always need to be related to security compromises. InfraGard, for example, is an information sharing partnership between the FBI and the private sector. Computer Emergency Readiness Teams (CERTs) are another source of information sharing. The US-CERT sponsors the Government Forum of Incident Response and Security Teams (GFIRST), which hosts an annual conference where participants share information and develop relationships. There are government as well as commercial and academic CERTs.
■ Industry sources provide vertical-specific intelligence. There are also great industry sources of intelligence. Start with your business partners, those that you share extranet connections with, and build processes to share information. If there aren’t any formal vertical or industry-specific sharing organizations, reach out to your peers and start one. The US Information Sharing and Analysis Centers (ISACs) and the European Network and Information Security Agency (ENISA) are government-sponsored sharing organizations.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) has been active recently, sharing threat information on the DDoS attacks on financial services public-facing websites. Developing relationships and establishing trust are critical components of these sharing arrangements.
■ OSINT provides access to publicly available information. There are a large number of publicly available feeds that you can leverage for threat information. You can consolidate and analyze malicious IPs, domains, and spammers. Much of the publicly available attacker information is commodity in nature, but this doesn’t mean the source isn’t a threat to your organization. Organizations can also collect their own intelligence using custom and open source tools. The Collective Intelligence Framework from the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) aggregates public feeds for easy querying.[18] Maltego is a commercial OSINT analysis tool that visualizes relationships and links between entities.[19]
■ Commercial sources aim to combine public, vertical-specific, and HUMINT sources for a fee. There is a range of commercial sources of intelligence available to enterprises. These offerings could be feeds that save enterprises time by aggregating and validating publicly available feeds. Vendors of cloud-based services also provide these feeds. Other companies provide specific intelligence for threats against verticals as well as specific threats against organizations. Some companies have robust HUMINT collection capability and incorporate it into their intelligence products. Prices range from tens of thousands to six figures and above.
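The processing stage of the intelligence cycle described earlier (automated parsing and deduplication) and the OSINT feed consolidation described in the bullet above are the same job: turning several raw public feeds into one indicator set an analyst can query, which is what an aggregator such as the Collective Intelligence Framework does. The following added Python example is not Forrester's, CIF's or any vendor's code. It parses three constructed feed snippets in different plain-text layouts, normalizes IPs and domains so that duplicates collapse, records which feeds corroborate each indicator and the highest confidence seen, and answers lookups. The feed names, entries, and confidence values are assumptions made for this example.

```python
"""Added example (not Forrester's, CIF's or any vendor's code): the intelligence
cycle's processing stage applied to public (OSINT) threat feeds. Three
constructed feed snippets in different plain-text layouts are parsed,
normalized and deduplicated into one indicator set that an analyst can query.
Feed names, contents and confidence values are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds (not real data). Addresses come from the
# documentation ranges (TEST-NET) and domains use a reserved TLD.
FEED_A = """# hypothetical feed "blocklist-a": one IP per line
198.51.100.23
203.0.113.9
198.51.100.23
"""
FEED_B = """# hypothetical feed "c2-domains-b": indicator | first_seen | confidence
bad-updates.example|2013-01-10|90
Login-Verify.example.|2013-01-12|60
203.0.113.9|2013-01-13|75
"""
FEED_C = """; hypothetical feed "dns-sink-c", zone-file style, domain first
bad-updates.example CNAME sinkhole.example.
malware-cdn.example CNAME sinkhole.example.
"""

DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def normalize(token):
    """Return (kind, canonical value) for an IP or domain token, else None.
    IPs are canonicalized with ipaddress; domains are lower-cased and lose a
    trailing dot, so 'Login-Verify.example.' and 'login-verify.example' merge."""
    value = token.strip().lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(value):
        return ("domain", value)
    return None


def parse_feed(text, default_confidence):
    """Yield (kind, value, confidence) from one feed body.
    Lines starting with '#' or ';' are comments. The indicator is the first
    '|'- or whitespace-delimited field; a numeric third field, when present,
    overrides the feed's default confidence."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        fields = re.split(r"[|\s]+", line)
        indicator = normalize(fields[0])
        if indicator is None:
            continue  # processing drops tokens that are not indicators
        confidence = default_confidence
        if len(fields) >= 3 and fields[2].isdigit():
            confidence = int(fields[2])
        yield indicator[0], indicator[1], confidence


def aggregate(feeds):
    """Merge feeds into {(kind, value): {"sources": set, "confidence": int}}.
    Duplicates collapse into one record that remembers every feed that listed
    the indicator (corroboration) and the highest confidence seen."""
    merged = defaultdict(lambda: {"sources": set(), "confidence": 0})
    for name, text, default_confidence in feeds:
        for kind, value, confidence in parse_feed(text, default_confidence):
            record = merged[(kind, value)]
            record["sources"].add(name)
            record["confidence"] = max(record["confidence"], confidence)
    return dict(merged)


def lookup(index, token):
    """Answer an analyst query ('is this IP/domain on any feed?') after
    applying the same normalization the feeds went through."""
    key = normalize(token)
    return index.get(key) if key else None


def corroborated(index, minimum_sources=2):
    """Indicators listed by at least `minimum_sources` feeds, highest confidence first."""
    hits = [(k, v) for k, v in index.items() if len(v["sources"]) >= minimum_sources]
    return sorted(hits, key=lambda kv: -kv[1]["confidence"])


FEEDS = [("blocklist-a", FEED_A, 50), ("c2-domains-b", FEED_B, 50), ("dns-sink-c", FEED_C, 70)]
INDEX = aggregate(FEEDS)

if __name__ == "__main__":
    print(f"{len(INDEX)} unique indicators from {len(FEEDS)} feeds")
    for (kind, value), record in corroborated(INDEX):
        print(f"{kind:6} {value:25} conf={record['confidence']:3} sources={sorted(record['sources'])}")
```

Eight raw entries collapse to five indicators; two of them (the domain and the IP listed by two feeds each) are the corroborated ones an analyst would look at first. Normalizing before deduplicating is the step that matters: without it, the mixed-case, trailing-dot domain from the second feed would survive as a separate record.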
Reproduction Prohibited January 15, 2013 For Security & Risk Professionals 14 Five Steps To Build An Effective Threat Intelligence Capability Figure 6 Intelligence Sources Source type Internal Crowdsourcing Log and network data Description Example Your employees are an invaluable source of intelligence Security awareness training that leads end users to notify information security of suspicious activity. Internal forums/ distribution lists that promote the sharing of threat data You already have a wealth of actual threat data Anomalous network behavior, DNS logs, firewall drops, web proxy logs, web/HTTP logs Federal and local law enforcement Government security organizations Lead efforts to improve the nation’s cybersecurity posture, coordinate cyberinformation sharing, and proactively manage cyber-risks FBI, Secret Service GCHQ, DHS, NSA US-CERT, FIRST Government Law enforcement National security organizations Computer Emergency Readiness Teams Industry Business partners Formal industry organizations Share threat information including indicators of compromise Organizations designed to facilitate US: ISACs; Europe: ENISA, other vertical/ sharing from government to private industry-specific sharing organizations sector as well as private sector to private sector Supply chain, extranet connections Informal industry relationships Sharing relationships developed through one-on-one networking 83841 © 2013, Forrester Research, Inc. Reproduction Prohibited Companies typically have a small number of vetted, highly trusted individuals that they are willing to share strategic intelligence with. Source: Forrester Research, Inc. January 15, 2013 For Security & Risk Professionals 15 Five Steps To Build An Effective Threat Intelligence Capability Figure 6 Intelligence Sources (Cont.) 
Figure 6: Intelligence Sources (Cont.)

Source type: Open-source (OSINT)
■ Public threat feeds. Description: No-cost feeds provided by organizations with subject matter expertise. Examples: DShield, Malware Domain Blocklist, Shadowserver, Spamhaus, SpyEye Tracker, ZeuS Tracker.
■ In-house intelligence collection. Description: Collection of OSINT intelligence, frequently using custom tools. Example: Monitoring of attacker forums and social media.

Source type: Commercial
■ Threat feeds. Description: Vendors that build on public threat feeds and provide additional value. Examples: Visible Risk, Emerging Threats.
■ Software-as-a-service (SaaS) threat alerting. Description: Cloud-based services that identify attack sources as well as command and control. Examples: Mandiant Cloud Alert (formerly Unveillance), Seculert.
■ Security intelligence providers. Description: Vendors with a range of intelligence capabilities, from consulting to intelligence collection to attacker attribution. Examples: Dell SecureWorks Targeted Threat Intelligence, iSight Partners, Looking Glass, RSA Advanced Cyber Defense, Verisign iDefense.

Source: Forrester Research, Inc.

Step No. 5: Derive Intel

At this stage of your intelligence journey, you have the ability to start putting the pieces together and transition from a reactive incident response mode to a proactive operational tempo. As the incident response manager from a large contracting company put it: “In the past, you put a tool in, wait for it to send you an alert, respond to the alert, and then start over. This isn’t the way to respond to threats. You must be proactive.” To derive intelligence and to become proactive, follow these steps:

■ Create operational intelligence to enable proactive defense. Operational intelligence results in actionable inputs that can be imported into detection and prevention systems. This intelligence could be internally developed from incident response or OSINT analysis, or it could be part of a vendor feed or service.
Depending on the fidelity of the intelligence, the initial use could be for monitoring, and once you establish confidence in the intelligence source, a transition to blocking could occur.

■ Search for indicators of compromise (IOCs). When attackers compromise organizations, they leave behind evidence. An analyst can piece together these breadcrumbs to understand the anatomy of an attack. An IOC “is a forensic artifact or remnant of an intrusion that can be identified on a host or network.” Organizations should be able to quickly query endpoints and networks looking for these IOCs. Several competing frameworks exist for tracking IOCs. They include: Mitre’s Cyber Observable eXpression (CybOX), Mandiant-sponsored OpenIOC, and the community-sponsored Incident Object Description and Exchange Format (IODEF). RSA’s Will Gragido wrote a blog series, “Understanding Indicators of Compromise,” that takes a deeper look at these frameworks.20

■ Map kill chain indicators back to defender courses of action. Lockheed Martin advocates “intelligence-driven computer network defense,” which focuses on the cyber kill chain. The kill chain is a systematic process to target and engage an adversary to create desired effects. The kill chain begins at reconnaissance and ends with the action the attacker is undertaking: typically exfiltration of intellectual property. One of the tenets of this model is mapping kill chain indicators back to defender courses of action. Defenders can develop resilient mitigations against intruders and intelligently prioritize investments in new technology or processes.21

■ Produce strategic intelligence products that inform decision-makers. These intelligence products provide higher-level analysis of the threats against the organization.
These products can include historical data regarding the threats, threat trends, and threat actor capabilities as well as predictions regarding future threat activity. You must always tie them back to business objectives and priorities. Annual threat reports are an example of a strategic deliverable that one can create. These threat reports serve multiple purposes. First, they inform leadership of the threats against the organization and can help guide decision-making. Second, they raise the profile of the intelligence team within the organization. Finally, they improve the analytic and writing capabilities of the team.

Three Special Considerations For Your Intelligence Journey

As you develop your intelligence capabilities, there are three important strategies to keep in mind: 1) There are times when it makes sense to share intelligence outside of your organization; 2) you need strong operational security; and 3) we recommend that most organizations not pursue offensive security.

No. 1: You Should Be Sharing Intelligence

Intelligence sharing has traditionally been a manual process, built on personal relationships and typically delivered through privately vetted lists. This manual process has devalued some intelligence because it cannot disseminate it in a timely fashion. You should use a framework for sharing intelligence. In addition to the IOC frameworks mentioned above, a new framework, Structured Threat Information Expression (STIX), has emerged. STIX is sponsored by the Department of Homeland Security (DHS) and maintained by Mitre. STIX aims to make intelligence sharing with context occur at wire speed.22

No. 2: But You Need To Remember Operational Security

Loose lips sink ships. Operational security (OPSEC) focuses on protecting the safety and security of the organization.
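The operational-intelligence and IOC-search steps of Step No. 5 above, worked as an added example that is not from the report: constructed DNS, proxy, firewall and antivirus log lines (the internal sources of Figure 6) are queried for a small indicator list, and every hit is dispositioned as MONITOR or BLOCK according to how much confidence the indicator's source has earned, following the monitor-then-block transition the report describes. The indicator values, log lines, the 80-point blocking threshold and the kill chain phase labels are all assumptions made for this example.

```python
"""Added example (not from the Forrester report): operational intelligence
applied to log data as described in Step No. 5. Indicator values, log lines,
the blocking threshold and the kill chain phase labels are all constructed.
"""
import re
from dataclasses import dataclass, replace

BLOCK_THRESHOLD = 80  # below this an indicator only feeds monitoring


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain", "ip" or "md5"
    value: str
    confidence: int  # 0-100, raised as the source proves reliable
    phase: str       # kill chain phase the indicator sits in (assumed labels)
    source: str      # where the intelligence came from


# Constructed IOC list; the hash is a placeholder, not a real sample.
IOCS = [
    Indicator("domain", "update-check.example.invalid", 90, "command-and-control", "internal IR"),
    Indicator("ip", "203.0.113.45", 55, "delivery", "public OSINT feed"),
    Indicator("md5", "00112233445566778899aabbccddeeff", 95, "installation", "internal IR"),
]

# Constructed log lines in the formats Figure 6 lists as internal sources.
LOGS = [
    "dns 2013-01-15T10:02:11 src=10.0.0.14 query=update-check.example.invalid type=A",
    "proxy 2013-01-15T10:02:12 src=10.0.0.14 url=http://203.0.113.45/a.gif status=200",
    "fw 2013-01-15T10:02:13 action=drop src=10.0.0.9 dst=198.51.100.7 dport=445",
    "av 2013-01-15T10:05:00 host=ws-014 file=C:\\Users\\x\\r.exe md5=00112233445566778899AABBCCDDEEFF",
]

DOMAIN_RE = re.compile(r"(?<![\w.-])[a-z0-9-]+(?:\.[a-z0-9-]+)+(?![\w-])", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def extract_atoms(line):
    """Pull every domain, IPv4 address and MD5 out of one log line."""
    atoms = {("domain", m.lower()) for m in DOMAIN_RE.findall(line)}
    atoms |= {("ip", m) for m in IP_RE.findall(line)}
    atoms |= {("md5", m.lower()) for m in MD5_RE.findall(line)}
    return atoms


def disposition(ioc):
    """Monitor first; block only once the source has earned confidence."""
    return "BLOCK" if ioc.confidence >= BLOCK_THRESHOLD else "MONITOR"


def promote(ioc, new_confidence):
    """Analyst raises confidence after validating the source's hits."""
    return replace(ioc, confidence=new_confidence)


def scan(logs, iocs):
    """Query each log line for the indicator set; one record per hit."""
    index = {(i.kind, i.value.lower()): i for i in iocs}
    hits = []
    for line in logs:
        for atom in sorted(extract_atoms(line)):
            ioc = index.get(atom)
            if ioc is not None:
                hits.append({"line": line, "indicator": ioc.value,
                             "phase": ioc.phase, "action": disposition(ioc)})
    return hits


def phases_seen(hits):
    """Kill chain phases the matched indicators point to, for triage."""
    return sorted({h["phase"] for h in hits})
```

Running scan(LOGS, IOCS) flags the DNS and antivirus lines for blocking and the proxy line for monitoring only; promote() shows how a validated public-feed indicator crosses into the blocking tier.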
OPSEC coordinates all of the actions you take to deny the enemy information concerning activities and operations. OPSEC is absolutely critical when responding to targeted attacks. Organizations need to think about OPSEC in two ways:

■ For your eyes only — you don’t have to share with everyone. The wider you share a piece of intelligence, the less value it has. You need to prioritize intelligence and understand what is appropriate to share with a wide audience versus what is appropriate to share with a single trusted partner. The director of a vendor computer security incident response team (CSIRT) said: “When we are being targeted by an APT, we have a single partner we share that intelligence with. No one else; we don’t want to tip the attacker off.” You can share low- to medium-risk information or data that has no chance of compromising an ongoing incident, but you should play more strategic intelligence closer to the vest. Just as the military does, you should establish classification levels for intelligence sharing.

■ Consider the implications of submitting malware samples to third parties. Many vendors offer cloud-based binary analysis. This could be from free services such as VirusTotal or an offering like Palo Alto Networks’ WildFire. If you provide malware samples and signatures/detections are created, you could be tipping off the attacker, resulting in a change in tactics, techniques, and procedures (TT&P). A security analyst from a technology company states: “We always opt out of any automatic cloud analysis participation. We never submit anything for wider analysis.” Third-party malware analysis could be effective for a commodity threat, but not if you are facing a sophisticated threat actor. You can hire firms to analyze malware on your behalf; Verisign’s iDefense offers this capability.

No. 3: Stay Away From Offensive Security

There has been much debate within the information security community regarding offensive security or hacking back.
From an intelligence discipline perspective, this is defined as offensive counterintelligence or counterespionage. Stealth mode security startup CrowdStrike advocates offensive security: “Through surveillance and reconnaissance, counter-espionage techniques, hostile target dismantling, and denial and deception, CrowdStrike security experts provide techniques and procedures to limit the number and severity of future attacks. We help your enterprise go on the offensive against today’s most advanced adversaries.”23 Unintended consequences are just one example of the myriad of both ethical and legal questions associated with any offensive philosophy. At the 2012 Black Hat US conference, Robert Clark, an operations lawyer with the US Army Cyber Command, urged those considering offensive actions to seek legal advice “early and often.”24 If you have a mature security program, you can consider counterintelligence operations, but leave the hacking back to governments and militaries.

WHAT IT MEANS

You Don’t Have To Be The NSA Or GCHQ To Leverage Intelligence

Organizations of all sizes should take advantage of intelligence to minimize the frequency and scope of security incidents. Some companies have the resources to conduct intelligence operations on their own, while others will take advantage of vendor offerings to augment their staff. Enterprises must understand that shifting away from the traditional approach will take time and dedication. While making the transition, S&R pros must keep their eye on the ball and continue to focus on all other important components of a mature security organization, including: application security, security architecture, governance, and staff development as well as retention.
Supplemental Material

Methodology

Forrester fielded its Forrsights Security Survey, Q2 2012, to 2,383 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from small and medium-size business (SMB) and enterprise companies with two or more employees. This survey is part of Forrester’s Forrsights for Business Technology and was fielded from March 2012 to May 2012. LinkedIn Research Network fielded this survey online on behalf of Forrester. Survey respondent incentives include gift certificates and research reports. We have provided exact sample sizes in this report on a question-by-question basis.

Each calendar year, Forrester’s Forrsights for Business Technology fields business-to-business technology studies in more than 17 countries spanning North America, Latin America, Europe, and developed and emerging Asia. For quality control, we carefully screen respondents according to job title and function. Forrester’s Forrsights for Business Technology ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of IT products and services. Additionally, we set quotas for company size (number of employees) and industry as a means of controlling the data distribution and establishing alignment with IT spend calculated by Forrester analysts. Forrsights uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.

We have illustrated only a portion of survey results in this document. To inquire about receiving full data results for an additional fee, please contact Forrsights@forrester.com or your Forrester account manager.

Endnotes

1 Targeted attacks are on the rise.
For more information, see the July 13, 2012, “Protect Your Competitive Advantage By Protecting Your Intellectual Property From Cybercriminals” report.

2 For more information on the business and IT impact of the changing threat landscape, see the November 1, 2011, “Defend Your Business From The Mutating Threat Landscape” report.

3 Source: Ellen Messmer, “Global Payments: data breach cost a whopping $84.4 million,” Network World, July 26, 2012 (https://www.networkworld.com/news/2012/072712-global-payments-data-breach-cost-261204.html).

4 Source: Nicole Perlroth, “Lax Security at LinkedIn Is Laid Bare,” The New York Times, June 10, 2012 (http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?_r=2&adxnnl=1&pagewanted=all&adxnnlx=1355585706-QKTKOh5iV7UPeOfg9G76Og&). Source: Andrew Shain, “S.C. hacking ‘about worst you can get’,” The Charlotte Observer, October 30, 2012 (http://www.charlotteobserver.com/2012/10/30/3631952/sc-hacking-about-worst-you-can.html).

5 Source: Nicole Perlroth, “Study May Offer Insight Into Coca-Cola Breach,” Bits, November 30, 2012 (http://bits.blogs.nytimes.com/2012/11/30/study-may-offer-insight-into-coca-cola-breach/). Source: Ben Elgin, Dune Lawrence, and Michael Riley, “Coke Gets Hacked And Doesn’t Tell Anyone,” Bloomberg, November 5, 2012 (http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesnt-tell.html?utm_source=Sinocism+Newsletter&utm_campaign=7b539f90bb-The_Sinocism_China_Newsletter_For_11_05_2012&utm_medium=email).

6 Source: US-China Economic and Security Review Commission (http://www.uscc.gov/hearings/2012hearings/written_testimonies/12_3_26/bejtlich.pdf).

7 Source: Gordon W. Prange, Donald M. Goldstein, and Katherine V. Dillon, Miracle at Midway, Penguin Books, 1983.

8 Source: “Intelligence,” Department of the Army, March 23, 2010 (https://www.fas.org/irp/doddir/army/fm2-0.pdf).
9 Source: “China eyes new strategic industries to spur economy,” Thomson Reuters, July 23, 2012 (http://www.reuters.com/article/2012/07/23/us-china-economy-strategic-idUSBRE86M03R20120723).

10 Source: “Intelligence,” Department of the Army, March 23, 2010 (https://www.fas.org/irp/doddir/army/fm2-0.pdf).

11 Source: “Executive Order 12333: United States Intelligence Activities,” Federation of American Scientists (https://www.fas.org/irp/offdocs/eo/eo-12333-2008.pdf).

12 Approaching data security can be a herculean task, as businesses must manage their overflow of data, identify sensitive information, and protect the organization from cybercriminals, malicious insiders, and privacy infringements. At the same time, there is a proliferation of vendors who claim to have the silver bullet to end these data security challenges. For more information on how to avoid the hype and take a holistic and long-lasting approach to data security, see the June 28, 2012, “Protect And Manage Your Critical Information Assets” report.

13 Defining data consists of data discovery and data classification. Data discovery locates and indexes big data. Data classification catalogs data to make it easier to control. For more information on discovery and protecting your data, see the July 12, 2012, “Control And Protect Sensitive Information In The Era Of Big Data” report.

14 Source: Mandiant (http://www.mandiant.com/resources/m-trends/#).

15 Establishing an ongoing incident management program is critical, and a cross-functional team is an important component. For more information on maturing your incident response capability, see the November 9, 2011, “Planning For Failure” report.
16 Source: “Solutionary Survey Reveals that Threat Intelligence Reports Are Used to Shape Security Strategies and to Justify Security Resource and Budget Requests,” Solutionary press release, December 12, 2012 (http://www.solutionary.com/index/intelligence-center/press-releases/Threat-Intelligence-Survey.php).

17 For more information on how SIM must change in order to provide true value, see the August 9, 2012, “Dissect Data To Gain Actionable INTEL” report.

18 Source: collective-intelligence-framework (https://code.google.com/p/collective-intelligence-framework/).

19 Source: Paterva (https://www.paterva.com/web6/products/maltego.php).

20 Source: Will Gragido, “Understanding Indicators of Compromise (IOC) Part I,” Speaking of Security, October 3, 2012 (https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/).

21 Source: Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D., “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Lockheed Martin (http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-WhitePaper-Intel-Driven-Defense.pdf).

22 Source: Robert Westervelt, “Black Hat 2012: MITRE to detail STIX cyberthreat intelligence system,” SearchSecurity.com, July 23, 2012 (http://searchsecurity.techtarget.com/news/2240160049/Black-Hat-2012MITRE-to-detail-STIX-cyberthreat-intelligence-system).

23 Source: CrowdStrike (http://www.crowdstrike.com/services.html).

24 Source: Robert Clark, “Legal Aspects of Cyberspace Operations,” Black Hat USA 2012 (https://media.blackhat.com/bh-us-12/Briefings/Clark/BH_US_12_Clark_Legal_Aspects_Slides.pdf).

About Forrester

A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world’s top companies turn the complexity of change into business advantage.
Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

For More Information

To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

Client Support

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.

Forrester Focuses On Security & Risk Professionals

To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester’s subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

Sean Rhodes, client persona representing Security & Risk Professionals

Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 17 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 29 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.