I write often of the poor-quality threat intelligence that pervades the security community. Poor-quality threat intelligence not only imposes a heavy cost on its consumers, it also erodes the confidence consumers place in their providers. Confidence is the cornerstone of threat intelligence. Nobody will take intelligence from an untrustworthy source and act on it – at least they shouldn’t. Producer and consumer must trust each other, and that trust needs to be based on transparency and verification.
How, then, does one appropriately assess threat intelligence? The first step must be to identify the qualities which define “good” threat intelligence. These are not binary qualities, however; each sits on a gradient set by the use case. Timeliness is a good example: strategic intelligence can tolerate a more fluid timeliness requirement, while tactical threat intelligence, such as indicators meant for immediate blocking, has much stricter requirements.
Further, no single threat intelligence source is likely to satisfy all of these qualities simultaneously. For instance, it is unlikely that any one provider has complete visibility across Diamond Model elements or Kill Chain phases, so consumers will have to rely on more than one provider to achieve satisfactory completeness.
The four qualities (CART) are: Completeness, Accuracy, Relevance, and Timeliness.
Completeness: Threat intelligence must be sufficiently complete to provide effective detection and, ideally, prevention. For instance, a domain indicator that was used in the exploitation of only one victim gives other victims nothing to detect or block; for them the intelligence is effectively incomplete and unhelpful.
Accuracy: Threat intelligence must save organizations more through its correct indicators and assessments than it costs them in errors and mistakes, such as false positives that consume triage time and false negatives that let an intrusion proceed.
Relevance: Threat intelligence must address a threat the organization actually faces, in a form that allows for effective action. Intelligence addressing threats the organization does not face is of no value, and intelligence delivered in a type or format the organization cannot consume is equally unhelpful.
Timeliness: Threat intelligence must be received and operationalized fast enough that its impact is worth more than the cost of the intelligence itself.
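The four qualities are usually judged by feel. As an added example (not part of the original post, and not any provider's tooling), the following Python puts numbers on each of them for a single feed, generalizing the criteria above: completeness as Kill Chain phase coverage, accuracy as net value of true-positive hits minus false-positive cost, relevance as the share of indicators touching technology the consumer actually runs, and timeliness as the share delivered within an acceptable lag plus the median lag. The feed records, the consumer's environment, the cost figures and the lag threshold are all constructed placeholders for illustration.

```python
"""Score a threat-intelligence feed against the CART qualities.

Added example, not from the original post. All feed records, the consumer's
environment, the per-event cost figures and the lag threshold are constructed
placeholders; adjust them to your own telemetry and cost model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Lockheed Martin Kill Chain phases, used as the completeness yardstick.
KILL_CHAIN_PHASES = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)


@dataclass(frozen=True)
class Indicator:
    value: str
    phase: str                      # Kill Chain phase the indicator speaks to
    applies_to: frozenset           # technologies the threat targets
    first_seen: datetime            # provider's first observation of the activity
    delivered: datetime             # when the indicator reached the consumer
    hits: int                       # matches in the consumer's telemetry
    true_positive: Optional[bool]   # analyst verdict on those hits; None if no hits


def completeness(feed):
    """Share of Kill Chain phases for which the feed supplies at least one indicator."""
    covered = {i.phase for i in feed if i.phase in KILL_CHAIN_PHASES}
    return len(covered) / len(KILL_CHAIN_PHASES)


def accuracy(feed, tp_value, fp_cost):
    """Net value: what true-positive hits saved minus what false-positive hits cost.

    Negative means triaging bad indicators cost more than the good ones saved,
    i.e. the feed fails the accuracy test regardless of how many detections it produced."""
    saved = sum(i.hits for i in feed if i.true_positive is True) * tp_value
    wasted = sum(i.hits for i in feed if i.true_positive is False) * fp_cost
    return saved - wasted


def relevance(feed, environment):
    """Share of indicators that address a technology the consumer actually runs."""
    if not feed:
        return 0.0
    return sum(1 for i in feed if i.applies_to & environment) / len(feed)


def timeliness(feed, max_lag):
    """Share of indicators delivered within max_lag of the provider's first sighting,
    plus the median lag so a slow tail stays visible even when the share looks fine."""
    lags = [i.delivered - i.first_seen for i in feed]
    if not lags:
        return 0.0, timedelta(0)
    on_time = sum(1 for lag in lags if lag <= max_lag)
    return on_time / len(lags), median(lags)


def cart_report(feed, environment, tp_value, fp_cost, max_lag):
    share_on_time, median_lag = timeliness(feed, max_lag)
    return {
        "completeness": completeness(feed),
        "accuracy_net_value": accuracy(feed, tp_value, fp_cost),
        "relevance": relevance(feed, environment),
        "timeliness": share_on_time,
        "median_lag_hours": median_lag.total_seconds() / 3600,
    }


# Constructed sample feed (RFC 2606 / RFC 5737 reserved names and addresses).
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_FEED = [
    Indicator("evil-cdn.example", "command_and_control", frozenset({"windows"}),
              T0, T0 + timedelta(hours=6), hits=3, true_positive=True),
    Indicator("deadbeef" * 8, "installation", frozenset({"windows"}),
              T0, T0 + timedelta(days=3), hits=0, true_positive=None),
    # A shared-hosting address: it matched a lot, and every match was benign.
    Indicator("203.0.113.7", "delivery", frozenset({"linux", "windows"}),
              T0, T0 + timedelta(hours=2), hits=12, true_positive=False),
    # Targets a platform the consumer does not run, so it scores as irrelevant.
    Indicator("scanner-c2.example", "reconnaissance", frozenset({"ios"}),
              T0, T0 + timedelta(hours=1), hits=0, true_positive=None),
]
ORG_ENVIRONMENT = frozenset({"windows", "linux"})   # constructed asset summary
TP_VALUE, FP_COST = 5000, 250                       # constructed cost model (per hit)
MAX_LAG = timedelta(hours=24)                       # tactical use: block within a day


def example_report():
    return cart_report(SAMPLE_FEED, ORG_ENVIRONMENT, TP_VALUE, FP_COST, MAX_LAG)


if __name__ == "__main__":
    for quality, score in example_report().items():
        print(f"{quality:>20}: {score}")
```

The cost figures are the part a consumer has to supply honestly: with the same feed and a true-positive value of 500 instead of 5000, the accuracy figure turns negative and the twelve false-positive hits on the shared-hosting address outweigh the three real detections, which is exactly the "costs more in errors than it saves in success" failure the accuracy criterion describes.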