SANS: Survey Report on the State of Cyber Threat Intelligence in 2016

Posted by trammel at 2020-03-09

In August 2016, SANS released its latest survey report on the state of cyber threat intelligence (CTI).

Note that this is not a translation. For the original text, please see the report entitled "The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing".

The report points out that as threats to cyberspace security keep growing, the role of cyber threat intelligence (CTI) is becoming more prominent. 41% of respondents said their use of CTI is maturing, 26% said their use of CTI is already mature, and only 6% said they do not use CTI at all.

In the previous two years, people's understanding of CTI was still fairly shallow; this year's report shows much richer CTI practice, for example:

1) Traditional security vendors providing intelligence subscription services;

2) Using threat intelligence at the network egress to block malicious domain names and IP addresses, and to provide context for security investigations and compromise assessments;

3) Most security teams using threat intelligence from industry or community sharing organizations, as well as commercial intelligence from security intelligence vendors.

Some findings of the report are as follows:

1) Fewer than 6% of respondents said they had no plans to use threat intelligence, while 40.5% said threat intelligence use was maturing in their environment. By contrast, in last year's survey as many as 7% said they had never heard of threat intelligence.

2) On the value of threat intelligence, 64% said it improved their security and response capability. Specifically, the areas of improvement include:

73% think threat intelligence gives them better decision support;

71% believe threat intelligence improved their ability to "see" threats;

58% believe threat intelligence improved the speed and accuracy of their response;

53% believe threat intelligence helps them detect unknown threats;

48% think threat intelligence helps them reduce breaches (in particular actual exposure of sensitive data and business interruption);

39% believe threat intelligence reduced the adverse impact of security incidents through smarter blocking.

It is worth noting that quantitative evaluation of how much threat intelligence reduces breaches is still insufficient; evaluation metrics, methods and practice are lacking. What is clear is that threat intelligence can be used to improve incident response capability.

By comparison, the second annual survey on cyber threat intelligence exchange conducted by Ponemon at the end of last year found that 65% of respondents believed the use of threat intelligence could prevent or mitigate the consequences of an attack. The two independent studies are thus fairly consistent.

3) On sources of threat intelligence, 74% use intelligence shared by communities or industry organizations, 70% use data from external threat intelligence service providers, and 46% use internally generated intelligence. Use of internal intelligence is regarded as a sign of maturity, although most organizations still have plenty of room to improve how they use it.

Threat intelligence service providers can be broken down into the following sources:

Interestingly, only 25% of respondents use data from dedicated threat intelligence service providers; more rely on intelligence data provided by traditional security vendors. Whether this means dedicated threat intelligence providers are of little value, I think, still needs further study.

4) The report lists the three most common threat intelligence use cases:

Blocking malicious domain names and IPs at the network egress;

Providing context for security investigations and compromise assessments;

Checking DNS server logs to identify malicious domain names and IPs.
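The first and third use cases above (blocking at the egress and sweeping DNS logs) come down to the same mechanical step: matching log observables against an indicator set. The following is an added example, not code from the SANS report or this post; the indicator domains, the IP ranges (taken from documentation address space) and the log lines are all constructed for illustration, and the log formats are only a BIND-style query log and a key=value firewall log. It shows two details practitioners get wrong: matching domains on a label boundary (so a flagged domain also catches its subdomains without catching a look-alike that merely ends with the same string) and matching IPs by network rather than exact string, while keeping the original log line as investigation context.

```python
"""Match constructed DNS query logs and egress connection logs against a small,
constructed indicator set (malicious domains and IP ranges).

Everything here is illustrative: the indicators, hostnames and log lines are
made up for this example and are not from any real feed or the SANS report.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Hit:
    source: str      # "dns" or "egress": which log the hit came from
    client: str      # internal host that made the request
    observable: str  # the domain or IP seen in the log
    indicator: str   # the indicator it matched
    line: str        # original log line, kept as context for the analyst


# Constructed indicator set (hypothetical domains; documentation-range IPs).
DOMAIN_INDICATORS = {"bad-updates.example", "c2.evil-example.net"}
IP_INDICATORS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.7/32")]

# Constructed BIND-style query log lines.
SAMPLE_DNS_LOG = """\
09-Mar-2020 10:01:02.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)
09-Mar-2020 10:01:03.456 client 10.0.0.7#40022: query: cdn.bad-updates.example IN A + (10.0.0.2)
09-Mar-2020 10:01:04.789 client 10.0.0.9#51234: query: C2.EVIL-EXAMPLE.NET. IN TXT + (10.0.0.2)
09-Mar-2020 10:01:05.000 client 10.0.0.5#53212: query: notbad-updates.example IN A + (10.0.0.2)
"""

# Constructed egress firewall log lines (key=value style).
SAMPLE_EGRESS_LOG = """\
2020-03-09T10:02:01Z action=allow src=10.0.0.7 dst=203.0.113.45 dport=443
2020-03-09T10:02:02Z action=allow src=10.0.0.5 dst=93.184.216.34 dport=443
2020-03-09T10:02:03Z action=allow src=10.0.0.9 dst=198.51.100.7 dport=8080
2020-03-09T10:02:04Z action=allow src=10.0.0.9 dst=198.51.100.8 dport=8080
"""

DNS_LINE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
EGRESS_LINE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so 'C2.EVIL-EXAMPLE.NET.' can match."""
    return name.rstrip(".").lower()


def match_domain(qname: str, indicators=DOMAIN_INDICATORS):
    """Return the indicator covering qname, or None.

    A query matches if it equals the indicator or is a subdomain of it (label
    boundary required): 'cdn.bad-updates.example' matches 'bad-updates.example',
    but the look-alike 'notbad-updates.example' does not.
    """
    qname = normalize_domain(qname)
    for indicator in indicators:
        if qname == indicator or qname.endswith("." + indicator):
            return indicator
    return None


def match_ip(addr: str, indicators=IP_INDICATORS):
    """Return the network indicator containing addr, or None (also for non-IPs)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in indicators:
        if ip in net:
            return str(net)
    return None


def scan_dns_log(text: str) -> list:
    """Return a Hit for every query line whose name is covered by an indicator."""
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if m is None:
            continue
        indicator = match_domain(m["qname"])
        if indicator:
            hits.append(Hit("dns", m["client"], normalize_domain(m["qname"]), indicator, line))
    return hits


def scan_egress_log(text: str) -> list:
    """Return a Hit for every connection whose destination falls in an indicator network."""
    hits = []
    for line in text.splitlines():
        m = EGRESS_LINE.search(line)
        if m is None:
            continue
        indicator = match_ip(m["dst"])
        if indicator:
            hits.append(Hit("egress", m["src"], m["dst"], indicator, line))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG) + scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"[{hit.source}] {hit.client} -> {hit.observable} matched {hit.indicator}")
```

On the sample input the DNS sweep flags the subdomain query and the upper-cased, trailing-dot query but not the look-alike domain, and the egress sweep flags the two destinations inside the indicator networks but not the neighbouring address one outside the /32. In a real deployment the indicator sets would be loaded from the feed and the hits forwarded to the SIEM with the original line attached, since that line is the context an analyst needs to confirm the match.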

Other use cases are listed in the report as follows:

5) On integrating intelligence data with existing protection and response systems, the most common method at present is the intelligence provider's API, followed by the organization's own API. In terms of the systems integrated with, SIEM comes first, followed by *** monitoring platforms and commercial threat intelligence management platforms. In terms of integration depth, SIEM has the highest degree of integration (GUI integration).

This reminds me of Gartner's analysis of threat intelligence. Gartner's technology overview report on machine-readable threat intelligence points out that the SIEM is the best vehicle for consuming machine-readable threat intelligence (i.e. integrated intelligence).

6) On threat intelligence management solutions and the use of standards and frameworks, the picture currently looks rather messy and fragmented, lacking unified and consistent thinking. Many enterprises and organizations use custom specifications and frameworks. This too reflects the current state of the threat intelligence field.

7) 61% of respondents said they are consumers of threat intelligence, 33% said they both consume and produce it, and fewer than 7% focus on producing threat intelligence.

Within enterprises and organizations that consume threat intelligence, the specific consumer roles are: the SOC team, the incident response team, the risk and compliance team, senior executives and board members, middle managers, and so on.

In terms of staffing, 28% of respondents said they have a dedicated formal team responsible for threat intelligence, 18% said they have a dedicated person, and 21% said that although nobody is responsible at present, staff are being trained internally and will take up the role soon.

For the professionals responsible for threat intelligence in enterprises and organizations, the report gives a prioritized list of skills:

How does that look? Is it too demanding? It clearly calls for cross-disciplinary talent.

The report also contains an interesting finding: at present, a team can reliably handle up to about 100 threat intelligence indicators per week; beyond that, it cannot keep up.

8) For organizations and enterprises, the biggest obstacle to using threat intelligence is the lack of trained personnel (analysts): 59% held this view, followed by 37% who said they lack the technical capability to integrate threat intelligence. In short, the human factor comes first.

9) On the future of threat intelligence, 69% think it will play a very important role in defense and response, 54% think it will play an important role in risk classification and decision-making over the next five years, and only 3% think it will not play an important role in the future.

To integrate threat intelligence better in the future, the needs identified are better adherence to standards, fewer false positives, coverage of industrial control environments, and better data enrichment and analysis capabilities.

In short, the importance of threat intelligence is beyond dispute, especially over the next five years. The tools, knowledge and processes around threat intelligence practice are maturing, but there is room for strengthening in many areas, such as threat prevention, detection and investigation. At present the market is still chaotic, with inconsistent standards, vendors of varying quality, and intelligence data of varying quality. Many people think generic threat intelligence has little value on its own and that targeted intelligence is also needed. Moreover, some think it is necessary to build their own internal intelligence sources and integrate internal intelligence.

But in any case, enterprises and organizations must start using threat intelligence; that is the general trend.
