Threat Intelligence Fatigue
By Chris Richter, SVP, Global Security Services, Level 3 Communications
The cyber landscape is becoming ever more threatening, yet paradoxically, companies are growing weary of threat intelligence, a vital tool in cyber defense. To understand why, we need to look at the current threat landscape, what’s causing the hesitancy and what the industry can do to address the issue.
First, the Threat Landscape
2016 was the year of the DDoS attack. It was also the year of the ransomware attack and of spear-phishing. I don’t mean to sound facetious; we hear every day that the cyberthreat landscape is rapidly evolving, and the evidence is everywhere you look, from the Dyn attack to the ‘HoeflerText’ malware in Google Chrome to the newest bank phishing scam.
In fact, DDoS attacks are up in both count and scale, thanks to the ongoing proliferation of IoT and the publication of the Mirai source code, which co-opts everything from DVRs to cameras into its botnet army. According to Level 3 Threat Research Labs, more than 30 percent of DDoS attacks are now 10 Gbps or more, sizable enough to render the services of a typical business unavailable on the internet. There are also reports that attacks of more than 100 Gbps increased substantially over the last year.
Ransomware became a billion dollar industry in 2016, and emails loaded with ransomware increased 6,000 percent year over year, according to IBM. In addition to a spike in consumer victims willing to yield a few hundred dollars to regain control over their personal devices, businesses became more obvious targets given their deeper pockets and the higher stakes–hospitals, educational institutions, public infrastructure, and so on.
Another prime example of the growing sophistication of cyberthreats is the prevalence of spear-phishing, the more successful sibling of the now easily recognizable phishing attempt. Unlike its predecessor, with its telltale signs of off-branding, misspellings, typos and other errors, spear-phishing is custom made for targets and is designed to look and sound legitimate, often spoofing a trusted source.
In short, with the attack industry booming and ever larger payloads to chase, cybercriminals are becoming increasingly more organized and sophisticated.
Whether their motivation is profit, spite or political in nature, they’re part of a growing machine that translates into big business.
The New Threat on the Horizon
With this knowledge as a backdrop, one might assume cyberthreat intelligence would be enjoying an equivalent boom. And yet it’s not. A surprising number of companies we’ve met with in recent months are experiencing what I would call “Threat Intelligence Fatigue.” To be fair, there are plenty of studies that show enterprises in various stages of implementing threat intelligence into their broader security strategies. There’s a growing segment of threat intelligence vendors whose mission is to perform analysis of an enterprise’s assets, vulnerabilities and risks, which are then correlated with a wealth of publicly-available threat intelligence and shared back with the business.
So, what’s the problem? Threat intelligence is supposed to be evidence-based and actionable. The aim is to put the right knowledge into the enterprise’s hands so it can make the right decision at the right time to avoid or negate a threat. Unfortunately, threat intelligence has been a big disappointment for many. Over the years, vendors have made big promises, but their products have ultimately delivered very little useful data, and resulted in a lot more work and cost for the business.
The 2016 SANS State of Cyber Threat Intelligence (CTI) report found a “major source of frustration for many security professionals is the overly general nature of many CTI feeds” based on data “that is somewhat shallow and less geared toward their organization or vertical.” The report also found that businesses lack the resources to research and act on significant volumes of intelligence indicators–anything over 100 in a single week.
Problem-solving for the Threat Intelligence Weary
There’s an obvious gap here. The 2016 SANS report notes, “The [threat intelligence] landscape today is very fragmented, and there are few consistent themes in terms of approaches organizations are taking: lots of tools, lots of ‘standards’ and little agreement on which are best may lead to more confusion. For the future, organizations must be able to use tools and CTI data in a more integrated way.” So how are we going to resolve the threat intelligence fatigue?
Vendors and providers will need to continue to strive for clean, simple intelligence that is relevant to the customer and delivered in a manner the customer can consume, with minimal (if not zero) false positives. Just as bad actors are working diligently to craft the right phishing scheme to crack targets’ individual defenses, we in the security industry need to make sure the intelligence we’re providing is tailored to the particular risks and assets of the organizations we’re helping to protect. That means alerting on the most important indicators of compromise, rather than the universe of potential threats. It means offering tools and portals that are designed with customer experience top of mind. Finally, it means working together as an industry to take action against known threats so that the businesses we serve don’t have to.
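As an added illustration, not code from the article or from Level 3, here is one way the “relevant to the customer” filter described above could be expressed: a small relevance score ranks a constructed feed against an organization’s own vertical, software and telemetry, discards generic entries, and caps the output at the SANS figure of roughly 100 indicators a week. The scoring weights, sample indicators and organization profile are all assumptions made for the example.

```python
from dataclasses import dataclass

# SANS figure quoted in the article: more than ~100 indicators a week is unworkable.
WEEKLY_ACTIONABLE_CAP = 100

@dataclass(frozen=True)
class Indicator:
    value: str             # the IoC itself (IP, domain, hash)
    kind: str              # "ip" | "domain" | "hash"
    verticals: frozenset   # verticals the source ties it to; empty means generic
    products: frozenset    # products it targets or exploits; empty means generic
    confidence: int        # 0..100 as reported by the feed

@dataclass(frozen=True)
class OrgProfile:
    vertical: str
    products: frozenset
    observed: frozenset    # indicator values already seen in the org's own telemetry

def relevance(ind: Indicator, org: OrgProfile) -> int:
    """Score how much this indicator matters to *this* organization (assumed weights)."""
    score = ind.confidence // 5                      # 0..20 from feed confidence
    if ind.value in org.observed:
        score += 70                                  # already confirmed on our own network
    if org.vertical in ind.verticals:
        score += 30                                  # aimed at our industry
    if ind.products & org.products:
        score += 30                                  # targets software we actually run
    if not ind.verticals and not ind.products:
        score -= 25                                  # "shallow", untargeted feed noise
    return score

def triage(feed, org, min_score=30, cap=WEEKLY_ACTIONABLE_CAP):
    """Return (value, score) pairs worth an analyst's time, best first, capped."""
    kept = [(ind.value, relevance(ind, org)) for ind in feed]
    kept = [(v, s) for v, s in kept if s >= min_score]
    kept.sort(key=lambda vs: (-vs[1], vs[0]))
    return kept[:cap]

# Constructed sample feed and profile (illustrative values, not real indicators).
SAMPLE_FEED = [
    Indicator("198.51.100.7", "ip", frozenset({"healthcare"}), frozenset(), 80),
    Indicator("evil.example", "domain", frozenset(), frozenset({"dvr-firmware-x"}), 60),
    Indicator("203.0.113.9", "ip", frozenset(), frozenset(), 90),               # generic
    Indicator("deadbeef" * 8, "hash", frozenset({"retail"}), frozenset({"pos-suite"}), 95),
    Indicator("bad.example", "domain", frozenset(), frozenset(), 40),           # generic, but seen locally
]
SAMPLE_ORG = OrgProfile("healthcare", frozenset({"dvr-firmware-x", "ehr-portal"}),
                        frozenset({"bad.example"}))

if __name__ == "__main__":
    for value, score in triage(SAMPLE_FEED, SAMPLE_ORG):
        print(f"{score:3d}  {value}")
```

Of the five feed entries, only the three tied to this organization survive, with the one already seen in local telemetry ranked first; the high-confidence but untargeted entries are exactly the “overly general” material the SANS report complains about.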
No one would argue that actionable threat intelligence is not a fundamental part of any sound security posture. As cybercriminals mature into streamlined organizations intent on capitalizing on the vulnerabilities of IoT and our collectively poor cyber hygiene, cyber intelligence needs to adapt to the needs of the individual businesses it serves. If we are successful in doing so, perhaps next year we’ll see 2017 named the year of “Truly-Actionable Threat Intelligence,” the year we stopped bad actors in their tracks.