The Challenges in Leveraging Cyber Threat Intelligence

Abstract: Today cyber attacks, incidents, threats, and breaches continue to rise in scale and numbers, as sophisticated attackers continuously break through conventional safeguards each day. Whether strategic, operational, or tactical, threat intelligence can be defined as aggregated information and analytics that feed the different pillars of any given company’s cybersecurity infrastructure. It provides numerous benefits, enabling improved prediction and detection of threats, empowering and informing organizations to make better decisions during as well as following any cyber attack and aiding them to develop a proactive cyber security posture. It helps provide actionable intelligence, which equips senior management to make timely actions and decisions that might otherwise have an impact on the company’s ability to keep ahead and defend against this growing sea of threats. Driving momentum in this area also helps reduce their reaction times, enabling a shift for organizations to become more proactive than reactive. Perimeter defenses seem to no longer suffice as threats are becoming more complex and escalating with no best practices and guidelines available for companies to follow after, during, or before the time of the threat and risk due to the multiple components involved, including the various standards and platforms. Sharing and analyzing threat data effectively requires standard formats, protocols, shared understanding of the relevant terminology, purpose, and representation. Threat intelligence and its analysis are seen as a vital component of cyber security and a tool that many companies cannot leverage and utilize fully. Securing today's organizations and businesses, therefore, will require a new approach. In our study with security executives working across multiple industries, we have identified the various challenges that prevent the successful adoption of threat intelligence and with the rising adoption of the multiple platforms, including issues related to data quality, absence of universal standard format and protocol, challenge enforcing data sharing based on CTI data attribute, lack of authentication and confidentiality preventing data sharing, missing API integration capability in conjunction with multi-vendor tools, lack of identification of tacticalIOCs, failure to define TTL value(s), lack of deep automation, analytical and visualization capabilities. Ensuring the right expertise and capabilities in these identified areas will help leverage threat intelligence effectively, help to sharpen the focus, and provide the needed competitive edge.