Understand it's "job" and what you and your team need
The first step to choosing the right threat intelligence platform (TIP) for you is to figure out what you actually want the TIP to do. One pitfall that security teams often fall into is that they approach the selection with a checklist of criteria, without really evaluating the problems they're trying to solve and they end up with a product that "checks all the boxes" but ends up collecting dust.
For example, if you're buying a car, here are some things you might be looking for:
- Safety, e.g. five star crash-test ratings
- A decent sound system
- "Sporty," whatever that means
- Good gas mileage
- Lane assist
Those are all admirable features or qualities for a car to have, but consider the reason you're buying the car (in other words, the thing you're buying the car to do):
- Get the kids to school and soccer practice, and maybe keep them entertained on longer trips
- Show up the other guys and gals at the firm with their fancy imports
- Survive the ultimate road trip
The five "features" listed above might all factor into the three "reasons," but imagine if the status-seeker showed up with a minivan, or the soccer parent showed up with a convertible coupe? The features are the same, but the final product, what's really needed, is totally different.
So the first step in selecting a TIP is not picking out the key features - it's nailing down the "job" of a TIP.
What's the "job" of a TIP?
Your mileage may vary, and introspection is certainly keyhere, but for most teams the main jobs of a TIP are:
- Aggregation. Get all of my feeds and reports into a central location - a "source of truth" - where they can be accessed in a standardized format by anyone who needs them.
- Analysis. Figure out what's really relevant to me and my team. "Is this a threat to me?"
- Action. Send the right intel to my detection and defense devices. Some might call this "operationalizing" the intelligence.
Major "check the box" items like DNS lookups, machine-readable threat intelligence, STIX/TAXII, etc., are all features in service of those larger goals. Even key capabilities like automation and orchestration are just better ways of accomplishing the jobs: automation can help make teams more effective in the Analysis job, for example, by streamlining key enrichment tasks. Orchestration can help on the Action side by linking together all manner of disconnected systems.
What matters, though, is how effectively the TIP can actually do the job you want it to do. You're probably doing those jobs today already: with spreadsheets, cutting and pasting, Word docs, custom Python scripts, prayer, etc. The TIP makes you more effective at those jobs.
Let's take a look at how TIP help you accomplish these three key jobs of Aggregation, Analysis, and Action.
Aggregation -Get All Your Stuff in One Place
The first job you might want to hire a TIP for is to centralize all of your intelligence. So the question is, what intelligence are you collecting today, and how do you receive it? Consider making a checklist of the intelligence and its delivery mechanism. It might look something like this:
|Premium feed||Proprietary API and PDF reports|
|ISAC alerts||Sent via email in plain text or STIX|
|My favorite researcher blog||Website|
|Internal network activity||Available in my SIEM|
|Internal threat reports||Spreadsheets and corporate wiki|
|Open source feed||TAXII|
Once you understand what you want to bring in, you can start to review how effective the TIP is at adding the data. For example, does the TIP have native integrations with your premium feeds, or would you need to write something custom (and possibly hire software developers)? Can the TIP automatically extract indicators from your ISAC alert emails, or would your analysts need to cut and paste? Understanding how the TIP "gets the job done" can help you understand how effective that TIP is at doing the job. For example:
|Intelligence||TIP #1||TIP #2|
|Premium feed||Native integration and in-app PDF report display||Native integration|
|ISAC alerts||Parses email alerts and converts into machine-readable threat intelligence (MRTI)||Cut and paste|
|My favorite researcher blog||Aggregates popular blogs and converts into MRTI||Cut and paste or custom script for web scraping|
|Internal network activity||Bidirectional integration with my SIEM||Requires custom app|
|Internal threat reports||SDK and API allows integration with internal wiki||Not available|
|Open source feed||TAXII client||TAXII client|
While both TIPs in the above example have ways to do the job, TIP #1 is going to be more effective.
Analysis - Weed out the Irrelevant Stuff
Once you've collected the data, the next step is to identify the relevant intelligence so you can take action while avoiding false positives. Just like with the "Aggregate" job, the first step is to lay out what sort of analysis you want to do:
- Check log files for malicious indicators
- Look up data in third party enrichment tools
- Monitor your domains for spoofing attempts
- Analyze malware files
- Track threat actors across multiple campaigns
- Weed out false positives
And once again, we look to see how each TIP accomplishes the job you want it to do:
|Analysis||TIP #1||TIP #2|
|Check log files for malicious indicators||Drag-and-drop files for immediate analysis and enrichment||Import files, manually parse out indicators, and review|
|Look up data in third party enrichment tools||Automate lookups in any enrichment service that offers a REST API||Out of the box integrations with several (but limited) popular enrichment services|
|Monitor your domains for spoofing attempts||Domain-spinning workbench||Domain monitoring for-hire|
|Analyze malware files||Automate analysis in multiple third party AMAs||Integrated sandbox, limited support for other AMAs|
|Track threat actors across multiple campaigns||Flexible data model aligned to the Diamond Model of Intrusion Analysis||Rigid data model with some Kill Chain support|
|Weed out false positives||Globally crowdsourced reports of known false positives||Manual tagging|
Analysis can be more challenging to evaluate than aggregation because there are so many more options, but that's okay: what's important is that you understand what your team needs and what the TIP provides. For example, if your team is just ramping up and needs room to grow, you'll want a TIP that offers some basic enrichment while still being extensible. If you have a mature team, you'll want one that is flexible enough to adapt to your processes (rather than the other way around).
Action - Send the Relevant Stuff Where It Can Protect You
Getting intelligence out of a TIP is just as important as getting data in. I'd argue that, while taking Action depends on Aggregation and Analysis, Action is the most important job a TIP can do for you.
|Deploy to defensive devices||SIEM, EDR, firewall, etc.|
|Publish internal intelligence||Security team, executives, risk management|
|Publish external intelligence||ISAC, sharing community, law enforcement|
|Loop in other teams on critical intel||SOC, Incident Response, IT, etc.|
So really, the question becomes: what form do you want your intelligence to take, and where do you need it to go?
|Action||TIP #1||TIP #2|
|Deploy to defensive devices||Integrations, rule-based runtime apps, flexible automation/orchestration engine||Integrations, rule-based runtime apps|
|Publish internal intelligence||Export, PDFs, integrations with ticketing systems, scheduled delivery||Export|
|Publish external intelligence||TAXII server, export, anonymous crowdsourced analytics||TAXII server, export|
|Loop in other teams on critical intel||In-app notifications, email, Slack|
There's a wide variety of possible outputs, so due to the importance of the Action job it's worthwhile to take the time to assess the desired end state of your intelligence, and how that end state is achieved with any particular TIP.
A Word on Orchestration
I've mentioned several instances above where the job being done is accomplished by way of orchestration or automation. With all the buzz around orchestration, it can be tempting to think that orchestration is something separate from what you want out of a TIP, but that's a mistake. Orchestration is simply a means to an end. If orchestration can make the job you want the TIP to do more effective, then why not consider a TIP with orchestration?
Consider seat belts, airbags, and lane assist. All of those features are designed to do the job of keeping you safe and contribute in different ways and with different levels of effectiveness. Orchestration in a TIP is no different. For example, you might need to detonate malware in an Automated Malware Analysis (AMA) tool. There's lots of ways to accomplish that from a TIP:
- Download a file from the TIP and manually upload it to the AMA
- Use the TIP's build-in sandbox
- Use the TIP's out-of-the-box AMA integration
- Use a TIP's orchestration capability to automatically send malware to an AMA, detonate it, retrieve the results, and get notified if something relevant is found
In all four cases, the job being done is the same: malware analysis. What's different is the tools being used and how effective the TIP is at getting the job done resulting in significant time savings. In nearly every case, orchestration is a fantastic tool for making a TIP more effective and a better fit for the specific job you need done for the simple reason that orchestration gives you total control over how that job is performed.
In the end, when we talk about selecting a TIP based on what you and your team need it to do, keep these tips in mind:
- Make a checklist of what you and your team need the TIP to aggregate, analyze, and operationalize. Don't rely on a wishlist of features, rely on the jobs you want done.
- For each item on the list, consider how it's being done now.
- For every TIP you're evaluating, consider how that TIP accomplishes the jobs on your checklist.
- Remember that orchestration is just another way to accomplish one of those jobs.
Want to learn more? Sign up for a TC Open account! It's Free
TC Open™ is a completely free way for individual researchers to get started with threat intelligence. While this is not a free trial of the full platform, TC Open allows you to see and share open source threat data, with support and validation from our free community.