How to Choose the Right Threat Intelligence Platform for You

How to Choose the Right Threat Intelligence Platform for You

Understand it’s “job” and what you and your team need

The first step to choosing the right threat intelligence platform (TIP) for you is to figure out what you actually want the TIP to do. One pitfall that security teams often fall into is that they approach the selection with a checklist of criteria, without really evaluating the problems they’re trying to solve and they end up with a product that “checks all the boxes” but ends up collecting dust.

For example, if you’re buying a car, here are some things you might be looking for:

  • Safety, e.g. five star crash-test ratings
  • A decent sound system
  • “Sporty,” whatever that means
  • Good gas mileage
  • Lane assist

Those are all admirable features or qualities for a car to have, but consider the reason you’re buying the car (in other words, the thing you’re buying the car to do):

  • Get the kids to school and soccer practice, and maybe keep them entertained on longer trips
  • Show up the other guys and gals at the firm with their fancy imports
  • Survive the ultimate road trip

The five “features” listed above might all factor into the three “reasons,” but imagine if the status-seeker showed up with a minivan, or the soccer parent showed up with a convertible coupe? The features are the same, but the final product, what’s really needed, is totally different.

So the first step in selecting a TIP is not picking out the key features – it’s nailing down the “job” of a TIP.

What’s the “job” of a TIP?

Your mileage may vary, and introspection is certainly keyhere, but for most teams the main jobs of a TIP are:

  1. Aggregation. Get all of my feeds and reports into a central location – a “source of truth” – where they can be accessed in a standardized format by anyone who needs them.
  2. Analysis. Figure out what’s really relevant to me and my team. “Is this a threat to me?”
  3. Action. Send the right intel to my detection and defense devices. Some might call this “operationalizing” the intelligence.

Major “check the box” items like DNS lookups, machine-readable threat intelligence, STIX/TAXII, etc., are all features in service of those larger goals. Even key capabilities like automation and orchestration are just better ways of accomplishing the jobs: automation can help make teams more effective in the Analysis job, for example, by streamlining key enrichment tasks. Orchestration can help on the Action side by linking together all manner of disconnected systems.

What matters, though, is how effectively the TIP can actually do the job you want it to do. You’re probably doing those jobs today already: with spreadsheets, cutting and pasting, Word docs, custom Python scripts, prayer, etc. The TIP makes you more effective at those jobs.

Let’s take a look at how TIP help you accomplish these three key jobs of Aggregation, Analysis, and Action.

Aggregation -Get All Your Stuff in One Place

The first job you might want to hire a TIP for is to centralize all of your intelligence. So the question is, what intelligence are you collecting today, and how do you receive it? Consider making a checklist of the intelligence and its delivery mechanism. It might look something like this:

IntelligenceDelivery Mechanism
Premium feedProprietary API and PDF reports
ISAC alertsSent via email in plain text or STIX
My favorite researcher blogWebsite
Internal network activityAvailable in my SIEM
Internal threat reportsSpreadsheets and corporate wiki
Open source feedTAXII

Once you understand what you want to bring in, you can start to review how effective the TIP is at adding the data. For example, does the TIP have native integrations with your premium feeds, or would you need to write something custom (and possibly hire software developers)? Can the TIP automatically extract indicators from your ISAC alert emails, or would your analysts need to cut and paste? Understanding how the TIP “gets the job done” can help you understand how effective that TIP is at doing the job. For example:

IntelligenceTIP #1TIP #2
Premium feedNative integration and in-app PDF report displayNative integration
ISAC alertsParses email alerts and converts into machine-readable threat intelligence (MRTI)Cut and paste
My favorite researcher blogAggregates popular blogs and converts into MRTICut and paste or custom script for web scraping
Internal network activityBidirectional integration with my SIEMRequires custom app
Internal threat reportsSDK and API allows integration with internal wikiNot available
Open source feedTAXII clientTAXII client

While both TIPs in the above example have ways to do the job, TIP #1 is going to be more effective.

Analysis – Weed out the Irrelevant Stuff

Once you’ve collected the data, the next step is to identify the relevant intelligence so you can take action while avoiding false positives. Just like with the “Aggregate” job, the first step is to lay out what sort of analysis you want to do:

  • Check log files for malicious indicators
  • Look up data in third party enrichment tools
  • Monitor your domains for spoofing attempts
  • Analyze malware files
  • Track threat actors across multiple campaigns
  • Weed out false positives

And once again, we look to see how each TIP accomplishes the job you want it to do:

AnalysisTIP #1TIP #2
Check log files for malicious indicatorsDrag-and-drop files for immediate analysis and enrichmentImport files, manually parse out indicators, and review
Look up data in third party enrichment toolsAutomate lookups in any enrichment service that offers a REST APIOut of the box integrations with several (but limited) popular enrichment services
Monitor your domains for spoofing attemptsDomain-spinning workbenchDomain monitoring for-hire
Analyze malware filesAutomate analysis in multiple third party AMAsIntegrated sandbox, limited support for other AMAs
Track threat actors across multiple campaignsFlexible data model aligned to the Diamond Model of Intrusion AnalysisRigid data model with some Kill Chain support
Weed out false positivesGlobally crowdsourced reports of known false positivesManual tagging

Analysis can be more challenging to evaluate than aggregation because there are so many more options, but that’s okay: what’s important is that you understand what your team needs and what the TIP provides. For example, if your team is just ramping up and needs room to grow, you’ll want a TIP that offers some basic enrichment while still being extensible. If you have a mature team, you’ll want one that is flexible enough to adapt to your processes (rather than the other way around).

Action – Send the Relevant Stuff Where It Can Protect You

Getting intelligence out of a TIP is just as important as getting data in. I’d argue that, while taking Action depends on Aggregation and Analysis, Action is the most important job a TIP can do for you.

Deploy to defensive devicesSIEM, EDR, firewall, etc.
Publish internal intelligenceSecurity team, executives, risk management
Publish external intelligenceISAC, sharing community, law enforcement
Loop in other teams on critical intelSOC, Incident Response, IT, etc.

So really, the question becomes: what form do you want your intelligence to take, and where do you need it to go?

ActionTIP #1TIP #2
Deploy to defensive devicesIntegrations, rule-based runtime apps, flexible automation/orchestration engineIntegrations, rule-based runtime apps
Publish internal intelligenceExport, PDFs, integrations with ticketing systems, scheduled deliveryExport
Publish external intelligenceTAXII server, export, anonymous crowdsourced analyticsTAXII server, export
Loop in other teams on critical intelIn-app notifications, email, SlackEmail

There’s a wide variety of possible outputs, so due to the importance of the Action job it’s worthwhile to take the time to assess the desired end state of your intelligence, and how that end state is achieved with any particular TIP.

A Word on Orchestration

I’ve mentioned several instances above where the job being done is accomplished by way of orchestration or automation. With all the buzz around orchestration, it can be tempting to think that orchestration is something separate from what you want out of a TIP, but that’s a mistake. Orchestration is simply a means to an end. If orchestration can make the job you want the TIP to do more effective, then why not consider a TIP with orchestration?

Consider seat belts, airbags, and lane assist. All of those features are designed to do the job of keeping you safe and contribute in different ways and with different levels of effectiveness. Orchestration in a TIP is no different. For example, you might need to detonate malware in an Automated Malware Analysis (AMA) tool. There’s lots of ways to accomplish that from a TIP:

  1. Download a file from the TIP and manually upload it to the AMA
  2. Use the TIP’s build-in sandbox
  3. Use the TIP’s out-of-the-box AMA integration
  4. Use a TIP’s orchestration capability to automatically send malware to an AMA, detonate it, retrieve the results, and get notified if something relevant is found

In all four cases, the job being done is the same: malware analysis. What’s different is the tools being used and how effective the TIP is at getting the job done resulting in significant time savings. In nearly every case, orchestration is a fantastic tool for making a TIP more effective and a better fit for the specific job you need done for the simple reason that orchestration gives you total control over how that job is performed.

In the end, when we talk about selecting a TIP based on what you and your team need it to do, keep these tips in mind:

  1. Make a checklist of what you and your team need the TIP to aggregate, analyze, and operationalize. Don’t rely on a wishlist of features, rely on the jobs you want done.
  2. For each item on the list, consider how it’s being done now.
  3. For every TIP you’re evaluating, consider how that TIP accomplishes the jobs on your checklist.
  4. Remember that orchestration is just another way to accomplish one of those jobs.

Want to learn more? Sign up for a TC Open account! It’s Free

TC Open™ is a completely free way for individual researchers to get started with threat intelligence. While this is not a free trial of the full platform, TC Open allows you to see and share open source threat data, with support and validation from our free community.

About the Author
Dan Cole

Dan Cole, Director of Product Management at ThreatConnect, has spent the last decade as a product manager working to create awesome software that gets to the core of solving the unique problems faced by a myriad of industry verticals. From large financial and insurance providers, to global telecom carriers, to federal agencies, Dan believes that the right software can free companies and users to focus on and enable their key missions.