In the security industry today, dozens of vendors are trying to sell threat “intelligence” feeds and publishing threat intelligence reports. Each vendor has its own definition of what threat intelligence means, and that definition conveniently matches what it sells. When examined, however, what many vendors call “threat intelligence” is really just another feed of indicators: domains, IP addresses, and file hashes. While this kind of threat data feed can be useful, data without context isn’t truly intelligence.
First, it’s important to understand what threat intelligence is. One CIA study of intelligence analysis defined intelligence as “secret state or group activity to understand or influence foreign or domestic entities”. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard”.
Both definitions suggest that the purpose of threat intelligence is to understand and influence the actors who threaten the organization. For most non-governmental organizations, the goal is to detect and stop these threat actors. The intent of threat feeds is to help organizations detect communication with known malicious infrastructure, but without context, that data cannot help the organization understand the threat associated with the indicator. Also, many threat feeds are generic, with every customer getting the same feed. This means that the presence of an indicator on a feed is no guarantee that it is even relevant to the customer. This doesn’t matter for untargeted attacks, because by definition every organization is at risk. However, including threat data for a targeted threat actor is useless at best and a distraction at worst if that threat actor doesn’t actually pose a threat to your organization.
APT groups are an excellent use case for threat intelligence data. Common phishing pages or botnet servers are very short-lived; their threat indicators may only be useful for a few days. APT command and control servers can remain online for months or years, making APT threat intelligence highly valuable. APT groups are also persistent: if your organization is the target of an APT group, they will usually continue to attack and re-establish control. There are many examples of this, but the most recent is the APT breach of the US Government’s Office of Personnel Management (OPM). The most recent attack was discovered this past April, but analysis of threat intelligence connects it with other attacks on personal information at Anthem and USIS, an OPM contractor. Knowledge of the infrastructure and indicators used by this threat group in earlier breaches could have led OPM to discover this breach more quickly.
APT groups are also specialized, however. Given what we know about the threat actors behind the Anthem and OPM attacks, the indicators are only likely to be relevant to organizations that have personal information about federal employees. For any other organization, indicators about this attack group are unlikely to be relevant. The best threat intelligence is threat intelligence directly related to your organization and the specific threats it faces.
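The argument above (context, indicator lifetime, and relevance to your own organization) can be made concrete in a feed-triage step. The following is an added example, not code from the original post or from any vendor: it models indicators with the context a feed usually lacks (attributed actor, targeted sectors, last-seen time), expires commodity indicators quickly while letting attributed APT infrastructure live much longer, and drops targeted indicators whose actor does not target your sector. The lifetime values, sector labels, actor names, domains, addresses and the sample feed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed lifetimes (not figures from the post): commodity phishing/botnet
# infrastructure is short-lived, while attributed APT C2 can persist for a year or more.
COMMODITY_TTL = timedelta(days=7)
APT_TTL = timedelta(days=365)


@dataclass
class Indicator:
    value: str                                  # domain, IP address or file hash
    kind: str                                   # "domain", "ip" or "sha256"
    source: str                                 # feed or report that supplied it
    last_seen: datetime                         # when it was last observed active
    actor: Optional[str] = None                 # attributed threat group, if known
    campaign: Optional[str] = None              # named intrusion set or report
    targeted_sectors: frozenset = frozenset()   # empty means untargeted / commodity


@dataclass
class OrgProfile:
    name: str
    sectors: frozenset   # how a threat actor would categorise this organisation


def is_targeted(ind: Indicator) -> bool:
    """An indicator is 'targeted' only if it carries actor and victim-sector context."""
    return bool(ind.actor) and bool(ind.targeted_sectors)


def is_stale(ind: Indicator, now: datetime) -> bool:
    """Expire indicators according to the expected lifetime of their infrastructure."""
    ttl = APT_TTL if is_targeted(ind) else COMMODITY_TTL
    return now - ind.last_seen > ttl


def relevance(ind: Indicator, org: OrgProfile, now: datetime) -> str:
    """Classify one indicator for this organisation.

    'stale'      - past its expected lifetime; a match is most likely noise
    'irrelevant' - attributed to an actor that does not target our sector
    'targeted'   - attributed to an actor that does target our sector
    'commodity'  - untargeted; every organisation is at risk, so keep it
    """
    if is_stale(ind, now):
        return "stale"
    if is_targeted(ind):
        return "targeted" if ind.targeted_sectors & org.sectors else "irrelevant"
    return "commodity"


def triage(feed: Iterable[Indicator], org: OrgProfile, now: datetime) -> Dict[str, List[str]]:
    """Bucket a whole feed so that only 'targeted' and 'commodity' entries reach detection."""
    buckets: Dict[str, List[str]] = {"targeted": [], "commodity": [], "irrelevant": [], "stale": []}
    for ind in feed:
        buckets[relevance(ind, org, now)].append(ind.value)
    return buckets


# Constructed sample data: example domains, documentation IP range, placeholder hash,
# and fictional actor names. None of these are real indicators.
NOW = datetime(2015, 7, 1)
SAMPLE_FEED = [
    # fresh commodity phishing domain, no attribution
    Indicator("login-secure-mail.example", "domain", "feed-a", NOW - timedelta(days=2)),
    # commodity botnet address last seen a month ago: already past its useful life
    Indicator("203.0.113.10", "ip", "feed-a", NOW - timedelta(days=30)),
    # attributed APT C2 domain, still within its expected lifetime
    Indicator("update-check.example", "domain", "vendor-report", NOW - timedelta(days=120),
              actor="ExampleGroup-1", campaign="personnel-data-theft",
              targeted_sectors=frozenset({"government", "healthcare", "gov-contractor"})),
    # attributed indicator from an actor that targets a different sector
    Indicator("PLACEHOLDER-SHA256-0001", "sha256", "vendor-report", NOW - timedelta(days=60),
              actor="ExampleGroup-2", campaign="pos-malware",
              targeted_sectors=frozenset({"retail"})),
]

CONTRACTOR = OrgProfile("federal contractor", frozenset({"gov-contractor"}))
RETAILER = OrgProfile("retail chain", frozenset({"retail"}))

if __name__ == "__main__":
    for org in (CONTRACTOR, RETAILER):
        print(org.name, triage(SAMPLE_FEED, org, NOW))
```

The same generic feed yields a different useful subset for each organisation: the contractor keeps the APT domain and drops the retail-focused hash, while the retailer does the opposite, and both discard the month-old botnet address. The context fields are what make that decision possible; a bare list of domains and hashes could not be triaged this way.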