I recently read through a report from a well-known threat intelligence (TI) vendor that self-servingly claimed that TI programs “save businesses big money.” Would you really expect a vendor to say that their TI service is not worth the money they are charging you? No, of course not. But I was struck by the audacity of this vendor’s report, and specifically by the unsubstantiated claims in it. Statements such as “Healthy organizations have threat intelligence infrastructure in place” certainly don’t appear to be objective.
In this report, the vendor claims to have received survey results from 351 IT decision makers. There is no information on what percentage of the hoped-for survey respondents that 351 represents. The survey results claim that 67% of respondents reported that their TI program prevented phishing attacks. That is at least plausible, as that is what TI is supposed to do. But the report also states that 58% of respondents reported that TI prevented ransomware attacks. Wait, isn’t ransomware a type of phishing attack? And 60% of respondents stated that TI prevented a breach of customer data. Yes, a breach of customer data could be the result of a successful phishing attack. And 57% of respondents claimed that TI prevented insider threats. What? TI prevents insider threats? Sorry, that just doesn’t make sense to me. Apparently, I’m missing something in that claim. Additionally, the report claims that 55% and 49% of respondents claimed that TI prevented BEC and supply chain attacks, respectively. But wait, aren’t BEC and (at least in this context) supply chain attacks also types of phishing?
Personally, I don’t understand why organizations even purchase TI from TI companies, as opposed to simply subscribing to their firewall vendor’s threat feed. Why do I want yet another vendor to sell me information on known bads: IP addresses, malicious domains, and IOCs? (The one use case involving TI that does make sense to me is monitoring the dark web on my behalf, looking for compromised intellectual property or other sensitive organizational information. Why not have a Digital Shadows or IntSights do that on my behalf?) Paying for known bads makes as much sense to me as actually paying for anti-malware. Both effectively rely on signatures, which are by definition known bads. Besides, isn’t TI really just playing a version of whack-a-mole?
Where I do want to spend my limited resources is on detecting unknown bads, very quickly and very accurately. And I certainly am not expecting a human-curated list to succeed at that. No, I need AI for that: for that speed, for that scale, and for that accuracy.