It’s a cliché, but it’s true: Hindsight is 20/20. It’s as accurate in cybersecurity as it is on Wall Street.
In the financial world, it’s easy to say today which stocks we should have invested in yesterday in order to achieve our goals without creating too much risk. But, of course, there is no perfect way to know what the single most promising stock of the next 24 hours will be. There’s not even a reliable way to know that an apparently promising stock won’t tank today or tomorrow.
That’s why even the most experienced stock traders keep diversified investment portfolios. It’s not just a matter of making sure not to overinvest in a single stock or bond category. Portfolio diversification can involve investing in stocks from various industries, small caps alongside big caps, blue chips alongside start-ups, and more. Diversifying an overall investment portfolio can also mean including stocks and other types of assets, such as bonds or real estate.
Not only does this approach protect investors from the risk that a single investment will collapse, but it allows them to effectively hedge their bets in case of a broader negative trend – such as if an entire industry sees its stock prices tumble.
There’s a valuable lesson there for those of us who work in cyberthreat intelligence: For a portfolio of cyberthreat intel feeds to reliably keep a company or organization safe, it must be diversified.
How can looking to the examples set by financial professionals help us defend ourselves from cyberthreats efficiently? To answer that question, let’s take a look at four main aspects of various threat intel feeds: information source, timing of alerts, quality of information, and scope of supplementary details. As we will see, you can minimize the risk of a sudden cybersecurity disaster by using a collection – a portfolio – of feeds that vary with regard to all four of these traits.
The source of information for any given threat intel feed is critical because it plays a major role in determining that feed’s other key traits. Not only do some sources of information allow for threat alerts to be sent earlier than others, but information sources play a major role in determining the quantity and quality of these alerts. And while each threat intel company can choose how much detail to provide to its clients, the source of its information is also an important factor in determining how much supplementary detail the client receives in any given threat alert.
Broadly speaking, we can divide cyberthreat intel feeds into three categories based on their main sources of information:
- Telemetry-based feeds, in which a threat intel company collects digital footprints left during a cyberattack, analyzes them, and provides alerts to its clients based on its analysis.
- Information sharing and analysis center (ISAC) feeds, in which companies and organizations within a specific vertical cooperate to alert each other to threats they discover (usually at no charge).
- Dark web-based feeds, in which a threat intel company analyzes messages left on underground forums, identifies indications that a cyberattack may be forthcoming, and alerts its clients to its findings.
Timing of alerts
Different cyberthreat intel feeds will alert their clients to indicators of compromise (IOCs) at different stages in the Cyber Kill Chain. Naturally, receiving a threat alert before a cyberattack has started gives a SOC the opportunity to prepare for the attack and hopefully prevent it or mitigate its damage. But receiving an alert after a cyberattack has already begun also has its advantages, as a later update can be both more comprehensive and more fully verified. By getting updated via various feeds at various stages, a SOC can benefit from both advance notice (to act quickly upon) and thorough, vetted information (to mitigate an ongoing cyberattack and prepare to prevent future attacks).
So how do the various types of cyberthreat intelligence feeds compare when it comes to the timing of their alerts? Generally, dark web-based feeds can provide alerts well before telemetry-based feeds, while feeds from ISACs vary in this regard.
But the information source isn’t the only factor that determines the timing of a threat alert. Feeds built on automation and machine learning can send these alerts more quickly and efficiently than those that rely more heavily on manual work and human analysis of IOCs.
Quality of information
Each cyberthreat intel feed differs in both the quality and quantity of the alerts it provides. In many cases, there is an inverse relationship here: Feeds that set a higher bar for issuing alerts are more likely to issue relatively few alerts, although they offer clients a higher degree of certainty that any given alert should be taken seriously. Similarly, feeds that offer SOCs a narrower focus (for example, by issuing alerts based on a client’s industry, geographic region, or infrastructure) deliver greater relevancy while reducing the total number of alerts any client can expect to receive.
But isn’t it better to have too many cyberthreat alerts than too few? Not necessarily. Not only can false positives reduce employee morale and waste time and resources, but they can have a significant business impact on a company. Moreover, dealing with many false positives can distract a SOC with background noise, decrease employees’ confidence in the reliability of their threat alerts, and ultimately reduce the chance that a legitimate and urgent IOC will be taken seriously.
On the other hand, if a threat intel feed does not have any false positives at all, that typically indicates that the feed is purely reactive rather than predictive.
In other words, setting the bar for cyberthreat alerts too low can create a “boy who cried wolf” effect – while setting the bar too high can let critical intelligence slip through a SOC’s fingers. Here, again, the key is to rely on a variety of feeds with different standards of relevancy and accuracy.
In the table below, a diversified portfolio of threat intel feeds should be able to check every box:
Even if two different feeds each provide an alert about a given threat at the same time, the details included within the two alerts may be different. Although variability regarding information sources, automation, and machine learning can influence the scope of the detail that a threat intel company has at its disposal, ultimately it is up to that company to decide for itself which details are worth including in the alerts it sends out.
For example, some cyberthreat intel feeds provide background information on the threat actors associated with any given IOC. Additionally, some provide confidence scores for every alert, letting a client know how reliable the information given in the alert is estimated to be. By providing details such as these, a feed can make it easier for clients to effectively triage their alerts so as to mitigate the threats behind them.
A (largely) fitting comparison
Can we really compare cyberthreat intelligence feeds to stocks?
There are certainly important differences between the two. For starters, investors can experience both positive and negative surprises. Stocks that appear solid and promising can suddenly crash, and other stocks can skyrocket due to circumstances that few had seen coming (for example, Zoom since the start of the coronavirus outbreak).
Not so in the world of threat intelligence, where surprises are rarely cause for celebration.
But, despite this and other major differences, both financial investing and threat intelligence are fields that are all about handling uncertainty and risk. And in the face of those challenges, it is critical to keep a diversified portfolio – whether of stocks or of threat intel feeds.
Because – let’s face it – these are both fields in which hindsight is the only thing that is 20/20.
How can Sixgill’s Darkfeed bolster your cyberthreat intel portfolio by automatically collecting and analyzing information from the dark web? To see for yourself how our technology can protect your business or organization, request a demo today.