2023 State of Threat Intelligence

A survey of cybersecurity managers and practitioners on how they are using threat intelligence, where they get it, and their plans to improve it


Introduction

Survey Demographics:

  • Responses received from 400 qualified cybersecurity managers and practitioners
  • All from organizations with more than 1,000 employees
  • Representing 7 countries across North America, Europe, and Asia Pacific
  • Representing 8 major industries and several others

The 2023 State of Threat Intelligence report examines how and why most organizations have made the collection and analysis of threat intelligence a central element of their cybersecurity programs – and extended its use cases beyond traditional cybersecurity activities.

In August 2023 we surveyed 400 cybersecurity managers and practitioners from a range of countries and industries with knowledge about their organization’s use of threat intelligence. We asked about important use cases and benefits, sources, and plans for improving threat intelligence in the future. We inquired about organizational issues, such as whether they have dedicated threat intelligence organizations or rely on full or part-time contributors on different cybersecurity teams, and the level of maturity of their threat intelligence efforts. We also requested information on their criteria for selecting threat intelligence vendors.

Our objective is to provide CIOs, CISOs, cybersecurity managers, and others with information on how their peers are utilizing threat intelligence and areas they are seeking to improve.

CyberEdge would like to thank our research sponsor, Recorded Future, who conceived this report and whose support has been essential to its success.

Top Five Insights

This report contains dozens of actionable insights on the state of threat intelligence. Here are our top five takeaways:

Use cases and benefits have expanded. Today, most enterprises leverage threat intelligence for as many as 10 use cases. Although threat intelligence programs grew up as resources for a few core cybersecurity tasks such as strengthening existing security tools, triaging alerts, responding to incidents, and managing vulnerabilities, they have broadened their scope. Beyond core operational cybersecurity tasks, intelligence now also plays an important role in risk assessment and cybersecurity program management, and in supporting the activities of marketing, physical security, third-party risk management, and fraud prevention teams.

Five (or more) sources are better than one. Today, more than 90% of enterprises obtain threat intelligence from at least five sources. These include their own staff, free and paid threat data feeds, and security tools on their networks. They also rely on threat intelligence vendors that collect data from multiple sources (including the dark web), generate automated alerts, and provide in-depth threat analysis.

Vendors supply specialized skills and knowledge. Most enterprises work with threat intelligence vendors primarily to leverage specialized skills and knowledge. This includes knowledge of adversaries and their tactics, techniques, and procedures (TTPs), of discussions and activities on the dark web, and of threats targeting specific industries, applications, and systems. Organizations also value vendors' ability to deliver up-to-date intelligence in real time and to integrate threat feeds with existing cybersecurity workflows.

Dedicated, mature threat intelligence teams. Today, threat intelligence programs rest on very solid foundations. Fully 71% of enterprises have a dedicated threat intelligence team, and 87% consider their threat intelligence activities to be at an "intermediate" or "advanced" level of maturity. In addition, 98% of respondents agree that comprehensive threat intelligence is essential to their cybersecurity program.

Room for improvement. Emerging threats and the growing number of use cases give enterprises many reasons to improve their threat intelligence capabilities. Goals include collecting more intelligence, more efficiently and faster; using intelligence for risk analysis and cybersecurity program management; and providing help outside the traditional domains of cybersecurity, such as brand protection and third-party risk management.

About This Report

The findings of this report are divided into three sections:

Section 1: Threat Intelligence Use Cases and Benefits

What are organizations using threat intelligence for? This section of the report looks at the incidence of 10 use cases, ranging from increasing the accuracy of existing security tools, to guiding cybersecurity planning and investments, to reducing online fraud. It also quantifies interest in specific operational benefits related to the activities of SOCs, incident response, vulnerability management and other cybersecurity teams, and in specific strategic benefits related to managing security programs and communicating with executive management.

Section 2: Threat Intelligence Sources and Vendors

In theory, organizations can gather and analyze threat intelligence using their own resources. In practice, this is extremely rare. This section of the report examines why. It reviews what sources most organizations leverage and why they are working with threat intelligence vendors. It also provides insights into what characteristics organizations are looking for when selecting threat intelligence vendors.

Section 3: Threat Intelligence Organizations and Plans

How are organizations organizing and supporting their threat intelligence activities, and what are they planning for the future? This section of the report examines where people working on threat intelligence are located in the cybersecurity group and where survey respondents place their organization on a maturity scale for threat intelligence activities. It also reviews plans for working with threat intelligence vendors and priorities for improving intelligence activities.

Navigating This Report

We encourage you to read this report from cover to cover so you can catch all of the useful details. However, if you are seeking out specific topics of interest, there are three other ways to navigate through the report:

  • Table of contents. Each item in the table of contents relates to specific survey questions. Click any item to jump to the corresponding page.
  • Research Highlights. The Research Highlights page presents the most important headlines of the report. Page numbers are referenced for each highlight so you can learn more quickly.
  • Navigation tabs. The tabs at the top of each page are clickable, letting you move easily between the report's sections.

Research Highlights

Threat Intelligence Use Cases and Benefits

  • Use cases. Enterprises now leverage threat intelligence for as many as 10 different use cases. Intelligence is not only a force multiplier for cybersecurity teams; it also delivers value to marketing, physical security, third-party risk management, and fraud prevention groups, among others.
  • Operational benefits. The top operational benefits include improving the accuracy of threat detection and prevention tools, identifying more malware types and malicious URLs, identifying threat actors and their TTPs, and improving threat hunting.
  • Strategic benefits. Important strategic benefits start with improving the ability to justify cybersecurity investments, anticipating attacks that could threaten new technologies and business initiatives, and improving visibility into emerging threats.
  • Importance for cybersecurity. An overwhelming majority of respondents somewhat agree (14%) or strongly agree (85%) with the statement that "comprehensive threat intelligence is essential for an effective cybersecurity program."

Threat Intelligence Sources and Vendors

  • Sources. More than 90% of the enterprises surveyed obtain threat intelligence from at least five sources. The leading ones are research by their own staff, security tool vendors, threat intelligence solution vendors, and paid threat feeds.
  • Reasons for working with vendors. Enterprises work with threat intelligence vendors to gain access to specialized skills, to enable integration with existing security tools and workflows, and to obtain information about adversary TTPs, among other reasons.
  • Vendor selection criteria. Enterprises look for threat intelligence vendors that can support many security teams, deliver up-to-date intelligence in real time, and provide excellent customer support. Cost is not one of the top criteria.

Threat Intelligence Organizations and Plans

  • Threat intelligence organizations. Among the enterprises surveyed, 71% have a dedicated threat intelligence team. Another 19% have members of existing security teams working full time on collecting and analyzing intelligence.
  • Program maturity. Fully 46% of enterprises consider their threat intelligence programs to be at an "intermediate" level of maturity. Another 41% describe themselves as "advanced." Only 13% place themselves at the "beginner" or "basic" level.
  • Adequacy of investment. Fully 92% of respondents somewhat or strongly agree with the statement "my organization is making an adequate investment in threat intelligence."
  • Plans for working with vendors. Fully 44% of enterprises plan to keep working with about the same number of threat intelligence vendors as today. About 17% are consolidating, while 28% plan to work with more.
  • Plans to improve threat intelligence. Enterprises plan to improve and expand their use of threat intelligence in several ways. Top priorities include using intelligence to enhance risk analysis, combining external and internal threat data to gain more insight, integrating threat intelligence with additional cybersecurity workflows, and using threat intelligence to improve communication with management and board members.

Section 1: Threat Intelligence Use Cases and Benefits

Threat Intelligence Use Cases

How does your organization leverage threat intelligence?

Figure 1: Most important use cases for threat intelligence.


A few years ago, most cybersecurity groups looked at threat intelligence primarily as a resource for detecting attacks and prioritizing vulnerabilities. Our survey data shows that now organizations are leveraging threat intelligence for as many as 10 different use cases, several of them providing value to groups outside of cybersecurity (see Figure 1).

The most popular use case (cited by 50.9% of respondents) is increasing the accuracy of existing security tools such as firewalls, intrusion prevention systems (IPS), secure email and web gateways (SEGs and SWGs), and antimalware solutions. This involves primarily automated data feeds that provide malware signatures, suspicious URLs, domains, and IP addresses, and other indicators of attack (IoAs) and indicators of compromise (IoCs) so security tools can filter out harmful content and block communication with adversaries. Threat intelligence is effectively a force multiplier for existing security investments, enabling them to perform their functions more effectively and reliably.

Very close behind are two core operational uses: prioritizing vulnerabilities and exposures (57.8% of organizations) and improving the performance of security operations centers (SOCs) and security information and event management (SIEM) systems (57.0%).

But today threat intelligence is also being used by security leaders for program management and strategic planning. More than half of all organizations are using intelligence to help analyze and model cyber risks and to guide cybersecurity planning and investment (54.3% and 52.8%, respectively).

As new types of threats have emerged, groups outside of cybersecurity have found ways to leverage threat intelligence. This includes marketing groups using intelligence to protect brands and reputations on the web and social media (50.0% of organizations), physical and geopolitical security groups identifying risks to physical locations and facilities (48.5%), supply chain and third-party risk management (TPRM) teams monitoring third party risks (47.2%), and fraud prevention teams trying to reduce fraud (45.0%).

Operational Benefits

Which of the following operational benefits from threat intelligence are the most significant for your organization? (Select up to five.)

Figure 2: Operational benefits of threat intelligence.

We asked respondents to select up to five operational benefits that are most significant for their organization. Strategic benefits are covered in the next question. (See the terminology note in the introduction for our use of “operational” and “strategic.”)

The operational benefits cited most often are improving the accuracy of threat detection and prevention tools (selected by 56.8% of respondents) and identifying more malware types, vulnerabilities, and malicious URLs (55.0%) (see Figure 2). Today, comprehensive, timely intelligence is critical because adversaries are continuously launching attacks from new domains, creating new botnets, and tweaking malware files.

Identifying relevant threat actors and their tactics, techniques and procedures (TTPs) comes third on this list, at 53.0%. Information on TTPs is used by cybersecurity teams to speed up incident response, provide hypotheses for threat hunting, prioritize remediation of vulnerabilities, and align investments with threats.

Improving and automating threat hunting was selected as a top priority by 52.0% of organizations. It was the #1 operational benefit in the government and retail sectors. Threat hunters create hypotheses about likely attacks based on the TTPs of known attackers, then hunt for IoCs associated with them.

Detecting threats to facilities and employees in geographic locations was highlighted by 42.0% of respondents. Public and dark web sources can reveal threats against assets in far-flung locations that might otherwise evade physical security teams and local managements.

The next tier of operational benefits consists of triaging alerts faster and more accurately, identifying fake websites and social media accounts, and better prioritizing remediation activities. Each was selected by about one-third of the respondents.

Monitoring the dark web to find information about current threats and stolen credentials and intellectual property were chosen by just over a quarter of the respondents. This is consistent with other evidence in the survey showing that, while some organizations greatly value monitoring the dark web, most aren’t doing it yet.

Strategic Benefits

Which of the following strategic benefits from threat intelligence are the most significant for your organization? (Select up to three.)

Figure 3: Strategic benefits of threat intelligence.

What about intelligence that describes the broad threat landscape, trends in cybercrime and state-sponsored attacks, and newer threats on the horizon? We asked respondents to select the three most significant strategic benefits of threat intelligence for their organization.

A previous CyberEdge Group survey found that in 97% of organizations security leaders are engaging directly with their boards (see the CyberEdge Group 2023 Cyber Defense Report, page 48). Threat intelligence helps them present objective information about current and emerging threats to their organization and the associated risks.

For example, three of every five organizations (61.1%) are using threat intelligence to prioritize and justify cybersecurity investments (see Figure 3). It helps them determine which threats are most relevant so they can compare the potential impact with the costs of mitigation. A related finding is that 44.7% of organizations are using threat intelligence to better communicate their risk posture and security preparedness to corporate leadership and boards (although this practice varies by geography; it’s cited as a major benefit by at least half the respondents in the US, Australia, and Germany, but barely over a quarter in Japan and France).

Over 60% of organizations use threat intelligence to mitigate cyber risks related to business and technology initiatives. For example, a company preparing to deploy a new wireless technology might use intelligence to anticipate attacks against that technology, or one expanding into a new geographic market might prepare for threats targeting that region.

Another major benefit is visibility into emerging threats and attack methods, which allows organizations to start early implementing the right defenses. It’s the strategic benefit cited most often in three of the seven countries in the survey: France, the UK, and Germany.

Using threat intelligence to help manage supply chain and third-party risk is a relatively new use case, but it was cited by about 40% of respondents. This probably reflects the recent visibility of the SolarWinds breach and similar attacks that affected hundreds of organizations.

The Importance of Threat Intelligence for Cybersecurity

Select the option that best describes your agreement with the following statement: “Comprehensive threat intelligence is essential for an effective cybersecurity program.”

Do cybersecurity managers and practitioners think that excellent threat intelligence is a must-have today? They do – overwhelmingly. As shown in Figure 4, 84.6% of survey respondents strongly agree with the statement “comprehensive threat intelligence is essential for an effective cybersecurity program,” and another 13.6% somewhat agree. There are very few doubters: a mere 1.8% of respondents somewhat or strongly disagree with that statement. In fact, as shown in Figure 5, the percentage of those who somewhat or strongly disagreed did not exceed 4% in any country surveyed.

Figure 4: Agreement with the statement that comprehensive threat intelligence is essential for an effective cybersecurity program.

Figure 5: Agreement that comprehensive threat intelligence is essential for cybersecurity, by country.


Section 2: Threat Intelligence Sources and Vendors

Sources of Threat Intelligence

How often does your organization obtain threat intelligence from each of the following sources?

Figure 6: How often organizations obtain threat intelligence from sources.

Where do organizations go for threat intelligence? The answer is: multiple sources. More than 90% of the enterprises surveyed use at least five (see Figure 6), and two-thirds of organizations obtain intelligence "frequently" or "continuously" from those five sources (versus "rarely," "sometimes," or "never").

The biggest source was actually internal teams. Someone in the cybersecurity group performs threat research in all but 3% of organizations.

Also pervasive: tracking IoAs and IoCs with internal security tools like endpoint detection and response (EDR) tools and SIEMs (95.5%), and working with threat intelligence solution vendors (93.6%). The latter were defined as “vendors collecting data from multiple sources, generating automated alerts and reports, and providing analysis.”

Paid threat data feeds are also widely used (92.8%), and so are free ones, although not quite as often (83.6%). Paid feed providers filter out duplicate and outdated items and enrich the data with contextual information while the free providers often don’t.

Finally, industry consortiums and standards bodies also play an important role, often providing industry-specific insights and peer advice not available from other sources.

Reasons for Working with Threat Intelligence Vendors

On a scale of 1 to 5, with 5 being highest, rate the importance of each of the following reasons for working with threat intelligence vendors.

Figure 7: Reasons for working with threat intelligence vendors, on a scale of 1 to 5 with 5 highest.

Given that 97% of organizations have people doing threat research (see previous question), why use the services of threat intelligence vendors as well? Several reasons stand out.

A huge factor is the worldwide shortage of experts with the skills for acquiring and analyzing threat intelligence. Vendors provide access to those skills (see Figure 7).

Equally important is the fact that threat intelligence vendors have already integrated their output with a wide variety of security and analytics tools. The integration facilitates the orchestration and automation of security workflows, enabling organizations to detect and respond to attacks faster.

Also near the top of the list: Threat intelligence vendors provide actionable information about adversary TTPs, and also have the skills and experience to monitor discussions and activities on the dark web (many of which are conducted in “members only” forums that are difficult to crack, often in Russian or Chinese).

Not all threats are risks to every organization. Threat intelligence vendors help organizations sort out which threats are relevant to their specific industry, applications, and technologies, either through custom inquiries or in in-depth reports or searchable intelligence databases.

Criteria for Selecting Threat Intelligence Vendors

Which of the following characteristics are most important when selecting a threat intelligence vendor? (Select up to five.)

Figure 8: Characteristics most important for selecting a threat intelligence vendor.

We wanted to know what characteristics organizations are looking for in their threat intelligence vendors, and asked respondents to choose the top five from a list.

The number one requirement by a large margin is the ability to support many security teams, e.g., security operations, vulnerability management, supply chain security, brand protection, and risk management. This was highlighted by 61.9% of the respondents (see Figure 8). The strong interest in supporting multiple use cases aligns with the data from an earlier question showing that most organizations are leveraging threat intelligence for many purposes (see Figure 1).

Also at the top of the list: up-to-date data delivered in real time to counteract attacks that mutate rapidly (49.6%) and ease of integration into cybersecurity workflows, to automate and accelerate detection and response (49.1%).

The next tier of selection factors includes excellent customer support (41.4%), the availability of managed services (e.g., alert triaging and domain takedown services) (40.9%), and a wide range of specialized skills and knowledge (38.1%).

“Reasonable cost” is considered a significant factor by 37.1% of the organizations in the survey – which means it is not one of the top five for almost two-thirds (62.9%). This finding indicates that organizations are more concerned with data quality, speed, and other non-financial factors than with cost. It is also consistent with the opinion of a large majority of respondents that their organizations are adequately funding threat intelligence activities.

 

Section 3: Threat Intelligence Organizations and Plans

Threat Intelligence Organizations

Do you have a dedicated threat intelligence team?

Cybersecurity groups typically progress through a series of organizational steps as their threat intelligence capabilities grow: from having nobody explicitly responsible for intelligence, to having some people working on it part time, to having specialists on several teams, to having a team dedicated to gathering and analyzing threat intelligence. Today, a strong majority (70.9%) have ascended the ladder to the top rung and have a dedicated threat intelligence team (see Figure 9).

Figure 9: Responses to the question “Do you have a dedicated threat intelligence team?”

The countries with the most organizations boasting a dedicated team are the US (87.0%) and the UK (72.0%). The country with the least: Japan (56.0%).

As shown in Figure 10, among industries, the leaders are Technology & Electronics (81.7%), Telecom & Internet (80.6%), and Finance (75.0%). The laggards are Manufacturing (60%), Retail and Consumer Durables (56.1%), and Education (53.8%).

The widespread commitment to investing in threat intelligence is demonstrated by the fact that in every country and in every major industry included in this survey, at least 80% of organizations have people working full time on collecting and analyzing intelligence, either on existing security teams or on a dedicated threat intelligence team.

Figure 10: Responses by industry to the question, “Do you have a dedicated threat intelligence team?”

Maturity of Threat Intelligence Programs

Select the response that best describes the maturity of your threat intelligence efforts.

KEY

Beginner: We consume threat intelligence mainly through our detection tools and/or free threat data feeds.

Basic: We use a few threat data feeds, our threat intelligence analysts wear several hats, and we mainly react to alerts.

Intermediate: We use several independent sources of threat intelligence, we have threat intelligence specialists embedded in different security teams, and we have structured workflows that integrate threat intelligence with a few key security activities.

Advanced: We have tools that combine the output of multiple threat intelligence sources, a dedicated threat intelligence team, and automated workflows that integrate threat intelligence with most security activities, including business risk assessment.

Figure 11: Maturity of threat intelligence efforts.

Another way of evaluating the state of a threat intelligence program is by assessing its maturity, from beginning level to advanced (see key).

We asked respondents to assess the maturity of their threat intelligence programs. Only a few organizations consider themselves at beginner or basic levels (4.8% and 8.5%, respectively – see Figure 11). A plurality (45.6%) describe themselves as intermediate, while a sizeable number believe they deserve to be considered advanced (41.1%).

Figure 12: Maturity of threat intelligence efforts, by country.

As shown in Figure 12, countries exhibit quite a range in the percentage of organizations considering themselves advanced. They start at 22% in Australia and 28.6% in Japan and rise to 62% in the UK. Interestingly, the country with the most organizations willing to rate themselves as Beginner was the US (10%, versus 2.0%-4.1% for the other six countries).

Investment in Threat Intelligence

Select the option that best describes your agreement with the following statement: “My organization is making an adequate investment in threat intelligence.”

Figure 13: Responses to the statement “My organization is making an adequate investment in threat intelligence.”

Fortunately, the powers that be in the great majority of enterprises appear to have recognized that threat intelligence is critical for cybersecurity and needs to be well funded. A full 92.2% of survey respondents somewhat or strongly agree that their organization is making adequate investments in threat intelligence (see Figure 13). That includes a full 100% of respondents in the US. Only a modest 7.8% feel their threat intelligence budget is underfunded.

However, there are pockets of discontent. For example, the number of respondents who disagree that threat intelligence funding is adequate is relatively high in Education (15.4%) and in Healthcare & Pharmaceuticals (16.7%) (see Figure 14).

Figure 14: Responses to the statement “My organization is making an adequate investment in threat intelligence” by industry.

Plans for Working with Threat Intelligence Vendors

Select the response that best describes your organization’s plans for working with threat intelligence vendors.

Most organizations are leveraging multiple sources of threat intelligence (see Figure 6). But what are their plans for working with intelligence vendors in the future – are they planning to consolidate or add new ones?


Figure 15: Organizations’ plans for working with threat intelligence vendors.

Our respondents tell us that a plurality (44.4%) expect to keep the number of threat intelligence vendors they work with about the same (see Figure 15).

Of organizations contemplating changes, more are planning to increase the number of vendors (27.8%) than decrease them (17.2%). We think this reflects both an increasing appetite for threat intelligence in general, and the expanding number of use cases where intelligence is providing value.


Figure 16: Organizations’ plans for working with threat intelligence vendors, by country.

Plans varied significantly across countries. Germany, Japan, Canada, the UK, and Australia are planning to significantly increase the number of vendors they work with, while on average the US and France are standing pat (see Figure 16).

Plans to Improve Threat Intelligence

How does your organization plan to improve its use of threat intelligence over the next two years?


Figure 17: Plans to improve threat intelligence over the next two years.

The 400 respondents in our survey highlighted several priorities for improving and expanding their organizations’ use of threat intelligence.

First on the list is using intelligence to enhance risk analysis, planned by 53.9% of organizations. Threat intelligence will help enterprises align their cybersecurity investments with actual risks and business outcomes.

Also mentioned by at least half of our respondents are combining internal and external threat data (51.9%) and integrating intelligence with additional cybersecurity workflows (50.6%). These moves will make threat detection and incident response more accurate and faster.

Just under half (47.9%) will use threat intelligence to improve communication with management and boards. Cybersecurity leaders have gained increased access to top decision makers now, and they need objective information to justify their proposed investments.

We mentioned that groups outside of cybersecurity have found ways to leverage threat intelligence, including marketing and third-party risk management teams. This is illustrated by 45.1% of respondents indicating that their organizations are planning to increase their monitoring of websites and social media platforms to protect brands and reputations and 41.8% saying they plan to increasingly leverage threat intelligence to manage supply chain and third-party risks.


Conclusion

Going deeper and branching out

Our survey provides ample evidence that threat intelligence is firmly established as a core element of cybersecurity while also branching out to address issues of key interest to additional groups in the enterprise. In fact, use cases and benefits can now be viewed as falling in three categories:

  • Operational – improving the day-to-day performance of cybersecurity teams
  • Strategic – helping security leaders and executive management accurately assess risks and align cybersecurity activities and investments with the needs of the business
  • Specialized – enabling groups outside of (but allied with) cybersecurity to achieve goals such as protecting the organization’s brand and reputation online, protecting physical facilities and employees worldwide, managing third-party risks, and reducing online fraud

In the operational category, threat intelligence is acting as a force multiplier to make existing security tools more effective, helping SOCs triage alerts faster and more accurately, and keeping incident response and threat hunting teams up-to-date on the latest tactics of threat actors. These use cases are well established. The challenge now is to ensure that threat-related data collection and analysis can keep up with emerging threats and new types of adversaries, particularly state-supported hacking groups that are increasingly targeting commercial businesses in addition to governments and defense contractors.

In the strategic category, threat intelligence is helping security leaders fine-tune cybersecurity programs and communicate priorities to executive management and boards of directors. The challenge going forward is to increase the acceptance of intelligence in these roles, especially by converting information about the threat landscape into quantified assessments of risk and potential effect on the enterprise.

The specialized use cases are a growth area for threat intelligence. They partly reflect the need to respond to newer threats (e.g., typosquatting, creating fake social media accounts that post embarrassing and controversial material, embedding malicious software in third-party products) and the need to do a better job defending against existing threats such as online fraud.

Multiple sources and vendors

Survey findings confirm that the vast majority of organizations are obtaining and using threat intelligence from five or more sources. Moreover, most are planning to maintain or increase the number of threat intelligence vendors they work with. This is being driven by the need for access to an increasingly wide range of specialized skills and detailed information on a wide range of adversary TTPs.


The need for an increasingly wide range of threat intelligence is likely to continue. However, as individual threat intelligence vendors add more types of intelligence to their portfolios, it is possible that the need could be met by fewer suppliers, leading to a consolidation in the number of vendors for the average organization.

Nobody resting on their laurels

Threat intelligence programs are not static. Organizations are planning to expand and improve their threat intelligence activities in all three of the categories we discussed above, for example:

  • Combining external and internal threat intelligence and integrating intelligence with additional cybersecurity workflows (operational use cases)
  • Using threat intelligence to enhance risk analysis and to improve communication with leadership and board members (strategic use cases)
  • Increasing monitoring of websites and social media platforms to protect brands, and using threat intelligence to better manage supply chain and third-party risks (specialized use cases)

Solid focus, funding, and maturity

The survey provides substantial evidence that threat intelligence is on a firm footing in most enterprises (at least those with 1,000 or more employees).

A solid 71% of organizations have a dedicated threat intelligence team. No less than 92% of respondents somewhat or strongly agree that their organizations are making an adequate investment in the program. And only 13% assess the maturity level of their threat intelligence efforts as “beginning” or “basic”: the other 87% selected “intermediate” or “advanced.” In other words, threat intelligence programs are now mainstream, valued contributors to cybersecurity programs in almost all organizations.


Appendix 1: Survey Demographics

This year’s report is based on survey results obtained from 400 qualified participants hailing from 7 countries (see Figure 18). Each participant was required to have a role as a cybersecurity manager or practitioner with knowledge about their organization’s use of threat intelligence (see Figure 19). About two-thirds (67.5%) of our respondents held executive or managerial positions in cybersecurity.


Figure 18: Survey respondents by country.


Figure 19: Survey respondents by role.

All participants in this survey were working for organizations with 1,000 or more employees (see Figure 20). They spanned 8 major industries (plus “Other”) with no single industry composing more than 15% of the total participants (see Figure 21).


Figure 20: Survey respondents by organization employee count.


Figure 21: Survey respondents by industry.


Appendix 2: Research Methodology

CyberEdge developed a 15-question survey instrument in partnership with Recorded Future. The survey was completed by 400 IT security professionals in the United States, Canada, the United Kingdom, Germany, France, Australia, and Japan in August 2023. The global margin of error for this research study (at a standard 95% confidence level) is 5%. All results pertaining to individual countries and industries should be viewed as anecdotal, as their sample sizes are much smaller. CyberEdge recommends making actionable decisions based on global data only.

All respondents had to meet two filter criteria: (1) they had to have a cybersecurity role; and (2) they had to be employed by a commercial or government organization with a minimum of 1,000 global employees.

At CyberEdge, survey data quality is paramount. CyberEdge goes to extraordinary lengths to ensure its survey data is of the highest caliber by following these industry best practices:

  • Ensuring that the right people are being surveyed by (politely) exiting respondents from the survey who don’t meet the respondent filter criteria of the survey (e.g., job role, company size, industry)
  • Ensuring that disqualified respondents (who do not meet respondent filter criteria) cannot restart the survey from the same IP address in an attempt to obtain the survey incentive
  • Constructing survey questions in a way that eliminates survey bias and minimizes the potential for survey fatigue
  • Only accepting completed surveys after the respondent has provided answers to all of the questions
  • Ensuring that respondents view the survey in their native language (e.g., English, German, French, Japanese)
  • Randomizing survey responses when possible to prevent order bias
  • Adding “Don’t know” (or comparable) responses when possible so respondents aren’t forced to guess at questions when they don’t know the answer
  • Eliminating responses from “speeders” who complete the survey in a fraction of the median completion time
  • Eliminating responses from “cheaters” who apply consistent patterns to their responses (e.g., A,A,A,A and A,B,C,D,A,B,C,D)
  • Ensuring the online survey is fully tested and easy to use on computers, tablets, and smartphones
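The data-quality checks listed above (filter criteria, blocking a restart from a disqualified IP address, dropping incomplete surveys, “speeders” and patterned “cheater” answer sequences) can be expressed as a small screening routine. The following Python is an added illustration written for this page, not CyberEdge’s own tooling; the speeder cut-off (half the median completion time), the maximum pattern period checked, and the sample responses are all assumptions constructed for the example, since the report does not publish its thresholds.

```python
"""Survey-response quality screening modelled on the methodology bullets.

Thresholds and the sample submissions are constructed assumptions for this
example; the report states the checks but not the exact values used.
"""
from statistics import median

QUESTION_COUNT = 15       # the report describes a 15-question instrument
MIN_EMPLOYEES = 1_000     # filter criterion stated in the methodology
SPEEDER_FRACTION = 0.5    # assumed: faster than 50% of the median completion time
MAX_PATTERN_PERIOD = 4    # catches A,A,A,A (period 1) and A,B,C,D,A,B,C,D (period 4)


def meets_filter(resp):
    """Filter criteria: a cybersecurity role and >= 1,000 global employees."""
    return resp["cyber_role"] and resp["employees"] >= MIN_EMPLOYEES


def repeating_period(answers, max_period=MAX_PATTERN_PERIOD):
    """Smallest period p (1..max_period) such that every answer equals the
    answer p positions earlier, or None when no such pattern holds.
    Period 1 is straight-lining; larger periods are cycled sequences.
    At least two full cycles are required before a pattern is declared."""
    n = len(answers)
    for p in range(1, max_period + 1):
        if n < 2 * p:
            break
        if all(answers[i] == answers[i - p] for i in range(p, n)):
            return p
    return None


def screen_responses(responses, speeder_fraction=SPEEDER_FRACTION):
    """Return {respondent_id: [reasons]} for rejected submissions; accepted
    respondents are absent. Submissions are processed in arrival order so a
    restart from an IP that was already disqualified is caught."""
    rejected = {}
    disqualified_ips = set()
    # Speeder cut-off: a fraction of the median completion time of all submissions.
    cutoff = speeder_fraction * median(r["seconds"] for r in responses)
    for r in responses:
        reasons = []
        if r["ip"] in disqualified_ips:
            reasons.append("restart from disqualified IP")
        elif not meets_filter(r):
            reasons.append("fails filter criteria")
            disqualified_ips.add(r["ip"])
        if len(r["answers"]) < QUESTION_COUNT:
            reasons.append("incomplete")
        if r["seconds"] < cutoff:
            reasons.append("speeder")
        p = repeating_period(r["answers"])
        if p == 1:
            reasons.append("straight-lining")
        elif p:
            reasons.append(f"repeating pattern (period {p})")
        if reasons:
            rejected[r["id"]] = reasons
    return rejected


# Constructed sample submissions (documentation-range IPs, invented answer strings).
SAMPLE_RESPONSES = [
    {"id": "r1", "ip": "198.51.100.10", "cyber_role": True, "employees": 2500,
     "seconds": 410, "answers": "ABDCBACDBADCBCA"},   # clean
    {"id": "r2", "ip": "198.51.100.11", "cyber_role": True, "employees": 1200,
     "seconds": 90, "answers": "CADBBCADACBDACB"},    # speeder
    {"id": "r3", "ip": "198.51.100.12", "cyber_role": True, "employees": 8000,
     "seconds": 400, "answers": "AAAAAAAAAAAAAAA"},   # straight-liner
    {"id": "r4", "ip": "198.51.100.13", "cyber_role": True, "employees": 3000,
     "seconds": 420, "answers": "ABCDABCDABCDABC"},   # cycled pattern
    {"id": "r5", "ip": "198.51.100.14", "cyber_role": True, "employees": 1500,
     "seconds": 380, "answers": "DCABADCBCADBACD"},   # clean
    {"id": "r6", "ip": "203.0.113.7", "cyber_role": True, "employees": 500,
     "seconds": 300, "answers": "BCADBACDBADCABC"},   # fails size filter
    {"id": "r7", "ip": "203.0.113.7", "cyber_role": True, "employees": 5000,
     "seconds": 350, "answers": "CBADACBDABCDACB"},   # restart from same IP
    {"id": "r8", "ip": "198.51.100.15", "cyber_role": True, "employees": 4000,
     "seconds": 200, "answers": "ABCD"},              # abandoned part-way
]

if __name__ == "__main__":
    for rid, why in screen_responses(SAMPLE_RESPONSES).items():
        print(rid, "->", ", ".join(why))
```

Running the block prints the six rejected sample respondents with their reasons; r1 and r5 pass every check. Period detection requires at least two complete cycles, so a short answer string such as r8’s is flagged only as incomplete rather than as a pattern.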

CyberEdge would like to thank Recorded Future for making this research study possible. We’d particularly like to thank Kalpana Singh and Sam Langrock for sharing their threat intelligence knowledge and perspectives with us.


Appendix 3: About Our Sponsor

Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,700 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence. Learn more at recordedfuture.com.


Appendix 4: About CyberEdge Group

Founded in 2012, CyberEdge Group is the largest research, marketing, and publishing firm to serve the IT security vendor community. Today, approximately one in six established IT security vendors with $10 million or more in annual revenue is a CyberEdge client.

CyberEdge’s highly acclaimed Cyberthreat Defense Report (CDR) and other single- and multi-sponsor survey reports have garnered numerous awards and have been featured by both business and technology publications, including The Wall Street Journal, Forbes, Fortune, USA Today, NBC News, ABC News, SC Magazine, DarkReading, and CISO Magazine.

CyberEdge has cultivated its reputation for delivering the highest-quality survey reports, analyst reports, white papers, and custom books and eBooks in the IT security industry. To learn more about how we help our IT security vendor clients succeed, connect to our website at www.cyber-edge.com.