The Threat Intelligence Buyer’s Guide

There are many challenges that threat intelligence can help organizations overcome. We recommend evaluating threat intelligence solutions that can help you tackle the five challenges below, which based on market research and interviews with Recorded Future clients, often keep executives and security professionals awake at night:

• Ransomware Mitigation – In 2023, companies, individuals and other victims of ransomware attacks paid hackers more than $1.1 billion in exchange for unlocking their data (The Record). Threat intelligence can help security teams narrow their focus on the threat actors targeting their organization, and fortify their defenses against their common tools, tactics and procedures (TTPs).
• Automating Security Workflows – According to the Tines Voice of the SOC report, security professionals report that “spending time on manual work is the most frustrating aspect of the job”. Threat intelligence automates the collection, processing and analysis of information, which can help security teams automate workflows. Look for solutions that support a range of integrations.
• Digital Risk Protection – Growing digital estates create challenges for organizations to secure their digital assets and data from external threats such as brand and executive impersonation, account takeovers, and data leakage. Evaluate threat intelligence solutions that provide actionable context on digital risks and automate the process of collecting and alerting on new digital risks.
• Supply Chain Risk – Third party vendors and physical locations introduce potential threats to an organization, but many supply chain risk management practices take a static approach to assessing risk. Threat intelligence can help you look at risks associated with third party vendors your organization is looking to onboard, and provide real-time alerts on threats to the third and fourth parties in your supply chain.
• Exposure Management – As your organization embraces their digital growth strategy and takes advantage of cloud-based resources, your external attack surface is likely in a constant state of change. Without visibility into external assets, organizations can have hundreds of unknown or poorly managed assets, greatly increasing the risk of a cyberattack. Some threat intelligence solutions help organizations identify and inventory internet-facing assets, prioritize remediation efforts such as vulnerability patching, and accelerate the remediation of high-risk exposures.

• Applicable to you - The intelligence from the vendor has information directly related to threats and risks relevant to the organization and industry.
• Accurate - An organization needs to make sure that the intelligence they get is accurate enough for how they intend to use it.
• Real-time - The information is providing insight into threats in time for the organization to make informed risk decisions.

• Machine-readable - The data is provided in a structured format that can be processed in an automated manner.
• Consumable - The data can be accessed and converted into information that is used by operational processes in a timely manner.
• Actionable - The data can be converted into information that is used directly by decision-making processes within the timeframe that making the decision has value.

IS IT RELEVANT?

IS IT USABLE?

The short answer is yes, but let’s unpack this topic: Priority Intelligence Requirements (PIRs) help organizations determine the questions that are critical to be answered for the overall success of the organization. Instead of looking at every risk with the same intensity, they help organizations focus their intelligence efforts on the most critical and relevant threats and risks.

These requirements tell your audience what they need to know in order to act, and more importantly, they let your analysts know what questions need to be answered.

Having these requirements also makes your life easier because they let you know what’s important to leadership, so when you’re stuck in the weeds you know what needs to be prioritized above something else.

Some examples of Priority Intelligence Requirements include:

• Which threat actors are most likely to target our organization?
• What threats are there to my organization's brand?
• How is my organization’s digital infrastructure vulnerable to exploitation?
• What risks are we facing due to our supply chain or third-party vendor partnerships?
• What major security threats is our industry/industries facing?

Building out your PIRs prior to onboarding a new threat intelligence solution can help you identify ways in which a vendor can help you meet your requirements, and evaluate which vendors provide more value to your team.

• Comprehensive Intelligence Platform - Unlike feed aggregators, intelligence providers provide threat data (including all types of feeds) and information collected from open, technical, and dark web sources, using a combination of machine-learning techniques including natural language processing (NLP). The collected information is used to produce relevant and actionable intelligence at scale which is typically disseminated to users through a SaaS-based portal that allows for querying and deep analysis or through tailored alerts. Leading solutions will also offer human intelligence services powered by their technology.
• Direct Integrations with Security Tools & APIs - Security teams should be able to get intelligence delivered directly to the tools they use through out of the box integrations with SIEMs, SOAR platforms, vulnerability management, endpoint, ticketing, link analysis, and more. Advanced security teams could also leverage an API to expand on the existing integrations, or to create specialized threat intelligence integrations with their custom or proprietary security products and workflows.
• Finished Intelligence - Report writing is one of the most time-consuming functions of a security team. With threat intelligence you can outsource the production of intelligence reports by consuming finished intelligence reports written by an intelligence vendor.
• Managed Services - Instead of receiving alerts directly, a security vendor will consume massive quantities of information on your behalf. If they deem something relevant to your organization, you’ll be informed via a reporting service — typically, via an online portal, and they will assist with potential actions you can take. In addition, if the vendor identifies fraudulent websites, social media handles, or typosquatted domains, they will get them taken down on your behalf.

Get buy-in from leadership

The C-suite and other leaders must assess and manage risk by balancing limited available resources against the need to secure their organizations from ever-evolving threats. In order to get buy-in from leadership, they need to understand that threat intelligence helps map the threat landscape, calculate risk, and give security personnel the context to make better, faster decisions.

Today, security leaders are tasked with:

• Assessing business and technical risks, including emerging threats and “known unknowns” that might impact the business
• Identifying the right strategies and technologies to mitigate risks
• Communicating the nature of the risks to top management, and justify investments in defensive measures

Get buy-in from security leadership

Threat intelligence helps leaders across all of these activities and is a critical resource, providing information on general trends, such as:

• Which types of attacks are becoming more (or less) frequent?
• Which types of attacks are most costly to the victims?
• What new kinds of threat actors are coming forward and which assets and enterprises are they targeting?
• Which security practices and technologies have proven to be the most (or least) successful in stopping or mitigating these attacks?

Threat intelligence also enables security teams to assess whether an emerging threat is likely to affect their specific enterprise based on factors such as:

• Industry — Is the threat affecting other organizations in our vertical?
• Technology — Does the threat involve compromising software, hardware, or other technologies used in our enterprise?
• Geography — Does the threat target facilities in regions where we or our suppliers have operations?
• Attack Method — Have methods used in the attack, including social engineering and technical methods, been used successfully against our company or similar ones?

With this level of intelligence, gathered from a broad set of external data sources, security decision makers are able to gain a holistic view of the overall risk landscape and prioritize the greatest risks to their enterprise.

Here are five key areas that you can bring forward to security leaders to help them understand the value intelligence brings by making them more informed and educated on the risks impacting their organization:

• Assessing Risk — With so many threats stemming from cyber, physical, influence, and your supply chain, it’s hard to understand which you should care about and what you should do about them. Threat intelligence helps leaders assess threats in the context of risk to their business so they can prioritize the threat vectors and actors that can actually cause harm to their people and assets and stop wasting time and resources on threats that don’t matter.
• Threat Mitigation — Threat intelligence helps security leaders prioritize the vulnerabilities and weaknesses that threat actors are most likely to target, giving context on the TTPs those threat actors use, and therefore the weaknesses they tend to exploit.
• Communication — CISOs are often challenged by the need to describe threats and justify countermeasures in terms that will motivate non-technical business leaders, such as cost, impact on customers, and new technologies to implement. Threat intelligence provides powerful ammunition for these discussions, such as the impact of similar attacks on companies of the same size in other industries or trends and intelligence from the dark web indicating that the enterprise is likely to be targeted, or that supply chain vendors are being mentioned on ransomware extortion sites.
• Supporting Leadership — Threat intelligence can provide security leaders with a realtime picture of the latest threats, trends, and events, helping them respond to a threat or communicate the potential impact of a new threat type to business leaders and board members in a timely and efficient manner.
• Reducing the Security Skills Gap — CISOs must make sure the IT organization has the necessary human capital to carry out its mission. But because of the skills shortage in cybersecurity, existing security staff are frequently burdened with unmanageable workloads. Threat intelligence automates some of the most labor-intensive tasks, rapidly collecting data and correlating context from multiple intelligence sources, prioritizing risks, and reducing unnecessary alerts. Powerful threat intelligence also helps junior personnel quickly “upskill” and perform above their experience level.

Whether you’re new to threat intelligence and beginning the process of adding a threat intelligence solution to your cybersecurity tech stack, or you’re looking for new strategies to consider for your program, we hope you found this Buyer’s Guide insightful.

At Recorded Future, our belief is that threat intelligence is the essential force multiplier for the modern security stack, which enables organizations to mitigate today’s fast moving attacks by providing valuable insights to act on, quickly.

If you’d like to learn more about Recorded Future, the world’s most comprehensive and independent threat intelligence cloud platform on the market, book a demo or talk to your account manager.

How Recorded Future Benefits Security Teams

• Assessing Risk - Recorded Future clients report a 61% increase in visibility into potential threats
• Threat Mitigation - Clients report being 48% faster at identifying a new threat
• Communication - Clients report saving 9.2 hours per user per week on threat investigations and hunting
• Supporting Leadership - 90% of clients report having a better understanding of their threat landscape
• Reducing the Security Skills Gap - Clients report that 21% of work that could previously only be done by senior analysts before using Recorded Future can now be shifted to junior analysts