A different cup of TI? The added value of commercial threat intelligence

Authors: 

Xander Bouwman, Delft University of Technology, the Netherlands; Harm Griffioen, Hasso Plattner Institute, University of Potsdam, Germany; Jelle Egbers, Delft University of Technology, the Netherlands; Christian Doerr, Hasso Plattner Institute, University of Potsdam, Germany; Bram Klievink, Leiden University, the Netherlands; Michel van Eeten, Delft University of Technology, the Netherlands

Abstract: 

Commercial threat intelligence is thought to provide unmatched coverage on attacker behavior, but it is out of reach for many organizations due to its hefty price tag. This paper presents the first empirical assessment of the services of commercial threat intelligence providers. For two leading vendors, we describe what these services consist of and compare their indicators with each other. There is almost no overlap between them, nor with four large open threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – we find an average overlap of only 2.5% to 4.0% between the indicator feeds. The small number of overlapping indicators show up in the feed of the other vendor with a delay of, on average, a month. These findings raise questions on the coverage and timeliness of paid threat intelligence.

We also conducted 14 interviews with security professionals that use paid threat intelligence. We find that value in this market is understood differently than prior work on quality metrics has assumed. Poor coverage and small volume appear less of a problem to customers. They seem to be optimizing for the workflow of their scarce resource – analyst time – rather than for the detection of threats. Respondents evaluate TI mostly through informal processes and heuristics, rather than the quantitative metrics that research has proposed.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {255290,
author = {Xander Bouwman and Harm Griffioen and Jelle Egbers and Christian Doerr and Bram Klievink and Michel van Eeten},
title = {A different cup of {TI}? The added value of commercial threat intelligence},
booktitle = {29th {USENIX} Security Symposium ({USENIX} Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {433--450},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/bouwman},
publisher = {{USENIX} Association},
month = aug,
}

Presentation Video