A large majority of security organizations look at open-source intelligence to improve security operations center (SOC) workflows and arm security analysts with more knowledge. Gathering open source threat feeds seems advantageous at first glance, yet the process of collecting, analyzing and curating thousands of indicators a day can quickly diminish the expected benefits—or worse, expose the organization to new risks when half-baked intelligence is produced.
Here are some specific challenges customers may face when using open source threat intelligence:
- Publicly-known intelligence must be contextualized and deduplicated. Simply collecting indicators in lists and handing them to analysts is often a recipe for disaster. Analysts need more context, such as: When was it first and last seen? Which actor or malware could be behind this indicator? Can I trust this indicator? To get these core questions answered, users need a more rigorous analytic collection process, which often requires a threat intelligence platform, putting substantial incremental workload and capex on already stretched SOC teams.
- Managing the lifecycle of open-source threat intelligence still requires training. Before using publicly shared threat insights, security organizations must invest time and resources in learning how to approach and build out the correct and relevant threat intelligence. Basically, threat analysts need to understand which type of intelligence is needed by their internal security risk teams so they can select the right data sources and produce actionable results for their internal stakeholders.
According to the 2020 Cyber Threat Intelligence (CTI) survey from Cybersecurity Insiders, more than 80% of threat analysts are not trained on collecting from open source or the dark web and report a lack of training, tools or oversight. Given current economic conditions, many organizations simply cannot proceed with managing open source intelligence, and lifecycle improvement initiatives quickly die off for lack of knowledge, time or resources.
- Not all threat intelligence is relevant or trustworthy. Cyber threat intelligence practitioners are often exposed to outdated intelligence, describing old historical artifacts that have no relevance to their current business environment. Even worse, intelligence teams can be part of a targeted attack containing counterintelligence efforts. Simply put, embedding threat intelligence into a SOC workflow is not without risks and some actors may purposely release intelligence to mislead security teams.
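As an added illustration of the contextualization and deduplication step described in the first point above (example code written for this post, not part of Mandiant Advantage and not its M-Score), the following Python merges rows from three constructed feeds into one record per indicator, tracks first/last seen and corroborating sources, and applies a deliberately simple, hypothetical confidence score that rewards corroboration and penalizes staleness and conflicting categories:

```python
from datetime import date

# Constructed sample feed rows (not real indicators): (feed, type, value, date_seen, category)
FEED_ENTRIES = [
    ("feed-a", "ipv4", "203.0.113.10", "2020-03-01", "c2"),
    ("feed-b", "ipv4", "203.0.113.10", "2020-06-15", "scanner"),
    ("feed-a", "domain", "EXAMPLE-BAD.test", "2019-01-05", "phishing"),
    ("feed-c", "domain", "example-bad.test.", "2019-02-20", "phishing"),
    ("feed-b", "sha256", "A" * 64, "2020-06-01", "malware"),
    ("feed-c", "sha256", "a" * 64, "2020-06-01", "malware"),
]

def normalize(kind, value):
    """Canonical form so the same indicator from two feeds lands on one key."""
    v = value.strip().lower() if kind in ("domain", "md5", "sha1", "sha256") else value.strip()
    return v.rstrip(".") if kind == "domain" else v  # trailing dot is not a distinct domain

def aggregate(entries):
    """Deduplicate feed rows into one record per (type, value) with analyst context."""
    merged = {}
    for feed, kind, value, seen, category in entries:
        key = (kind, normalize(kind, value))
        seen_on = date.fromisoformat(seen)
        rec = merged.setdefault(key, {
            "first_seen": seen_on, "last_seen": seen_on,
            "sources": set(), "categories": set(),
        })
        rec["first_seen"] = min(rec["first_seen"], seen_on)
        rec["last_seen"] = max(rec["last_seen"], seen_on)
        rec["sources"].add(feed)          # which feeds corroborate this indicator
        rec["categories"].add(category)   # do the feeds agree on what it is?
    return merged

def confidence(rec, today, stale_days=180):
    """Hypothetical score (not Mandiant's M-Score): more sources up, stale or conflicting down."""
    score = 40 + 20 * (len(rec["sources"]) - 1)
    if (today - rec["last_seen"]).days > stale_days:
        score -= 30
    if len(rec["categories"]) > 1:
        score -= 10
    return max(0, min(100, score))

def scores(entries, today_iso):
    """Score every deduplicated indicator as of an ISO date string."""
    today = date.fromisoformat(today_iso)
    return {k: confidence(r, today) for k, r in aggregate(entries).items()}
```

Six feed rows collapse to three indicators; the domain that no feed has reported in over a year scores lowest, while the hash two feeds agree on scores highest.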
Free Confidence Scoring and Context for Publicly-Known Indicators
Mandiant Advantage Free not only captures, aggregates and deduplicates threat indicators such as IP addresses, domains and file hashes from more than 70 selected open-source feeds, it also arms customers with powerful search functionality that pairs search results with an M-Score, Mandiant’s data-driven confidence rating that combines expert knowledge with cutting-edge machine learning. This rating is based on Mandiant’s unparalleled front-line intelligence, which includes more than 100,000 hours of incident response annually, machine intelligence from millions of endpoints and advanced adversarial research from more than 300 Mandiant threat analysts in more than 25 locations around the world, working in more than 30 languages.
Instead of relying solely on expensive, often unreliable or outdated publicly-known indicators, Mandiant Advantage customers get free transparency on threat indicators: confidence scoring, origin type, threat category and the dates on which each indicator was first and last reported. The M-Score and this context help users reduce alert fatigue, prioritize resources when critical security information is presented, and align investigation resources appropriately.
Mandiant Advantage offers unmatched, up-to-the-minute, front-line threat intelligence that allows customers to prioritize the threats that matter to their business right now, increasing efficiency of existing tools and resources.
Register today for Mandiant Advantage Free, a no-cost version of our threat intelligence platform.