A different cup of TI? The added value of commercial threat intelligence

Xander Bouwman, Harm Griffioen, Jelle Egbers, Christian Doerr, Bram Klievink, Michel van Eeten

Research output: Contribution to conferencePaperScientificpeer-review

47 Downloads (Pure)

Abstract

Commercial threat intelligence is thought to provide unmatched coverage on attacker behavior, but it is out of reach for many organizations due to its hefty price tag. This paper presents the first empirical assessment of the services of commercial threat intelligence providers. For two leading vendors, we describe what these services consist of and compare their indicators with each other. There is almost no overlap between them, nor with four large open threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – we find an average overlap of only 2.5% to 4.0% between the indicator feeds. The small number of overlapping indicators show up in the feed of the other vendor with a delay of, on average, a month. These findings raise questions on the coverage and timeliness of paid threat intelligence.

We also conducted 14 interviews with security professionals that use paid threat intelligence. We find that value in this market is understood differently than prior work on quality metrics has assumed. Poor coverage and small volume appear less of a problem to customers. They seem to be optimizing for the workflow of their scarce resource – analyst time – rather than for the detection of threats. Respondents evaluate TI mostly through informal processes and heuristics, rather than the quantitative metrics that research has proposed.
Original languageEnglish
Number of pages18
Publication statusPublished - 2020
Event29th USENIX Security Symposium - Online event, Boston, United States
Duration: 12 Aug 202014 Aug 2020
https://www.usenix.org/conference/usenixsecurity20

Conference

Conference29th USENIX Security Symposium
CountryUnited States
CityBoston
Period12/08/2014/08/20
Internet address

Fingerprint Dive into the research topics of 'A different cup of TI? The added value of commercial threat intelligence'. Together they form a unique fingerprint.

  • Cite this

    Bouwman, X., Griffioen, H., Egbers, J., Doerr, C., Klievink, B., & van Eeten, M. (2020). A different cup of TI? The added value of commercial threat intelligence. Paper presented at 29th USENIX Security Symposium, Boston, United States. https://www.usenix.org/conference/usenixsecurity20/presentation/bouwman