Threat Intelligence Sources Explained
As part of the requirements phase in the intelligence cycle, it’s important to assess where your threat intelligence comes from. Threat intelligence usually comes from outside sources, so it’s critical to evaluate these sources based on several key factors:
1. Timeliness
2. Relevancy
3. Accuracy
4. Confidence Level
Key Factors for Evaluating Threat Intelligence Sources:
Timeliness:Threats can change quickly as attackers adapt. After an adversary is exposed, they may change their tactics to avoid detection. It’s important to choose intelligence sources that can provide timely updates about evolving threats.Relevancy:The intelligence needs to be relevant to your specific needs. For example, if your systems are mainly cloud-based, threat intelligence about Windows vulnerabilities might not be very useful. You need to make sure the intelligence aligns with your organization’s environment and use cases.Accuracy:Accuracy means that the information is reliable and validated. It also refers to how specific intelligence is. Can it be used to create automated security rules, or is it more general and strategic? Good threat intelligence should be specific enough to be directly applied to your systems and security measures.Confidence Levels:Not all intelligence is equally reliable. Confidence levels help you determine how trustworthy the information is. Some sources use a grading system, like the Admiralty scale, which rates both the reliability of the source and the credibility of the information. For example, a rating of “A1” would mean the source is reliable and the information has been confirmed by multiple sources, while a lower rating means less certainty.
For example, the MISP Project (misp-project.org/best-practices-in-threatintelligence.html) codifies the use of the admiralty scale for grading data and the use of estimative language for grading analyst opinion. The admiralty scale rates sources with letters from a (reliable) to g (purposefully deceptive) and information credibility from 1 (confirmed by multiple sources) to 6 (cannot be validated).ed by multiple sources) to 6 (cannot be validated).
Leave a Reply