The early 2000s saw the development of IP and URL blacklists. These were, in hindsight, the precursors of ‘threat intelligence’, although the concept of ‘threat intelligence’ had not yet been formulated. Security information and event management (SIEM) and next generation firewall (NGFW) products integrated data from these blacklists and generated alerts and reports. Security researchers then searched for threats ‘manually’ and sent out daily updates to their customers.
From 2010 onwards, the explosion of the dark web and malign activity exposed the limitations of these existing security controls, which were not designed to consume and process such huge numbers of Indicators of Compromise. Over the following years it became apparent that these tools alone could not identify and process the tens of millions (and growing) of highly customised malicious domains, IPs and other threats.
Cybersecurity vendors responded by harnessing machine learning and AI to automate and correlate data on an unprecedented scale. They put in place millions of sensors, and their data feeds collected massive amounts of information, which was analysed and processed by increasingly sophisticated big data tools. Automated systems began to be used to perform complex detection covering all attack surfaces. Big data technology led to the development of the concept of ‘threat intelligence’.
2015 saw the next stage in the evolution of TI: the realisation of the vital role of human intelligence in delivering threat intelligence. An unintended consequence of using machine learning and AI was an overwhelming number of daily false security alerts. It became clear that AI and big data tools alone were not producing useful intelligence. Security experts were increasingly deployed not only to oversee intelligence collection in a way that reduced false positives, but also to improve visibility into threats and attack methodologies specific to their organisations, enabling more rapid detection and response activities that emphasised vulnerability discovery and prioritisation.
From 2018 the ‘threat intelligence’ industry expanded significantly, with hundreds of new cybersecurity companies entering the market, offering specific and targeted services that focused on the quality of the data sources, with the aim of providing relevant guidance for decisions and actions. Organisations buying threat intelligence products and services also began to focus on more effective deployment, by adapting data collection to specific security requirements, prioritising information correctly and establishing relevant data collection points.
By 2019, a standard of ‘threat intelligence’ had been formulated and accepted: multiple intelligence sources providing relevant, targeted data, converted into immediately actionable intelligence and integrated into an organisation’s security operations through a single point of entry that communicates seamlessly with the organisation’s existing security controls. The aim is to provide unique insights into emerging threats and to enable security teams to prioritise alerts, maximise resources and accelerate decision-making.
What can we expect from 2020 onwards? The threat intelligence market is both maturing and expanding in size, estimated by the research company MarketsandMarkets to reach 12.9 billion USD by 2023. Organisations of all sizes are now actively deploying threat intelligence as part of their cybersecurity apparatus. Cybersecurity vendors are already integrating their products and services with those of other vendors to offer comprehensive threat intelligence packages. Sharing best practices will become the norm, leading to better prepared defences against rising threats such as malware-less attacks.
This new decade will witness the transition from reactive to proactive cybersecurity. Collaboration and cooperation will take centre stage as an essential component of delivering proactive threat intelligence.
The role of security teams will expand to cover tactics, techniques, procedures, strategic assessments and threat behaviours, all immediately accessible at all levels and within multiple business groups of an organisation. Security teams will become responsible for delivering proactive threat intelligence that not only protects organisations from threats but also aligns with and helps shape business goals, identifies risks (M&As, Business Intelligence, etc.) and helps determine security budgets. The goal from 2020 onwards is to operationalise threat intelligence to effectively predict and prevent attacks at the earliest stages. Ultimately, threat intelligence programmes will underpin the whole concept of both proactive cybersecurity and organisational risk.