A different cup of TI? The added value of commercial threat intelligence
Xander Bouwman, Delft University of Technology, the Netherlands; Harm Griffioen, Hasso Plattner Institute, University of Potsdam, Germany; Jelle Egbers, Delft University of Technology, the Netherlands; Christian Doerr, Hasso Plattner Institute, University of Potsdam, Germany; Bram Klievink, Leiden University, the Netherlands; Michel van Eeten, Delft University of Technology, the Netherlands
Commercial threat intelligence is thought to provide unmatched coverage on attacker behavior, but it is out of reach for many organizations due to its hefty price tag. This paper presents the first empirical assessment of the services of commercial threat intelligence providers. For two leading vendors, we describe what these services consist of and compare their indicators with each other. There is almost no overlap between them, nor with four large open threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – we find an average overlap of only 2.5% to 4.0% between the indicator feeds. The small number of overlapping indicators show up in the feed of the other vendor with a delay of, on average, a month. These findings raise questions on the coverage and timeliness of paid threat intelligence.
We also conducted 14 interviews with security professionals that use paid threat intelligence. We find that value in this market is understood differently than prior work on quality metrics has assumed. Poor coverage and small volume appear less of a problem to customers. They seem to be optimizing for the workflow of their scarce resource – analyst time – rather than for the detection of threats. Respondents evaluate TI mostly through informal processes and heuristics, rather than the quantitative metrics that research has proposed.
View the full USENIX Security '20 program at https://www.usenix.org/conference/usenixsecurity20/technical-sessions