Battling Threat Intelligence Decay

There’s a good reason why organizations invest heavily in cyber threat intelligence (CTI) and threat intelligence platforms (TIPs) - they provide security teams with an edge in the fight against attackers. Instead of taking a finger-in-the-air approach, CTI enables companies to better understand, contextualize, and prioritize risk for their business. Despite this, businesses still have an appetite to get more value out of their CTI investments.

In this blog, we’ll take a look at the current state of CTI and explore a specific gap that stands between the current advantage and a universe of additional value.

The Threat Intelligence Landscape 

Like most things in technology, there’s a broad spectrum of things that constitute CTI. On one side of the spectrum, you’ve got loads of open-source and community-driven feeds, which we can thank the good-natured security world for. On the other end, you’ve got your commercial TIPs and CTI subscriptions that offer heavy-hitting, first-party intelligence powered by technology and/or first-party researchers. This is to say, the CTI game doesn’t really preclude businesses based on budget, only bandwidth.

Outside of the CTI technology and feed market, there’s also the reality of in-house threat intelligence personnel - who have their own type of maturity curve. Some of these people might be poring over IOCs and dangling honeypots. Others might be collecting and analyzing TTPs of incidents across their environment and creating relationships across those patterns.

Regardless of how a business approaches CTI, the outcomes are generally the same: present findings to security leaders so they can understand risk and mobilize a response. There’s nothing wrong with this at all. As a matter of fact, every CISO should have a direct line of communication with a trusted threat intelligence resource.

So, what’s the rub? All the CTI and TIPs in the world won’t help you be more secure unless you’re able to rapidly use the information.

Threat Intelligence Decay, Explained

The term "threat intelligence decay" describes how threat intelligence gradually loses value and efficacy over time. The data that was once essential for recognizing and reducing risks becomes old and less helpful as adversaries constantly adapt their tactics, techniques, and procedures (TTPs). This idea emphasizes how cybersecurity is dynamic and requires constant intelligence updating to be effective.

Essentially…old threat intelligence is less valuable than new threat intelligence. 

Attackers are moving faster than ever. Once their tradecraft is observed, attackers can modify their tradecraft (sometimes, trivially) to slip through defenses without detection - this oftentimes leaves defenders where they started, or close to it.

It could take ages to collect threat intelligence, assess relevance and risk, and put it into action.

Recent examples of cyber threat intelligence decay can be seen through the various trends and incidents we see today:

• Business Email Compromise: Financial losses from business email compromises have significantly grown, with attackers employing sophisticated tactics such as phishing emails to gain valid credentials and using MFA fatigue tactics to bypass multi-factor authentication methods. Once inside the network, threat actors often expand access to multiple accounts, searching for sensitive information or payment information to steal or use to commit fraud. Constantly shifting initial access and defense evasion techniques demonstrates the evolution of the adversary and the decay of previous intelligence assessments on their methods.
• Supply Chain Vulnerabilities: The exploitation of supply chain vulnerabilities has become more frequent and damaging, as seen with the MOVEit transfer flaw, where threat actors exploited a zero-day vulnerability to gain unauthorized access and exfiltrate data. Another evolving area of decay as exploit development speed has increased substantially in recent years.
• Ransomware and Malware: The continued evolution of ransomware and malware, including significant activities by groups like CLOP and the widespread use of malware strains like QAKBOT, REDLINE STEALER, AMADEY, and AGENT TESLA, highlights the adaptive nature of cyber threats. The decay of intelligence around these threats is evident as attackers continuously modify their techniques to evade detection and increase their impact.

This concept of threat intelligence decay highlights a pressing challenge: the information that was once a golden nugget of defense can quickly turn into fool's gold, leaving organizations exposed to new threats.

Operationalizing Threat Intelligence

The solution to threat intelligence decay? Actionable threat intelligence. This is what we refer to as CTI that can be quickly operationalized to produce a defense-improving outcome. Whether this is used for a hunt, detection engineering, or something in between, the information should be leveraged to disrupt the cyber kill chain or move left in the NIST Cybersecurity Framework (CSF) stages.

At Prelude, we’ve introduced new AI-enabled capabilities that turn even the most complex, novel threat intelligence into actionable formats.

These capabilities eliminate the time-consuming phases of making threat intelligence useful to an organization. Simply upload a piece of threat intelligence into your Prelude Detect account, and Detect will generate a new detection and accompanying test. Organizations can then quickly deploy a net-new, validated detection to your XDR in less than five minutes.

For threat intelligence personnel, this means you can spend less time processing threat intelligence and more time gathering TTPs of incidents across the environment and creating relationships from these patterns.

For detection engineers, this means you can save a ton of time that would otherwise be used writing new detections and testing them. Instead, detection engineers can focus on developing other proactive security measures and expanding detection coverage to more areas.

For offensive security teams, this means you can spend less time building tests derived from CTI and more time in engagements, building tooling, or producing high-quality reports that can help harden an organization's defenses.

Now, not every organization has these functions as part of their security program. But if we circle back on the bandwidth issue of CTI, this is much less of an issue. Detect is capable of eliminating the bandwidth and maturity barrier to entry of CTI.

These new capabilities save a ton of time and dramatically improve the throughput of a security team. The result is a rapidly improving threat-informed defense. If you’d like to learn more, request a demo or drop by our Discord.