
For Security & Risk Professionals

Vendor Landscape: External Threat Intelligence, 2017
Tools And Technology: The Security Architecture And Operations Playbook

by Josh Zelonis
June 26, 2017 | Updated: July 14, 2017

Why Read This Report

The threat intelligence market is muddled by confusing messaging that has hurt security and risk (S&R) pros' ability to succeed with their intelligence capabilities. This report provides a course correction for the industry by clearly delineating the offerings of 30 vendors that provide externally sourced intelligence. It also offers a guide for using this data to build a successful threat intelligence capability.

Key Takeaways

Threat Intelligence Marketing Is Not Intelligent
Threat intelligence refers to a wide range of products and services, which makes it difficult to compare offerings. This report brings clarity to three key differentiators: tactical indicators, raw intelligence, and finished intelligence. We give examples of each of these offerings and the vendors that provide them.

Develop Your Security Strategy With Threat Intel
S&R pros must build their intelligence capability on a foundation of strategic intelligence to understand the threat landscape. Develop a risk register and implement targeted process improvements, using risk prioritization to justify your security spend.

Don't Get Hung Up On Trailing Indicators
Tactical indicators are called trailing because they require observation, analysis, and sharing before they can be used. Understanding the fundamental nature of these historical indicators is essential to identifying their appropriate use cases.

with Stephanie Balaouras, Bill Barringham, and Peggy Dostie

Table Of Contents

2 Use External Intelligence To Understand And Prevent Threats
    External Threat Intelligence Allows You To Detect And Even Prevent Attacks
    Vendors Market Varying Levels Of Processing And Analysis As Threat Intelligence

6 Select Vendors According To Your Firm's Maturity, Vertical, And Size
    Follow Three Simple Steps When Building A Threat Intelligence Capability
    As Your Intelligence Capabilities Mature, Target Your Research
    Advanced Organizations Can Respond Aggressively To Threats

Recommendations
12 Develop A Holistic Threat Intelligence Capability

14 Supplemental Material

Related Research Documents

Achieve Early Success In Threat Intelligence With The Right Collection Strategy
The Risk Manager's Handbook: How To Identify And Describe Risks
Top Cybersecurity Threats In 2017

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA


+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
2017 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester,
Technographics, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research,
Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing
is a violation of copyright law. Citations@forrester.com or +1 866-367-7378

Use External Intelligence To Understand And Prevent Threats


In The Seven Basic Plots: Why We Tell Stories, Christopher Booker demonstrates that all storytelling, from Greek drama through Hollywood blockbusters, leverages the same basic plot mechanisms.1 Similarly, there are only so many motivations and techniques for stealing information. The hardest patterns for attackers to change are their tactics, techniques, and procedures (TTPs): how they do things (see Figure 1).2 S&R pros can use external threat intelligence to understand the trends and plotlines of attacks against other organizations, and use that understanding to better prepare for when those threat actors inevitably turn their attention toward you.

FIGURE 1 Tactics, Techniques, And Procedures Are The Hardest Patterns For Cyberattackers To Change

Indicator type             Difficulty for the attacker to change
TTPs                       Tough!
Tools                      Challenging
Network/host artifacts     Annoying
Domain names               Simple
IP addresses               Easy
Hash values                Trivial

Source: David Bianco, "The Pyramid of Pain," Enterprise Detection & Response, January 17, 2014

External Threat Intelligence Allows You To Detect And Even Prevent Attacks

A cyberattack does not start with exploitation and end with exfiltration. Criminals plan carefully how
they will develop the infrastructure they need to make an attack and then monetize the effort.3 That
means S&R pros must also plan carefully to detect and prevent such attacks. How can external threat
intelligence help? It lets you:

Preempt attempts to defraud customers with impersonating domain registrations. Today's organizations are aware of the innate reputational risk associated with an attacker impersonating them to defraud customers. Even if your organization wasn't a part of the attack chain, your brand will suffer. It's important to detect when attack infrastructure is being created to stay a step ahead of attackers trying to impersonate your organization. One emerging threat that has gained attention lately is homograph attacks, in which attackers use Unicode characters to create domains that are indistinguishable from legitimate domain names.4
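Detecting this at the registration stage, as an added example that is not part of the report: the script below (the brand list is assumed and the registration feed is constructed) decodes Punycode registrations and flags Unicode homographs, ASCII lookalikes, embedded brand names, and one-character typo-squats of a brand you own.

```python
"""Flag domain registrations that impersonate a protected brand.

Added example, not code from the Forrester report. Given a feed of newly
registered domains (internationalized names arrive in their Punycode
'xn--' form), it reports Unicode homographs, ASCII lookalikes, embedded
brand names, and one-character typo-squats of the brands you own. The
brand list and the registration feed below are constructed sample data.
"""
import unicodedata
from typing import Optional

PROTECTED_BRANDS = ["acmebank"]  # assumed: second-level labels you own

# Subset of visually confusable characters folded to the Latin letter they
# mimic (Unicode TR39 carries the full table); digraphs handled separately.
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03b1": "a", "\u03bf": "o",                                 # Greek
    "0": "o", "1": "l", "|": "l",
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

# Constructed feed: a homograph built from a Cyrillic 'е' (U+0435) and
# encoded the way a registration feed would deliver it, two ASCII
# lookalikes, a typo-squat, an unrelated domain, and the brand itself.
HOMOGRAPH = "acm\u0435bank.example".encode("idna").decode("ascii")
SAMPLE_FEED = [
    HOMOGRAPH,
    "acrnebank.example",        # 'rn' reads as 'm'
    "acme-bank-login.example",  # brand embedded in a longer label
    "acmebnk.example",          # one character dropped
    "weather-today.example",    # unrelated
    "acmebank.example",         # our own domain
]


def to_unicode(domain: str) -> str:
    """Decode Punycode labels so an 'xn--' domain can be inspected as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain  # already in Unicode form


def skeleton(label: str) -> str:
    """Fold a label to the ASCII string a human is likely to read it as."""
    folded = "".join(CONFUSABLE_CHARS.get(ch, ch)
                     for ch in unicodedata.normalize("NFKC", label.lower()))
    for pair, single in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, single)
    return folded


def scripts(label: str) -> set:
    """Scripts used by the letters of a label, taken from their Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to catch simple typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[dict]:
    """Return a finding for an impersonating domain, or None if it is unrelated."""
    decoded = to_unicode(domain)
    label = decoded.split(".")[0]  # assumes brand.tld shape; no public-suffix handling
    skel = skeleton(label)
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return None  # the brand's own registration
        finding = {"domain": domain, "decoded": decoded, "brand": brand}
        if skel == brand:
            mixed = len(scripts(label)) > 1 or not label.isascii()
            return {**finding, "kind": "homograph" if mixed else "ascii-lookalike"}
        if brand in skel.replace("-", ""):
            return {**finding, "kind": "brand-embedded"}
        if edit_distance(skel, brand) == 1:
            return {**finding, "kind": "typosquat"}
    return None


def scan(feed) -> list:
    """Run the classifier over a registration feed and keep only the findings."""
    return [f for f in (classify(d) for d in feed) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_FEED):
        print(f'{finding["kind"]:16} {finding["domain"]}  ->  {finding["decoded"]}')
```

Real feeds need public-suffix handling and a fuller confusables table; the value here is that the check runs on the Punycode form the registry actually publishes.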

Track exploit kits to prioritize patching. Understanding attack trends and the use of exploit kits is a critical first step in developing a strategy to combat ransomware and other similar malware-based attacks.5 By collecting tactical intelligence from exploit kit advertisements, you can identify common vulnerabilities and exposures (CVEs) being exploited and prioritize patching to prevent your organization from being compromised.6

Detect breaches by monitoring darknet marketplaces for stolen data. One place you can intercept an attack is at the point of data commoditization. Although detecting the sale of stolen data is not an ideal time to identify an attacker moving against your organization, considering that dwell times for external attackers average 107 days, it's better to be aware of the breach than to unknowingly allow it to persist.7 For example, a credit card processor identified GameStop as the common link between cards being sold online this year.8

Vendors Market Varying Levels Of Processing And Analysis As Threat Intelligence

The intelligence cycle is the process by which a question is asked, researched, and answered. During this process, organizations collect, process, and analyze data to turn it into a finished intelligence product (see Figure 2). Organizations will take over this analysis at different stages of the intelligence cycle, depending on their operational maturity, which is why vendors offer three types of intelligence: tactical indicators, raw intelligence, and finished intelligence.

Tactical indicators are useful if there's enough context. Indicators of compromise (IoCs) are file hashes, domain names, IP addresses, or other patterns that S&R pros can use to detect a threat or compromise. One important caveat is the need for context when using these indicators. The STIX language uses 12 different domain objects to describe threats, with indicators being only one of them.9 You must understand the context surrounding an indicator to understand the implication to your organization when triggering an alert based on it. For instance, Symantec has assigned a very low risk level to the Trojan.Corentry malware.10 How would your organization respond to the knowledge that there was a malware-infected system on your network? What if it was a very low risk? What if the implication was that the CIA had infiltrated your organization?11 You simply should not spend money on indicator feeds that don't provide context beyond indictment.
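The point about context can be made concrete with STIX itself. The following added example (not from the report; the bundle, object ids and names are constructed) walks the relationship objects around each indicator and promotes to an alert only those whose relationships tie them to a malware, actor or campaign object.

```python
"""Resolve the context around STIX 2.1 indicators before alerting on them.

Added example, not code from the Forrester report. SAMPLE_BUNDLE is a
constructed STIX 2.1 bundle: one indicator tied by 'indicates' and 'uses'
relationships to a malware family and the intrusion set behind it, and one
bare indicator with no relationships at all. Only indicators whose
relationships supply context are promoted to alerts; the rest are held.
"""
from collections import deque

TS = "2017-06-01T00:00:00.000Z"
IND_CTX = "indicator--00000000-0000-4000-8000-000000000010"
MAL = "malware--00000000-0000-4000-8000-000000000020"
IND_BARE = "indicator--00000000-0000-4000-8000-000000000030"
ISET = "intrusion-set--00000000-0000-4000-8000-000000000040"
REL_IND = "relationship--00000000-0000-4000-8000-000000000050"
REL_USE = "relationship--00000000-0000-4000-8000-000000000060"


def stix_obj(obj_type, obj_id, **props):
    """Build a minimal STIX 2.1 object carrying the common required properties."""
    return {"type": obj_type, "spec_version": "2.1", "id": obj_id,
            "created": TS, "modified": TS, **props}


SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        stix_obj("indicator", IND_CTX, name="ExampleRAT beacon domain", pattern_type="stix",
                 pattern="[domain-name:value = 'beacon.invalid']", valid_from=TS),
        stix_obj("malware", MAL, name="ExampleRAT", is_family=True,
                 malware_types=["remote-access-trojan"]),
        stix_obj("intrusion-set", ISET, name="Constructed Actor 1", goals=["espionage"]),
        stix_obj("relationship", REL_IND, relationship_type="indicates",
                 source_ref=IND_CTX, target_ref=MAL),
        stix_obj("relationship", REL_USE, relationship_type="uses",
                 source_ref=ISET, target_ref=MAL),
        stix_obj("indicator", IND_BARE, name="hash with no context", pattern_type="stix",
                 pattern="[file:hashes.'SHA-256' = 'CONSTRUCTED-PLACEHOLDER']", valid_from=TS),
    ],
}

# STIX domain object types that tell you what an indicator actually means.
CONTEXT_TYPES = {"malware", "intrusion-set", "threat-actor", "campaign",
                 "attack-pattern", "tool"}


def build_graph(bundle):
    """Objects by id plus an undirected adjacency list built from relationship objects."""
    objects = {o["id"]: o for o in bundle["objects"]}
    adj = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            adj.setdefault(o["source_ref"], set()).add(o["target_ref"])
            adj.setdefault(o["target_ref"], set()).add(o["source_ref"])
    return objects, adj


def context_for(bundle, indicator_id, max_hops=2):
    """Context objects reachable from the indicator within max_hops relationships."""
    objects, adj = build_graph(bundle)
    seen, queue, found = {indicator_id}, deque([(indicator_id, 0)]), []
    while queue:
        cur, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nb in adj.get(cur, ()):
            if nb in seen:
                continue
            seen.add(nb)
            if objects.get(nb, {}).get("type") in CONTEXT_TYPES:
                found.append(objects[nb])
            queue.append((nb, depth + 1))
    return found


def triage(bundle):
    """Per indicator: alert with its context attached, or hold it for lack of context."""
    results = []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        ctx = context_for(bundle, o["id"])
        results.append({"indicator": o["name"], "pattern": o["pattern"],
                        "context": [f'{c["type"]}:{c["name"]}' for c in ctx],
                        "action": "alert" if ctx else "hold"})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_BUNDLE):
        print(f'{r["action"]:5} {r["indicator"]:28} context={r["context"]}')
```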

Raw intelligence has been collected and processed but not analyzed. Frequently, raw intelligence is offered through API access, enabling search or alerting based on keywords or other information (see Figure 3). One example is pastebin alerts, which allow users to specify keywords that, if pasted, will generate email alerts.12 This is raw, not finished, intelligence because the alert just shows that you have a keyword match and does not include the sentiment or details of the user who pasted the text. Similarly, while a reverse engineer may be said to analyze a piece of malware, that analysis does not become part of a finished intelligence product until it's paired with additional context, such as where it has been observed in the wild, associated threat actors, and motivations, to better understand the risk posed by the malware.

Finished intelligence is consumable and doesn't require final analysis. Finished intelligence is more than just reportage; it requires interpretation and putting the raw intelligence into context. For instance, during analysis and production, the CIA "take[s] a closer look at all the information and determine[s] how it fits together, while concentrating on answering the original tasking."13 There are several types of finished intelligence; each category represents a distinct task for your external threat intelligence service provider, with requests for intelligence (RFIs) giving you the ability to direct research (see Figure 4).

FIGURE 2 The Synthesis Of Quantitative Analysis And Qualitative Judgment

Relationship of data, information, and intelligence:

Operational environment --(Collection)--> Data --(Processing and exploitation)--> Information --(Analysis and production)--> Intelligence

Source: Joint Intelligence/Joint Publication 2.0 (Joint Chiefs of Staff)

FIGURE 3 Raw Intelligence Does Not Provide Context

Malware analysis: Detailed analysis performed by reverse engineers or forensic investigators to identify critical elements such as network/host artifacts, vulnerabilities exploited, and other related indicators that help you understand the tactics, techniques, and procedures in use.

Compromised account data: The ability to query or alert on accounts compromised in public breaches or leaked from covert sources.

Raw intelligence access: API or portal-driven search capability for querying collected data for keywords related to brand, identity, or other indicators.

FIGURE 4 Finished Intelligence Puts Raw Intelligence Into Context

Executive protection: Monitoring against impersonation, defamation, or hijack of accounts, targeted threats and exposure to untargeted threats due to travel, as well as leaked personal information.

Fraud intelligence: Monitoring for information leakage, laundering schemes, and other evidence of scams targeting the organization. An important part of delivering this as a finished product is the ability to track down the source of the information leak that fraudsters are attempting to commoditize.

Brand protection: Monitoring against impersonation, defamation, or intent to damage the revenue or reputation of the brand.

Vulnerability risk: Reporting on exploitation trends to allow businesses to prioritize vulnerability remediation efforts in the context of their threat landscape.

Threat actor data: Detailed profile of an actor's tactics, motivations, and capabilities to allow an organization to assess risk, combined with associated indicators to assist with detection, attribution, and removal of the threat.

Insider threat monitoring: Monitoring of websites and forums for the recruitment of insiders or attempts to sell privileged data.

Third-party risk: Assessment and scoring of third parties' security posture, susceptibility to attack, and evidence of data leakage to identify the risk of incorporating them into your supply chain.

Strategic intelligence: Executive-consumable intelligence reports that inform security strategy and provide understanding of the threat landscape.

Request for intelligence: Ability for customers to request an enriched, targeted investigation.

Select Vendors According To Your Firm's Maturity, Vertical, And Size

A common question we hear from clients is, "What indicator feeds should I subscribe to?" Unfortunately, there's no simple answer. Recommendations vary based on your company's maturity, vertical, and size. To help S&R pros make sense of the landscape, choose a vendor, and build a road map for integrating external threat intelligence into their organizations, we've charted 30 external threat intelligence vendors and their capabilities. And because it's also important to understand where the information comes from to properly assess how to prioritize and ingest it, we've included the vendor-reported ratios of the intelligence sources they use for collecting their data (see Figure 5 and Figure 6).

FIGURE 5 Understanding The Major Sources Of External Threat Intelligence

Surface web: The surface web is the part of the internet that is indexed by search engines, where information is freely accessible. While this type of intelligence is occasionally met with disdain because it is collected from public sources, this disdain ignores two critical factors: Criminals face a market imperative of providing an accessible marketplace for their goods, and people commonly make mistakes with operational security. The reality is that there is a lot of valuable information that you can derive from open sources, but there's no guarantee that what you are getting isn't repurposed marketing material.

Deep/dark web: The deep web represents a collection of sites that are censored by search engines, require authentication, or are only accessible via specific network protocols. The dark web is a subset of this, requiring the use of TOR or similar protocols to establish exclusivity and anonymity. Frequently, the information gathered from the deep web requires a human to establish credibility to gain access to assets, making this a very specialized and sensitive source of intelligence.

Social media Social media could arguably be categorized as deep web since it is not indexed by
search engines; however, social is so pervasive that it would be fairer to think of it
as shallow web. Social media monitoring is frequently associated with reputation
risk, which is why this is frequently seen in messaging by digital risk monitoring
companies.

Sensor networks Sensor networks vary, from network monitors across the globe that detect the
registration of new domains, to endpoint products performing static analysis of
unknown files, to SIEM alerts coming out of global managed security service
providers. This information tends to be very tactical and requires a lot of further
analysis to attribute to an actor before it can become finished intelligence.


FIGURE 6 External Threat Intelligence Vendors And Capabilities

Columns in the original figure: Tactical indicators; Raw intelligence; Finished intelligence (executive protection, fraud intelligence, brand protection, vulnerability risk, threat actor data, insider threat monitoring, third-party risk, strategic intelligence, request for intelligence); Intelligence sources (surface web, deep/dark web, social media, sensor networks). The vendor focus and the vendor-reported intelligence source ratios follow.

Vendor focus

4iQ                Identity, digital risk monitoring
AlienVault         Open, threat sharing network
CrowdStrike        Adversarial intelligence, endpoint monitoring
Digital Shadows    Analyst-curated, tailored intelligence
DomainTools        Breadth of domain registration data
FireEye            Adversarial intelligence, real-time detection
Flashpoint         Targeted data acquisition, analyst expertise
Group-IB           Targeted intelligence, Russian expertise
IBM                Reputation services and actionable intel
InfoArmor          Operatively sourced threat intelligence
Intel 471          Human collection of closed source, cybercrime
Kaspersky          Sensor-driven, advanced persistent threat (APT) research
LookingGlass       Breadth of collection, automated integration
Optiv              Threat intel collected from MSSP clients
PhishLabs          Directly sourced cybercrime intelligence
PhishMe            Human-vetted, antiphishing intelligence
Proofpoint         Analyst expertise, global sensor network
PwC                Strategic focus on global and targeted threats
Q6 Cyber           Analyst expertise, underground sources
Recorded Future    Breadth of collection, automated processing
RiskIQ             Breadth of collection, automated processing
SecureWorks        Diverse collection of internal sources as MSSP
SecurityScorecard  Brand protection, third-party risk
SenseCy            Analyst language proficiency, automation
SurfWatch Labs     Individualized analyst services, unlimited RFI
Symantec           Adversarial intelligence, global sensor network
Terbium            Dark-web monitoring, fuzzy hashing of results
ThreatConnect      Analyst-curated, open source intelligence
Webroot            Automated analysis with machine learning
ZeroFOX            Automated collection, machine learning analysis

Intelligence sources (vendor-reported share of collection)

Vendor             Surface web  Deep/dark web  Social media  Sensor networks
4iQ                    15%           70%            15%             0%
AlienVault              1%            1%             0%            98%
CrowdStrike            25%           25%            25%            25%
Digital Shadows        68%           10%            20%             2%
DomainTools             0%            0%             0%           100%
FireEye                15%           25%            15%            45%
Flashpoint             10%           80%             5%             5%
Group-IB                5%           49%             1%            45%
IBM                     1%           36%             0%            63%
InfoArmor              30%           50%             5%            15%
Intel 471               0%          100%             0%             0%
Kaspersky               7%            5%             3%            85%
LookingGlass           30%           26%            13%            31%
Optiv                  60%           10%             5%            25%
PhishLabs               5%           10%            10%            75%
PhishMe                 0%            0%             0%           100%
Proofpoint              0%            0%             0%           100%
PwC                    10%           10%             5%            75%
Q6 Cyber               10%           50%            10%            30%
Recorded Future        31%           24%            11%            34%
RiskIQ                 20%           25%            25%            30%
SecureWorks            12%           11%            11%            66%
SecurityScorecard      40%           20%            15%            25%
SenseCy                15%           50%            25%            10%
SurfWatch Labs         35%           35%            30%             0%
Symantec                8%           15%            12%            65%
Terbium                 0%          100%             0%             0%
ThreatConnect          99%            0%             0%             1%
Webroot                 0%            5%             5%            90%
ZeroFOX                20%           15%            65%             0%

Follow Three Simple Steps When Building A Threat Intelligence Capability

Many Forrester clients question not only the effectiveness of threat intelligence capabilities in the
enterprise but also the cost of products, feeds, and headcount. Fortunately, you can obtain and
demonstrate immediate benefits with your initial investment in three simple steps:

1. Focus on finished intelligence to reduce staffing requirements. You don't need to make any immediate hiring decisions to get started with threat intelligence. Many of the vendors we surveyed provide finished-intelligence-as-a-service, which you can consume immediately. Don't fall into the trap of investing in tactical indicator feeds right away; your organization won't be able to leverage this type of intelligence effectively.

2. Use strategic intelligence and RFIs to understand the threat landscape. Your initial goal with threat intelligence should be to evolve your own security strategy decision making beyond best practices and into informed decisions based on the current and evolving threat landscape. Learn and ask questions. Using this vendor survey, pick a vendor and use an RFI to draw on its reverse engineering capabilities for unknown files. Not only will this new vendor relationship help you understand and communicate threats more effectively, you'll also immediately expand the capabilities of your security operations center (SOC).

3. Look for vendors that collect data from multiple sources. Specific use cases will factor into
your decision making when you develop a complex collection strategy using multiple feeds. Threat
intelligence is a nuanced art form. As you make your initial investments, focus on vendors that
collect and analyze data from a breadth of sources.

As Your Intelligence Capabilities Mature, Target Your Research

As you go through the intelligence cycle, keep an eye on how you can improve the process and overall
output. Armed with an understanding of the threat landscape and how these attacks manifest in your
organization, tailor your collection strategy to operationalize your new intelligence capability. At this
point you will need to bring an analyst on staff to help develop your collection strategy, manage the
intelligence data, and prepare briefings.

Create a risk register to track identified threats to your organization. Your strategic intelligence
capability should produce a document that identifies key risks, actors, and business impact of
these threats.14 Be prepared to address these threats and show how your security strategy is
aligned to reduce these risks. Enrich your intelligence capability by focusing on these specific
threats to your organization. This report outlines many types of finished intelligence offerings to
help you get started.

Deconstruct attack patterns and target intelligence at various stages. Next, invest in raw and finished intelligence offerings to gain more visibility into the threats you've identified. Here's where intelligence from specific sources such as the deep web can help you target the intelligence you're collecting. Use a sensor network to capture events such as domain registration as adversaries are building attack infrastructure. Subscribe to feeds that track the advertising of exploit kits on social media to identify new features and vulnerabilities being exploited. Monitor the resale of stolen credentials on the dark web, not only to identify information leaking from within your organization, but also to stay alert for customers who may be susceptible to credential stuffing.

Understand that no single vendor will be able to serve your needs. Vendors that specialize in collecting from sources like the dark web will offer particular insights that you can benefit from. Other vendors, such as ones with a sensor network that blankets the internet, will collect and report on events in a different time frame and of a different nature. Having diversified sources will allow you to reap the benefits of these perspectives, but you'll need a multivendor solution.

Advanced Organizations Can Respond Aggressively To Threats

The biggest mistake technologists make with intelligence is thinking its something they can just
put into their security information management (SIM) or security analytics platform. While its
understandable to want to get something intelligent out of your SIM, this is not an effective use of this
data, and it will lessen the operational effectiveness of your SOC. Instead:

Manage your threat intelligence in a central location. As your organization begins working with large quantities of intelligence data, it's important to have a place to centralize the collection and analysis of this data. Threat intelligence platforms automate a lot of these tasks and may even integrate with your orchestration tools to automatically enrich alerts, which will make your SOC more efficient.

Perform link analysis on detected threats to hunt for further compromise. The value of tactical indicators is in their relationships. Even without attribution to a threat actor, being able to associate two indicators that were observed in the same time and place allows you to infer that they may be related. Herein lies the challenge of real-time streaming analysis: IP addresses, DNS names, and other tactical indicators are too transient for you to efficiently detect, share, and monitor. Searching historical data for loosely correlated events, however, can expose a wider compromise.
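One way to do that historical search, as an added example not drawn from the report (the telemetry is constructed and the ten-minute window is an assumption): link indicators that the same host observed within a short time of each other, then walk those links outward from a single confirmed indicator.

```python
"""Pivot from one confirmed indicator through historical telemetry.

Added example, not code from the Forrester report. EVENTS is constructed
sample telemetry (DNS lookups, connections, file hashes per host). Two
indicators are linked when one host observed both within a short window;
a breadth-first walk from a seed indicator then surfaces the hosts and
indicators a real-time match on the seed value alone would never reach.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, host, indicator type, indicator value).
# ws-101 and ws-222 talk to the same domain, but the actor rotated the IP
# behind it between the two visits; ws-333 is unrelated benign traffic.
EVENTS = [
    ("2017-05-01T09:00:00", "ws-101", "domain", "update-cdn.invalid"),
    ("2017-05-01T09:00:02", "ws-101", "ip", "198.51.100.7"),
    ("2017-05-01T09:05:00", "ws-101", "hash", "aa11"),
    ("2017-05-03T14:10:00", "ws-222", "domain", "update-cdn.invalid"),
    ("2017-05-03T14:10:01", "ws-222", "ip", "203.0.113.9"),
    ("2017-05-03T14:12:00", "ws-222", "hash", "bb22"),
    ("2017-05-04T08:00:00", "ws-333", "domain", "intranet.invalid"),
    ("2017-05-04T08:00:01", "ws-333", "ip", "192.0.2.50"),
    ("2017-05-09T10:00:00", "ws-101", "domain", "intranet.invalid"),  # days later: outside window
]
WINDOW = timedelta(minutes=10)  # assumed co-occurrence window


def parse(events):
    """Normalise raw tuples into (datetime, host, (type, value))."""
    return [(datetime.fromisoformat(ts), host, (kind, value))
            for ts, host, kind, value in events]


def feed_match(events, indicator):
    """What a streaming feed match gives you: hosts that touched this exact value."""
    return {host for _, host, ind in parse(events) if ind == indicator}


def build_links(events, window=WINDOW):
    """indicator -> {neighbour: set of hosts that saw both within `window`}."""
    by_host = defaultdict(list)
    for ts, host, ind in parse(events):
        by_host[host].append((ts, ind))
    links = defaultdict(lambda: defaultdict(set))
    for host, seen in by_host.items():
        seen.sort()
        for i, (t1, a) in enumerate(seen):
            for t2, b in seen[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted by time, so nothing later can be in the window
                if a != b:
                    links[a][b].add(host)
                    links[b][a].add(host)
    return links


def pivot(links, seed, max_hops=2):
    """Breadth-first walk from `seed`: hop count per indicator and the hosts involved."""
    hops, hosts, frontier = {seed: 0}, set(), [seed]
    while frontier:
        nxt = []
        for cur in frontier:
            for nb, on_hosts in links.get(cur, {}).items():
                hosts |= on_hosts
                if nb not in hops and hops[cur] < max_hops:
                    hops[nb] = hops[cur] + 1
                    nxt.append(nb)
        frontier = nxt
    return hops, hosts


if __name__ == "__main__":
    seed = ("ip", "198.51.100.7")  # the one value a tactical feed handed us
    print("feed match only:", feed_match(EVENTS, seed))
    hops, hosts = pivot(build_links(EVENTS), seed)
    print("hosts after pivot:", hosts)
    for ind, h in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"  hop {h}: {ind[0]}={ind[1]}")
```

The feed match alone names ws-101; the pivot through the shared domain also reaches ws-222, whose contact IP had already changed by the time it was infected.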

Hunt for artifacts of the threat actors associated with your risk register. Understanding your adversary, including their tactics, sophistication, and funding, enables you to defend proactively against a known offense. Knowing their tooling and other attributable information about them allows you to actively hunt for signs of intrusion, reducing your time to detection on events your mitigation strategies didn't identify. You can't do this without strategic intelligence.

Recommendations

Develop A Holistic Threat Intelligence Capability


To successfully detect and prevent cyberattacks, S&R pros must look both outside and inside of
their organizations:


Make strategic intelligence the foundation of your security program. An understanding of the threat landscape allows you to effectively prioritize security spend, focusing on the threat mitigations your organization needs most. Tooling for the adversary will not only decrease alert volume but also ensure that the alerts you do generate are more salient.

Try it before you buy it; ask vendors for sample or redacted reports. These will help you
understand the final work product you are subscribing to. While this recommendation is tailored
more toward finished intelligence, in the age of the customer, external threat intelligence vendors
should be happy to demonstrate the quality of analysis and writing behind their research.

Close the loop with your own internal intelligence. External intelligence provides valuable information about the threat landscape and what is going on beyond your own perimeter. That said, don't neglect your internal sources. Intelligence generated from within your organization is the most relevant and actionable intelligence available to you, and it's free!


Supplemental Material

Companies Interviewed For This Report

We would like to thank the individuals from the following companies who generously gave their time
during the research for this report.
4iQ
AlienVault
CrowdStrike
Digital Shadows
DomainTools
FireEye
Flashpoint
Group-IB
IBM
InfoArmor
Intel 471
Kaspersky
LookingGlass
Optiv
PhishLabs
PhishMe
Proofpoint
PwC
Q6 Cyber
Recorded Future
RiskIQ
SecureWorks
SecurityScorecard
SenseCy
SurfWatch Labs
Symantec
Terbium
ThreatConnect
Webroot
ZeroFOX

Endnotes

1. Source: Kasia Boddy, "Everything ever written boiled down to seven plots," The Telegraph, November 21, 2004 (http://www.telegraph.co.uk/culture/books/3632074/Everything-ever-written-boiled-down-to-seven-plots.html).

2. Source: David Bianco, "The Pyramid of Pain," Enterprise Detection & Response, January 17, 2014 (https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html).

3. While not all cyberattacks are motivated by profit, the ability to make money from cyberattacks warrants the capital investment of time and architecture to perform the attack.

4. Source: Mohit Kumar, "This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera," The Hacker News, April 17, 2017 (https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html).

5. See the Forrester report "Top Cybersecurity Threats In 2017."

6. Source: "Bye Empire, Hello Nebula Exploit Kit," Malware don't need Coffee, March 3, 2017 (http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html).

7. Source: "M-Trends Reports," FireEye (https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html).

8. Source: Steven Petite, "Gamestop.Com Customers' Credit Card Information May Have Been Compromised," Digital Trends, April 8, 2017 (https://www.digitaltrends.com/gaming/gamestop-online-security-breach/).

9. STIX stands for Structured Threat Information eXpression. Source: "About STIX," GitHub (https://oasis-open.github.io/cti-documentation/stix/about.html).

10. Source: "Trojan.Corentry," Symantec, November 26, 2015 (https://www.symantec.com/security_response/writeup.jsp?docid=2015-111823-1849-99).

11. Source: "Longhorn: Tools used by cyberespionage group linked to Vault 7," Symantec Official Blog, April 10, 2017 (https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7).

12. Source: "Pastebin My Alerts," Pastebin, April 17, 2012 (https://pastebin.com/PNxAR80G).

13. Source: "The Intelligence Cycle," Central Intelligence Agency, March 23, 2013 (https://www.cia.gov/kids-page/6-12th-grade/who-we-are-what-we-do/the-intelligence-cycle.html).

14. See the Forrester report "The Risk Manager's Handbook: How To Identify And Describe Risks."
