With each passing year, the threat landscape grows exponentially. In 2021, there were a total of 20,061 vulnerabilities recorded in the NIST National Vulnerability Database (NVD) — 9.3% over the prior year and the most ever recorded of any year since the database began. For those in the business of threat detection, the stakes keep getting higher and figuring out how to get ahead of – or even keep up with – adversaries requires leveraging a multitude of resources and different types of threat intelligence feeds including both open-source threat intelligence (OSINT) and commercial threat intelligence. And while it’s important to use both, many organizations view the options as either/or — OSINT vs commercial — with the upfront acquisition costs being a primary factor in the decision. This blog post weighs some of the pros and cons for each type of threat intel.
Open-Source Threat Intelligence (OSINT)
Open-Source Threat Intelligence legally gathers information from a variety of free and publicly available sources – websites, blogs, online communities, books, public speeches, conferences, images, etc.
As a free source of intelligence that leverages the brain trust of the greater threat intelligence community, open-source threat intel is one of the most widely leveraged types of threat intelligence. As OSINT is the first stage in passively acquiring intelligence, there are numerous ways it gets applied to an organization’s security strategy: Penetration testers use it to profile potential victims to better understand vulnerabilities and risks; Threat hunters use it to understand an organization’s attack surface; Security professionals use it to enrich the internal telemetry gathered from within an organization’s network.
The greatest disadvantage of OSINT vs commercial threat intelligence is also that it’s free and easily acquired. And all the same benefits that defenders can derive from OSINT are also readily available and used by threat actors. Threat actors are notorious for using any available free tools as it helps maximize their profits and OSINT is no exception. OSINT very clearly defines which vulnerabilities are and are not an active concern to analysts, arming the attackers with exactly the information they need about which vulnerabilities to leverage for an attack. Strategically speaking, you won’t get ahead of the adversaries if they have access to all the same details as your security analysts, and you won’t be competitive against other solutions in an over-saturated cybersecurity market.
Another disadvantage of OSINT vs commercial threat intel is the actual cost. Like many solutions that present a low barrier to entry, the bargain price of ‘free’ actually comes at a cost that is likely to nullify any of the cost investment benefits over time. Put succinctly, free is not actually free. As a general point of reference, the hard costs associated with collecting, processing, and analyzing all of the data is, at minimum, more than $1 Million USD per year. And those are just the ‘bare bones’ costs for infrastructure and personnel. There are numerous other considerations and hidden costs when it comes to developing, implementing, and managing threat intelligence solutions. From a cost perspective, it’s critical to understand what your solution will really cost and we recommend reading a recent article that goes into greater detail about the cost of in-house threat intelligence. This article dives into the cost of ‘curating’ OSINT data for use in production environments or security products.
OSINT threat feeds can be an effective way to gain generalized threat information about which industries are being targeted, but its usefulness is extremely limited. However, think of raw OSINT data as ‘pre-curated’ data. Most sources of raw cyber threat data are undependable and lack the quality details like timeliness, verifiability, and low false positive ratios required to turn raw threat data into actionable cyber threat intelligence. So, while you may get some basic level malicious detections which can be used for blocking, without the large investments necessary to perform the ‘curation’ process, you will end up consuming massive volumes of irrelevant data only to generate poor quality data that fail to prioritize the right threats and wastes time and resources investigating stale or irrelevant threats. If the end goal is a reactive approach and to simply block based on threat detections, OSINT is a better starting point than nothing. But if the end goal is proactive detection and response, open-source alone will not suffice as it lacks the visibility and context required to be effective.
Commercial Threat Intelligence
By contrast, Commercial Threat Intelligence has a number of benefits that you won’t find with open-source threat intelligence. Commercial threat intel providers do all of the collection, processing, analyzing, and validating active threats which are then consolidated into digestible format that can be easily integrated into various security tools. Commercial feeds typically leverage a combination of open-source threat intelligence and a variety of commercial feeds. Some commercial feeds have an added value by including proprietary threat detections which are unique to their traffic sources, and therefore, their feed. The inclusion of this proprietary threat data, along with key insights and expertise, can prove to be invaluable when it comes to gaining a competitive edge.
Think of Commercial Threat Intelligence as formula:
Commercial Threat Intel = “Raw OSINT Data” + “Curation” + “Commercial Feeds” + “Proprietary Detections” + “Data Enrichment”
Greater Visibility into Threats, Attacks, and Motives
Commercial cyber threat intelligence provides rich contextual data that can be used to gain a greater understanding of targets, TTPs, attacks, and motives of the attackers. Having a greater technical context, with a focus on the IOCs themselves, related linkages, and whether or not they might be found within an organization’s unique environment, allows defenders to focus efforts on protecting the most high-risk targets. Additionally, having enhanced visibility aids in identifying new threat groups, new malware variants, social engineering techniques, and more.
Faster Detection, Response, and Remediation for Targeted Attacks
Commercial threat intelligence feeds highlight the most critical threats for better threat prioritization and mitigation which reduces alert fatigue and accelerates security outcomes. The higher the quality of threat feeds you put into your security stack (SIEM, SOAR, DNS, SWG, CASB, XDR, SASE, etc.), the more effective and efficient your outcome will be. Many commercial threat intelligence vendors will indicate severity levels for different IOCs and related alerts to help your analysts triage and prioritize threats with ease.
Support Strategic Planning and Investment Decisions
Threat intelligence can also be used for making risk-based decisions regarding things like staffing, technologies, cybersecurity requirements, and ultimately, budgets that support efforts to reduce costs and/or increase the ROI of existing infrastructure. While open-source threat intelligence can be somewhat informative in terms of top-level trends, it lacks the context required to understand exactly how badly a particular threat might affect your environment and how to mitigate the impact.
Evaluating Threat Feeds
When it comes to evaluating threat feeds, regardless of whether those feeds are OSINT vs commercial threat intel, below are a number of guidelines to keep in mind and weigh against the outcome you are trying to achieve. For vendors that are simply looking for a basic blocking approach, some of the criteria below will be less crucial. Vendors who choose to pursue a maximum protection model that will support both threat detection and response are advised to critically evaluate the key areas below as these will make or break your solution.
- Threat Detection Speed. How quickly are new and emerging threats detected — hours, days, longer? While the average time to detect can be tricky to pinpoint, it can be evaluated by measuring one threat feed provider against another. It goes without saying, the fastest time to detect is crucial to threat protection.
- Accuracy. While the fastest time to detect may be a leading priority, it should not be considered independently of accuracy. A lack of accuracy, or high false positive rate can ultimately work against you.
- Coverage. Your visibility into the threat landscape, and ability to protect users and endpoints, depends on having extensive coverage of the ActiveWeb and global clickstream traffic.
- Curation vs Aggregation. Data curation itself is another fuzzy definition. There are threat feed providers claiming to curate threat feeds, but what they are really doing is aggregating a selection of feeds, as opposed to actually curating the data that comes from those feeds to have maximum coverage with the lowest possible amount of false positives.
- Content Classification. A premium domain database will also have excellent coverage for all forms of objectionable and other content, providing the vendor with the opportunity to offer content-based filtering to supplement the phishing and malicious threat protection.
- Real-Time Detection/Update Capability. What constitutes ‘real-time’ in terms of technology applications can vary from minutes to hours. It’s important to understand how each threat feed provider defines real-time detections, as well as real-time updates (the time between which a threat is detected and the time that threat propagates to deployments).
- URL Level for Blocking. It’s important to have the ability to filter and block URLs at various levels depending on the implementation — domains, subdomains, IPs and full-path. In some cases, blocking at the domain and subdomain is perfectly fine. Other times, full-path URL blocking is necessary to protect against threats more deeply embedded in commonly whitelisted sites like google docs, Dropbox, etc.
When it comes to OSINT vs commercial threat intelligence, it’s important to know that each serve a purpose depending on who is using it, and how it will be applied, and the expected outcomes required. And while OSINT is better than nothing, and it does offer a certain amount of value in terms of enriching your internal telemetry, free intel comes at a high cost and it simply isn’t enough to really protect against the current threat landscape.
zvelo Threat Intelligence vs OSINT | Threat Intelligence Comparison and Cost Analysis
An analysis of the data, costs and business justification for zvelo threat intelligence vs open-source threat intelligence (OSINT).