A core part of my teaching at Paralus is guiding attendees toward mechanisms for fusing internal telemetry and understanding with external data sources and feeds to arrive at a more robust understanding of threat actor operations and behaviors. This perspective is reflected in my work on intelligence production and development as well, such as intelligence “pivoting” and treating technical indicators as “composite objects.” Historically, for many organizations the primary obstacle to achieving this perspective was the availability of and visibility into internal data sources, due to telemetry limitations or constraints on data capture, storage, and search capability. Meanwhile, external feeds of intelligence information, such as on malicious file or network objects, merely required a subscription and either familiarity with dedicated search consoles or APIs for functionality. Both have costs, but the external feed cost was typically more transparent than the much more complex issue of security engineering and visibility for internal sourcing.
Now, things have changed. Many organizations, especially more mature security programs, have implemented SIEM and SOAR solutions combined with endpoint and network telemetry gathering to dramatically enhance both collection and search of data. While the expense of such programs is non-trivial, they roll directly into security program functions (and increasingly, necessities), making them obvious areas for maintenance and continued investment. Organizations may attempt to economize on these items, but eliminating them entirely while maintaining a modern security program is difficult to outright impossible.
Conversely, external data feeds, while certainly improving in depth and capability, are becoming more difficult to work with or justify. More data, whether malware samples or enriched network infrastructure information, is available than ever before. In isolation, this enhanced availability may seem quite good. However, the cost of such data is rapidly becoming prohibitively expensive. Six-figure licensing costs in US dollar terms (and not low six figures) are rapidly becoming the norm for robust use cases, in many cases matching or even exceeding the cost of the analysts who would use such data. Making the case for subscriptions to commercial data feeds for threat intelligence information is thus becoming more difficult due to price considerations, especially as day-to-day security operations costs (which arguably have a more obvious and necessary pay-off) also increase.
However, we must also consider the payoff of such data feeds in operations. Many adversaries, and especially many of the most concerning entities from Volt Typhoon to Scattered Spider, are moving away from classic indicator-rich operations full of custom malware samples or easily trackable network infrastructure characteristics. In their place is the use of “living off the land” mechanisms or proxy networks of compromised third-party infrastructure. These items are trackable, but require considerably more effort (and data) to enable successful operations, boosting the cost of threat intelligence enrichment to levels that may be unsustainable for many organizations in terms of both time and money.
We thus arrive at a position where the cost of external feeds is rising to eye-watering levels just as their utility is also potentially in question. From an intelligence analyst perspective, this is truly unfortunate, as options still exist for tracking adversaries across available signals, but the subscriptions necessary to do so effectively (especially multiple such sources) may no longer be a justifiable spend in many cases. That the providers of such data continue to increase costs thus seems curious—while likely explainable to a degree given the vast expansion in data collection and processing, continued movement in this direction will almost certainly result in such feeds and services catering to an ever smaller market of entities.
Two observations emerge from the above considerations. First, threat intelligence practitioners must become more creative in data sourcing and use. The days when a shop could potentially afford multiple, overlapping feeds to inform file and network investigations are disappearing (or have already passed) for all but the most well-resourced entities. As a result, program managers will need to prioritize what makes the most sense to invest in relative to internal capability, and look for low (or no) cost opportunities to fill gaps where possible. Second, the commercial threat data providers need to determine where their businesses are going in terms of not just customer base, but also long-term sustainability. Determining whether such businesses remain viable in a field where only the Fortune 50 and some governments are able to afford their services will be an important question. It may very well be the case that emerging market dynamics mean only a handful (or just one) of entities can sustainably operate in any specific telemetry area given increasing costs and a shrinking customer base.
From the perspective of security program managers, the days of robust internal intelligence programs that can leverage external feeds for in-house fusion analysis may be ending for all but the wealthiest entities. In their place, reliance on third-party intelligence functions that can aggregate across customers to justify the cost of commercial data sources may become necessary, shifting the work from internal analysis to consuming externally produced intelligence. In this state, the majority of programs may only need a CTI function capable of orienting such information to internal needs and applications. Notably, this need not be a dedicated CTI analyst, but can instead be CTI-aware persons on the security operations team or similar who ingest and apply externally sourced information to the defended network.
In terms of economies of scale, the above approach makes sense, especially in an environment where contracting and outsourcing remain strong trends across many industries and functions. The CTI “boomlet,” in which many organizations thought it made sense to invest in an internal, dedicated CTI function, may thus be ending due to cost, to be replaced with outsourced CTI functionality housed in a number of large consultancies, dedicated providers, or consortiums such as information sharing and analysis centers (ISACs). Where matters are uncertain is what such a development would mean for the actual security outcomes of organizations that can no longer justify nor afford to maintain an internal CTI function capable of fusion and similar analysis.
On the one hand, entrusting specialist organizations with CTI work may be highly beneficial in outcome, as the resources freed up from duplicating capabilities internally could be reallocated elsewhere in the security program. Given the shifts in adversary behavior toward harder-to-track actions, from living off the land methodologies to identity-focused attacks arising from social engineering or other vectors, replacing (some) CTI cost with investment in resilience, visibility, and business continuity may make perfect sense for improving security outcomes and increasing organizational durability.
On the other hand, reduction of CTI functions to a handful of commercial third-party providers and the few very large, well-resourced organizations that can afford an independent program seems suboptimal. A drop in diversity would presumably result in fewer opportunities for new, emerging, or unique analytical outcomes. There is also the consideration of fewer overall CTI opportunities for analysts, which we may already be seeing (at least in North America) in the job market.
Overall, the economics of security, along with those of data collection, ingest, and processing, may be rapidly pricing many organizations out of effectively participating in core functions of classical CTI activity. In their place, organizations will either need to place more focus on purely internal sources for analysis, combined with open/free sources and perhaps one or two commercial feeds, or abandon internal CTI functions entirely and outsource this analysis to commercial analysis providers or similar. What this means for security is indeterminate at the moment, but that things “will change,” if only due to extreme cost pressures, seems clear. Whether there are as many CTI analysts five years from now as there were merely two years ago remains a very open question.