Get smart about threat intel tools and services

alphaspirit - Fotolia


How to use threat intelligence metrics to attain relevant data

Threat intelligence services can be valuable, but enterprises must first determine the right threat intelligence metrics. Char Sample explains the best ways to achieve this.

Threat intelligence is a large and expanding area in the ever-growing field of cybersecurity. The growth of the...

field promises a rush to spending on threat intelligence services, much like the spending witnessed with the advent of intrusion detection and prevention systems, firewalls, VPNs and other security products.

To begin the threat intelligence process, threats must be placed in the proper perspective as functions of risk. It is important to attain accurate and relevant threat intelligence metrics. The first step in the process is obtaining a thorough understanding of the organization's environment.

Understanding your organization's environment requires a deep knowledge of its current vulnerabilities and their relationship to the organization's risk profile. This understanding must be in place before threat intelligence gathering and threat analysis begin. Why? Because the threat intelligence metrics used must be relatable in order to be relevant.

Understanding the risk and success profile, preferably in quantitative terms, enables the problem to become bounded. A bounded problem is a key component to making threat intelligence metrics meaningful. Furthermore, when the problem is unbound, usually due to the organization having an improper understanding of risk and success, a perspective emerges where every threat by each threat actor is improperly assessed and prioritized. In some cases, this creates problems where none previously existed.

Bounded threat intelligence metrics

Attaining bounded threat intelligence metrics in an unbounded environment is tricky, but not impossible. Even a basic risk analysis will provide the input necessary for this first step. The risks that are found can be thought of as the "known bad" or risky. The areas that are "known good" can also be quantified. Ultimately, the quantified understanding of your organization's home environment is necessary for accurate and effective threat metrics.

Dependency modeling provides the most accurate approach (this will be discussed in a future article). Thus, the first unit of measurement comes from examining the threats against existing vulnerabilities, along with the cost. The goal here is to understand the exact cost of a breach. The next step is putting the threats in perspective.

While many organizations like to gather metrics relating to their specific industry vertical, the real goal is to continue operations and resist the threats while maintaining awareness of their existence.

Moving to the actual threat metric, the desire is to first weed out the echo chamber that occurs when multiple feeds report on the same actors and events. In an effort toward increased efficiency and accuracy, those who use multiple threat intelligence services can track the date/time distribution of threats. When matching threats are identified and distributed, they should be captured (date/time, threat actor and exploit identified) and tracked against competitors. The two metrics of most interest are the time of distribution and its relevance to the existing identified risk areas. This will help you determine which vendors provide information in a timely manner and help enterprises reduce the noise, and help you to understand the relevance and importance of the feed.

Measuring success

The next, and possibly the most important, metric is how the organization is performing with regard to the threats. While many organizations like to gather metrics relating to their specific industry vertical, the real goal is to continue operations and resist the threats while maintaining awareness of their existence. Thus, one of the most overlooked metrics is how many of the identified threats are attempting to exploit the organization's existing vulnerabilities. An early indicator in many cases occurs when the threat actors attempt to perform reconnaissance on secure services. Therefore, knowing how many attempts were repelled would be a worthwhile.

Of course, a 99% repel rate still fails if 1% of attacks get through, but all of the activity needs to be placed in the risk and cost perspective. Assuming the dreaded 1% success creates a breach situation, the next metric will involve the restoration metric. How much time is required to actually restore the system(s) to the original clean version with the necessary patch in place?

In addition to tracking the typical date/time of an entry, discovery and action metric, it's important to pay attention to the vector class and the actor data. Information indicating whether the attack came from internal or external sources is very important, as is the nature of the attacker. For example, a successful phishing scheme typically involves an uninformed insider with an external originator. These actors need to be captured in their groupings in order for the threat actor metrics to have value.

Discovery time and time to determine the extent of the damage also require tracking. Ultimately, this metric, along with the other identified metrics, should be tracked over time. At a minimum, quarterly tracking should be performed for those sites that may lack the resources for a threat intelligence metrics team. Other, more resource-intensive sites may want to track metrics weekly, so that trends may be tracked along with the typical weekly, monthly, quarterly and annual reports.


There are many aspects to threat intelligence metrics, and the level of depth an organization wishes to invest into threat metrics largely depends on the value of their assets. Threat analysis services lack the customization that individual sites need, but they have the resources that many small to medium-sized businesses lack. Larger organizations can, and should, invest in a threat metrics team, complete with data scientists who can not only examine the threats to an organization, but who can also incorporate the role of other data, such as geopolitical, economic and natural disaster data, into the mix.

Whether the organization is large or small, threat intelligence metrics must track existing risk areas. Thus, all of the work should begin with a detailed, quantitative understanding of risk in the organization's environment. Only then can the obtained threat metrics provide meaning and value.

Next Steps

Read more on threat intelligence services in this Buyer's Guide

Find out how advanced security analytics is used in enterprises

Discover the best ways to create an enterprise risk management plan

This was last published in December 2016

Dig Deeper on Risk assessments, metrics and frameworks