Open-Source vs. Commercial Threat Intelligence

During my latest on-demand webinar, “How to Maximize Value From Your Threat Intelligence (TI) Program," Merritt Maxim, Forrester Vice President and Research Director, and I fielded a question from one of our listeners that I thought was worth expanding upon.

The question was: “I have integrated several open-source threat intelligence feeds into my security information and event management (SIEM) platform. What is the value of purchasing threat intelligence from a commercial firm?"

As the Senior Product Director of Threat Intelligence at Rapid7, I found this question fascinating to ruminate on, and it's worth discussing the differences between open-source and commercial threat intelligence and why both are important to your overall cybersecurity strategy.

A Look at Open-Source Threat Intelligence

For starters, there are two primary advantages of open-source intelligence:

1. It pulls on the diverse expertise of an entire community of security professionals who are willing to work together to build out the intelligence you can leverage.

2. It's free.

That said, because open-source intelligence platforms are free to use, that means anyone can access the information. As a result, some threat actors may tap into that data to understand what vulnerabilities are not being focused on by the community and take advantage of those overlooked exploits, essentially hitting organizations where they may least expect it.

What Are the Advantages of Commercial Solutions?

There's no getting around the cost factor of adopting a commercial threat intelligence (TI) solution, but that cost comes with clear advantages. Having worked in the space for so long, I've recognized that there are three key areas where you can get major value from a commercial TI solution like IntSights, and those are:

1. Visibility

2. Triage

3. Context

Let's take a closer look at each.

Expanding Your Visibility

When you only look at feeds streaming to your SIEM for specific vulnerabilities, as is often the case with open-source feeds, you're missing all the threats that can be identified on the dark web or on the surface, which can provide you valuable intelligence to prevent future attacks.

With a more robust solution in place, instead of waiting for a threat actor to attack you and then identifying the exploit based on indicators of compromise (IOCs), you can identify when your credentials are out there before they're even being used within your environment. You can also scan for specific vulnerabilities: For example, you could identify and block a phishing domain before you're being targeted by a spear phishing attack.

This level of coverage is broader and more expansive than what a select open-source community can focus on, providing you with more holistic threat intelligence and enabling you to be more proactive, rather than reactive, with your security actions.

Improving Triage

Often, you may receive alerts from your environment or in your SIEM that need more context. Are the indicators within this alert high-severity or low-severity? Has anyone ever found them to be malicious, or are they benign?

This is where commercial threat intelligence comes into play: It can provide severity levels for IOCs and related alerts, which can help you triage and focus on what's really important for your team to address.

The same goes for triaging vulnerabilities. Keeping up with the amount of vulnerabilities out there today is proving more difficult with each passing year. In 2020, for example, more than 18,362 vulnerabilities were documented — a 6% increase over 2019 and a 185% rise from just five years prior. With so many vulnerabilities to triage, it's hard to know where to start, and that's why you want — and need — to know how these issues rank in terms of severity or priority.

Threat intelligence can also help you understand what threat actors want to leverage and what is being talked about and exploited the most at the moment, which can help you with triage. It can also reduce the number of false positives you have to sort through.

Delivering Better Context

Many times, when you see an alert within your environment or identify a specific vulnerability, you need even more intelligence context to know what action you need to take next.

For example, if you know an alert is related to a specific malware, then you have a lot more tools at your disposal with a commercial solution. By seeing how you were affected by this malware, it can inform how to handle threat hunting. This will provide more focus and understanding for your next steps.

Level Up Your Threat Intelligence Capabilities

The advantages provided within the three key areas of visibility, triage, and context make a world of difference when it comes to the effectiveness and efficiency of your organization's threat intelligence efforts, and that's why you should consider partnering with a commercial provider.

That said, leveraging open-source intelligence feeds is a great way to start with TI, but it certainly shouldn't be the endgame of your TI strategy. It can provide a good jumping-off point — for example, maybe you can utilize open-source insight to lock down certain vulnerabilities that are particularly high-risk for your industry. But for more comprehensive coverage, you should combine these efforts with a solution that comes from an experienced commercial provider for better overall intelligence.

It's not about which one is better than the other — it's more about how they can be leveraged in tandem to level up your threat intelligence capabilities, enhance your cybersecurity strategy, and better protect your organization from threats.

Curious to learn more about growing your organization's threat intelligence capabilities? Listen to our full on-demand webinar, “How to Maximize Value from your Threat Intelligence Program," or contact us at Rapid7 today.