10(ish) Questions to Ask Every Threat Intelligence Vendor
In this episode of the Dr. Dark Web podcast, we share the top 10(ish) questions to ask yourself and your CTI vendor.
Episode Summary
Picking a good cyber threat intelligence vendor is an important decision. And you’ve got to prepare some strategic questions to ask your potential vendors if you want to make sure you end up with a reliable and professional partner.
But first, you have to know yourself; most importantly, you have to know your WHY.
Key Insights
Know thyself. You should know your main goals and motivation before picking a threat intelligence vendor. One of the most important questions to ask yourself is why you are doing what you’re doing. “For me, the top things are — there are two real big ones. And the whole point of the ‘why’ comes down to a couple of different things. Are you doing it for efficiency? In other words, we don’t know what we don’t know, and we want to understand it. And how do we do it in the most efficient way possible? So that’s part number one. Are we doing it for visibility and awareness? In other words — back to the ‘we don’t know what we don’t know’ — if we’re going to put our head above the parapet, how do we actually tell what’s useful, usable, scalable, and actually effective to help with? […] Then the other big one is basically justification. So if you’re looking at next year’s budget or you’re looking at even going through this year’s or when your fiscal year ends or headcount — if you’re having to justify, to some degree, your existence — understanding internal and external threats, the threat actors themselves, and the risks associated with them is a really good way to start on that ‘why are we doing it’ exercise.”
Strategic, tactical, operational, OR other types of intelligence? The next step is to determine what type of intelligence your potential vendor can provide and the multiple sources it collects data from. Also, think about what type of intelligence matches your goals. “Strategic. How are you looking at the market itself? How are you looking at geopolitical areas? How are you looking at critical infrastructure and the threat landscape as a whole or whatever your area is? Tactical. Well, what the heck is going on? APT group, ABC, Cozy Bear over here, and a whole bunch of Muppets in a different direction. What the Smurf are doing is great to know for incident response and to prioritize threats, but then you’ve actually got to bring in, ‘Well, why do I care?’ And then operationalizing that data as well is that other part of it. In other words, you’ve told me that IP sucks. Well, why? For how long? How long has it been? What’s happened with it, and what the heck am I going to do with it?”
Whose data are they collecting, where are they getting it from, how, and is it in real time? The following questions revolve around data collection. “All of this is information that you need to understand what they’re collecting because if you understand what they’re collecting, you could also understand what they’re missing. […] So the data is another interesting one. Take a messaging stream — this is a perfect example of what kind of data. Are they collecting 24 hours’ worth of messaging? And how can you disseminate what’s good, bad, and what’s ugly, and how are they doing it?”
Top 10(ish) Questions to Ask
Why are we doing it?
Who’s the consumer of the data we will produce?
Do I want (and do you have) strategic, tactical, operational, OR other types of intelligence?
Whose data are you collecting, and is it in real time?
Where are you collecting it from, and are you collecting it from multiple sources?
How are you collecting it, and how are YOU sorting the woods from the trees?
What context are you providing along with any raw threat data?
What do your threat intelligence platforms support? (commercial, open source, community, internal, etc.)
Can I customize the inbound data? If so, how?
How (if at all) are rankings, scoring, or risk metrics applied? (Method, madness?)
What happens if I want more threat intelligence platforms, systems, seats, etc.?
Where’s MY data kept? The stuff I’m building (or you are) about MY company? (the intel packet?)
Talk to me about your methodology (Plan, Collect, Process, Analysis, Dissemination, AND Feedback)