Experts often say every cyber threat intelligence team needs a threat intelligence platform, but what is it really and how do you choose the best one for your company? Andreas Sfakianakis, in his recent SANS Institute CTI Summit 2021 talk titled “Excelling at Threat Intelligence Platform Requirements,” inspired us to take a deeper look.

Why a Threat Intelligence Platform Is Necessary

A threat intelligence platform allows cybersecurity researchers and analysts to scrutinize published indicators of compromise (IoCs) using their entire stack of security solutions and systems. It also lets them enrich IoC lists and share their findings with peers in real-time. In sum, the platform is useful throughout a threat’s entire life cycle within an infected or compromised network. It provides detailed information on the threat’s every movement from the time it entered a network to identification, analysis, and removal.

Organizations use threat intelligence platforms in every stage of the intelligence cycle depicted in the right image.

How to Choose the Right Threat Intelligence Platform

Sfakianakis identified what users should expect from their threat intelligence platforms in each phase of the intelligence cycle, which he described in great detail in this spreadsheet and we summarized below.

• Planning and direction setting: A threat intelligence platform should be able to collect and manage identified production, intelligence, and data collection requirements. They should identify knowledge gaps and key performance indicators (KPIs) for each intelligence cycle stage. And they should be able to easily provide stakeholders the necessary threat information.
• Data collection: Threat intelligence platforms should be able to collect threat data from various sources, regardless of format and means. This information should include tactical, operational, and strategic intelligence from internal or external sources. More advanced platforms should be configurable to gather data automatically, securely, and in accordance with regulations. The data volume should not matter. Users must be able to search for the intelligence they need from the repository.
• Data processing and system exploitation: A threat intelligence platform should be able to normalize all stored data in a common format, standard, or model so it can be correlated with other information. It should have the capacity to link together indicators, campaigns, threat actors, and relationships. More advanced platforms should be configurable to apply custom tagging and marking manually or automatically. They need to be able to keep track of what and how much data is shared and with whom. The information it processes should allow for enrichment using WHOIS, Domain Name System (DNS), and passive DNS records, along with malware, sandbox, and passive Secure Sockets Layer (SSL) intelligence. Data processing should support data fusion, clustering and analytics.
• Threat analysis and solution creation: Threat intelligence platforms should provide a human interface and support strong end-user authentication. All of their functionality should be accessible through this interface. Their application programming interfaces (APIs) should be easy to configure and modify if needed. Analysts should be able to create custom workflows on the platforms. The platforms should have a built-in communication application for knowledge sharing and stakeholder collaboration. They also need to have tasking, alerting, and logging capabilities. Users should be able to create graphs using the platform’s interface. The platforms should be integrable to standard tools, such as Maletgo, and relate tactical to strategic intelligence. Users should be able to monitor operational intelligence and threat bulletins with them as well. The platforms should be able to build and manage a threat actor library and register relevant tools, tactics, and procedures (TTPs). They need threat actor, campaign, incident, and topic management and tracking capabilities. In sum, they need to help analysts prioritize IoCs and threats.
• Solution dissemination: A threat intelligence platform should allow users to share information easily with internal and external stakeholders. It should be able to exchange data, regardless of standard and model. Users should be able to receive notifications and reports from it periodically. To do that, the platform should support standard transfer protocols for threat information exchange while considering the level of access the recipients have.

Only by knowing your company’s cybersecurity requirements can you choose the right threat intelligence platform. Today’s platforms, however, may have limited support for the entire threat intelligence cycle but you can lessen your chances of making the wrong choice by following these recommended steps:

Threat intelligence platforms should match enterprises’ needs, use cases, data sources, users’ technical expertise, and budget. You can refer to the guide Sfakianakis created as a baseline. The ideal threat intelligence platform has all the functionality mentioned in the spreadsheet.