Threat Intel vs. Adversary-Generated Threat Intel : What’s the Difference?

The numerous threat intel products on the market all promise to reduce risk, prevent loss, and increase efficiency—yet attacks continue to rise and security teams just are not getting the results they were promised and expected.

Generic Doesn’t Cut It — Close the Expectation Gap with Adversary-Generated Threat Intel

The Gartner report, Use Adversary-Generated Threat Intelligence to Improve Threat Detection and Response, attributes this expectation gap to the fact that most threat intelligence offerings are based on “generic” threat intel[1]. This includes intel about general attack vectors, indicators of compromise (IOCs), and TTPs. Generic threat data is gathered globally, interpreted widely, and applied broadly to a wide range of organizations and environments. Having some threat intelligence is better than having none, but for most organizations, it isn’t specific enough to make important security decisions. Worse, it leaves vital questions unanswered, like:

• Are my existing controls effective against nation-state-level attackers? Have we prioritized defenses correctly for our most critical assets? 

• Should we defer planned projects or take budget from another area to strengthen our defense or response capabilities? 

• And, gravest of all, is there already someone targeting us or operating covertly in our environment?

“Most threat intelligence offerings are based on “generic” threat intel,  but this is not enough for organizations to make important security decisions”

For these reasons, Gartner analyzed the value of gathering adversary-generated threat intel. Adversary-generated threat intel is a type of threat intelligence delivered directly to you by the attackers themselves as they target assets and operate in your environment. While they test tools and attempt to move through your network, every action is seen, documented, and analyzed. Adversary-generated threat intel is uniquely useful because it:

• is unique to your attack surface.

• can be delivered in real time.

• provides you with operational intelligence, such as IOCs and malicious IP addresses, as well as attacker TTPs—enabling you to detect and respond to adversary threats faster.

Cyber Deception Delivers Adversary-Generated Threat Intelligence

How can you gather this revolutionary type of threat intelligence, and do so safely? 

Deception technology enables you to detect threat actors before they attack or in the midst of an attack. Cyber deception is the deliberate deployment of highly credible—but fake—digital assets. Digital “breadcrumbs” lead adversaries to these fake assets, which they begin to interact with as they test their tools against your defenses. Unbeknownst to them, every move and every decision is captured in deception environments that allow you to observe and collect this adversary-generated threat intelligence.

“Adversary-generated threat intelligence can be fed directly into your existing tech stack.”

Cyber deception, when done correctly, confuses and misdirects attackers. They don’t know they’re operating in an instrumented environment, even if they test assets for credibility to ensure that they aren’t in a sandbox or emulated environment. As the actor interacts with deceptive assets, their activities generate real-time intel. That intel can be fed into Security Information and Event Management (SIEMs), Endpoint detection and response (EDR), Extended detection and response (XDR), and other tools to improve detection capabilities and enable a rapid, targeted response.

Deception-based solutions can deliver the adversary-generated threat intel described by Gartner. Organizations of all sizes and levels of security maturity can benefit from deception’s fast, accurate detection and prevention capabilities, automation, high-fidelity alerts, and a lack of false positives.

If SIEM, EDR, or XDR solutions are in place, a deception-based solution is even more effective at providing adversary-generated threat intelligence, providing a cost-effective way to deploy campaigns that map attackers before they get into the network. Deception enables them to fuse prevention with detection for a single, in-depth solution. 

It’s not just cutting-edge systems that can generate this type of threat intel. Solutions can be deployed in operational environments (SCADA, OT, IoT) where traditional security tools are not viable options. Automated deception campaigns can help teams map adversary behavior and objectives to gather data on multiple threat types for making decisions that reduce costs and risks.

Faster Detection of Real Threats: Here’s What Happened at one Financial Institution

World-renowned financial institutions, government bodies, pharma, retail, industrial, and law-enforcement agencies are defending their organization with adversary-generated threat intelligence. One Financial Institution used a deception based solution and resulting intel to detect lateral movement in a SWIFT network.

Using the deception-based solution, the Financial Institution was able to detect and respond to an adversary quickly—before any other internal systems detected it. Current IT controls, EDR, and intrusion detection systems (IDS) can’t detect an adversary already moving laterally in the network. Within two weeks of deploying the deception-based solution, it alerted teams to a red team and unauthorized users accessing a SWIFT portal five times within an hour. However, this SWIFT portal was a decoy, allowing the security team to gain adversary-generated threat intel that was specific to the bank’s actual environment—TTPs, intentions, and motivations. With this valuable data, they were able to respond quickly. The data enabled them to review policies, harden security in their SWIFT environment, and provide strategic communications to bank executives and board members. 

Adversary-generated evidence is the best intel available. Deception enables you to detect and respond to adversary threats faster with highly specific, actionable intelligence. You can begin using deception immediately to reduce the risk of a damaging intrusion.

If you’d like to learn more about deception-based solutions and best practices, reach out to the SafeHouse Initiative organization.