Industry Innovators 2016: Cyberthreat analysis and intelligence
Cyberthreat analysis and intelligence has become a staple of next-generation security tools. As a group by itself, however, it contains some of our most noteworthy Innovators. In fact, it is not uncommon for these tools to provide the threat feeds that drive other products incorporating threat intelligence. Over the past two or three years, as these tools have evolved, we find that they are coalescing into a couple of types.
First, there are what we call the bits and bytes tools. These pass digital data in a more or less structured format. An example of these tools would be products that analyze malware using next-generation techniques and then pass those data to other tools to be incorporated into their analysis along with other threat feeds.
The second type usually is more unstructured in its data types. In reality, it is usually a mix of both structured and unstructured data. However, its value comes from its content, which almost always is predominantly unstructured. These data come from a variety of sources that fit into two major categories: open and closed source. Two of our Innovators in this section cover one of each – one open source and one closed source.
The methods for collecting data range from screen scraping – the main source for open source data – to human intelligence – humint – which requires boots on the ground in the underground forums and is the main source for closed source data. As one of our Innovators explained, for open source it's all about the data, but for closed source it's all about the access.
The bits and bytes folks pretty much all have APIs that allow connection directly into their analysis engines. One of the more popular uses for this is Maltego, an internet link analyzer that is free in its community edition and commercial for corporate use. These APIs allow Maltego to incorporate the source's data in its analysis. Interestingly, there also are APIs for the two free-form tools we assessed this year. And, not surprisingly, they both can feed Maltego – among many other analysis tools.