The annual SANS Cyber Intelligence Survey always provides interesting insights into how organizations are using cyber threat intelligence (CTI). In this blog, we take a look at some of the key insights from this year’s survey.
CTI Use Continues to Expand
The use of threat intelligence continues to expand. This is not surprising given the sustained increase in the size and sophistication of attacks. Over the last few years, we have seen numerous high profile and high impact attacks like the SolarWinds supply chain attack and Log4j. The recent conflict between Russia and the Ukraine has only served to heighten concerns about the potential for increased cyber attacks.
CTI is becoming a critical component of organizations’ cybersecurity efforts because it provides valuable information about the threat environment. Security teams are using threat intelligence because it increases visibility into threats and significantly improves prevention, detection, and response efforts.
While CTI has historically been heavily used by large enterprise organizations with significant resources, its use continues to broaden. For example, this year’s SANS survey saw a significant increase in respondents that work for organizations with fewer than 1,000 employees and a significant increase in respondents from the education sector.
Phishing & Ransomware Threats Remain a Top Concern
Not surprisingly, phishing and ransomware threats remain a top concern. The survey points to email-based threats as remaining a significant entry point for adversaries to gain access to a network. Email is commonly a key component of phishing attacks. Ransomware also remains a top concern with organizations not just worried about direct exposure to ransomware attacks but also indirect exposure given interconnections with third-party partners, suppliers, etc.
External Threat Intelligence Continues to Be a Top Source of Cyber Intelligence
As far as where organizations are sourcing cyber intelligence, external sources continue to be the top sources. For example, threat feeds from CTI-specific vendors continue to be at the top of the list with open source threat intel (OSINT) and community or industry threat intelligence (i.e. ISACs and ISAOs) also ranking high. The largest growth in sources in this year’s survey was external reporting sources, such as media reports and news. This is likely a function of the increased volume of high profile attacks garnering media attention.
Source: 2022 SANS CTI Survey
A key takeaway from the survey data is that all of these external sources of threat intelligence rank ahead of using threat feeds from general security vendors. This is an important point because it validates the increasing importance of using external cyber intelligence to protect against modern threats.
CTI Adds Significant Value to Organizations’ Security Efforts
75% of respondents confirmed that CTI was helping their organizations improve prevention, detections and response. As far as the types of CTI organizations found most useful, the top five included:
- Detailed information about malware being used in attacks
- Information about vulnerabilities being targeted by attackers
- Broad information about attacker trends
- Specific threat behaviors and tactics, techniques, and procedures of adversaries
- Specific indicators of compromise (IOCs) to plug into IT and security infrastructure to block or to find attacks
The survey also pointed to 46% of respondents integrating threat intelligence within their defense and response systems, which was up meaningfully from 41% last year.
The 2022 SANS CTI Survey reinforces the fact that threat intelligence adds broad value to organizations across the cybersecurity spectrum. It can be used proactively to help prevent attacks but it also can be used to improve threat detection and response.
This aligns well with our vision at ThreatBlockr and the capabilities of our SaaS-based platform. ThreatBlockr uses large volumes of cyber threat intelligence from multiple sources to proactively block threats on your network. This includes cyber intelligence from multiple sources including commercial, open source, government, and industry sources. Organizations are increasingly using ThreatBlockr as a critical component of their security component and as means to actively defend their networks against today’s modern threats.