SANS: 2022 Cyber Threat Intelligence Survey Report (English version, 13 pages, PDF)

SANS 2022 Cyber Threat Intelligence Survey
Written by Rebekah Brown and Pasquale Stirparo
February 2022
2022 SANS Institute

Executive Summary

Two major cybersecurity events that showcased the role of cyber threat intelligence (CTI) in network security operations bookended this year's survey. The SolarWinds software supply chain attack [1] broke as we finished up the 2021 survey, and the Log4j vulnerability response process [2] was in full swing as we worked to wrap up the 2022 survey. Both events highlighted the need to rapidly gain situational awareness, contextualize vast amounts of shared information, and prioritize remediation of significant threats.

The 2022 SANS CTI survey shows that many CTI programs can meet the challenge. While some programs are just getting started due to increased cybersecurity needs and a growing, complex threat environment brought on by the rapid shift to remote work, organizations can rely on CTI providers and information-sharing groups to fill in gaps as their programs mature.

Key takeaways:

- More organizations are beginning to develop their CTI capabilities, with an increasing number of respondents reporting that they are early on their CTI journey, still developing processes and going through the same growing pains that many robust CTI programs previously faced.
- Several promising trends from past years, such as collaboration between CTI teams and business operations groups, have been in decline since the shift to remote work in response to the COVID-19 pandemic. It takes effort to build bridges, and coordination that was already not intuitive or ingrained when organizations were primarily in person may be even more difficult now.
- An important percentage of respondents, 21%, said that they could not measure whether their CTI program was indeed useful and valuable to their organizations. This result highlights the need for more and better ways to measure the effectiveness of CTI programs, the tools, and the sources: a call to action for practitioners and vendors alike to find better and easier ways to measure CTI success.
- Threat intelligence platforms are still not the main tool used by CTI teams (they are not in the top four), with "spreadsheets/emails" leading the way once again, while one out of two respondents still prefers homegrown CTI platforms. Reasons behind this may differ, but vendors can certainly improve analysts' experiences by continuing to understand use cases and sharing more of the requirements between practitioners and vendors. The encouraging trend in response to this is the small increase in commercial and open source CTI management platforms with regard to automation/integration.

[1] "A Worst Nightmare Cyberattack: The Untold Story Of The SolarWinds Hack," www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack
[2] "Apache Log4j Vulnerability Guidance," www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

This year we had representatives from more than 200 organizations participate in our Cyber Threat Intelligence Survey. These organizations spanned multiple sectors and were of various sizes, but we did see some interesting trends in responses this year. First, we saw a significant increase in respondents in the education sector, who made up 10% of respondents this year as opposed to 3% last year, likely due to more educational institutions working online. As with previous years, respondents came from organizations comprising fewer than 10,000 people. Last year's survey highlighted some of the impacts of the shift to remote working and schooling and the increased need for cybersecurity and threat intelligence staff at organizations that may not traditionally have had dedicated staff. As many organizations, including many in the education sector, continue to have a remote or hybrid presence, hopefully their staff will continue to grow, and we will see the expansion of the field reflected in future surveys. Figure 1 provides a snapshot of the demographics for the respondents to the 2022 survey.

Figure 1. Demographics of Survey Respondents
Top 4 industries represented: banking and finance, government, education, cybersecurity service provider.
Organizational size bands: Small (up to 1,000), Small/Medium (1,001–5,000), Medium (5,001–15,000), Medium/Large (15,001–50,000), Large (more than 50,000).
Top 4 roles represented: security operations/security analyst, CTI analyst, security manager or director, incident responder.
The figure also maps respondents' operations and headquarters locations by region.

CTI People and Processes

CTI is analyzed information about the intent, capabilities, and opportunities leveraged by adversaries targeting computer networks. CTI can be generated by an organization that analyzes its own data about previous data breaches or network intrusions. Organizations can also consume it from external sources such as threat intelligence vendors or information-sharing groups. Often organizations use a combination of the two: harnessing the power of their internal data while relying on outside expertise to provide a more robust picture of the overall threat landscape. Regardless of where the information comes from, organizations need people and processes to integrate findings and insights into their cybersecurity programs. This year's survey shows an increase in collaboration between internal threat intelligence teams and CTI vendors, with more organizations both analyzing their own threat data and utilizing external support for CTI programs.

It Takes Teamwork to Make the Dream Work

In its early days, many believed that only large organizations with existing robust cybersecurity teams in place utilized CTI. Since 2019, we have seen more and more organizations leveraging threat intelligence capabilities, whether or not they have a dedicated team devoted to CTI. This year, 33% of respondents work for organizations with fewer than 1,000 employees. While respondents reported a consistent trend in the presence of purely in-house capabilities, which holds steady at 36% year over year, there was an increase in reports of service-provider support for threat intelligence teams, which is the highest it has been since 2017. From 2021 to 2022, service provider support increased 5%. Although this increase indicates that many organizations are building out more robust capabilities in response to an increased online presence, it is important to note that those capabilities are not mutually exclusive. Many organizations with a CTI team on staff, or with the task of CTI spread out across other teams, also work with external teams for support for everything from strategic threat modeling to tactical threat detection. In fact, more than half (51%) of respondents reported that their organization uses a hybrid model with both in-house capabilities and external support. See Figure 2.

Figure 2. In-House Versus Service Provider
Are your CTI functions and activities handled in-house, by a service provider, or through a combination of the two?
In-house: 36.1%; Service provider: 12.0%; Combination of both: 51.3%; Other: 0.5%

Team Structure and Organization

When it comes to in-house teams, organizations with formal dedicated threat intelligence teams continue to grow; the share is up to 47% this year, after a brief drop in 2021 (see Figure 3). However, organizations reporting that they have no formal CTI team and no plans to create one also increased this year; the percentage actually aligns with the increase in service provider support mentioned earlier. This indicates that organizations continue to see the value of CTI but are comfortable outsourcing it. Although we have not seen this trend in the past few years, it speaks to the evolution and accessibility of managed threat intelligence providers and their ability to support organizations of different sizes and maturity levels.

In past years, survey respondents reported that the majority of analysts on a CTI team or handling CTI functions came from a security operations center (SOC) role. This year we see that number drop to 47%, with the difference spread across the other teams, with 1%–2% more in each of the other areas (aside from business groups, which decreased). Responses to the question also indicate that organizations are hiring more analysts directly into CTI roles instead of pulling them from elsewhere on the security team, emphasizing the professionalization of the field. Several respondents also reported that they brought CTI analysts in from cybercrime and fraud teams, highlighting how a team with diverse experience across the threat landscape can help an organization respond to a wide variety of threats.

Figure 3. Organizational CTI Resources
Year-over-year growth in formal teams: 2018: 41.5%; 2019: 41.1%; 2020: 49.5%; 2021: 44.4%; 2022: 47.0%.

CTI Threats in 2022

In this year's survey, we heard a great deal about the types of threats that keep CTI analysts and their leadership up at night. While all organizations will have slightly different threat models and priorities, we picked up on some trends in the industry.

Email-Based Threats

Email remains a significant entry point for adversaries into a network. Several respondents reported that many of their CTI processes focus on email-based threats. Some proactively use filters to block malicious emails, and some focus on raising employees' awareness of phishing campaigns. Examples from our respondents include:

"We have shared new variants of malicious email attachments and novel phishing email techniques in a security forum." (Survey Respondent)

"Constant monitoring of email and malware threats that are seen globally. Using that information to add additional protection to systems." (Survey Respondent)

Ransomware Threats

Ransomware is high on everyone's list of concerns this year, with actors targeting organizations large and small. Another concern is the interconnected nature of networks with contractors, vendors, and other dependencies that could adversely impact an organization even if it is not directly compromised. Because email introduces many ransomware threats, many of the tactics mentioned above are directly aimed at preventing ransomware from entering a system. Other ways CTI works to mitigate this threat include:

"Identifying third party vendors impacted by ransomware and taking action to mitigate their access to our data and infrastructure." (Survey Respondent)

Threats to Reputation or Brand

You know you have made it in this field when public relations wants to talk to the CTI team. With both ransomware and misinformation on the rise, organizations have a lot to lose with even the perception of a security breach that impacts customer data. In addition to intrusions targeting sensitive user or company data, organizations must prepare for attacks attempting to hijack the social media accounts of executives, as well as the spread of misinformation about companies with the goal of damaging brand reputation.

"For media companies, we specifically monitor for external threat actors (action groups, hacker collectives, foreign governments) and their targeting of social media." (Survey Respondent)

CTI Processes: The Intelligence Process

For CTI teams to operate consistently among team members, it is important to have processes and frameworks in place as a scaffolding against which team members can perform analytic work. One of the foundational processes in CTI is the intelligence process, also known as the intelligence cycle. Both "process" and "cycle" are acceptable terms, although "cycle" often refers to a cyclical process, where once you move on to the next step you do not return to the previous step until the cycle has made a full rotation. In intelligence, you may move forward from one step to the next, or you may realize that you need to go backward to gain more clarity or get more information before you can proceed forward again. For the first time, we have been able to capture insights from the 2022 CTI survey across all aspects of the intelligence process, including requirements, collection, data exploitation, analysis, and dissemination.

Defining CTI Requirements

The intelligence process starts with understanding the requirements for the CTI work that a team or individual is tasked with. Once organizations identify these requirements, analysts can focus on answering the key questions of decision makers and can optimize their remaining processes as much as possible. This year, fewer respondents reported that their organizations have formal requirements, and there was a 5% increase in organizations without plans to develop requirements. See Table 1. Although fewer organizations report having formalized requirements, the organizations that do have requirements are making it a priority to update them. Only 3% of respondents reported that their requirements have never been updated. Ad hoc is still the most frequent cadence for updating, with just over 40% reporting that they have no schedule or plan for updating requirements and that they are updated as needed. See Figure 4. Although it can sometimes seem unimportant to plan a time to update requirements, having something scheduled, even just an annual review, helps keep the idea that requirements are not static top of mind.

Table 1. Intelligence Requirements Year over Year (four consecutive survey years, oldest first, ending with 2022)
Yes, we have documented intelligence requirements: 30.3%, 43.8%, 39.0%, 35.4%
No, our requirements are ad hoc: 37.0%, 29.7%, 36.1%, 33.5%
No, but we plan to define them: 26.0%, 20.4%, 18.8%, 20.1%
No, and we have no plans to formalize requirements: 6.7%, 6.1%, 6.1%, 11.0%

Figure 4. Reviewing and Updating CTI Requirements
How often does your organization review and update its CTI requirements? Select the best answer.
Never: 3.4%; Weekly: 11.5%; Monthly: 13.8%; Yearly: 16.1%; Ad hoc: 40.2%; Unknown: 14.9%

In addition to having formal requirements that get updated periodically, it is also a best practice to include all CTI program stakeholders in the development of these requirements. This year, respondents reported that security operations is the team that contributes most to requirements, with 75% of respondents reporting their participation. The examples of CTI uses and analysis, covered later in this report, indicate that many organizations are directly engaged in support to security operations, and that even though they may not have formal requirements, they are working directly to support their stakeholders, which represents a great step in the right direction.

CTI Collection

Once a team has requirements it wants to address, the next step requires that they start collecting the information needed. This year, more CTI teams are leveraging external reporting sources such as media reports and news (up to 82% from 77% in 2021). With the number of major intrusions and adversary activity breaking in the news, CTI teams cannot ignore this type of reporting. See Figure 5. Community feeds decreased, but information from respondents' own networks (such as IDS logs and application logs) increased.

Figure 5. Sources of Intelligence Gathering
What type of information do you consider to be part of your intelligence gathering? Select all that apply.
Sources surveyed: external sources such as media reports and news (81.9%); vulnerability data; security data gathered from our IDS, firewall, endpoint, and other security systems; other formal and informal groups with a shared interest; incident response and live forensics; SIEM platform; community or industry groups such as information sharing and analysis centers (ISACs) and computer emergency readiness teams (CERTs); network traffic analysis (packet and flow); threat feeds from general security vendors; threat feeds from CTI-specific vendors; open source or public CTI feeds; application logs; closed or dark web sources; shared spreadsheets and/or email; security analytics platform other than SIEM; forensics (postmortem); user behavior data; honeypot data; other (4.8%).

CTI Analysis

We are excited that we could add questions about CTI analysis to this year's survey. Analysis is a complicated and often individualized process that can be difficult to capture in a survey question, but through a combination of multiple choice and write-in responses we put together a good view of how organizations conduct CTI analysis.

The most frequently used analytic method was intuitive or experience-based judgment; in fact, only 16% said that they never leverage this method (see Figure 6). Conceptual models, such as the diamond model for intrusion analysis, are also frequently used (as are kill chain models), with several respondents specifically identifying the MITRE ATT&CK framework as a model they have found significantly valuable. Organizations use structured analytic techniques (SATs), a mainstay of traditional intelligence analysis, the least, with 33% of respondents reporting that they never use them and only 19% reporting that they frequently use them. Organizations do not commonly use SATs because, unlike conceptual models, very few CTI analysis tools or platforms have integrated these methods into their workflows. Instead, tools more commonly allow an analyst to directly categorize or tag data by kill chain phase or diamond model axis, whereas the few productized SATs are often standalone tools, such as tools made specifically for one of the more popular SATs: analysis of competing hypotheses (ACH). SATs prove valuable for addressing biases in analysis and for removing effects such as groupthink. Increased integration of some of these techniques into tools used for CTI may make it easier for CTI teams to leverage them.

Figure 6. Leveraging Methods of CTI Analysis
What methods are leveraged in CTI analysis? For each of the following methods, indicate if they are used frequently, used occasionally, or not used.
Use of conceptual models such as the diamond model, kill chain methodology, or target-centric models: 32.2% frequently, 43.2% occasionally, 19.5% not used
Systems analysis methods: 23.7% frequently, 39.8% occasionally, 26.3% not used
Inductive reasoning/graph-driven analysis: 23.7% frequently, 38.1% occasionally, 30.5% not used
Use of structured analytic techniques, such as key assumptions check, clustering, or analysis of competing hypotheses (ACH): 18.6% frequently, 40.7% occasionally, 33.1% not used
Threat modeling: 28.0% frequently, 44.1% occasionally, 22.0% not used
Intuitive or experience-based judgment: 50.8% frequently, 27.1% occasionally, 16.1% not used
Other: 5.1% frequently, 6.8% occasionally, 11.0% not used

Coordinating with Incident Responders

This year's survey responses indicate a brief shift away from incident response (IR) and CTI collaboration. IR teams contributed less to requirements than last year, and forensics contributes less to data collection. While it is difficult to pinpoint the exact reason behind this shift, the data from this survey points at two contributors. First, many respondents this year are newer CTI organizations who are just developing their capabilities. CTI and IR coordination is a critical part of an overall cybersecurity program, but it takes some time to build both the processes and the trust that facilitate robust collaboration. If you are a new CTI program just getting started, make sure to establish connections with your IR team, whether in-house or external. You will find it much easier to establish communications before a large-scale incident hits. The second contributor is likely the fact that the past year has been incredibly difficult for IR teams and CTI teams alike. We had fewer respondents this year than in past years, likely due to heavy workloads and higher-than-is-healthy levels of burnout in the field. Last year's survey touched a bit on the mental health impact of remote work and isolation, and those impacts have likely been increasing with the number and severity of significant security incidents across the profession. IR teams: take care of yourselves and each other, and we hope to see you back in next year's survey.

CTI Dissemination

Once CTI has made it through the intelligence process all the way through analysis, the intelligence needs to get to the right audience in a timely manner. Intelligence dissemination varies depending on the type and urgency of the information. This year, respondents reported emailed documents as the most common way they disseminate CTI, followed by reports. Both of these indicate a narrative form of threat intelligence dissemination rather than just technical pieces of information such as IP addresses and domains. See Figure 7. A high demand still exists for this type of technical-level dissemination, with 55% of respondents indicating that they integrate directly with threat intelligence platforms to facilitate tasks such as threat hunting, email filtering, and malware detection.

Figure 7. Utilization and Dissemination of CTI
How is CTI information utilized or disseminated by your organization? Select all that apply.
Email or documents such as spreadsheets or PowerPoint: 73.6%; Reports: 62.0%; Briefings: 55.4%; Integration with threat intelligence platforms (commercial, open source, or homegrown): 54.5%; Other: 4.1%

As with many things in the CTI space, dissemination depends on several factors, including the situation itself. One respondent articulated this point very well, identifying that there are standard processes and then processes to escalate to a wider audience when needed:

"Post-analysis intelligence is disseminated to team leads for further dissemination as required to their teams. In the event it is determined a wider audience is required, department heads are brought in. During large-scale events that have the potential to affect the organization as a whole, briefings are created for the C-staff and/or board." (Survey Respondent)

This year's survey showed a promising trend when it comes to people and processes: more organizations are beginning to implement threat intelligence capabilities. Although those organizations are in the early stages of development, the field of CTI has come a long way since SANS first began surveying CTI professionals, and these organizations will have a wealth of information to help them on their way to successful programs.

Uses and Value of CTI

Threat intelligence has many different uses within an organization, from tactical to strategic, from supporting the risk-assessment team to helping prioritize patching. Also, depending on the maturity level of each organization, one can go from simply consuming intelligence to full production. As expected, and as it normally should be, most organizations are consumers of intelligence. From our respondents, the types of intelligence consumed are mostly published threat intelligence (58%) and contextual threat alerts (50%), but a significant number also consume raw threat data (48%). We could expect this, because the number of organizations with a higher maturity level and with the need to produce intelligence should indeed be lower. See Figure 8. What is interesting, though, and a sign that CTI as a discipline is growing and maturing, is the number of organizations that both consume and produce intelligence, with answers between 33% and 36% across the three types of intelligence proposed.

With regard to consumption, it is always interesting to see the variety of uses of CTI across organizations. Mitigation is one of the most frequent use cases, with several respondents crediting CTI with helping assess and prioritize patching when new vulnerabilities are announced (as well as detection and threat hunting based on published reports and IoCs). Finally, security awareness for staff, including training and ongoing situational awareness for the C-suite, is a very common use case. All these answers reinforce the relevance and applicability of CTI to the specifics of an organization, as well as the need, for those organizations that produce intelligence, to be able to produce different types of threat intelligence products/outputs.

Figure 8. Production Versus Consumption of CTI
Indicate whether your organization produces or consumes CTI in terms of raw data, contextual threat alerts, and/or published threat intelligence reports.
Raw threat data: produce 12.8%, both 32.8%, consume 47.8%
Contextual threat alerts: produce 11.7%, both 35.6%, consume 50.0%
Published threat intelligence: produce 5.6%, both 33.3%, consume 58.3%

Value and Usefulness of CTI Types

One of the main reasons to have a threat intelligence program in a company is to improve the overall security posture of the company and to help other teams make better decisions (whether about responding to an incident or about assessing the risk exposure of the organization). When asked whether CTI has improved the security prevention, detection, and response of their organization, 75% of respondents confirmed this was the case, and this result aligns with previous years as well. However, aside from this positive trend, 21% of respondents said that they do not know. This is an important result to note because it may highlight the need for more and better ways to measure the effectiveness of CTI programs, the tools, and the sources. Not being able to measure the value of something is what could eventually be the end of it, as teams won't be able to justify the need for more resources, new people, new tools, etc. This is a call to action for both practitioners and vendors alike to find better and easier ways to measure success in CTI.

We have already said that CTI has multiple types and formats, and we wanted to understand what type of threat intelligence respondents find most useful now as well as what they might find helpful in the next 12 months. According to our respondents, technical information about the malware attackers use (81%) and information about currently targeted vulnerabilities (80%) represent the two most useful types of CTI currently. This is consistent with 2021 results, except the two positions have switched. When considering the future, 52% of respondents think that more detailed and timely information about adversary groups in their industry and geography will prove most useful. Timeliness and relevance are indeed key to intelligence, and while respondents are asking for more of it, which is good, a positive sign is that satisfaction with the context (from 59% to 61%), analytics (from 52% to 55%), and relevance (from 66% to 67%) of CTI data has increased from last year. These represent small improvements but are a positive sign nevertheless. See Figure 9. Two things have slightly decreased in terms of satisfaction: strategic reporting, and searching and reporting. Finally, confirming the trend from the previous year, respondents were still mostly not satisfied with the removal of expired IOCs, a common problem that can lead to numerous false positives.

Figure 9. Most Useful CTI
What types of CTI are currently most useful to your operations? What would be most useful in the future? Select all that apply. (Responses for "current" and "next 12 months".)
Types surveyed: broad information about attacker trends; detailed and timely information about adversary groups in your industry and geography; specific IoCs to plug into IT and security infrastructure to block or to find attacks; information about how stolen information is being monetized or used by attackers; specific threat behaviors and tactics, techniques, and procedures (TTPs) of adversaries; threat alerts and attack indicators specific to your brand, VIPs, and intellectual property (IP); information about vulnerabilities being targeted by attackers; detailed information about malware being used in attacks; information about who the threat actors are or who performed the attack (true attribution); other.

CTI Tools

Analysts always find the tools topic contentious, with threat intelligence platforms (TIPs) representing both the instrument to accelerate and enhance the intelligence cycle and, sometimes, a source of pain and frustration for analysts. The tools should support automation and scaling. After all, with the amount of data to correlate and analyze daily, it would be unthinkable not to have such features integrated. It is important to serve different types of customers (including internal ones, like SOC and IR teams) but also to allow enough room for the analysis itself, the human aspect that cannot be taken out of the loop completely (no matter what).

First we asked what type of management tools our respondents use to aggregate, analyze, or present CTI information. Unsurprisingly, spreadsheets/emails held the No. 1 place again, with 44% of respondents saying they use these forms manually/independently. However, if we look at what tools organizations use the most to support some level of automation/integration, SIEM (40%) and network traffic analysis tools (38%) are the favorite technologies. These results seem to remain consistent across the years. We want to note a couple of interesting points about this specific topic. The first is that TIPs are not the main tool used by CTI teams yet; among the top four tools used, none is a CTI platform. The second striking result is that more than one in two CTI practitioners (56%) uses a homegrown CTI platform, which is a sign that should not be underestimated. Vendors can certainly improve the analysts' experience in this area by continuing to understand use cases and sharing more of the requirements between practitioners and vendors. In addition, CTI teams should really focus on what their core requirements are to confirm whether a custom homegrown CTI platform is really the answer. However, consider this encouraging trend regarding the point above: since 2021, the use of commercial and open source CTI management platforms with some automation/integration has grown from 35% and 30%, respectively, to 37% for both. This increase in adoption is a good sign that the development of such platforms is recognizing analyst needs and requirements more and more. Although much work remains to be done, the industry seems headed in the right direction.

With regard to processing of information, with the expected exception of reverse engineering of malware samples, for which the majority of respondents indicated manual processing (41%), every other type of processing has a low percentage of responses toward full automation (15% on average across all responses). All other responses have been toward semi-automation, with manual processing still getting very high numbers (roughly 30% on average). See Figure 10.

Figure 10. CTI Processing
What processing is done to CTI information to make it more usable? Select all that apply and indicate if the process is manual, semi-automated, or fully automated.
De-duplication of information: 25.9% manual, 41.4% semi-automated, 18.1% fully automated
Enrichment of information using internal data sources: 32.8% manual, 35.3% semi-automated, 16.4% fully automated
Enrichment of information using external commercial sources: 27.6% manual, 40.5% semi-automated, 17.2% fully automated
Standardizing information into a common format: 30.2% manual, 38.8% semi-automated, 13.8% fully automated
Enrichment of information using external public data sources: 30.2% manual, 44.0% semi-automated, 15.5% fully automated
Reverse engineering of malware samples: 40.5% manual, 24.1% semi-automated, 9.5% fully automated

Even though correlation does not imply causation, if we look at this data in light of the previous point, we can see that the need exists for more automation. So, CTI platforms that offer more automation may help their adoption rates, and increased automation may help CTI teams reduce the amount of manual and semi-manual processing (which is still high).

Finally, the importance of integrating the many different tools used, not only the tools used by the CTI teams themselves but also those used by others like the SOC, IR, vulnerability teams, etc., is paramount today. In this regard, the first result is that only 46% of respondents integrate their threat intelligence within their defense and response systems. This is not great, as we would all hope to see a much higher number, but the good news is that this represents a significant increase from the 41% of last year. Indeed, this positive trend reinforces all responses received about tools: we still have a long way to go, but the direction seems to be right. Organizations integrate CTI information into defense and response systems most commonly via a CTI platform (67% of respondents), followed by intelligence service providers (59%) and vendor APIs (45%). Again, this shows that vendors currently play an important role in making such integration happen.

Moving Forward

CTI requires both collaboration and communication. Although it appears that the shift to remote work, increased threats, and high workloads impacted some key components of collaboration over the past two years, organizations can address these factors through both processes and tools. Organizations should assess whether they have lost communication channels with key stakeholders and should identify ways to build up those channels again. In some cases, organizations may need additional tools to facilitate collaboration. Many CTI tools, such as TIPs, have built-in collaboration functionalities that teams can explore to see if they fit with existing processes and workflows, and don't be afraid to make new processes. Many CTI teams have gone through a lot of changes, and it is natural to adjust to what will work in current situations. This year's survey dove into specifics of analysis, finding that many analysts leverage analytic models and frameworks such as the diamond model and ATT&CK. Models and frameworks are easiest to use when directly integrated into the tools that analysts use every day. That's not to say that a diamond model markup on a whiteboard isn't a

113、solid way to conduct analysis,but it is much easier to capture,share,and replicate findings when they are easily captured.If your organization is one of the 55%using a homegrown CTI platform,consider integrating the models you use most often,or the ones you would like the teams to begin to use more.

114、Those building and maintaining commercial platforms should continue to identify models that customers find useful and provide resources for those(while remembering that analysis is rarely one-size-fits-all).Having more than one option for models will allow analysts to apply the right frameworks to t

115、he right situations.And while were at it,lets integrate some structured analytic techniques as well!13SANS 2022 Cyber Threat Intelligence SurveyDiscussions about tooling are always a hot topic in InfoSec,and CTI is no exception.The discourse around TIPs has been going on for a while,as on one side p

116、ractitioners develop new and better requirements,and on the other side vendors come up with new functionalities to meet them.As we saw from the survey,TIPs are still not in the top three tools used by CTI teams,and half of the respondents use some sort of homegrown CTI platform.Moreover,most of the

117、processing is still done manually,with a low percentage being able to go full automation.Even though the use of automation and integration in commercial and open source CTI management platforms has increased,representing a positive trend with the development of such platforms,this is a strong signal

118、 that should not be underestimated.This is an area where CTI vendors can improve the experience of analysts by continuing to better understand their use cases and requirements and,mostly drastically,by increasing automation.Considering the number of different data formats and the increasing volume o

119、f such data the industry is dealing with,higher automation in processing and correlation is the way to go.If you cant measure something,you cant improve it.One interesting takeaway came from asking our respondents if CTI has improved their security(prevention/detection/response).Even though in a des

120、cending trend,a high percentage of organizations still cannot measure the effectiveness of CTI programs,the tools,and the sources.Measuring the value of an intelligence program means that teams will be able to justify the need for more resources,new people,new tools,etc.,ideally moving organizations,and in turn the industry,toward a higher maturity level.This represents a call to action for both practitioners and vendors alike to find better and easier ways to measure success in CTI.SponsorsSANS would like to thank this surveys sponsors:
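Three of the processing types that Figure 10 above reports as mostly manual or semi-automated (standardizing information into a common format, de-duplication, and enrichment from internal data sources) can be chained into one fully automated step. The following Python script is an added illustration, not code from the SANS report or any of its sponsors; its two feed schemas, the common record layout, the indicator values and the internal sightings table are all constructed for the example.

```python
# Added example (not from the SANS report): automating three Figure 10 processing
# types. Feed schemas, indicator values and the sightings table are constructed.
FEED_A = [  # constructed feed, schema 1
    {"ioc": "203.0.113.7", "kind": "ipv4", "src": "feed-a", "conf": 80},
    {"ioc": "EVIL.EXAMPLE", "kind": "domain", "src": "feed-a", "conf": 60},
]
FEED_B = [  # constructed feed, schema 2, overlapping content spelled differently
    {"indicator": "203.0.113.007", "type": "ip", "source": "feed-b", "confidence": 70},
    {"indicator": "evil.example.", "type": "fqdn", "source": "feed-b", "confidence": 90},
]
# Constructed internal data source: prior sightings in our own telemetry.
INTERNAL_SIGHTINGS = {"203.0.113.7": ["proxy-log 2022-01-14"]}
# Map each feed's type vocabulary onto one common type name (constructed names).
TYPE_MAP = {"ipv4": "ipv4-addr", "ip": "ipv4-addr",
            "domain": "domain-name", "fqdn": "domain-name"}


def normalize(value, itype):
    """Canonical spelling so the same indicator written two ways collapses."""
    if itype == "ipv4-addr":  # drop leading zeros in each octet
        return ".".join(str(int(octet)) for octet in value.split("."))
    return value.lower().rstrip(".")  # case-fold, strip trailing dot


def standardize(record):
    """Standardization: translate either feed schema into the common record."""
    raw = record.get("ioc", record.get("indicator"))
    itype = TYPE_MAP[record.get("kind", record.get("type"))]
    return {"type": itype, "value": normalize(raw, itype),
            "sources": [record.get("src", record.get("source"))],
            "confidence": record.get("conf", record.get("confidence"))}


def deduplicate(records):
    """De-duplication: merge same (type, value); union sources, keep max confidence."""
    merged = {}
    for r in records:
        m = merged.setdefault((r["type"], r["value"]), dict(r, sources=[]))
        m["sources"] = sorted(set(m["sources"]) | set(r["sources"]))
        m["confidence"] = max(m["confidence"], r["confidence"])
    return list(merged.values())


def enrich(records, internal):  # Enrichment from the internal data source
    for r in records:
        r["internal_sightings"] = internal.get(r["value"], [])
    return records


def process(*feeds):  # Full pipeline: standardize, de-duplicate, then enrich
    return enrich(deduplicate([standardize(r) for f in feeds for r in f]), INTERNAL_SIGHTINGS)
```

Running `process(FEED_A, FEED_B)` collapses the four feed records into two, each carrying both sources, the higher confidence, and whatever the internal telemetry already knew about it.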
