Solidifying Threat Intelligence Foundation with Incident Forensics Regulation

November 18, 2021 | Jie Ji

Author: Richard ZHAO

Incident Investigations and Threat Intelligence

Threat intelligence, as the cornerstone of defenses against advanced threats, has had its significance fully recognized by governments and the security community. This is evident in the many conferences and forums held across the globe, the numerous reports written on threat intelligence, the endless stream of related products and subscriptions, and the lively state of threat intelligence R&D. Despite this positive trend, how to gradually create and solidify the foundation of the threat intelligence ecosystem, including intelligence collection, analysis, aggregation, sharing, and application, remains a challenge for the security industry.

Overall, threat intelligence may be collected from the following sources: (1) industry bodies or alliances that share, sell, or trade threat intelligence; (2) operation of security protection systems; (3) researchers’ independent studies; and (4) security incident investigation and forensic activities. In my opinion, the last one in particular is a living source that is crucial to the entire ecosystem, because it continuously contributes new threat intelligence and can verify the authenticity of threat intelligence obtained from the other sources. Threat intelligence and best practices drawn from the analysis of numerous cross-industry, cross-region incidents shared by others can become an effective weapon in cyber defense.

An example of this is Verizon, a leading network operator in the USA. For many years, the company has released an annual Data Breach Investigations Report (DBIR). Over the years, its contributors have expanded from Verizon alone to more than 80 agencies, security vendors, and service providers, such as the Department of Homeland Security, the United States Computer Emergency Readiness Team (US-CERT), and the Secret Service. The number of confirmed data breaches covered in these reports has also increased, from 761 in 2010 to 5,258 in 2021.

                           2016     2017     2018     2019     2020     2021
Security incidents       64,199   42,068   53,000   41,686   32,002   29,207
Confirmed data breaches   2,260    1,935    2,216    2,013    3,950    5,258

Table 1 Number of contributors of and incidents presented in DBIR in 2016-2021

These figures are informative and, to some extent, reflect the foundational work the US security community has done in threat intelligence.

Today, many countries have promulgated cybersecurity laws and regulations, potentially making a cybersecurity incident a serious offense. Such legislation has clearly improved information system owners’ and operators’ awareness of and investment in cybersecurity. However, it is common practice in the industry to stay silent after falling victim to a security incident, and cybersecurity legislation further increases the “cost” of incident reporting and disclosure. Without additional incentives or constraints, it becomes harder to conduct effective investigations and forensics, especially high-quality analysis by professionals. As a result, less data is shared, eroding the foundation on which the threat intelligence ecosystem must grow.

“Sound Cycle” and “Worsening Cycle”

Cyber attackers and security teams fight each other all the time. When one side acts aggressively, the other side may fall back. After an attack is initiated, a security protection system may

  1. Ignore
  2. Track, or
  3. Detect and Identify

In the first case, the attacker easily achieves his or her purpose of gaining profits and is therefore eager for more. At the same time, the attacker obtains more “intelligence” about the defending side, preparing for further attacks. In the second case, the protection system detects some traces of the attack. The defending side may then ignore such traces, as in the first case. Alternatively, it may locate the source by tracking the attack, and then update its threat intelligence database and detection system so that this attack is accurately detected and prevented, thus evolving into the third case. In the third case, the attack is blocked and the attacker’s effort comes to nothing. In addition, the source is probably located and the attacker may be brought to justice. During this process, the defending side, thanks to its investigation and forensics, enriches its threat intelligence database and gains a clearer picture of attack resources and tactics, techniques, and procedures (TTPs). This makes it harder for attackers to invent new attack methods and tools and more likely that attacks will be detected. As a result, attackers may think twice before attacking, or even give up for good. The following figure illustrates the “sound cycle” and “worsening cycle”.

Figure 1 “Sound Cycle” and “Worsening Cycle” in cyber defense

Clearly, the first case and ignoring the attack in the second case both lead to increased profits for attackers, more frequent attacks, and a more hostile cybersecurity environment, thus constituting a “worsening cycle”. The third case and the investigation in the second case give rise to enhanced protection capabilities and a higher likelihood of locating the attack source, making quitting the only option for attackers. As a result, the cybersecurity environment stays clean under effective governance. This is what we call a “sound cycle”.

As shown in Figure 1, the clearest divide between the “sound cycle” and the “worsening cycle” is the moment traces of an incident are detected, at which point the defending side may choose to ignore the traces or initiate an investigation, depending on its capabilities, its resources, or a tradeoff between input and output.

Ignore or Investigate?

There is no such thing as 100% security. This means that “accidents” inevitably happen somewhere in a network owing to defects in the protection system. These “accidents” exist objectively, regardless of whether they are detected, ignored, investigated, or analyzed for their root cause.

The scenes of such accidents usually convey a lot of information about attackers. Investigating a scene calls for a large input of resources, with root cause analysis, attacker profiles, TTPs, and the cause of protection failures as the output. The input of resources is felt immediately. In contrast, that output, and its value, are quite uncertain for small and medium-sized, non-professional security operations teams. Therefore, small and medium-sized enterprises (SMEs) with limited security capacity are not capable of conducting the investigation, and some large enterprises that are capable are not willing to. This is one manifestation of the externality problem in cybersecurity.

A professional division of duties helps resolve the “incapability” issue. The “unwillingness” issue can be resolved by appropriately rewarding those who collect more threat intelligence through root cause analysis, instead of punishing those who have security issues.

Threat Intelligence and Cyber Insurance

By analogy with traffic rules and vehicle insurance, it is advisable to introduce an “insurance” role into the cybersecurity ecosystem, which will help us out of the “externality” and “lemon market” traps. According to a General Accountability Office report[i], cyber insurance adoption is picking up: the take-up rate for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020.

Figure 2 is a schematic diagram of the cybersecurity ecosystem with an insurance role introduced. Drawn by the author, it depicts three situations in two parts: before an incident, during an incident, and after an incident.

The supervisory sector establishes rules concerning cyber insurance. An information system operator independently develops security products and services, or purchases them from a professional security vendor, to harden its protection system. The operator then buys cyber insurance to cover all remaining residual risk. The insurer evaluates the operator’s current security posture and the reliability of the adopted security products and services before determining the premium rate. When an incident happens, the information system operator asks the security vendor to investigate and analyze the incident, and then submits detailed incident information and analysis results to the insurer for compensation. The claims adjuster verifies the incident causes and remedial measures; the insurer then pays the claim and updates its case base, threat intelligence database, and premium rate accordingly.

Thanks to cyber insurance, the information system operator becomes willing to investigate rather than ignore security incidents; the security vendor obtains first-hand threat intelligence through investigation and forensics; and the effectiveness of security products and services is objectively verified through incident analysis and reflected in the premium rate. In this way, the security ecosystem can work better against cyber threats.


As Sun Tzu wrote in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Threat intelligence is the key to “knowing the enemy and knowing yourself” on the cyber battlefield, and the continuous accumulation of findings from incident investigation and analysis is its most important source.

Undoubtedly, it is very important to increase the punishment for cybercrime through legislation and to enhance the cybersecurity awareness of information system owners and operators. On the other hand, it is equally important to recognize that security incidents are inevitable, to encourage incident investigation and forensics, and to give credit to effective analysis processes and results. The possibility of being compensated for an incident by an insurer encourages organizations to disclose incidents and share related data, thus feeding industry insiders with more security data that will inform standardization and best practices, which would otherwise be difficult to achieve for lack of supporting data and verification. In the long run, this large base of cases will contribute to the sustainable development of threat intelligence.

[i] Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market, U.S. GAO

About Richard ZHAO

Dr. ZHAO Liang (Richard) is Chief Operating Officer, International Business, of NSFOCUS. He has over 24 years of professional experience in the telecom and network security fields. Before moving to his current business role, he was Chief Technology Officer, managing product, research, and development for the company. He was one of the earliest recipients of the CISSP, BS7799, and ITIL certificates in China.

Richard is proud to have been an active contributor to the cyber security community and its organizations throughout his career. He is the Executive Director of the China Cyberspace Security Association. He was the founder of the Greater China Chapter and a Board Member of the Silicon Valley Chapter of the Cloud Security Alliance. He won the Ron Knode Service Award of CSA in 2012. More details about his ideas and insights can be found at LinkedIn (