- By Industry
- By Use Case
Threats come from every angle today, making the task of monitoring and staying ahead of them seem monumental. From well-known and reputable threat intelligence feeds to a company's workforce, there are nearly as many sources of threat intelligence as there are sources of threats. But how do security teams prioritize the many sources of threat intelligence, and which are the most crucial to monitor continuously?
To gain some insight into the most important sources of threat intelligence today's security teams should be paying attention to, we asked a panel of security professionals to answer this question:
"What are the most important sources of threat intelligence for security teams today?"
Meet Our Panel of Security Pros:
Tim Bandos, CISSP, CISA is senior director of cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on Internal Controls, Incident Response & Threat Intelligence.
From my own personal experience deep within the trenches of incident response engagements...
I’ve discovered that the best sources of intelligence come from internal data on breaches that have already occurred within your network. When specifically speaking about state-sponsored attacks or APTs, the groups that are targeting you will exhibit their own tradecraft and leverage various tools and infrastructure to complete their objective. In most cases, this doesn’t mean using malware that has already been submitted to VirusTotal, previously known command and control infrastructure, or an IP address fed to you from some open source threat intel site. These attacks and techniques are very targeted and specific, so keeping track of that intel and developing a dossier on the attackers observed in your environment is imperative. Of course, the prerequisite here is knowledge that you have been breached and having the ability to forensically extract every bit and byte of information that you can to bolster you own internal threat intel. This strategy has proven to be highly successful at decreasing your cycle time of initial infection to detection when faced with some of the more advanced adversaries.
With regard to commodity-based malware or attacks that aren’t necessarily targeted but more opportunistic in nature (such as an end user with an outdated version of Java visiting an infected website), there are a ton of great free intelligence sources that you can consume from in order to provide context to your own data. Some of my favorites include sites like AlienVault, ThreatConnect, Malc0de, VirusTotal, and Emerging Threats. Digital Guardian’s Managed Services Program consumes around 40+ feeds which aid in deterring and detecting malicious activity.
Determining the quality and efficacy of threat intelligence feeds can be very difficult. What works for one organization may not work well for another. My recommendation would be to set up a tool like the Collective Intelligence Framework from CSIRTGadgets, consume from a variety of feeds, and determine which works best for you. Commercial feeds do provide some value if you’re not open to building it out yourself, but where’s the fun in that? Plus, I’ve found that those commercial feeds can be fairly redundant in nature with what they provide versus the free feeds. Preparing to now take heat for that comment…
Dr. Jules Pagna Disso
Dr. Jules Pagna Disso is the Head of Reseach & Innovation from cyber security consultancy, Nettitude.
"Threat intelligence is still considered in the majority of cases as tactical or geopolitical know-how gathered from the information collected and analyzed. However..."
Successfully protecting a company requires the involvement of every single person and at every level of the organization.
Threat feeds or threat sources should be useful to every level of the organization. The knowledge gained from various intelligence exercises should help non-technical users from departments such as HR, together with the technical users in the IT department.
There are few criteria that make a source of information invaluable. As one of the very first steps, a company should understand what its threat surface is. There is very little benefit in buying a threat feed that originated from web monitoring or general honeypots when trying to protect against a DDoS (denial of service) attack.
Each threat source or threat feed should be aligned to one or more objectives of the security strategy. Whilst there are many threat feeds or threat sources, threat sources that have been reviewed, corrected and optimized are generally the best. A fully automated source does not appear to provide many benefits until they have been optimized. There are many good threat sources around:
- Threat sources managed by the government intelligence sharing groups. This should be an intelligence-sharing group in the same industrial sector. It is also interesting to use sharing groups that share the same type of business functions even if they are not in the same industrial sectors.
- Managed security providers are a good source of intelligence, as they would have intelligence gathered based on real events, not just honeypots.
- Threat intelligence reports: these generally provide a good overview of information that can be used to create training material as well as informing the board of directors what security threat trends exist, hence guiding them through their priorities.
- Research organizations: using techniques such as advanced deception technologies, research organizations can gather first-hand information that reflects a real-life attack as the attackers are lured to believe that they are in a real environment. In this case, companies should invest in experts who are able to sanitize and optimize OSINT (open source intelligence).
- OSINT: open source intelligence is very powerful when used appropriately. There is a lot of information available on the Internet. Such information is available either voluntarily or by human mistake. This category will include all social media information. However, the information needs to be sanitized and optimized to be useful in most cases.
- Security blogs: many security analysts and researchers provide invaluable information on their blogs that can be used both by the executive and technical staff.
- An organization's security logs should be the starting point for threat sources. The questions should be: who is behind the attacks? what is their purpose?
In general, if a threat source is optimized by qualified individuals, it can be aligned to a security defense objective and then it is likely that the intelligence gathered will be useful. Without a security strategy, and a drive to reach each objective in that strategy, there is very little to gain in acquiring threat information.
James Carder is the CISO & VP of LogRhythm Labs. He brings more than 19 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. At LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity, and availability of information assets, oversees both threat and vulnerability management as well as the Security Operations Center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs machine data intelligence, threat and compliance research teams. Prior to joining LogRhythm, James Carder was the Director of Security Informatics at Mayo Clinic where he had oversight of Threat Intelligence, Incident Response, Security Operations, and the Offensive Security groups.
"I'm a big believer that the absolute best source of threat intelligence is..."
Your own data. To use your own data as a source of threat intelligence, you must understand what normal is for your business, your employees, your processes and your technologies, and what type of threat actors have an interest in those resources. If you understand what is normal, anything that falls outside of that spectrum is an indicator of potential compromise and should be investigated. Are you a company that has interest from nation state threat actors? Do you have business operations outside of the United States? Or are you more a target for financial crime groups? Are you in a specific industry that is commonly attacked by the same threat actors going after the same types of data? These are all important to understand when determining what threat intelligence to operationalize first, as it will be both highly valuable and produce a low level of false positives. Fitting your business to the right threat intelligence source is critical.
One of the biggest pitfalls I see security teams make is to buy all the threat intelligence sources out there. More is not always better. In fact, more may end up meaning more distractions as your team investigates a high number of false positives, deterring them from more important activities in your security operation. Another pitfall I see companies make is to try and consume threat intelligence without a clear path on how to operationalize it. Having your security team manually search for indicators of compromise from a threat intelligence source is time consuming and may divert attention away from more important security tasks. If threat intelligence is operationalized correctly, you can be more proactive about your security program, achieve scale and efficiency with automation, and reduce the overall time to realization of your threat intelligence. In very successful firms, I've seen them take in threat intelligence data as an initial source for investigation and, secondarily, use threat intelligence as a validation point for events and incidents in their environment to trigger automated events to contain or remediate events and incidents without an analyst ever having to touch a console and before a breach ever happens. That is operationalizing intelligence in its finest form.
There is a time to value as it relates to threat intelligence data as attackers often change their tactics, techniques, and procedures. The last thing you want to do is find yourself in a situation where you've paid into outside threat intelligence data, but don't have a great method for operationalizing it, and still find yourself days and weeks behind the attackers, all the while your company stays compromised.
Michael Tanji is the Managing Director of Wapack Labs, a cyber intelligence analysis company. He is the former head of the DOD’s cyber threat warning system, responsible for warning against strategic cyber threats against DOD networks from nation-states and non-state actors.
"The best sources of threat intelligence depend on what it is you’re trying to protect..."
There is no shortage of companies who will sell you a feed of data that may or may not help inform your cybersecurity decision-making process. Your security team needs to have a solid understanding of what their priorities are, which should translate to what the business cares about the most. With that knowledge, you can begin to sort through the range of threat intelligence offerings to identify those that supply the kind of information you will need to most effectively warn against new threats and combat ongoing ones.
I would also note that there is a distinct difference between real threat intelligence and threat data. Security teams are already drowning in data; adding one more “threat intelligence” feed is like throwing a drowning man a brick. A true intelligence offering helps security teams derive meaning from all that data and put it into context so that they can make sound decisions. Someone selling a feed isn’t selling intelligence, they’re selling data. The value of any given piece of data is short; good intelligence retains its value long after it is delivered to a security team.
Richard Rauch is President and CEO of APCON. Richard Rauch has built an internationally recognized technology company with a global workforce delivering network monitoring solutions to Fortune 1000 enterprises and midsize organizations in 40 countries. Through the years, APCON has forged innovative solutions in data privacy and security for diverse sectors including government, finance and healthcare.
"When it comes to threat intelligence, no single source can provide adequate protection to a company or organization..."
Attackers are continually looking for ways to breach the network, and they'll find new tools and techniques to get the job done. While the old way of doing things may no longer be effective, there are a number of new tools and applications to help mitigate the risk of intrusion.
Any highly functioning cyber defense strategy should offer broad coverage of threats, provide significant overlap in the area of emerging threats, and be customized to meet the types of threats an organization is facing. Different classes of applications will be appropriate for different businesses and situations, because not every organization will face the same threats. For example, healthcare and financial institutions may require strong compliance applications, while retail organizations may focus on advanced analytics tools, and companies operating in the defense industry may look for robust DLP and end-node protection tools.
So, which threat intelligence feed to use? Any organization that is subjected to constant APTs should defend accordingly, by using layers of threat intelligence. Personally I like specialist providers, as their feeds are generally broad and can be trusted. Additional community driven intelligence feeds will provide overlap and also should help with emerging threats. Select a provider that has a proven track record, is broad in its analysis, and has a great reputation. These providers should be able to provide both the research and consultation that are essential. Think of this provider as a key member of your defense team, as you should be able to trust their perspective and judgement.
Be sure to keep an eye on STIX/TAXII (OASIS) for threat intelligence, as this is an area that is developing rapidly.
Finally, it's important to identify best-in-class tools for each specific need. And you must be able to monitor the output of these tools effectively. The best intelligence will be completely ineffective if the resulting alerts are ignored, misinterpreted, or addressed too late. Be sure to carefully manage the alerts and notifications generated by the applications, and maintain a continuous and determined approach to network and security monitoring.
VertitechIT Network Architect Duane Norton has been providing complex IT solutions for businesses in the healthcare, financial, legal, and educational industries since 1999. He combines his experience in managing a wide variety of network and server environments with an in-depth knowledge of routing, switching, information security, and virtualization technologies.
"Some of the best sources of threat intelligence for security teams include..."
A well-instrumented enterprise network, incorporating automated log and alert information from thousands of devices, can generate an enormous flood of threat data. In addition to real-time sources (e.g. server and network log analysis, NetFlow session information, and IDS/IPS alerts), it is important that your security team maintain a situational awareness tuned to your infrastructure's critical vendors. Properly filtering out extraneous threat information makes the sum total of your threat data manageable by busy security staff, and actually actionable within your specific infrastructure. Many major manufacturers (e.g. Cisco, VMware, Microsoft) publicly distribute security-specific RSS feeds and blogs, ensuring that their customers can be proactive in updating their products to guard against the latest threats. Outside of specific vendors, there are many community and government sources for up-to-date security information. Three of our favorites are the SANS Internet Storm Center, US Computer Emergency Response Team, and DarkReading.com.
Mr. Carlos Goveo is a Certified Protection Professional, (CPP) board certified in security management through ASIS International. He is the CEO of Juggernaut Security Consulting, LLC and a retired Army Officer with over 21 years of honorable service. He is a member of the ASIS Physical Security Council – Tactical Solutions Committee, the Executive Protection Council, and the Association of Threat Assessment Professionals.
"The first step to identifying the most relevant sources of threat intelligence is to..."
Have an accurate and current threat definition as part of the enterprise risk assessment process. During threat definition information is collected about the different adversaries or conditions. The next step would be the design basis threat (DBT) which requires specific consideration of the threat's tactics, mode of operations, likelihood of occurrence, capabilities, etc.
When searching for sources of information in order to stay informed and enhance the safety and security of clients and/or facilities, security teams outside of the government rely mostly on open source intelligence (OSINT). OSINT is intelligence collected from publicly available sources and provides a significant level of situational awareness when properly analyzed and compared with other sources of information. In today's social media environment the speed of change is near real-time, as sources at the event location can instantly provide updates and pictures through various social media platforms.
Security teams, depending on their size, might have a dedicated security operations center (SOC) with analysts that can stay on top of social media inputs and articles through the use of social media monitoring software tools, Google alerts on specific topics, and internally established standard operating procedures and reports.
Another great source of information are newsletters and daily news summaries from the different security organizations and associations. For example, Overseas Security Advisory Council (OSAC) and many others. Other means of acquiring threat intelligence are government agency websites that provide tools to assist in the security and safety of the general public, such as the state department website, which provides advisories, warnings, and alerts for the different countries that a security team might have to operate in or monitor.
Lastly, professional contacts in different organizations are an invaluable asset for information exchanges as everyone will have different areas of expertise and experience.
Jake Margolis was selected as the Chief Information Security Officer (CISO) in August 2016 for the County of Orange. He served as the Interim CISO since January 2016. Jake joined the County in June 2015 as the Cyber Security Policy and Compliance Manager on the OCIT Information Security team. Before joining the County, Jake was the Information Assurance Manager for the California National Guard and California Military Department. As the CISO, Jake is responsible for managing the design, development, implementation, operation, and maintenance of Countywide information security programs.
"There are multiple threat intelligence sources..."
Security teams can rely on news groups, credible intelligence sources such as those provided by third-party companies, DHS advisories, Multi-State Information Sharing & Analysis Centers, and their end users. A security team will also look at trending information on integrated dashboards that pull data from network security appliances and software. The most important intelligence sources I have leveraged are the reports I get from my intelligence service advisories and heads up emails and phone calls from neighboring organizations. It is important to foster relationships with other entities to broaden your depth of intelligence sources, but there is no single best source. The value of a given source is often hard to substantiate given one may never be the victim of an attack referenced through various channels. The value is often determined by how quickly and effectively one is able to respond to a cyber-attack based on the intelligence provided from a given source. Therefore, the value of a given intelligence source will vary.
Shiu-Kai Chin engineers trustworthy systems and has over 40 years of experience at Syracuse University, General Electric, and the Air Force Research Laboratory.
"The best source of threat intelligence for security teams is..."
Intelligence gathered and shared by your community of interest. The US Government has the “IC,” intelligence community. Banks such as JP Morgan Chase have their own intelligence operations which interface with law enforcement, presumably to give law enforcement information on what attacks they are seeing and, in exchange, get from law enforcement a global picture of threats and attack patterns. Smaller operations must rely on so-called ISACs (information sharing and analysis centers) or be part of a community of interest if they cannot afford to run their own intelligence operations.
Isaac Kohen is the founder of Teramind and has over 15 years' experience in helping companies in the financial sector protect their data. He is extremely passionate about providing organizations with all the analytics necessary to fully assess their workforce and identify insider threats.
"Today, many IT security teams forget to think about the insider threat, however..."
People within an organization can do significant damage – whether maliciously or unintentionally. Threat intelligence can come from monitoring user behavior within the company and identifying employee actions that can expose systems, applications, or data. With employee monitoring software, security teams can understand what company data protection protocols aren't being followed and help educate their organizations to prevent security mishaps.
David Green is the chief security officer of Veriato, a leader in user activity monitoring and user behavior analytics. Joining the company in 2002, Green is responsible for business continuity planning, loss prevention, digital security, physical security and incident response. Prior to joining Veriato, David served as CIO for XL Vision.
"The most important source of insider threat intelligence – and one likely not being leveraged properly in corporate America (or anywhere) – is..."
The HR department. While HR might be concerned about violating employee privacy, they can inform infosec if an employee might be an increased security risk because of a negative work event such as a bad review, termination, demotion, etc. They can’t legally disclose the specific information about the event (which studies show precede more than 90 percent of insider threat cases) but they can say something like, “Consider Tim Brown an 8 (instead of a 4) on our 10-point risk factor chart until we tell you otherwise.” Then a simple revert to 4 is all that is required. Then infosec would monitor this employee more closely, which would provide even greater insider threat intelligence.
How to get HR involved? Invite them to be part of a security task force comprised of representatives from HR, infosec and legal. That task force should help establish a 10-point risk rating system, which gives each position a ranking and determines what level of privilege and access each position requires (the greater the privilege and access to data, the greater the risk and higher the ranking). The higher the ranking, the more this position should be monitored for possible insider threats. Then create the interdepartmental communication procedures that HR (and all departments) would use to provide needed threat intelligence based on the risk factor chart.
With HR involved, infosec gets much-needed intelligence so they are prepared to enhance employee monitoring when HR sees it might be needed and potentially eliminate costly attacks.
Chad Sizemore is the Managing Partner of ICS Medtech based in Birmingham AL, a Breach Management and HIPAA Compliance company. They offer Breach Management systems to companies of all sizes and occupations to monitor their networks for cybersecurity breaches and risks. They also work with medical practices and hospitals to gain and maintain HIPAA/HITECH Compliance.
"No matter how large or small your organization, the first step in gaining threat intelligence should be to..."
Perform a risk assessment. A risk assessment performed correctly will dig deep into the network and expose any areas for potential threats. These could include a variety of findings, such as out of date software, improper access, and open connections that could provide unwanted access to the network. Ideally the risk assessment should be performed by a third party source. Why is this important? Several reasons:
1. If you are large enough to have dedicated network/security team, this is a sanity check; a means to analyze processes and procedures as well as ensure proper controls are in place to minimize risk.
2. If you are using an outsourced provider for your network solutions, this provides proof that your network is secure and up to date as well as giving you peace of mind that you are getting what you paid for.
3. A third party vendor should be expected to perform these assessments in an unbiased means. The end result should be to find any option to make the network more secure and keep all data safe.
As a provider of these types of services, it is very frustrating to audit companies who utilize third-party network vendors and pay thousands of dollars a month for managed services, but learn through our audits that they have open vulnerabilities, like software being out of date or simple-yet-unsecure network protocols being open to the outside world. Examples we have seen in the field range from a malware outbreak occurring and the network team stopping the antivirus software from completing scans because it was late at night and they wanted to go home to a network provider using a terminal server so they can access the client's network via RDP.
Along with the risk assessment you should perform periodic penetration testing, have a means to log all assets on your network, and log all events so that in the event of a breach you have a means to discover and remediate the issues. Contingency and DR plans must also be in place to react appropriately and immediately. Just like a natural disaster, a security breach can pose just as much danger, so you must have the proper teams and procedures in place to handle all incidents.
There are also numerous groups of security professionals that meet and share via social media. I suggest you find a group and join and share useful knowledge. If possible, I would recommend implementing a SIEM solution. There are numerous options on the market at a variety of price points. The faster you see a potential breach, the faster you can stop an outbreak. And at the end of the day the most important goal is to keep everyone's data safe and secure.
Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.
"The most important sources of threat intelligence today are..."
Open source in terms of potential and reach. While paid threat intelligence is a great source of highly accurate and specific threats that an organization may face, they are not effective for the cost for smaller organizations. Open source intelligence, like OTX (Open Threat eXchange), can provide a large amount of peer reviewed information that will be helpful to many organizations. There are the occasional false positives, but even then, smaller organizations will not be too overwhelmed. They can be great sources of helpful information that provide alerts to stop many problems. Another source is Anomali's STAXX OVA, which can be deployed in an organization and ties in many threat intelligence sources into a single platform. It is highly condensed and can provide context, even with free samples of the premium threat sources.
Jason Remillard, CISSP, MBA is the Founder and CEO of ClassiDocs.com – a Data Classification and remediation platform. He is also the former CISO/VP of Global Security Architecture and Engineering at Deutsche Bank. He has been in the security business for over 25 years.
"Threat intel is an area that has experienced explosive growth over the past few years – with every vendor purporting to have THE intel feed. In reality, you will see..."
Much overlap between the feeds as many of them source from the same areas and augment with their own intel. Crowdstrike does it differently than Cisco, which is quite different from the STIX framework. One way around this is to consider where your threats are coming from. If you are primarily a B2C oriented shop, Microsoft’s feed might be a good bet since it incorporates all attacks on the Xbox and Live networks. If you are a financial instituation, STIX is your go-to. My recommendation is to start with a few feeds, watch for false positives and augment as you go. Many of the feeds are free or included in some purchases, so the direct outlay should be reasonable. The true cost is in response to false alerts and missed issues. I also see no problem in asking vendors for sample feeds (pick a few weeks past – thus basically worthless to them now) and running some ‘difs’ on them to get a feeling of the similarities of the feeds and where and how they differ. This will give you the best fit for your business.
Domingo Guerra, Appthority co-founder and president, specializes in identifying mobile app risks and behavior trends, and advising the enterprise of the business risk associated with data breaches, losses and leakage in today's dynamic workforce. Domingo has been a key speaker at AirWatch Connect and MobileIron's Mobile First, and has appeared as a security expert on CBS, CNBC, NBC, and Fox News.
"The most important source of threat intelligence for security teams today is..."
Mobile devices are quickly emerging as the biggest threat for corporate security teams, as they are increasingly used for critical line of business work. Whether BYOD or corporate owned, devices are riddled with 3rd-party mobile apps which have the potential to steal or leak sensitive and private company information. Risky app behaviors, hidden actions and malware can breach company security systems and steal assets from employee mobile devices at any time. For these reasons, having up to date, actionable intelligence on mobile risk in the enterprise environment is extremely important.
As such, more companies are employing mobile threat solutions to proactively and reactively monitor the mobile devices in their network and provide real-time threat intelligence. These solutions are vital to visibility into mobile blind spots, effective threat remediation, and empowering employees to help secure the enterprise at the new perimeter.
Matt Malone is the Co-Founder and CTO of Assero Security and has over 15 years of proven experience within the information security realm. Mr. Malone consults with the FBI and NYPD Cyber Crimes Division on security threats and attacks, assisting with investigation, documentation and pursuit of offenders. Additionally, Mr. Malone is a sought-after speaker and writer who has published and been featured in national publications such as Wired and CIO Magazine, as well as appeared in several newscasts.
"The most important and most overlooked source of threat intelligence is..."
The employees of the company you are hired to protect. We often sit on a hilltop looking down at the employee, when really if we open up lines of communication we will often see they have a lot to offer us in knowledge of irregular activities, vulnerabilities, social engineering attacks, and phishing attacks. Security awareness and open lines of communication can be a powerful source of information from a free and ever evolving source. As security professionals, we are taught to build walls as protection, but make sure you don't isolate yourself from the people you are trying to protect.
Michael Edelberg is Co-founder & CDO of Viable Operations; Michael is a digital disrupter, influencer & innovator. He remains active in the intelligence community with additional focus areas of compliance and policy. The ability to adapt to current trends and to anticipate future needs of different businesses are a continuing valuable asset to the Viable Operations team and its clients.
"Our sources vary depending on the client and perceived threat vector..."
Obviously, in our business we receive intel from a variety of sources: Government, NGOs, 3rd-party intel (think beltway consulting groups) and trusted individuals. Recently we received reports from our US Government sources of the immediate threat to critical infrastructure, specifically the electric grid. While the average mom and pop shop can be down for a bit, what if your client is a hospital or financial institution? Are the backup generators working, and for how long?
Much like in our cybersecurity approach, it isn't a one size fits all. We look at the client and the appropriate entities for our due diligence assessment. Our teams at Viable Operations spread through different continents and speak quite a few different languages. We use this as an asset to gauge the threats in different ways that people would approach it. The nuance of a regional interpretation can make a huge difference in your threat response.
Likewise, the approach to our clients with say a POS system. Is it the client, a nefarious customer or another intrusion that is causing many of these breaches? We'll take a holistic approach to finding the threat vectors and get intelligence on what's out there from the appropriate sources.
There's no doubt some of the biggest entities, be it government or Fortune 500 cyber firms, are useful. But everyone in infosec also keeps an eye on individuals like Schneier and Krebs. We never forget the first word of the acronym IT is Information.
Jason Sinchak is the founder of an information security consulting firm, Emerging Defense, and co-founder of a mobile security startup, Sentegrity. Sentegrity is aimed at eliminating the use of passwords for mobile applications.
"My entire professional life has been spent getting paid to hack into corporations and assisting them in recovering from real data breaches. Many companies think that they can simply..."
Buy what they need. This is completely wrong. Anything you are buying is already in the hands of the bad guys (they too can buy it); it can help you determine (after the fact) that you have been compromised but it won't protect or prevent anything new.
The best threat intelligence comes from your own internal penetration testing (red team) trying to hack your own network. This team simulates how a real attacker would go about attacking your organization. These are the guys who know your network best and know all the vulnerabilities that exist better than anyone. This information needs to be feed back to network defenders and employed as real custom, proprietary, threat intelligence. The attacks and techniques that the internal penetrating testing team (red team) employ can be used to model real attackers and catch activity that is unauthorized.