To Fight This Generation of Hackers, Companies Take A Cue From Spies (#GotBitcoin?)

After years of being caught flat-footed by hackers, companies are turning to cybersecurity defenses called threat intelligence to fend off a new generation of criminals and spies trying to steal their secrets and money.

Threat-intelligence services can include detailed reports on the makeup and motivations of illicit groups, descriptions of illegal data sold on the dark web, and information about hackers’ tools and tricks. Incubated in the military and in spy agencies, they are becoming more popular in an era when companies often find themselves pitted against nation-state hackers.

This information can serve as an early-warning system, letting companies know when hackers are plotting an attack or selling stolen data online. They also can warn companies of malicious websites and the tactics used by criminals.

That kind of information helps companies prioritize their cybersecurity responses, says Rich Baich, chief information-security officer at Wells Fargo Co. With cyberattacks showing no signs of abating, threat intelligence has become an essential component of risk-management strategy, he says.

Over the past two decades, cyberthreat intelligence and analytics has grown into a market with $2.9 billion in annual revenue, says Joel Fishbein, an equities analyst at the financial-services firm BTIG LLC. He expects the market to leap to $5.8 billion by 2021.

Different Approaches

Threat intelligence traditionally has been used by common targets of sophisticated hackers: large defense, technology and financial-services companies. In recent years, newer cybersecurity companies such as Recorded Future Inc. are pitching these services to a wider audience.

Mr. Fishbein counts about 50 companies selling threat-intel services today. They sometimes employ different strategies for gathering intel on hackers.

When FireEye Inc.’s chief executive, Kevin Mandia, was a special agent with the Air Force Office of Special Investigations in the late 1990s, he and his fellow investigators had a term for the digital fingerprints they would find while responding to hacking incidents within the U.S. military. They called them “indicators of compromise”—the internet addresses, malicious software or internet domains used by the hackers they were tracking.

A decade later, while head of the cybersecurity firm he founded, Mandiant, Mr. Mandia gathered mountains of this kind of forensic evidence about hacks and the criminals behind them. As a result, he says, his team often was able to quickly get a read on who was behind a breach.

“It felt like every breach we responded to, we were like, ‘We know these guys,’ ” Mr. Mandia says.

Mandiant was acquired by FireEye in 2014 and its investigation-driven data has helped feed the company’s threat-intelligence products.

Recorded Future got its start analyzing data from the web, as opposed to evidence from hacking attacks. “We made it our business to analyze every little trail and breadcrumb left by bad guys,” says CEO Christopher Ahlberg.

The company gathers data from a range of sources, including threat-intelligence feeds it pays for, online forums and the broader internet. The company integrates that information into existing data-analysis tools, giving its customers a way to drill down for more information.

If a computer on a corporate network tries to connect to an untrustworthy website, for example, corporate-security researchers can click on that web address and see what other malicious activity has been linked to that site in the past.

Too Much Information?

At some large companies such as Wells Fargo, threat-intelligence work falls to in-house teams that resemble lightweight versions of spy agencies. The units are often staffed with security professionals plucked from the military or law enforcement, who spend their days studying data collected from intelligence providers and their own corporate networks.

With a team of more than 3,000 security professionals, Wells Fargo is big enough to employ its own small group of threat-intelligence researchers. Smaller companies likely don’t have that luxury and so are more likely to seek outside help. But there is a danger that companies lacking expertise on threat intelligence could end up paying for information they don’t need, Mr. Baich warns.

“If it’s not the right intelligence, it can bog you down,” he says.