Commentary
5/7/2014 12:00 PM
Nick Selby

Why Threat Intelligence Is Like Teenage Sex

Everyone thinks everyone else is doing it, and most of the few people who are actually doing it aren't doing it all that well.

Whatever the official theme of the 2014 RSA Conference was, any one attendee will tell you the unofficial theme -- the message on every banner in the place, it seemed -- was “Threat Intelligence.” But threat intelligence, as it was put to me by Eric Olson of Cyveillance, is a lot like teenage sex: Everyone is talking about it, everyone thinks everyone else is doing it, and most of the few people who are actually doing it aren't doing it all that well.

There are lots of fashionable things to say about intelligence, and everyone gets all… cool when they discuss it, as if they have some dark, national secret that you don't have. Balderdash!

Let's cut through the mystery in two important ways:

  1. Threat Intelligence is not nation-state espionage. You're bringing data together, and adding value to it by delivering usable information to those who need it. Put your cloak away.
  2. You're not looking to solve Mideast peace. You're looking to empower your decision makers to make your organization more secure. Keeping it simple helps drive success.

My observation from several circuits through the RSA Conference exhibition floor is that there is a classic conflation among data, information, and intelligence. You can find many definitions of “intelligence” out there, but I'll just go out on a limb and say that, without analysis, a nugget from a “threat feed” (in which you might learn that IP address 1.2.3.4 is “known-bad”) is not intelligence. It is a datum.

Even the database itself is not intelligence, per se. It turns out that a database is just a collection of data. Don't get me wrong: The data within the database -- or the threat feed -- can be highly useful to the intelligence process. But (and I am not picking nits here) it comprises a data feed, not an intelligence feed (except to marketers).

Simply, albeit admittedly incompletely, put, intelligence is analyzed data that you can do something useful with.

For example, the fact that a given IP address has been observed to be associated with some given nastiness does not mean that the nastiness applies to you in the same way it applied to the earlier observer, or even that it applies to you at all. Analysis of the data in context of your mission, goals, and tactics is required before this datum rises to the level of employable intelligence.

The fact that something is in a threat database does mean, though, that someone has analyzed it and determined it is useful in the context of a threat database. But expecting that you can buy access to a feed of pre-packaged data that is sold to thousands and that it will be pre-analyzed within your use context is like buying a guitar and expecting that it's been tuned at the factory.

Rule of thumb: Intelligence is not something you can buy in a feed -- even if it comes from Mandiant.
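The contextual analysis the preceding paragraphs describe (a feed says 1.2.3.4 is “known-bad”; whether that matters depends on whether, how, and from where your own hosts touched it) can be shown in code. The following is an added example and is not part of the original article or from any vendor product: it takes feed entries of the kind sold by the thousand, checks them against the organization's own proxy/firewall telemetry, and only then assigns a priority. The feed entries, the log lines, the 10.10.0.0/16 internal range, and the three-level priority policy are all constructed for illustration.

```python
"""
Turn a threat-feed datum into something a decision maker can act on by
checking it against the organization's own telemetry.

Added example, not from the original article. The feed, the log lines,
the internal network range and the priority policy are all constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed "threat feed": the kind of datum a vendor sells by the thousand.
FEED = [
    {"indicator": "1.2.3.4",      "tag": "c2",           "confidence": 90},
    {"indicator": "203.0.113.50", "tag": "scanner",      "confidence": 60},
    {"indicator": "198.51.100.7", "tag": "malware-dist", "confidence": 80},
    {"indicator": "192.0.2.9",    "tag": "phishing",     "confidence": 70},
]

# Constructed proxy/firewall log lines: "timestamp src dst dport bytes_out action"
LOGS = """\
2014-05-06T09:12:01 10.10.5.21 1.2.3.4 443 184320 ALLOW
2014-05-06T09:13:44 10.10.5.21 1.2.3.4 443 190112 ALLOW
2014-05-06T10:02:10 10.10.7.8 203.0.113.50 22 0 DENY
2014-05-06T11:41:55 10.10.9.3 198.51.100.7 80 512 ALLOW
2014-05-06T12:00:00 10.10.2.2 8.8.8.8 53 64 ALLOW
"""

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]


@dataclass
class Finding:
    indicator: str
    tag: str
    feed_confidence: int
    hosts: set = field(default_factory=set)
    allowed_hits: int = 0
    denied_hits: int = 0
    bytes_out: int = 0

    def priority(self) -> str:
        # Assumed policy: the feed's own confidence never promotes an
        # indicator our hosts never touched.
        #   never seen in our telemetry          -> "ignore"
        #   only ever denied at the perimeter    -> "monitor"
        #   allowed outbound with data leaving   -> "investigate"
        if not self.allowed_hits and not self.denied_hits:
            return "ignore"
        if self.allowed_hits and self.bytes_out > 0:
            return "investigate"
        return "monitor"


def parse_logs(text):
    """Yield one dict per whitespace-separated log line."""
    for line in text.splitlines():
        ts, src, dst, dport, nbytes, action = line.split()
        yield {"ts": ts, "src": src, "dst": dst,
               "dport": int(dport), "bytes": int(nbytes), "action": action}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(feed, logs):
    """Attach our own observations to each feed indicator."""
    findings = {e["indicator"]: Finding(e["indicator"], e["tag"], e["confidence"])
                for e in feed}
    for rec in logs:
        f = findings.get(rec["dst"])
        # Only traffic from our own hosts counts as "it applies to us".
        if f is None or not is_internal(rec["src"]):
            continue
        f.hosts.add(rec["src"])
        if rec["action"] == "ALLOW":
            f.allowed_hits += 1
            f.bytes_out += rec["bytes"]
        else:
            f.denied_hits += 1
    return findings


def triage(feed=FEED, log_text=LOGS):
    """Return findings ordered by our priority, then by feed confidence."""
    findings = enrich(feed, parse_logs(log_text))
    order = {"investigate": 0, "monitor": 1, "ignore": 2}
    return sorted(findings.values(),
                  key=lambda f: (order[f.priority()], -f.feed_confidence))


if __name__ == "__main__":
    for f in triage():
        print(f"{f.priority():12} {f.indicator:15} {f.tag:13} "
              f"conf={f.feed_confidence} hosts={sorted(f.hosts)} out={f.bytes_out}")
```

Note what the feed's confidence score does not do here: 192.0.2.9 arrives at 70 but lands at “ignore” because nothing internal ever spoke to it, while 198.51.100.7 is worth a look because a host actually completed an allowed connection. That ordering is the analyst's product, not the vendor's.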

Now that internal intelligence programs are becoming the “must have” thing in enterprise, here are two observations:

  • First, hooray! Threat intelligence has left the bleeding edge and is becoming an early mainstream capability. If you care about information security, a robust threat intelligence program is an essential enterprise capacity.
  • Second, before you meet with a single vendor selling “threat intelligence,” it's equally important that you understand what you want your threat intelligence to actually do inside your organization, and how you will leverage it to accomplish those goals.

Data synthesis (or, if you're a real dag, "dot connecting") only works when an effort to bring data together meets executive desire, cross-stovepipe authority, and application of technical and analytical resources.

Perhaps most important, a successful enterprise intelligence operation must be a defined, funded strategic undertaking of the organization. This doesn’t mean it must be expensive, merely that it must be defined and agreed upon. Set the bar low at first, then build on success.

So, the real question isn't “Which threat feed do I buy?” but rather “What do you want your intelligence to allow you to do?” The answer informs the data acquisition strategy. For example, are you staying ahead of fraud by keeping up to date with tactics? Tracking legislation? Trying to get a jump on malware that could hit your systems?

Any of these is a reasonable goal, but you need to decide on your goals.

  • Think strategically about what you want, then articulate the strategy clearly. And provide the resources to develop the tactical capability that serves it.
  • Give someone responsibility for and authority to run an intel shop. Get someone who’s done it before to be that someone. They don't have to be a retired general. They need to have experience, and be able to articulate the vision to the executives and the specifics to those in the trenches.

As Clint Bruce likes to say, the person who runs your intelligence operations should have the capacity to "Love the men, explain the mission, and don't be a detriment to the fighting."

Then leverage, leverage, leverage.

Nick Selby is co-founder and Chief Executive Officer of StreetCred Software Inc., a Texas-based company that provides law enforcement agencies with software that helps them locate and capture fugitives. Nick speaks and writes regularly on issues of information security, ...
Comments
nselby (Author), 5/27/2014 8:52:35 PM
Re: On the Money - but even MORE...
Thanks, John! I really appreciate the comment and your thoughts. I also appreciated the link to that INSA report. To devolve into some snark, Fran Lebowitz once wrote that, "Cheese that is required by law to append the word food to its title does not go well with red wine or fruit.[1]" Truly, words to live by. I'd add to that sentiment that, "Reports that begin by saying, "In 2012, Norton reported..." are usually to be taken with a grain of salt."

OK, snark over - I read the report and it's a very good and useful primer, and I thank you very much again for pointing us towards it.  Your point about the human element is all too important.
[1] http://www.qotd.org/search/single.html?qid=6711
Marilyn Cohodas (Strategist), 5/27/2014 4:58:01 PM
Re: On the Money - but even MORE...
Thanks for that link, John. There looks like a lot of meaty information in that 16-page document.
JohnF555 (Apprentice), 5/27/2014 3:31:46 PM
On the Money - but even MORE...
Nick,

Your thoughts are right on the $$ and I'd take it even further...there needs to be recognition of the human element (that I saw but can't find in comments on the article) both in terms of understanding the threat actors AND ensuring that leadership of the organization has a leader's understanding of the threat, e.g., how is it going to affect decision making, resource allocation and the organization's main mission/business. True analysis and context are critical for making those types of calls and are important in understanding threat below the strategic level. I'd call to your attention a paper produced by the Cyber Intelligence Task Force at the Intelligence and National Security Alliance (non-profit, non-partisan think tank) that clearly points out what you need to think of if you are going to do or buy cyber intelligence - here's the link - http://issuu.com/insalliance/docs/insa_wp_cyberintelligence_pages_hir/1?e=6126110/4715911
Treadstone71LLC (Apprentice), 5/27/2014 1:51:43 PM
Textbook definition - Not what the security companies are selling
The product resulting from the collection, analysis, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations. The term is also applied to the activity which results in the product and to the organizations engaged in such activity. (JP 1-02 & JP 2-0, Joint Intelligence)

Organizations that make up the US Intelligence Community use the term "intelligence" in three different ways: 1) Intelligence is a product that consists of information that has been refined to meet the needs of policymakers; 2) Intelligence is also a process through which that information is identified, collected, and analyzed; and 3) Intelligence refers to both the individual organizations that shape raw data into a finished intelligence product for the benefit of decision makers and the larger community of these organizations. 

-- Also, a body of evidence and the conclusions drawn there from that is acquired and furnished in response to the known or perceived requirements of consumers. It is often derived from information that is concealed or not intended to be available for use by the acquirer. (ODNI web site www.dni.gov)

Current infosec companies from ClownStrike, Symantec, McAfee, IBM, to Mandiant all sell something else. Even the large companies in the DC Metro area from the military industrial complex don't get it right. Ask what is the most sought after skill in the IC marketplace - it is for a true intel analyst. Even the training in the mil and .gov environments does not train for true analysis. They train to put data into a tool and take the finished product as intelligence. They train and compartmentalize. They train for the physical battlefield. They have not adopted nor adapted to the cyber environment sans technical data and that is still just that - data. They come from a defensive posture and claim expertise in intelligence. And companies are buying it.

It will be some time before the human equation of intelligence analysis is replaced with machine code. Eventually it will get there. But in the meantime, intelligence analysis is a much sought after, seldom understood discipline that combines art and science with human skill.

Next year at RSA it will be a new catch phrase or term. Something else that the infosec companies will glom onto like stink on $(@* claiming they are the best at it (overnight). If it sells, it will be on their tag line. 

In the meantime, wear your condoms when it comes to Threat Intel or you will catch (at your own company's expense) a security transmitted disease. 

T71
Treadstone71LLC (Apprentice), 5/27/2014 1:34:03 PM
Re: Intelligence Definition
But it takes analysis throughout (data to info to intelligence) to create that which is actionable.
ScottB597 (Apprentice), 5/16/2014 3:48:56 PM
Intelligence Definition
Intelligence is vetted information that one can use for analysis.  The pyramid works as so:

Data > Information > Intelligence > Analysis

The real difference between information and intelligence is the vetting process.  You need to ensure your information is good.
Marilyn Cohodas (Strategist), 5/12/2014 4:35:57 PM
Re: Intel is like Cyber - Stick it on to anything and it seems new...
@clintmsand -- Your notion of an upfront onboarding service that helps organizations define and prioritize the relative data/intelligence would seem to be a critical part of any solution. What other pieces are missing?
clintmsand (Apprentice), 5/10/2014 3:07:36 PM
Intel is like Cyber - Stick it on to anything and it seems new...
I think Intelligence is now like "cyber" has been for the past few years. People stick these words onto things to make them seem new. I also walked around the RSA show floor and noted how many vendors were marketing intelligence, only to see what they were showing and how none of it was actually an intel offering. 

I think what's missing for most vendors is the notion of an upfront onboarding service that attempts to map out what intelligence means to the customer, and configure the offering to help them meet those objectives rather than a one size fits all approach. Data is just data unless it's applied to some objective. 
Marilyn Cohodas (Strategist), 5/9/2014 12:18:08 PM
Re: Love the analogy
That's pretty solid advice about proving the point with free tools and resources before opening the corporate wallet. Also makes sense in terms of moving up the learning curve..thx
nselby (Author), 5/9/2014 12:00:34 PM
Re: Love the analogy
Thanks, Marilyn,

I always say to start small and specific, prove the concept and then build from success. Set the bar low and create a manageable project around some known business-specific point of pain. There are few out-of-the-box solutions here but they are usually identified by looking at issues that have required intensive concentration of resources in the recent past. I am actually not against setting the bar VERY low at first to demonstrate the utility of a program. In that way you can set up an intelligence capability using almost no commercial paid-for resources, instead doing it with free tools, search engines, resources like OWASP, APWG, university and government resources. Proving the point without opening the wallet is a very powerful tool for the first couple of runs at setting expectations and demonstrating utility, and will go a long way towards justifying budget once your capabilities and expectations are properly aligned.