Why Threat Intelligence Feels Like A Game Of Connect Four

In real life, solving the cybersecurity puzzle has many challenges. But shared wisdom and community defense models are making it easier to connect the dots.

You know Connect Four -- that plastic game with the vertical grid where you drop checker pieces until you get four in a row? With two good players it's deceptively simple. You have to keep your eye on all possible permutations while plotting several moves ahead.

That game reminds me of the challenges that today's threat intelligence professionals face. Except it's a three-dimensional version of that game, connecting many disparate pieces while keeping an eye on adversaries who are plotting several moves ahead. And in real life, the stakes are much higher.

As a lifelong security practitioner, I have worked everywhere from highly classified environments to critical infrastructure entities. Even in the most sophisticated, well-defended environments such as financial services, there are still many information silos. It's hard to find the threat needles in the data haystack. It's not just disparate security technologies. I am also talking about organizational, process, and data silos.

In the financial sector, three key domains come to mind: 1) information security, 2) physical security and personnel, and 3) anti-fraud and anti-money laundering. Typically these are managed and executed separately.

If we could truly connect the dots between even two of these domains, we would make significant strides in better understanding the threat landscape, reducing the risk of blended threats, improving incident response, and reducing theft and losses.

Everyone is impacted
All these functional areas impact one another. Physical security impacts confidentiality and data integrity. A data security lapse can impact physical security. And when there is an enterprise security incident, many teams are impacted: the fraud team, the desktop team, the network team, the website team, the cloud security team, the physical security team, the email team, and the list goes on.

Business email compromise (BEC) is a great example of a trending blended threat where nearly all functional areas are impacted. As analysts dig into the indicators of a BEC, they need to ask: What social engineering techniques were used? Which personnel were targeted or impersonated? What email header and payload information is available? What payment or procurement processes were subverted? What business partners or accounts were compromised? How were funds stolen or data exfiltrated? Each new question may cross organizational, political, and technical precincts.

There are many other examples of natural silos in big organizations. What happens when new infrastructure is rolled out or when a new office is commissioned? Is the information security team part of the plan? Are vulnerabilities addressed? Is the site monitored? Is system usage authenticated and verified?

Disconnects can also happen in network security. Disparate groups monitor network performance, uptime, and DDoS attacks, but may not be monitoring for a user accessing an unusual volume of customer records, or for systems being accessed at unusual times. Maybe ports 80 and 443 are monitored, but the firewall rules for other ports are not up to date. Maybe a system has been offline for an unusual amount of time and no one notices.

We tend to think that the more people engaged in information security, the more tools, the more budget, the more process, the better. But complexity can be detrimental to security. For example, a user opens her email and gets an alert that an infected file was found and cleaned. If the desktop team is notified, it means that everything is OK, right? But what if only part of the infection was identified and the malware is still persistent, waiting to access sensitive systems? The AV team sees one puzzle piece. The network team sees one puzzle piece. But the fraud team didn't see any of this. Where's the correlation? Where's the connection?

Not just a data or policy issue
Different teams, competing priorities, varied approaches, various critical watch lists... Many organizations are making good strides in aligning and clarifying corporate priorities to recognize that physical and cyber teams need to work together. Some companies have set up internal fusion centers. Public and private sector relationships are in place. Information sharing organizations like ISACs and ISAOs are helping facilitate the flow of real-time threat information. Standards like STIX and TAXII are helping to normalize threat data and make it more actionable. Shared wisdom and community defense models are quickly becoming the new norm.

In that spirit, I want to share four tips to help organizations get and stay connected.

  1. Understand the business: What is the business context you work in as a security team and what are its priorities? What is the worst that can happen and how do you spot it before it happens?
  2. Know thyself: No one else can know what you do, how you do it, what systems you have, or what they are supposed to do. No one else can spot what isn't supposed to be there the way you can. Like bank tellers trained on real currency so they know a fake when they see it, organizations that "know themselves" have reduced the attack surface.
  3. Look for ways to connect: Seek out ways to share information internally and externally. Sponsor regular cybersecurity simulations that involve multiple functional areas. Advocate for updates to crisis playbooks. Communicate the security roadmap broadly and especially at the executive level.
  4. Stick to the plan: Too often, security is compromised to meet the competitive and agility demands of the business, or even simply to react to the present threat landscape. Money is spent without the full context of how security fits into a strategic business plan. And, when a new threat comes along, organizations are tempted to divert from the plan and buy an expensive new tool or appliance that may not be the best fit. Don't react and don't over-react. Have a solid plan and map actions and investments to that plan.