Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/21/2013
06:38 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Dolloping Out Threat Intelligence

When too much of a good thing causes confusion and setbacks

There's a saying that too much of a good thing can be bad for you. We normally apply it to things like ice cream and chocolate, but the saying also applies to the threat intelligence world. You'd think that by doubling or even quadrupling the number of streaming intelligence feeds into your organization you'd be better off -- better informed and more secure. Unfortunately, you're likely to be wrong.

During the past couple of years, the threat intelligence service industry has really kicked into high gear. Many of the vendors in this area have been supplying their streaming intelligence services for upward of a decade to the manufacturers of popular security appliances and desktop protection suites, but it has only been more recently that enterprise businesses have found themselves in a position to consume the data directly.

The growing need for streaming security intelligence is a direct response to the rapidly evolving threat. As the threats that target an enterprise become more adaptive, more dynamic, and more evasive of legacy protection architectures, there's a driving need for real-time analytics and providing inputs into a new generation of dynamic analysis systems. To this end, the common logic is "more is better" when it comes to threat intelligence. But is it?

Last week, I came across an opinion piece at SC Magazine by Kathleen Moriarty (global lead security architect, EMC's office of the CTO), titled "Threat-intelligence sharing is dead, and here's how to resuscitate it," in which she touches on the problems of sharing intelligence data and using it effectively. While I agree with her that contemporary threat intelligence sharing has failed (and, by the way, is increasingly a target for subversion) -- in particular, that those participating in threat-intelligence programs have suffered from too much information, and that they struggle to deal with information that is neither actionable nor relevant -- I believe the requirement to rely on trusted parties is likely doomed to failure. "Trust" networks, if ad-sharing networks are any indicator, are an open invitation to new attack vectors.

The biggest problem that enterprise threat-intelligence customers are facing can be illustrated by the problem any of us would encounter is we were placed in an office surrounded by televisions each blaring away a separate TV news channel, and were expected to absorb and digest the days happenings. Too much information is overwhelming. Adding additional TVs and news broadcasts only adds to the problem.

But another analogy can be drawn from the same TV news illustration. You'd think things would become simpler if there's a late breaking story that most of the channels then start covering at the same time. The simultaneous coverage is likely an indicator that something significant is happening and should be responded to.

Two significant wrinkles with this approach spring to mind. If the majority of the TV channels are covering the same national story, then what stories are not being covered? While they're all repeating the same news -- confirming among themselves the significance of the story -- other local stories are being dropped from the day's coverage. And then, as with practically any late-breaking story of significance, the TV channels -- each searching for new "facts" and unique commentary -- often end up repeating each others' facts (sometimes providing attribution to a competitor if they can't confirm it for themselves).

In the threat-intelligence community, what you end up with is a myopic fixation on the high-profile threat of the day (e.g., the latest APT that has made it to the news) to the detriment of other analysis and, I'm sorry to say, a framework that can be easily tainted by bad or mistaken information. There's so much pressure on the various threat-intelligence providers to provide like-for-like coverage of competitor feeds that each vendor subscribes or monitors the other and will often add any missing intelligence data to their own feed, even if they can confirm it for themselves. This already happens daily among the dozens of blacklists and antivirus signature vendors.

The problems facing streaming threat intelligence feeds, their vendors, and their consumers are many and (unfortunately) endemic throughout the current intelligence-sharing model. Luckily, a new generation of machine-learning and clustering systems is making great headway in consuming the threat intelligence feeds from a bloating industry -- weeding out superfluous and inaccurate information -- and pre-emptively classifying threat categories, such as botnets and related domain abuse, but is still years away of forming the basis of prioritizing actions against the full breadth of today's threat spectrum within the enterprise.

The incestuous nature of the streaming intelligence service industry causes many problems, but also new opportunities. While those responsible for safeguarding their corporate networks are overwhelmed with inactionable information from an avalanche of intelligence data, there is ample opportunity for boutique service providers to step in and provide distilled threat intelligence advice specific to their clients' needs.

As kids, we've probably all dreamed about having a humongous bowl filled with every flavor of ice cream imaginable and consuming the whole thing until we exploded. As an adult, I've learned that the strategy of first asking the girl on the other side of the counter which flavored ice creams are the best in the store is often a more efficient and less explosive way to enjoyment.

Gunter Ollmann, CTO, IOActive Inc.

 

Gunter Ollmann serves as CTO for security and helps drive the cross-pillar strategy for the cloud and AI security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.