Why Threat Intelligence Feels Like A Game Of Connect Four

In real life, solving the cybersecurity puzzle has many challenges. But shared wisdom and community defense models are making it easier to connect the dots.

Kristi Horton, Lead Intelligence Officer, Financial Services Information Sharing and Analysis Center (FS-ISAC)

November 10, 2015

5 Min Read

You know Connect Four -- that plastic game with the vertical grid where you drop checker pieces until you get four in a row? With two good players it's deceptively simple. You have to keep your eye on all possible permutations while plotting several moves ahead.

That game reminds me of the challenges that today's threat intelligence professionals face. Except it's a three-dimensional version of that game, connecting many disparate pieces while keeping an eye on adversaries making several moves ahead. And in real life, the stakes are much higher.

As a lifelong security practitioner, I have worked everywhere from highly classified environments to critical infrastructure entities. Even in the most sophisticated, well-defended environments such as financial services, there are still many information silos. It's hard to find the threat needles in the data haystack. It's not just disparate security technologies. I am also talking about organizational, process, and data silos.

In the financial sector, three key domains come to mind: 1) information security 2) physical security and personnel and 3) anti-fraud and money laundering. Typically these are managed and executed separately.

If we could truly connect the dots between even two of these domains, we would make significant strides in better understanding the threat landscape, reducing the risk of blended threats, improving incident response, and reducing theft and losses.

Everyone is impacted
All these functional areas impact one another. Physical security impacts confidentiality and data integrity. A data security lapse can impact physical security. And when there is an enterprise security incident, many teams are impacted: the fraud team, the desktop team, the network team, the website team, the cloud security team, the physical security team, the email team, and the list goes on.

Business email compromise (BEC) is a great example of a trending blended threat where nearly all functional areas are impacted. As analysts dig into the indicators of a BEC, they need to ask: "What social engineering techniques were used; Which personnel were targeted or impersonated; What email header and payload information is available; What payment or procurement processes were perverted; What business partners or accounts were compromised; How were funds stolen or data exfiltrated?" Each new question may cross organizational, political, and technical precincts.

There are many other examples of natural silos in big organizations. What happens when new infrastructure is rolled out or when a new office is commissioned? Is the information security team part of the plan? Are vulnerabilities addressed? Is the site monitored? Is system usage authenticated and verified?

Disconnects can also happen for network security. Disparate groups monitor network performance and uptime and DDoS attacks, but may not be monitoring for a user accessing an unusual volume of customer records or systems accessed at the wrong time. Maybe ports 80 and 443 are monitored, but the firewall rules for other ports are not up to date. Maybe a system has been offline for an unusual amount of time and no one notices.

We tend to think that the more people engaged in information security, the more tools, the more budget, the more process, the better. But complexity can be detrimental to security. For example, a user opens her email and gets an alert that an infected file was found and cleaned. If the desktop team is notified, it means that everything is ok, right? But what if only part of the infection was identified and malware is still persistent, waiting to access sensitive systems? The AV team sees one puzzle piece. The network team sees one puzzle piece. But the fraud team didn’t see any of this. Where's the correlation? Where's the connection?

Not just a data or policy issue
Different teams, competing priorities, varied approaches, various critical watch lists... Many organizations are making good strides in aligning and clarifying corporate priorities to recognize that physical and cyber teams need to work together. Some companies have set up internal fusion centers. Public and private sector relationships are in place. Information sharing organizations like ISACs and ISAOs are helping facilitate the flow of real-time threat information. Standards like STIX and TAXII are helping to normalize threat data and make it more actionable. Shared wisdom and community defense models are quickly becoming the new norm.

In that spirit, I want to share four tips to help organizations get and stay connected.

  1. Understand the business: What is the business context you work in as a security team and what are its priorities? What is the worst that can happen and how do you spot it before it happens?

  2. Know thyself: No one else can know what you do, how you do it, what systems you have, or what they are supposed to do. No one else can spot what isn't supposed to be there the way you can. Like bank tellers trained on real currency so they know a fake when they see it, organizations that "know themselves" have reduced the attack surface.

  3. Look for ways to connect: Seek out ways to share information internally and externally. Sponsor regular cybersecurity simulations that involve multiple functional areas. Advocate for updates to crisis playbooks. Communicate the security roadmap broadly and especially at the executive level.

  4. Stick to the plan: Too often, security is compromised to meet the competitive and agility demands of the business, or even simply to react to the present threat landscape. Money is spent without the full context of how security fits into a strategic business plan. And, when a new threat comes along, organizations are tempted to divert from the plan and buy an expensive new tool or appliance that may not be the best fit. Don't react and don't over-react. Have a solid plan and map actions and investments to that plan.

About the Author(s)

Kristi Horton

Lead Intelligence Officer, Financial Services Information Sharing and Analysis Center (FS-ISAC)

Kristi Horton is the lead intelligence officer of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit corporation formed in 1999 and is funded by its 6,500 member organizations. The FS-ISAC's mission is to help assure the resilience and continuity of the global financial services infrastructure and individual firms against acts that could significantly impact the sector's ability to provide services critical to the orderly function of the global economy. The FS-ISAC shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and fosters collaborations with other key sectors and governments. FS-ISAC is also one of the creators of Soltra Edge, the free threat sharing platform for critical sector entities.

Prior to joining the FS-ISAC in March 2015, Kristi led the cyber threat intelligence program at Capitol One from 2013-2015, served as an adjunct instructor at George Mason University's Digital Forensics Masters Program in 2013, served as the lead information security analyst at Science Applications International Corporation in 2009-13, served as a forensic computer analysis at Paradigm Solutions in 2007-09, and served in the high technology investigation unit of the US Department of Justice in 2004-07. Kristi has a M.S. in Accounting and Information Systems and a B.S. in Accounting and Information Systems from Virginia Polytechnic Institute and State University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights