Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:05 PM

Cyber Intelligence Suffers From 'Snobby' Isolationism, Focus on Rare Threats

Cyber-threat intelligence groups need to more often investigate their organization's specific threats and better integrate with other business groups, experts say.

Cyber-threat intelligence (CTI) teams face a host of challenges — a shortage of skilled workers and a lack of resources, for example — but two of the most serious hurdles are, in many ways, self-inflicted: A "snobby" culture that isolates groups and often focuses on the latest interesting threats rather than the actual dangers facing the business, cybersecurity experts told attendees at two industry conferences last week.

Focusing on zero-day exploits and nation-state adversaries is naturally alluring for CTI teams, but the more common threats facing their organizations are cybercriminal phishing attacks and workers' reuse of passwords, Xena Olsen, a cyber-threat analyst for Marymount University, said during a presentation on creating adversary detection pipelines at the virtual Black Hat Asia conference. To provide actionable intelligence for blue and red teams, CTI analysts should focus on the most common threats first, she said.

Related Content:

Research Casts Doubt on Value of Threat Intel Feeds

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

"Instead of looking what is actually going on in their network and threat landscape, some CTI analysts solely focus on public threat actor reporting and going for the sexy APTs, advanced persistent threats," Olsen said, adding, "One of the main goals of adversary detection pipelines is to get really good at understanding simple attacks specific to your org[anization]'s infrastructure, controls, and detection."

In addition, because CTI teams often collect some of the most knowledgeable security analysts into a group, they often isolate themselves from other departments in an organization. Instead, they need to become more accessible to the organization, otherwise the perception is that they are being "snobby," Jamie Collier, CTI consultant at FireEye Mandiant, said in a presentation at the annual Virus Bulletin conference.

"It is really important that we get beyond that culture," he said. "When it comes to someone who is ignorant about cybersecurity, and they read an article that stokes fears, there is nothing funny about that situation, and so we need to make sure we are helping these people."

Almost half of all companies with a security-response capability have a dedicated CTI team, but the most popular forms of information consumed by the groups were open source CTI feeds, commercial feeds, and information from industry sharing groups, according to the "2020 SANS Cyber Threat Intelligence Survey." Threat information based on internal log data from firewalls and endpoint systems ranked No. 5. Other internal sources of threat information ranked even lower.

The two cybersecurity experts presented their own critiques of CTI at the conference. Marymount University's Olsen recommended an approach to threat intelligence that focuses on what is happening inside a company — gathering data on threats seen in email and enriching that with other internal event information — before attempting to use external threat information.

FireEye's Collier focused on a "backcasting" scenario, where he assumed that the CTI industry failed in a decade and attempted to explain why. The top reasons: focusing on novel threats rather than the ones with the most impact, the isolationism of threat intelligence groups, and the overall skills shortage in the industry.

"They typically operate as almost a standalone function," he said, speaking in the past tense, as his scenario deconstructed what happened to CTI from a future date. "We would have these very well written threat intelligence reports that would be produced on a variety of topics, but the audience of these reports was never clearly formulated. It was almost intelligence for the sake of intelligence."

The allure of novel threats — both because they piqued the interest of researchers and made good marketing — poses another problem for CTI firms, he said. One reason is that threat intelligence has often become more a marketing exercise than a capability to provide actionable information to the business. Threat intelligence teams tend to focus on the novel and interesting threats — often looking to get media coverage — rather than the actual common threats for which companies have to be ready, Collier said.

"Between phishing, on one hand, and AI-enabled offense on the other, there is all these different attack vectors, but they pose really different threats," he said. "AI-enabled threats may be interesting, but it is phishing that presents the real concern for the majority of organizations."

Adversary detection pipelines are an approach for CTI teams to analyze the operational data coming from their own company to narrow down their focus to actual threats. Email and log files can give information on real threat that can then be enriched with information from other systems, and then open source threat intelligence can be used to gather more data on adversaries, Marymount University's Olsen said.

The whole point it to "provide a prioritized workflow based on the attacks directed at the organization, through analysis performed by the CTI analyst," Olsen said. "It is the focused creation of intelligence based upon specific requirements for the sole purpose of enriching other teams and improving the security posture of the organization."

Collier advised threat intelligence teams to take a good look at how they approach their analyses.

"CTI is quite a young industry, so we need to guard against complacency," he said. "We need to be really reflective as an industry."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could allow unauthorized access to the driver's device object.
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could cause systems to experience a blue screen error.