
Threat Intelligence

04:05 PM

Cyber Intelligence Suffers From 'Snobby' Isolationism, Focus on Rare Threats

Cyber-threat intelligence groups need to more often investigate their organization's specific threats and better integrate with other business groups, experts say.

Cyber-threat intelligence (CTI) teams face a host of challenges — a shortage of skilled workers and a lack of resources, for example — but two of the most serious hurdles are, in many ways, self-inflicted: A "snobby" culture that isolates groups and often focuses on the latest interesting threats rather than the actual dangers facing the business, cybersecurity experts told attendees at two industry conferences last week.

Focusing on zero-day exploits and nation-state adversaries is naturally alluring for CTI teams, but the more common threats facing their organizations are cybercriminal phishing attacks and workers' reuse of passwords, Xena Olsen, a cyber-threat analyst for Marymount University, said during a presentation on creating adversary detection pipelines at the virtual Black Hat Asia conference. To provide actionable intelligence for blue and red teams, CTI analysts should focus on the most common threats first, she said.


"Instead of looking at what is actually going on in their network and threat landscape, some CTI analysts solely focus on public threat actor reporting and going for the sexy APTs, advanced persistent threats," Olsen said, adding, "One of the main goals of adversary detection pipelines is to get really good at understanding simple attacks specific to your org[anization]'s infrastructure, controls, and detection."

In addition, because CTI teams often collect some of the most knowledgeable security analysts into a group, they often isolate themselves from other departments in an organization. Instead, they need to become more accessible to the organization; otherwise, the perception is that they are being "snobby," Jamie Collier, CTI consultant at FireEye Mandiant, said in a presentation at the annual Virus Bulletin conference.

"It is really important that we get beyond that culture," he said. "When it comes to someone who is ignorant about cybersecurity, and they read an article that stokes fears, there is nothing funny about that situation, and so we need to make sure we are helping these people."

Almost half of all companies with a security-response capability have a dedicated CTI team, but the most popular forms of information consumed by the groups were open source CTI feeds, commercial feeds, and information from industry sharing groups, according to the "2020 SANS Cyber Threat Intelligence Survey." Threat information based on internal log data from firewalls and endpoint systems ranked No. 5. Other internal sources of threat information ranked even lower.

The two cybersecurity experts presented their own critiques of CTI at the conference. Marymount University's Olsen recommended an approach to threat intelligence that focuses on what is happening inside a company — gathering data on threats seen in email and enriching that with other internal event information — before attempting to use external threat information.

FireEye's Collier focused on a "backcasting" scenario, where he assumed that the CTI industry failed in a decade and attempted to explain why. The top reasons: focusing on novel threats rather than the ones with the most impact, the isolationism of threat intelligence groups, and the overall skills shortage in the industry.

"They typically operate as almost a standalone function," he said, speaking in the past tense, as his scenario deconstructed what happened to CTI from a future date. "We would have these very well written threat intelligence reports that would be produced on a variety of topics, but the audience of these reports was never clearly formulated. It was almost intelligence for the sake of intelligence."

The allure of novel threats — both because they piqued the interest of researchers and made good marketing — poses another problem for CTI firms, he said. One reason is that threat intelligence has often become more a marketing exercise than a capability to provide actionable information to the business. Threat intelligence teams tend to focus on the novel and interesting threats — often looking to get media coverage — rather than the actual common threats for which companies have to be ready, Collier said.

"Between phishing, on one hand, and AI-enabled offense on the other, there are all these different attack vectors, but they pose really different threats," he said. "AI-enabled threats may be interesting, but it is phishing that presents the real concern for the majority of organizations."

Adversary detection pipelines are an approach for CTI teams to analyze the operational data coming from their own company in order to narrow their focus to actual threats. Email and log files can give information on real threats, which can then be enriched with information from other internal systems; only then is open source threat intelligence used to gather more data on the adversaries actually observed, Marymount University's Olsen said.

The whole point is to "provide a prioritized workflow based on the attacks directed at the organization, through analysis performed by the CTI analyst," Olsen said. "It is the focused creation of intelligence based upon specific requirements for the sole purpose of enriching other teams and improving the security posture of the organization."
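To make the pipeline idea concrete, the following Python script is an added example written for this article; it is not code from Olsen's presentation or from any Marymount University project. It takes a handful of constructed internal events (email gateway verdicts, authentication log findings, an endpoint alert), aggregates them per technique, enriches each finding with constructed user context of the kind an IAM or HR system would hold, and ranks the result so that the CTI team's effort goes first to the attacks actually reaching the organization. The scoring weights are assumptions chosen for illustration, not a published method.

```python
"""Toy adversary detection pipeline: rank observed internal attacks before
consulting external threat intelligence. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events from internal telemetry: which system saw it,
# the technique label the analyst assigned, the affected user, and whether
# an existing control stopped it.
EVENTS = [
    {"source": "email_gateway", "technique": "phishing", "user": "alice", "blocked": True},
    {"source": "email_gateway", "technique": "phishing", "user": "bob", "blocked": False},
    {"source": "email_gateway", "technique": "phishing", "user": "carol", "blocked": False},
    {"source": "auth_log", "technique": "password_reuse", "user": "bob", "blocked": False},
    {"source": "auth_log", "technique": "credential_stuffing", "user": "dave", "blocked": True},
    {"source": "edr", "technique": "novel_exploit", "user": "erin", "blocked": True},
]

# Constructed internal context (the kind of data an IAM/HR system holds),
# used to enrich findings with who was targeted and how sensitive they are.
USER_CONTEXT = {
    "alice": {"dept": "engineering", "privileged": False},
    "bob": {"dept": "finance", "privileged": True},
    "carol": {"dept": "sales", "privileged": False},
    "dave": {"dept": "it", "privileged": True},
    "erin": {"dept": "engineering", "privileged": False},
}


@dataclass
class Finding:
    """One technique as observed against the organization, with enrichment."""
    technique: str = ""
    count: int = 0              # how often the technique was seen
    unblocked: int = 0          # instances no control stopped
    privileged_hits: int = 0    # instances that reached a privileged user
    departments: list = field(default_factory=list)
    score: int = 0


def prioritize(events, context):
    """Aggregate internal events per technique, enrich with user context, and
    rank. Scoring is an assumed, illustrative weighting: each observation
    counts 1, each instance a control failed to block adds 2, and each hit on
    a privileged user adds 3. Frequency and impact therefore outrank novelty."""
    agg = defaultdict(Finding)
    for ev in events:
        finding = agg[ev["technique"]]
        finding.technique = ev["technique"]
        finding.count += 1
        if not ev["blocked"]:
            finding.unblocked += 1
        ctx = context.get(ev["user"], {})
        if ctx.get("privileged"):
            finding.privileged_hits += 1
        dept = ctx.get("dept", "unknown")
        if dept not in finding.departments:
            finding.departments.append(dept)
    findings = list(agg.values())
    for finding in findings:
        finding.score = finding.count + 2 * finding.unblocked + 3 * finding.privileged_hits
    # Highest score first; technique name breaks ties deterministically.
    findings.sort(key=lambda f: (-f.score, f.technique))
    return findings


def render(findings):
    """Produce one prioritized line per finding for the blue/red team hand-off."""
    return [
        f"{i + 1}. {f.technique}: score={f.score} seen={f.count} "
        f"unblocked={f.unblocked} privileged={f.privileged_hits} "
        f"depts={','.join(f.departments)}"
        for i, f in enumerate(findings)
    ]


if __name__ == "__main__":
    for line in render(prioritize(EVENTS, USER_CONTEXT)):
        print(line)
```

Run as written, the ranking puts phishing first (three observations, two delivered, one to a privileged finance user), password reuse second, credential stuffing third, and the single blocked endpoint alert last. The external open source intelligence step then starts from the top of that list, so lookups are scoped to the adversary behaviour the organization actually observed rather than to whatever is currently newsworthy.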

Collier advised threat intelligence teams to take a good look at how they approach their analyses.

"CTI is quite a young industry, so we need to guard against complacency," he said. "We need to be really reflective as an industry."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
