Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:05 PM

Cyber Intelligence Suffers From 'Snobby' Isolationism, Focus on Rare Threats

Cyber-threat intelligence groups need to more often investigate their organization's specific threats and better integrate with other business groups, experts say.

Cyber-threat intelligence (CTI) teams face a host of challenges — a shortage of skilled workers and a lack of resources, for example — but two of the most serious hurdles are, in many ways, self-inflicted: A "snobby" culture that isolates groups and often focuses on the latest interesting threats rather than the actual dangers facing the business, cybersecurity experts told attendees at two industry conferences last week.

Focusing on zero-day exploits and nation-state adversaries is naturally alluring for CTI teams, but the more common threats facing their organizations are cybercriminal phishing attacks and workers' reuse of passwords, Xena Olsen, a cyber-threat analyst for Marymount University, said during a presentation on creating adversary detection pipelines at the virtual Black Hat Asia conference. To provide actionable intelligence for blue and red teams, CTI analysts should focus on the most common threats first, she said.

Related Content:

Research Casts Doubt on Value of Threat Intel Feeds

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

"Instead of looking what is actually going on in their network and threat landscape, some CTI analysts solely focus on public threat actor reporting and going for the sexy APTs, advanced persistent threats," Olsen said, adding, "One of the main goals of adversary detection pipelines is to get really good at understanding simple attacks specific to your org[anization]'s infrastructure, controls, and detection."

In addition, because CTI teams often collect some of the most knowledgeable security analysts into a group, they often isolate themselves from other departments in an organization. Instead, they need to become more accessible to the organization, otherwise the perception is that they are being "snobby," Jamie Collier, CTI consultant at FireEye Mandiant, said in a presentation at the annual Virus Bulletin conference.

"It is really important that we get beyond that culture," he said. "When it comes to someone who is ignorant about cybersecurity, and they read an article that stokes fears, there is nothing funny about that situation, and so we need to make sure we are helping these people."

Almost half of all companies with a security-response capability have a dedicated CTI team, but the most popular forms of information consumed by the groups were open source CTI feeds, commercial feeds, and information from industry sharing groups, according to the "2020 SANS Cyber Threat Intelligence Survey." Threat information based on internal log data from firewalls and endpoint systems ranked No. 5. Other internal sources of threat information ranked even lower.

The two cybersecurity experts presented their own critiques of CTI at the conference. Marymount University's Olsen recommended an approach to threat intelligence that focuses on what is happening inside a company — gathering data on threats seen in email and enriching that with other internal event information — before attempting to use external threat information.

FireEye's Collier focused on a "backcasting" scenario, where he assumed that the CTI industry failed in a decade and attempted to explain why. The top reasons: focusing on novel threats rather than the ones with the most impact, the isolationism of threat intelligence groups, and the overall skills shortage in the industry.

"They typically operate as almost a standalone function," he said, speaking in the past tense, as his scenario deconstructed what happened to CTI from a future date. "We would have these very well written threat intelligence reports that would be produced on a variety of topics, but the audience of these reports was never clearly formulated. It was almost intelligence for the sake of intelligence."

The allure of novel threats — both because they piqued the interest of researchers and made good marketing — poses another problem for CTI firms, he said. One reason is that threat intelligence has often become more a marketing exercise than a capability to provide actionable information to the business. Threat intelligence teams tend to focus on the novel and interesting threats — often looking to get media coverage — rather than the actual common threats for which companies have to be ready, Collier said.

"Between phishing, on one hand, and AI-enabled offense on the other, there is all these different attack vectors, but they pose really different threats," he said. "AI-enabled threats may be interesting, but it is phishing that presents the real concern for the majority of organizations."

Adversary detection pipelines are an approach for CTI teams to analyze the operational data coming from their own company to narrow down their focus to actual threats. Email and log files can give information on real threat that can then be enriched with information from other systems, and then open source threat intelligence can be used to gather more data on adversaries, Marymount University's Olsen said.

The whole point it to "provide a prioritized workflow based on the attacks directed at the organization, through analysis performed by the CTI analyst," Olsen said. "It is the focused creation of intelligence based upon specific requirements for the sole purpose of enriching other teams and improving the security posture of the organization."

Collier advised threat intelligence teams to take a good look at how they approach their analyses.

"CTI is quite a young industry, so we need to guard against complacency," he said. "We need to be really reflective as an industry."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s l...
PUBLISHED: 2021-05-10
Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation proces...
PUBLISHED: 2021-05-10
In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in ‘quickFile.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
PUBLISHED: 2021-05-10
A number of exploitable SQL injection vulnerabilities exists in ‘patientslist.do’ page of OpenClinic GA 5.173.3 application. The findPersonID parameter in ‘‘patientslist.do’ page is vulnerable to authentic...