
Threat Intelligence

10/7/2020
04:05 PM

Cyber Intelligence Suffers From 'Snobby' Isolationism, Focus on Rare Threats

Cyber-threat intelligence groups need to more often investigate their organization's specific threats and better integrate with other business groups, experts say.

Cyber-threat intelligence (CTI) teams face a host of challenges — a shortage of skilled workers and a lack of resources, for example — but two of the most serious hurdles are, in many ways, self-inflicted: A "snobby" culture that isolates groups and often focuses on the latest interesting threats rather than the actual dangers facing the business, cybersecurity experts told attendees at two industry conferences last week.

Focusing on zero-day exploits and nation-state adversaries is naturally alluring for CTI teams, but the more common threats facing their organizations are cybercriminal phishing attacks and workers' reuse of passwords, Xena Olsen, a cyber-threat analyst for Marymount University, said during a presentation on creating adversary detection pipelines at the virtual Black Hat Asia conference. To provide actionable intelligence for blue and red teams, CTI analysts should focus on the most common threats first, she said.


"Instead of looking what is actually going on in their network and threat landscape, some CTI analysts solely focus on public threat actor reporting and going for the sexy APTs, advanced persistent threats," Olsen said, adding, "One of the main goals of adversary detection pipelines is to get really good at understanding simple attacks specific to your org[anization]'s infrastructure, controls, and detection."

In addition, because CTI teams often collect some of the most knowledgeable security analysts into a group, they often isolate themselves from other departments in an organization. Instead, they need to become more accessible to the organization; otherwise, the perception is that they are being "snobby," Jamie Collier, CTI consultant at FireEye Mandiant, said in a presentation at the annual Virus Bulletin conference.

"It is really important that we get beyond that culture," he said. "When it comes to someone who is ignorant about cybersecurity, and they read an article that stokes fears, there is nothing funny about that situation, and so we need to make sure we are helping these people."

Almost half of all companies with a security-response capability have a dedicated CTI team, but the most popular forms of information consumed by the groups were open source CTI feeds, commercial feeds, and information from industry sharing groups, according to the "2020 SANS Cyber Threat Intelligence Survey." Threat information based on internal log data from firewalls and endpoint systems ranked No. 5. Other internal sources of threat information ranked even lower.

The two cybersecurity experts presented their own critiques of CTI at the conference. Marymount University's Olsen recommended an approach to threat intelligence that focuses on what is happening inside a company — gathering data on threats seen in email and enriching that with other internal event information — before attempting to use external threat information.

FireEye's Collier focused on a "backcasting" scenario, where he assumed that the CTI industry failed in a decade and attempted to explain why. The top reasons: focusing on novel threats rather than the ones with the most impact, the isolationism of threat intelligence groups, and the overall skills shortage in the industry.

"They typically operate as almost a standalone function," he said, speaking in the past tense, as his scenario deconstructed what happened to CTI from a future date. "We would have these very well written threat intelligence reports that would be produced on a variety of topics, but the audience of these reports was never clearly formulated. It was almost intelligence for the sake of intelligence."

The allure of novel threats — both because they piqued the interest of researchers and made good marketing — poses another problem for CTI firms, he said. One reason is that threat intelligence has often become more a marketing exercise than a capability to provide actionable information to the business. Threat intelligence teams tend to focus on the novel and interesting threats — often looking to get media coverage — rather than the actual common threats for which companies have to be ready, Collier said.

"Between phishing, on one hand, and AI-enabled offense on the other, there are all these different attack vectors, but they pose really different threats," he said. "AI-enabled threats may be interesting, but it is phishing that presents the real concern for the majority of organizations."

Adversary detection pipelines are an approach for CTI teams to analyze the operational data coming from their own company in order to narrow their focus to actual threats. Email and log files can give information on real threats, which can then be enriched with information from other internal systems; only then is open source threat intelligence used to gather more data on the adversaries, Marymount University's Olsen said.

The whole point is to "provide a prioritized workflow based on the attacks directed at the organization, through analysis performed by the CTI analyst," Olsen said. "It is the focused creation of intelligence based upon specific requirements for the sole purpose of enriching other teams and improving the security posture of the organization."
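The pipeline Olsen describes, as an added sketch that is not her tooling or the article's code: constructed internal email-gateway and identity-provider events are counted and enriched with internal context first, and external lookup is deferred to a follow-up step. The event formats, the user-criticality table and the domain names are assumptions.

```python
"""Adversary-detection-pipeline sketch: prioritise threats seen in internal
data before reaching for external feeds. All events are constructed."""
from collections import defaultdict

# Constructed email-gateway events: (sender_domain, recipient, verdict)
EMAIL_EVENTS = [
    ("invoice-mailer.example", "alice@corp.example", "phish"),
    ("invoice-mailer.example", "bob@corp.example", "phish"),
    ("invoice-mailer.example", "carol@corp.example", "phish"),
    ("newsletter.example", "alice@corp.example", "clean"),
    ("rare-apt.example", "ceo@corp.example", "phish"),
]
# Constructed identity-provider events: (user, event)
AUTH_EVENTS = [
    ("bob@corp.example", "password_reuse_flag"),
    ("bob@corp.example", "login_new_country"),
    ("alice@corp.example", "login_ok"),
]
# Hypothetical internal asset context used for enrichment (default weight 1).
USER_CRITICALITY = {"ceo@corp.example": 3, "bob@corp.example": 2}


def build_pipeline(email_events, auth_events, criticality):
    """Return (sender_domain, record) pairs sorted by descending priority.

    Score = number of phishing hits (volume first), plus the criticality of
    each targeted user, plus one per related internal auth anomaly."""
    campaigns = defaultdict(lambda: {"count": 0, "targets": set(), "enrichment": []})
    for domain, rcpt, verdict in email_events:
        if verdict == "phish":
            campaigns[domain]["count"] += 1
            campaigns[domain]["targets"].add(rcpt)
    # Internal enrichment source: non-routine auth events, grouped by user.
    anomalies = defaultdict(list)
    for user, event in auth_events:
        if event != "login_ok":
            anomalies[user].append(event)
    for domain, rec in campaigns.items():
        score = rec["count"]
        for target in sorted(rec["targets"]):
            score += criticality.get(target, 1)
            for event in anomalies.get(target, []):
                rec["enrichment"].append(f"{target}: {event}")
                score += 1
        rec["score"] = score
        # External OSINT on sender infrastructure comes last, not first.
        rec["follow_up"] = "open-source lookup of sender infrastructure"
    return sorted(campaigns.items(), key=lambda kv: kv[1]["score"], reverse=True)
```

With these inputs the high-volume commodity phishing campaign outranks the single message from the "interesting" sender, which is the ordering the article argues for.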

Collier advised threat intelligence teams to take a good look at how they approach their analyses.

"CTI is quite a young industry, so we need to guard against complacency," he said. "We need to be really reflective as an industry."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio