Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/13/2017
10:30 AM
Robert M. Lee
Robert M. Lee
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Getting the Most Out of Cyber Threat Intelligence

How security practitioners can apply structured analysis and move from putting out fires to fighting the arsonists.

Today’s security environment is complex, ever changing, and sometimes even political. Many organizations struggle to keep current about the cyber threats they face. This is due to a number of issues, ranging from the failure to adapt security recommendations to the specific needs of an organization, to an over focus on malware instead of the human adversary.

Adding to the struggle is the fact that every organization is different. For example, inside an industry vertical, you may find political or regional differences beyond just technical ones. There may be differences in how one division within an organization approaches security in comparison to other divisions within the company. These division-based differences can be the result of varying organizational missions or business units. Each disparity impacts the organization’s overarching threat model, and its understanding of its threat landscape.

Over the years defenders have taken a tool-centric approach. But technology alone won't stop a well-focused and funded human adversary. While technology is great at synthesizing data, limiting the attack space, and making human analysts more efficient, at the end of the day, it is a human adversary vs. human defender contest - and it must be treated as such.

Even organizations that appreciate the value of threat intelligence can be misled in their application of it. For example, insight into threats can be limited by a vendor-centric approach to how threat intelligence is consumed. And while processing reports created by external parties and leveraging threat data are a valuable way to gather information on adversaries, capabilities and infrastructure, the information gathered should complement a larger internal effort by the security team, not replace it. Put another way, when security practitioners use information obtained through technology and threat intelligence feeds incorrectly, the result is reactive, Whack-a-Mole security, not a deeper understanding of adversary tradecraft.

The Power of Analysis
To truly be successful in threat intelligence organizations must empower and train their human defenders in analytical approaches so they become good analysts. This means understanding complex scenarios and thinking about them more critically. Simply put, good analysts should look at the world a little differently.

Join Dark Reading LIVE for two days of practical cyber defense discussions from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

While there is significant value in learning how to use a tool in certain environments (and some great vendor-neutral courses to show you how), the real value is in structured analysis training. Becoming a good analyst requires much more than knowing which tool to use and when. When faced with complex scenarios, it is vital that the security community thinks critically and evaluate various options. This requires practitioners to develop skills that expand into complicated topics such as adversary intrusion, campaign analysis, adversary tradecraft, and moving from relying on indicators to leveraging behavioral analytics. 

Security practitioners must also tie together individual intrusions and look at them as long-term campaigns being run against organizations, as opposed to one-off attacks. There are a lot of security efforts where every intrusion is treated as a separate entity, when realistically we might be dealing with an entire campaign from an adversary.

This is not a new concept in of itself. Richard Betjlich was advocating for this approach in the early 2000’s. Today, amazing strides in defense are being made in organizations that are attempting to tie intrusions together successfully in order to reduce risk. Sharing knowledge and analysis of an adversary campaign between tactical and strategic level players is essential to getting – and staying – ahead of adversaries.

While technical training and labs are important, to truly understand the human threat requires that practitioners hone their analysis skills and change their perspective. By that I mean, responders and security operations teams must develop intelligent analysis skills across data sets in a way that gives them a deeper understanding of security from tactical, operational, and strategic approaches. Analysis-based cyber threat intelligence will allow security practitioners to move from putting out fires to fighting the arsonists.  

The ideal training should also help develop an operational view into how a threat program can mature. From a strategic level, it should arm practitioners with insight into adversaries at a level that C-suite and boards of directors can appreciate and leverage to protect the overall organization.

Bottom line: When organizations understand their own environments, can confidently and accurately identify what constitutes a threat to them, and can think critically about the information they receive, only then will threat intelligence becomes an extremely useful addition to security. 

If you wish to learn more, please check out the SANS FOR578: Cyber Threat Intelligence course or research these concepts online.

Related Content:

 

Robert M. Lee is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cybersecurity of critical infrastructure. For his research ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12216
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12217
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c.
CVE-2019-12218
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12219
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.
CVE-2019-12220
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.