Sometimes the best threat intelligence strategy is to not bother adopting it at all.
“You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.”
Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive.
Think of adding threat intelligence to the security operation as a commitment: “You need to take it on as a project and it’s a commitment to looking at what you [really] need. You can’t just go buy it. You have to look at the data and what you have internally and how you apply it,” says David Dufour, senior security architect at Webroot. “If you don’t have the available resources to work with it, then you’re wasting your money.”
That money is then better off spent on incident response, he says.
It’s about smart threat intelligence strategy, security experts say.
Take It Slow, Have a Beer
Intel-sharing’s humble roots began with security pros and executives from different companies in the same industry or region getting together over a beer or dinner, face-to-face, to swap their attack or threat war stories. Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC), joked during the virtual event session chat that “beer = first-generation cyber threat intel sharing platform.”
It’s true. The early days of intel-sharing were mainly face-to-face, phone calls, or emails. And that’s still the mode of operation for many organizations.
How organizations collect and use threat intel depends on who they are, says Wendy Nather, research director of The Retail Cyber Intelligence Sharing Center (R-CISC), an intel-sharing group made up of retailers, restaurants, grocers, hotel chains and retail suppliers. Nather, who was also a panelist on the threat intel panel at this week’s virtual event, says sharing often starts with a social meetup after-hours in a more unofficial capacity.
“It starts as gossip, you know somebody at another organization and you get together for a beer and talk about what you’ve seen,” she said. “The challenge is getting all sharing more formalized, open, and more organized. We try to support whatever we can from the Soltra structured data feed through the unstructured discussions.”
Company A’s security manager tells Company B’s over a couple of IPAs that he saw a specific IP address serving up a specific amount of traffic, and the attacker shifted gears to “low and slow” once he realized he’d been spotted. That’s a useful bit of intel for Company B, but then there’s the process of taking action: “It’s hard to put that into structured data, but it’s extremely valuable when you can tell that story and other people in other organizations can add to that story,” Nather explained.
When adopting threat intel feeds and ingesting that information, take it slowly at first. Anomali’s Trost says he often sees organizations taking in too much data and getting overwhelmed. They’re typically under pressure from management that “we need to get into threat intelligence,” so they go all in and end up drowning in false positives and events they can’t respond to, he said. “That’s the biggest mistake we see.”
A better approach is to start slowly with an intel feed or two, assess how the organization is able to respond to the threats, and then gradually ramp up. “You may have to pivot to different [intel] providers, or processes, to make sure you’re doing it in increments, but moving forward and increasing your capability” to use and take action on the threats, said Adam Meyer, chief security strategist at SurfWatch Labs and a panelist at the virtual event.
Needs v Wants
Webroot’s Dufour says before taking in threat intelligence, there’s a soul-searching stage of analyzing what you want to get from the feeds as well as what you need to protect. And sometimes, you get what you pay for.
“There’s bad threat intelligence out there. It could cost you more to get good threat intelligence, but you may not [then] need to hire three extra people” to triage and apply it, he says.
Beware of dated intel data, or the data going stale before you can actually convert it into a defensive action that thwarts a would-be attack. “What exactly is the data you’re getting and what’s the timeframe reference” it’s related to, Soltra’s Clancy said.
Some indicators of compromise (IOCs) are that way: they have a shelf life, as attackers shift their command-and-control servers, IP addresses, and malware variants to evade detection.
The Holy Grail for threat intelligence, like anything in security, is automation, of course, but not all organizations are equipped to go there just yet. “Try to remove humans from every possible place it makes sense” in threat intel, Anomali’s Trost advised.
SurfWatch Labs’ Meyer says to know why you’re collecting certain threat intel data and for what purpose. “You need clarity and context, situational awareness around threats. You need a methodology structure around collection – some instances at the machine level, correlating against tools specializing in that area, the actor’s motivations in your industry … compare that information to your own processes. Are you well-defined in those processes or not?”
It’s not just about sharing technical indictors of a threat actor, but also the techniques they use to flip the equation and put a little economic squeeze on them, according to Meyer. “Maybe [the attacker] now has to write 50 to 70 pieces of malware instead of one” to attack a vertical industry, for example, he said.
He breaks threat intel “consumers” of information into three groups. “Defense is the low layer, practical, on-the-wire information to defend the organization with context, situational awareness and correlation. Then there’s the operational level: the campaigns and actor motivations … are they targeting their industry or not? This is pure intel disciplines,” he said. At the top is the strategic layer, the people in the organization who are evaluating the overall security strategy and evaluating its effectiveness.
Bottom line: threat intelligence is not the endgame. “Threat intelligence empowers decision-making. It’s not the end goal in itself,” says Adam Vincent, CEO of ThreatConnect. “Similar to business intelligence, threat intelligence has the power to support all different kinds of [things] and people and make faster and more accurate decisions across the security organization.”