6/30/2016
06:10 PM
How To Use Threat Intelligence Intelligently

Sometimes it's about a beer, but it's mainly about being prepared before opening the threat intel floodgates.

Sometimes the best threat intelligence strategy is to not bother adopting it at all.

“You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.”

Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive.

Think of adding threat intelligence to the security operation as a commitment: “You need to take it on as a project and it’s a commitment to looking at what you [really] need. You can’t just go buy it. You have to look at the data and what you have internally and how you apply it,” says David Dufour, senior security architect at Webroot. “If you don’t have the available resources to work with it, then you’re wasting your money.”

That money is then better off spent on incident response, he says.

It’s about smart threat intelligence strategy, security experts say.

Take It Slow, Have a Beer
Intel-sharing’s humble roots began with security pros and executives from different companies in the same industry or region getting together over a beer or dinner, face-to-face, to swap their attack or threat war stories. Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC), joked during the virtual event session chat that “beer = first-generation cyber threat intel sharing platform.”

It’s true. The early days of intel-sharing were mainly face-to-face, phone calls, or emails. And that’s still the mode of operation for many organizations.

How organizations collect and use threat intel depends on who they are, says Wendy Nather, research director of The Retail Cyber Intelligence Sharing Center (R-CISC), an intel-sharing group made up of retailers, restaurants, grocers, hotel chains and retail suppliers. Nather, who was also a panelist on the threat intel panel at this week’s virtual event, says sharing often starts with a social meetup after-hours in a more unofficial capacity.

“It starts as gossip, you know somebody at another organization and you get together for a beer and talk about what you’ve seen,” she said. “The challenge is getting all sharing more formalized, open, and more organized. We try to support whatever we can from the Soltra structured data feed through the unstructured discussions.”

Company A’s security manager tells Company B’s over a couple of IPAs that he saw a specific IP address serving up a specific amount of traffic, and the attacker shifted gears to “low and slow” once he realized he’d been spotted. That’s a useful bit of intel for Company B, but then there’s the process of taking action: “It’s hard to put that into structured data, but it’s extremely valuable when you can tell that story and other people in other organizations can add to that story,” Nather explained.

When adopting threat intel feeds and ingesting that information, take it slowly at first. Anomali’s Trost says he often sees organizations taking in too much data and getting overwhelmed. They’re typically under pressure from management that “we need to get into threat intelligence,” so they go all in and end up drowning in false positives and events they can’t respond to, he said. “That’s the biggest mistake we see.”

A better approach is to start slowly with an intel feed or two, assess how the organization is able to respond to the threats, and then gradually ramp up. “You may have to pivot to different [intel] providers, or processes, to make sure you’re doing it in increments, but moving forward and increasing your capability” to use and take action on the threats, said Adam Meyer, chief security strategist at SurfWatch Labs and a panelist at the virtual event.

Needs vs. Wants
Webroot’s Dufour says before taking in threat intelligence, there’s a soul-searching stage of analyzing what you want to get from the feeds as well as what you need to protect. And sometimes, you get what you pay for.

“There’s bad threat intelligence out there. It could cost you more to get good threat intelligence, but you may not [then] need to hire three extra people” to triage and apply it, he says.

Beware of dated intel data, or the data going stale before you can actually convert it into a defensive action that thwarts a would-be attack. “What exactly is the data you’re getting and what’s the timeframe reference” it’s related to, Soltra’s Clancy said.

Some indicators of compromise (IOCs) are that way: they have a shelf life, as attackers shift their command-and-control servers, IP addresses, and malware variants to evade detection.
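As an added example (not code from the article or from any of the vendors quoted in it), the check below attaches a shelf life to each indicator and drops stale ones before matching against log lines, so an expired C2 address no longer generates alerts; the indicator fields, TTL values, feed entries and log format are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Indicator record with a shelf life. Field names are assumptions for this
# example, not a real feed's schema.
@dataclass(frozen=True)
class Indicator:
    value: str           # IP address or domain, as a plain string
    kind: str            # "ip" or "domain"
    last_seen: datetime  # when the provider last saw the indicator active
    ttl_days: int        # how long after last_seen we still act on it

NOW = datetime(2016, 6, 30, 18, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample feed: two current indicators and one long-expired address.
FEED = [
    Indicator("203.0.113.7", "ip", NOW - timedelta(days=2), ttl_days=14),
    Indicator("198.51.100.9", "ip", NOW - timedelta(days=120), ttl_days=30),
    Indicator("bad.example.net", "domain", NOW - timedelta(days=40), ttl_days=90),
]

# Constructed egress log lines in a simple "timestamp key=value ..." format.
LOGS = [
    "2016-06-30T17:55:01Z dst=203.0.113.7 action=allow",
    "2016-06-30T17:56:12Z dst=198.51.100.9 action=allow",
    "2016-06-30T17:57:40Z dst=bad.example.net action=allow",
    "2016-06-30T17:58:03Z dst=192.0.2.44 action=allow",
]

def is_fresh(ind: Indicator, now: datetime) -> bool:
    """True if the indicator is still inside its shelf life at `now`."""
    return now - ind.last_seen <= timedelta(days=ind.ttl_days)

def active_indicators(feed, now):
    """Drop stale indicators before they ever reach the matching stage."""
    return {ind.value: ind for ind in feed if is_fresh(ind, now)}

def match_logs(logs, feed, now):
    """Return (log line, indicator) pairs for hits on fresh indicators only."""
    active = active_indicators(feed, now)
    hits = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        ind = active.get(fields.get("dst", ""))
        if ind is not None:
            hits.append((line, ind))
    return hits

if __name__ == "__main__":
    for line, ind in match_logs(LOGS, FEED, NOW):
        print(f"HIT {ind.kind} {ind.value} (last seen {ind.last_seen:%Y-%m-%d}): {line}")
```

The second log line contacts a listed address but produces no hit because that indicator is 120 days old against a 30-day TTL; a real feed would supply the timeframe reference Clancy asks about, and the TTL should be set per indicator type.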

The Holy Grail for threat intelligence, like anything in security, is automation, of course, but not all organizations are equipped to go there just yet. “Try to remove humans from every possible place it makes sense” in threat intel, Anomali’s Trost advised.

SurfWatch Labs’ Meyer says to know why you’re collecting certain threat intel data and for what purpose. “You need clarity and context, situational awareness around threats. You need a methodology structure around collection – some instances at the machine level, correlating against tools specializing in that area, the actor’s motivations in your industry … compare that information to your own processes. Are you well-defined in those processes or not?”

It’s not just about sharing technical indicators of a threat actor, but also the techniques they use; sharing those flips the equation and puts a little economic squeeze on the attacker, according to Meyer. “Maybe [the attacker] now has to write 50 to 70 pieces of malware instead of one” to attack a vertical industry, for example, he said.

He breaks threat intel “consumers” of information into three groups. “Defense is the low layer, practical, on-the-wire information to defend the organization with context, situational awareness and correlation. Then there’s the operational level: the campaigns and actor motivations … are they targeting their industry or not? This is pure intel disciplines,” he said. At the top is the strategic layer, the people in the organization who are evaluating the overall security strategy and evaluating its effectiveness.

Bottom line: threat intelligence is not the endgame. “Threat intelligence empowers decision-making. It’s not the end goal in itself,” says Adam Vincent, CEO of ThreatConnect. “Similar to business intelligence, threat intelligence has the power to support all different kinds of [things] and people and make faster and more accurate decisions across the security organization.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments

Mike Anders, User Rank: Apprentice, 8/30/2016 | 3:58:14 PM
Consumption
I would have to disagree, somewhat. If you cannot "consume" the data then why are you subscribed to a half dozen threat intelligence feeds? That I can agree with.

Remember when your Mother told you to chew your food carefully and not just gulp it down? Works with data as well. It is not how much you "consume" but rather how you go about chewing through the data to produce information that, when analyzed, results in actionable intelligence products.

You need a methodology when it comes to assessing your data. NGA, DoD, DIA, CIA and just about all the other three-letter agencies in the IC, working the cyber problem, are already relying on Activity-Based Intelligence (ABI) methods and tradecraft, enabled by Object Based Production (OBP) techniques.

No, they are not just "buzzwords" and yes, they are getting good results. If you have not heard of ABI or OBP, then you probably really are just gulping down your food! I mean your data, and choking on it! Not a criticism, just an observation! :->)