Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/30/2016
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How To Use Threat Intelligence Intelligently

Sometimes it's about a beer, but it's mainly about being prepared before opening the threat intel floodgates.

Sometimes the best threat intelligence strategy is to not bother adopting it at all.

“You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.”

Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive.

Think of adding threat intelligence to the security operation as a commitment: “You need to take it on as a project and it’s a commitment to looking at what you [really] need. You can’t just go buy it. You have to look at the data and what you have internally and how you apply it,” says David Dufour, senior security architect at Webroot. “If you don’t have the available resources to work with it, then you’re wasting your money.”

That money is then better off spent on incident response, he says.

It’s about smart threat intelligence strategy, security experts say.

Take It Slow, Have a Beer
Intel-sharing’s humble roots began with security pros and executives from different companies in the same industry or region getting together over a beer or dinner, face-to-face, to swap their attack or threat war stories. Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC), joked during the virtual event session chat that “beer = first-generation cyber threat intel sharing platform.”

It’s true. The early days of intel-sharing were mainly face-to-face, phone calls, or emails. And that’s still the mode of operation for many organizations.

How organizations collect and use threat intel depends on who they are, says Wendy Nather, research director of The Retail Cyber Intelligence Sharing Center (R-CISC), an intel-sharing group made up of retailers, restaurants, grocers, hotel chains and retail suppliers. Nather, who was also a panelist on the threat intel panel at this week’s virtual event, says sharing often starts with a social meetup after-hours in a more unofficial capacity.

“It starts as gossip, you know somebody at another organization and you get together for a beer and talk about what you’ve seen,” she said. “The challenge is getting all sharing more formalized, open, and more organized. We try to support whatever we can from the Soltra structured data feed through the unstructured discussions.”

Company A’s security manager tells Company B’s over a couple of IPAs that he saw a specific IP address serving up a specific amount of traffic, and the attacker shifted gears to “low and slow” once he realized he’d been spotted. That’s a useful bit of intel for Company B, but then there’s the process of taking action: “It’s hard to put that into structured data, but it’s extremely valuable when you can tell that story and other people in other organizations can add to that story,” Nather explained.

When adopting threat intel feeds and ingesting that information, take it slowly at first. Anomali’s Trost says he often sees organizations taking in too much data and getting overwhelmed. They’re typically under pressure from management that “we need to get into threat intelligence,” so they go all in and end up drowning in false positives and events they can’t respond to, he said. “That’s the biggest mistake we see.”

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

A better approach is to start slowly with an intel feed or two, assess how the organization is able to respond to the threats, and then gradually ramp up. “You may have to pivot to different [intel] providers, or processes, to make sure you’re doing it in increments, but moving forward and increasing your capability” to use and take action on the threats, said Adam Meyer, chief security strategist at SurfWatch Labs and a panelist at the virtual event.

Needs v Wants
Webroot’s Dufour says before taking in threat intelligence, there’s a soul-searching stage of analyzing what you want to get from the feeds as well as what you need to protect. And sometimes, you get what you pay for.

“There’s bad threat intelligence out there. It could cost you more to get good threat intelligence, but you may not [then] need to hire three extra people” to triage and apply it, he says.

Beware of dated intel data, or the data going stale before you can actually convert it into a defensive action that thwarts a would-be attack. “What exactly is the data you’re getting and what’s the timeframe reference” it’s related to, Soltra’s Clancy said.

Some indicators of compromise (IOCs) are that way: they have a shelf life, as attackers shift their command-and-control servers, IP addresses, and malware variants to evade detection.

The Holy Grail for threat intelligence, like anything in security, is automation, of course, but not all organizations are equipped to go there just yet. “Try to remove humans from every possible place it makes sense” in threat intel, Anomali’s Trost advised.

SurfWatch Labs’ Meyer says to know why you’re collecting certain threat intel data and for what purpose. “You need clarity and context, situational awareness around threats. You need a methodology structure around collection – some instances at the machine level, correlating against tools specializing in that area, the actor’s motivations in your industry … compare that information to your own processes. Are you well-defined in those processes or not?”

It’s not just about sharing technical indictors of a threat actor, but also the techniques they use to flip the equation and put a little economic squeeze on them, according to Meyer. “Maybe [the attacker] now has to write 50 to 70 pieces of malware instead of one” to attack a vertical industry, for example, he said.

He breaks threat intel “consumers” of information into three groups. “Defense is the low layer, practical, on-the-wire information to defend the organization with context, situational awareness and correlation. Then there’s the operational level: the campaigns and actor motivations … are they targeting their industry or not? This is pure intel disciplines,” he said. At the top is the strategic layer, the people in the organization who are evaluating the overall security strategy and evaluating its effectiveness.

Bottom line: threat intelligence is not the endgame. “Threat intelligence empowers decision-making. It’s not the end goal in itself,” says Adam Vincent, CEO of ThreatConnect. “Similar to business intelligence, threat intelligence has the power to support all different kinds of [things] and people and make faster and more accurate decisions across the security organization.”

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mike Anders
50%
50%
Mike Anders,
User Rank: Apprentice
8/30/2016 | 3:58:14 PM
Consumption
I would have to disagree, somewhat. If you cannot "consume" the data then why are you subscribed to a half dozen threat intelligence feeds? That I can agree with.

Remember when your Mother told you to chew your food carefully and not just gulp it down? Works with data as well. It is not how much you "consume" but rather how you go about chewing through the data to produce information. that when analyzed results in actionable intelligence products.

You need a metehodology when it comes to assessing your data. NGA, DoD, DIA, CIA and just about all the other three-letter agencies in the IC, working the cyber problem, are already relying on Acitivity-Based Intelligence (ABI) methods and tradecraft, enabled by Object Based Production (OBP) techniques.

No, they are not just "buzzwords"and yes they are getting good results. If you have not heard of ABI or OBP, then you probably really are just gulping down your food! I mean your data, and choking on it! Not a criticism, just an observation! :->)
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10101
PUBLISHED: 2019-07-23
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
CVE-2019-10102
PUBLISHED: 2019-07-23
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
CVE-2019-10102
PUBLISHED: 2019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
CVE-2018-18670
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.