October 30, 2013
The hype surrounding threat intelligence has continued to build since I wrote the blog "My Threat Intel Can Beat Up Your Threat Intel” in mid-2012. S&R pros are responding to both the hope and promise of threat intelligence. According to our Forrsights survey data, 75% of security decision-makers report that establishing or improving threat intelligence capabilities is a top priority for their organization.
One of the most significant challenges in leveraging threat intelligence is operationalizing it. Today, there are two broad categories of organizations that leverage threat intelligence. I’ll use an analogy to describe them. The US television show “Sons of Anarchy” follows the lives of an outlaw motorcycle club. The Sons of Anarchy refer to themselves as “1%ers”: They have the power, resources, and means to accomplish anything they desire. This is in contrast with the 99% who are merely motorcycle enthusiasts without these capabilities. Some of these early adopters include financial services, technology, and manufacturing companies.
The 99%ers, on the other hand, are challenged by a lack of staff, skill sets, and budget. Many of the 99%ers don’t even have an incident response capability. The exact percentages obviously differ in reality, but we certainly have a “haves” versus “have-nots” situation, and the way these two groups operate is vastly different. It is important to not make the assumption that the 1%ers have solved the threat intelligence problem. Operationalizing intelligence is a problem for both 1%ers and 99%ers alike, but the 1%ers have more resources at their disposal to address the challenges. For threat intelligence to be effective, S&R pros must be able to:
- Glean real intelligence from a multitude of feeds and reams of data. If everything is threat intelligence, then nothing is threat intelligence. We have no shortage of intelligence sources. The inundation of threat intelligence can overwhelm an analyst like a “Zerg Rush.” Another threat intelligence analogy that I like to make is that it is similar to an untuned IDS, just worse.
- Deal with variances in data quality and relevancy. All intelligence sources aren't created equal. They also don't universally apply to all organizations. One firm’s gold might be another firm’s pyrite: absolutely worthless. Intelligence on targeted attacks against a defense contractor will provide less value to a retailer. For intelligence to be useful, it must be relevant to your organization.
- Validate third-party intelligence. When organizations receive intelligence from external parties, the context that was used to derive this intelligence does not always accompany it. Since the intelligence consumer doesn’t understand the sources and methods used in developing that intelligence, he or she can either accept the intelligence as accurate or spend time validating it. Most firms don’t have the resources to validate intelligence.
- Translate intelligence into action. Once an analyst has gone through the intelligence cycle (See Five Steps To Build An Effective Threat Intelligence Capability for more information on the intelligence cycle) and has qualified intelligence, the analyst must import it into the firm’s detective and preventive security controls. This process is kludgy (at best), and today's technology solutions don’t enable this process; they inhibit it. Companies shouldn't have to be software development shops or system integrators to orchestrate their defense. The following graphic illustrates a simplified version how organizations attempt to operationalize intelligence:
- Intelligence comes to the analyst from a variety of sources in a variety of formats (PDF, TXT, CSV, JSON, XML.) This intelligence typically includes threat indicators. A few examples of simple threat indicators are: IP, FQDN, hashes, SSL certs, filenames, mutexes and registry keys. These are obviously quite simple; in reality threat indicators can be quite complex. The more complex they are, the more challenging to act upon.
- The analyst must then triage the intelligence, validate it, build context. This is the heart of the analysis phase of the intelligence cycle.
- Next the analyst must transform high fidelity intelligence into a format that detective and preventive security controls can consume. This is no easy task for most organizations, and even the 1%ers who aren't overwhelmed by this should welcome automation that reduces their operational friction.
- Build your circles of trust; trust is the epicenter.
- Leverage an intelligence analysis platform.
- Actively engage in intelligence sharing.
- Prioritize solutions that integrate intelligence.
I wrap up the research discussing how you must fuse internally derived intelligence with relevant external intelligence to truly understand the risks to your organization. One is greatly diminished without the other. I also reiterate that we don't perform intelligence for the sake of intelligence; it must support the achievement of business outcomes. Your defensive posture should be adjusted based on this business context. I hope you enjoy the research and I welcome any feedback. Stay tuned for more research on the intelligence space.