February 12, 2014
We are now less than two weeks away from our annual sojourn to the RSA security conference. RSAC is a great time for learning, meeting and making friends. (Please hold cynical remarks; RSAC is what you make of it.) As the date grows near and my excitement grows, I am preparing my mind and patience for the ubiquitous silver bullet marketing that is predestined to appear.
One of these silver bullets will be the term "actionable intelligence." You will be surrounded by actionable intelligence. You will bask in the glory of actionable intelligence. In fact, the Moscone expo floor will have so much actionable intelligence per capita you will leave the conference feeling like the threat landscape challenge has been solved. Achievement unlocked, check that off the list. Woot!
Well, not so fast. I frequently talk to vendors that espouse the greatness of their actionable intelligence. Whenever I hear the term actionable intelligence I want to introduce them to Terry Tate, Office Linebacker. Terry Tate first appeared in a 2003 Reebok Super Bowl commercial.
The SANS Institute was gracious enough to invite me back to speak at their annual Cyber Threat Intelligence Summit. On Monday, I presented a “Threat Intelligence Buyer’s Guide” to the attendees, and the topic of actionable intelligence was a key component. Some of you may know that I come from both a higher education incident response and military intelligence background. Now I am far removed from each discipline, but I do draw on my experiences when I discuss threat intelligence. In “Five Steps To Build An Effective Threat Intelligence Capability,” we referenced the Army FM2-0 document. This document contains qualities of good intelligence. Building upon that, when I think about actionable intelligence, here are the characteristics I expect to see:
- Actionable intelligence is ACCURATE. This assumes that an organization measures the efficacy of their intelligence sources. In many cases this doesn’t happen. Do you measure your intelligence sources? How often does a source get hits within your environment? What type of experience do your peer organizations have with a particular intelligence source? Are you talking to the IR/intel teams of your peers? You should compare notes with them.
- Actionable intelligence is ALIGNED WITH YOUR INTELLIGENCE REQUIREMENTS. Do you actually have intelligence requirements? Are you running in a race with no destination? What is your mission? What goals are you attempting to achieve? This is a teaser for my next post. One bullet simply won’t do this section justice. Stay tuned for more, I will go into detail on building out intelligence requirements, identifying collection gaps, and ensuring that your threat intelligence program is strategic with purpose.
- Actionable intelligence is INTEGRATED. If you don’t have a way to action intelligence then it is useless, utterly useless. Integration is the key to actionable tactical intelligence. Let’s assume that an intelligence source meets all the previously mentioned characteristics (which many sources don’t). When someone tells you they have actionable intelligence, ask them how they integrate with your security solutions. What are their intelligence products? What formats are they delivered in? An email, a PDF, a portal? Sorry, those don’t count. Vendors need to provide structured output (JSON, XML, STIX, OpenIOC, IODEF…) so those with software development capabilities can integrate intelligence into detective and preventive security controls. APIs should be an RFP requirement. For those that aren’t a software development shop, vendors need to provide integrations that eliminate the need for customization. Make it easy for the rest of us to leverage actionable intelligence. A word of warning: many vendors will claim that they have integrations with standards and/or security controls. Have them demonstrate an operational use case of this integration. Press releases announcing integrations don’t equal true integrations.
- Actionable intelligence is PREDICTIVE. Predictive intelligence is hard; this is the art of intelligence work. You want intelligence that gives you indications and warnings that something malicious is going to occur. This isn’t always possible, but it is desired. Do you have sources that give you intelligence in advance of a campaign that enables you to proactively deploy a countermeasure? If you do, these will be some of your most valued intelligence sources.
- Actionable intelligence is RELEVANT. This one kills me. If you are a retail organization and your intelligence source is providing “actionable intelligence” on targeting against financial institutions this is going to be of little use to you. Intelligence sources should have relevancy to your organization. This could be threat intelligence for your vertical, geographies you operate in, or threat actors that target you. I have clients subscribing to intelligence feeds that have little relevancy to their operations.
- Actionable intelligence is TAILORED. An intelligence product is tailored to the consumer. In some cases this will be tactical indicator type of information. In other cases it will be strategic intelligence destined for business decision makers. I realize that there is also operational intelligence, but I group tactical and operational intelligence together. There is no need to complicate things for those that don’t come out of the Intelligence Community. A board member has no business getting tactical host artifact level intelligence. If you want to demonstrate the value of intelligence, tailor it to the intelligence consumer.
- Actionable intelligence is TIMELY. You don’t want to be in a “when seconds count, the police are only minutes away” scenario. Did you just get a tip on DDoS attack infrastructure that was active two months ago? How does this help? It doesn’t. I have had clients tell me that they received 5,000 IP addresses with no context, and they don’t know how long to monitor (or block, depending on use case) them. Is this “intel” still useful?
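
One way to put the ACCURATE and TIMELY questions to a source that delivers structured output, as an added example that is not part of the original post: it counts, per source, how many indicators are fresh, stale or delivered without a timestamp, and how many fresh ones were actually seen in local logs. The source names, field names, sample records and the 30-day shelf life are all assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed feed records; "feed-a"/"feed-b" and the field names are hypothetical.
FEED_JSON = """[
 {"source": "feed-a", "indicator": "192.0.2.10", "last_seen": "2014-02-10T08:00:00+00:00"},
 {"source": "feed-a", "indicator": "192.0.2.11", "last_seen": "2014-02-05T08:00:00+00:00"},
 {"source": "feed-a", "indicator": "192.0.2.12", "last_seen": "2013-12-01T08:00:00+00:00"},
 {"source": "feed-b", "indicator": "198.51.100.7", "last_seen": null},
 {"source": "feed-b", "indicator": "198.51.100.8", "last_seen": "2013-11-20T08:00:00+00:00"},
 {"source": "feed-b", "indicator": "198.51.100.9", "last_seen": "2014-02-11T08:00:00+00:00"}
]"""

# Constructed destination IPs seen in local logs during the review period.
OBSERVED = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "203.0.113.50"}


def score_sources(feed, observed, now, max_age=timedelta(days=30)):
    """Per source: count fresh, stale and context-free indicators, and local hits."""
    report = {}
    for rec in feed:
        s = report.setdefault(
            rec["source"],
            {"total": 0, "fresh": 0, "stale": 0, "no_context": 0, "hits": 0},
        )
        s["total"] += 1
        if rec["last_seen"] is None:
            s["no_context"] += 1  # no timestamp: cannot decide how long to monitor
            continue
        age = now - datetime.fromisoformat(rec["last_seen"])
        if age > max_age:
            s["stale"] += 1       # past the assumed shelf life, not matched against logs
            continue
        s["fresh"] += 1
        if rec["indicator"] in observed:
            s["hits"] += 1
    for s in report.values():
        s["hit_rate"] = s["hits"] / s["total"]  # hits per indicator delivered
    return report


if __name__ == "__main__":
    now = datetime(2014, 2, 12, tzinfo=timezone.utc)  # constructed review date
    for source, stats in score_sources(json.loads(FEED_JSON), OBSERVED, now).items():
        print(source, stats)
```

Tracked over several review periods, the per-source numbers give you something concrete to compare with peer organizations and to bring to a renewal conversation.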