Getting In Front: Thinking Differently about Threat Intelligence
Many information security professionals will remember when we relied primarily on a defensive posture to protect our organizations from cyber threats. We spoke about the layers of defense and took comfort if we could architect in three or four layers to keep the bad guys out. However, the criminals found the soft underbelly of defenses and began attacking us—using innocent technology users through social engineering, phishing and other methods to get through. This meant security professionals had to start looking at security from a different perspective.
Ideas began flowing about new ways to get ahead of criminals, including ethical hacking—assessing our environment from the criminals’ standpoint. By looking at our network and systems from an outside view, we could determine the vulnerabilities criminals could find and fix them. This is a great concept, but we began to find there was an ever-increasing string of vulnerabilities and, in some cases, it was difficult or impossible to patch without rewriting an application. So, we put application firewalls in place to help mitigate or hide vulnerabilities. It seems the in-depth security defense philosophy has become more of a “whack-a-mole” concept. Therefore, we have to find a way to not just react to a threat but to get out in front it.
One of the most promising ways to get in front is to implement a threat intelligence program that includes predictive analysis and dark web inspection. What do we mean by intelligence? Einstein said, “The true sign of intelligence isn’t knowledge, but imagination.” He wasn’t specifically talking about intelligence in the same sense, but there is a principle here. To be useful, intelligence isn’t just knowledge. Dictionary definitions say: “the ability to acquire and apply knowledge and skills” or “the collection of information of military or political value.” Threat intelligence then isn’t just knowledge or information. What is the difference?
Intelligence begins with information, but the information in itself isn’t intelligence. Threat intelligence must be specific and actionable. A simplistic example may be: “The gray-haired hacking group is using IP 192.168.1.1 to exploit remote code execution vulnerability MS15-034, Block the IP and apply the MS patch.” Intelligence gives you the information you can use to protect yourself. Further, intelligence implies some analytics by you or your source. Therefore, to gain value, the information must be analyzed to judge its credibility and if it is applicable to what you are trying to protect.
Whether you are manual or more automated, it is important that you build a protocol to judge credibility and applicability as rapidly as possible and then act on the intel
There are two general types of intelligence: strategic and tactical. Strategic intelligence has more to do with groups’ or individuals’ names, motives, methods, affiliations and the general threat environment. Strategic intelligence is useful in setting up or modifying your threat intelligence programs it applies to your company, industry or sector. It identifies the threats that you should prepare for before an attack and lets you know the motives behind groups that are targeting you or your industry. For instance, some companies are more prone to hacktivist threat, some to criminal threat and for others their main concern is nation-state or espionage threat. How you set up your program to respond can depend on this intelligence.
Tactical intelligence is primarily gained in the fight and is less about who and why than about what they are doing. There will be time to figure that out in the after-action report. During the fight, you care little about the attacker’s philosophy and more about what they are doing and how to stop it. A DDoS attack is probably the case where specific IP addresses, geography and type of DDoS are most important to enable blocking, filtering, closing off entire geographies and shedding the attack. Tactical intelligence is immediate, practically useful information to permit specific actions.
Source of Intelligence
There are two major, helpful classes of intelligence in a threat intelligence program: systems (or machines) and human (or HUMIT). Systems intelligence is electronically gathered and systemically processed. The goal is to be able to put it through an analytics engine so action can be taken within your environment automatically based on the confidence factor.
The other category is human intelligence, information gained through human sources, including formal information-sharing associations, personal networks, advisors, and members of intelligence or law enforcement agencies. This can be one of the best sources of information, but the limitation is generally that it has to be manually handled and doesn’t lend itself to automation.
Both sources of information can be gathered internally or externally. The demarcation I find most useful is this: External is anything beyond your edge router and internal is from the edge router inward. When building a threat intelligence program, people often forget the value of internal sources. These can be the systems running inside for which you are gathering logging data. This can also be HUMIT from users. A security professional should have a great relationship with their call center teammates and train them on what to look for. If there are spikes in calls about network latency, that could be an attack indicator. It would be great to have monitoring for that latency early, but it could be low enough that people would notice it without triggering alarms.
Turning Internal Information into Intelligence
You can have a threat intelligence program where all information is analyzed by a security analyst who judges the source’s credibility and the applicability of information related to your environment and then applies it. In smaller organizations, this may be possible, practical and cheaper than building or buying an analytics engine. However, the vast majority of organizations get so much information that even a large team could not do the job very well. Therefore, the best practice is an automated method. Some security information and event management (SIEM) systems can be used; however, they are usually limited to internal logging over-consumption of external source.
SIEMs that are deployed well and are receiving information from devices representing all layers are usually very good sources to feed into an analytics engine. But other sources should include external providers, as well. There are several very good providers that can feed information in an automated fashion to combine with internal information and provide rapid, actionable intelligence. Ideally, you will have scoring built within the platform that gives you a confidence factor based on source, applicability, logic, etc. Then, you can program the system to take automated action based on the credibility. A very simplistic example would be a particular URL from a valid credible source that would automatically feed your IPS and proxy to block traffic from that address.
Perhaps the most important thing for any threat intelligence program is to get started. You may not have everything right, but it is an iterative process. You can gain value from an elementary program while you are building to greater maturity. Whether you are manual or more automated, it is important that you build a protocol to judge credibility and applicability as rapidly as possible and then act on the intel. There is nothing worse than discovering after an incident that you had all the right intel to stop it but didn’t use it.