“Intelligence is the ability to adapt to change.” –Stephen Hawking
Search for the term “threat intelligence” and you’ll get 12.3 million hits. Not all of them are relevant to cyber, but still, a lot of these hits apply, and you can see why at the RSA conference. There are many forms of threat intelligence with services ranging from Dark Web human-driven intel to better IP blacklisting; and there are even more threat intelligence vendors. With so much press and investment in threat intelligence (TI), you might think you need some, but how do you know? Then if you believe you need some form of TI—which one do you choose?
Walking around RSA, you are confronted with a large variety of TI vendors. Their different messages and approaches to threat intelligence can be overwhelming, even for security professionals. If you want to explore TI, here is some simple guidance we’ve put together from our experience at RSA.
Start with the Right Questions
What problem am I trying to solve?
Threat Intelligence in regards to spear phishing is a different problem than say detecting the precursor to an APT (advanced persistent threat), or trying to track data on the Dark web. Is this a problem that can be addressed with automation of some form of TI or is this going to require an analyst?
Can I realistically consume TI?
In what format does my TI arrive? It could be anything from a pdf, to a phone call, to more SIEM events, to a realtime, automated DNS blacklist feed directly into the DNS servers. The more automated feeds may not require you to staff an analyst to review and recommend, but they can still generate false positives, so you need resources to manage the additional false positives.
Can I effectively evaluate a TI provider?
How will you measure the vendor’s collection and verification methods? How well can the vendor customize the data source to your business? What risks of false positives does this vendors method give rise to?
What is my action plan when there is a credible threat?
Dealing with a real incident, whether it’s a DDOS, data breach, or business email compromise takes real resources—once you have threat intelligence you are going to have more potential incidents to deal with. Whether your plan is providing internal advisory alerts or setting up countermeasures this is going to take time and resources.
Are you DIY or COTS?
(Do it Yourself or Commercial off The Shelf)
The types of collection sources and the amount and automation of post-processing from your provider results in a range of immediate usability of the threat intelligence feed. The more tailored to your business and processed the data, the more easily consumable the threat intelligence will be. However, if you are the curious type that wants to cross-correlate or run forensics yourself, you might need access to the raw data. The table below lists some common collection sources.
All of these sources require additional analysis in order to be usable by the organization. So as you compare this list with that offered by the vendor courting you, you need to understand which of these sources are relevant to the threat you are trying to manage. Next, how is this intel delivered? Reading a pdf with a list of Indicators of Compromise is harder to action than an update to a DNS or endpoint blacklist.
If you are going to set up an open-source threat intel program, here is a list of some of the available feeds. Open source feeds are developed by security community members and rely on those members to maintain their accuracy and relevance. They are often targeted to particular malware, and as the malware changes the threat feeds need to as well. (See the spyeye tracker which is now defunct). But they are useful to examine what type of information you might expect for these specific threat scenarios.
Now you have a feed, but you still need a management platform. If you don’t already have at least a SIEM, it’s probably a requirement before you start. Incident response procedures (in case you find something relevant to your company) are also a requirement. Then you need the staff, none of these feeds or tools work without an analyst.
Even if you’ve been through all of the analysis before you take the plunge check in with your IT and security staff to make sure that you aren’t going to take away from core IT/Security initiatives before you embark on a new program. Ask your team, are all your core defenses and programs up to date, effective, and staffed? This includes:
- Endpoint security
- Patch management
- Security event management
- Incident Management & Response
If you are understaffed or these programs need a tune upstart there first. You’ll mitigate more risks and use your budget wisely. You can always read about the latest threat intelligence failure in the security news.