Make threat intelligence meaningful: A 4-point plan

Threat intelligence is a hot topic, but it requires a ton of work to be operational and effective. Here's how to steer clear of the traps


With data breaches grabbing headlines nearly every week, threat intelligence is shaping up as the next big thing in information security. That, of course, means there’s more hype and confusion to sift through.

Promises of silver bullets run rampant in information security. Buy an appliance to keep the bad guys out of the network. Deploy this platform and kiss zero-day attacks good-bye. Invest in this other service for a single pane of glass that tells you exactly what's going on in your network.

Now, throw threat intelligence into the mix: subscribe to these feeds and detect breaches before anything bad can happen! While the idea that threat intelligence can help improve enterprise security is a sound one, precious little attention is paid to how these systems can succeed.

Everyone wants a piece of this red-hot market, but too many vendors are spinning their latest offerings as some form of threat intelligence, and enterprises aren’t quite sure what they are getting. With CSO Online’s Steve Ragan, we break down the confusion and snake oil surrounding the current marketplace and offer concrete tips on how to make threat intelligence work.

The foundation of threat intelligence

Your first tip: If something looks like, or used to be called, a security information and event management (SIEM) system, it's still a SIEM. That isn't threat intelligence. A SIEM can, however, feed into a threat intelligence platform.

A functional threat intelligence system operates like a football team where the quarterback takes all the information -- from the referees, the scoreboard, the coaches, the teammates, and the opposing team’s defensive line -- and decides which play to run. A threat intelligence platform plugs various types of data sources, including third parties such as VirusTotal, external intelligence feeds, and events data from endpoints, applications, and SIEM in the network, into a centralized intelligence platform. The security analyst uses the analytics tools provided by the software to make magic: All sorts of information flow in, and intelligence comes out. Understanding how that magic works is the tricky part.

Tactical vs. strategic

Definitions matter, so let’s get the first one out of the way: Threat intelligence helps IT and security staff make security decisions. The decision may be as straightforward as a retailer that wants to ensure the point-of-sale malware hitting other retailers has not infected its terminals, or as difficult as an organization worried about spear phishing attacks against senior executives that could result in intellectual property theft.

“Everything is now [trying to] be threat intelligence. But if it doesn’t help you make a decision about your security, it isn’t threat intelligence,” says Adam Vincent, CEO of ThreatConnect, a threat intelligence provider.

Threat intelligence can be applied tactically or strategically. The most common use case is tactical intelligence, where the security analyst takes the knowledge gleaned from the available information to generate rules that can be applied to firewalls, SIEMs, or other security products.

For example, the security analyst learns through the threat intelligence portal that a particular PoS malware family always connects to the same command-and-control server. The analyst can get the IP address from the portal and proactively configure the firewall to block all connections to that IP address. The analyst can generate Snort rules that detect the malicious file and deploy them to determine when the infection occurs. The analyst can also hunt through available logs and network data to determine whether a payment terminal has already been infected with the file or has communicated with the IP address.
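The tactical workflow described above, turned into code as an added example that is not from the article or any vendor named in it. It takes one constructed indicator set (a placeholder hash and a documentation-range C2 address, not real malware data), emits the firewall block and the Snort alert the analyst would deploy, and hunts a few constructed log lines for terminals that already executed the file or reached the C2 address. The Snort rule here detects the outbound beacon rather than the file itself; the file is caught by the hash hunt over endpoint logs.

```python
"""Added example: from one PoS indicator set to block, detect and hunt.

Everything below is constructed for illustration: the malware family name,
the hash (64 'a' characters), the C2 address (203.0.113.45, from the
TEST-NET-3 documentation range), and the log lines.
"""
import ipaddress
import re

# Constructed indicator as it might arrive from an intelligence portal.
INDICATOR = {
    "family": "ExamplePoS",        # hypothetical malware family name
    "c2_ip": "203.0.113.45",       # placeholder C2 address (documentation range)
    "c2_port": 443,
    "sha256": "a" * 64,            # placeholder file hash
    "sid": 9000001,                # Snort rule id in the locally managed range
}

# Constructed log lines: firewall connection records and endpoint execution
# records from two payment terminals. One terminal executed the bad file and
# one workstation reached the C2 address; the others are benign noise.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 CONN src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:00:07Z fw01 CONN src=10.0.5.22 dst=198.51.100.9 dport=443 action=allow",
    "2024-05-01T10:02:13Z pos-term-17 EXEC path=C:\\Windows\\Temp\\svc.exe sha256=" + "a" * 64,
    "2024-05-01T10:02:40Z pos-term-18 EXEC path=C:\\Windows\\Temp\\svc.exe sha256=" + "b" * 64,
]


def firewall_rule(ind: dict) -> str:
    """Build an iptables rule that drops egress to the C2 address.

    The address is validated first so that a malformed feed value fails
    loudly instead of producing a rule that silently matches nothing.
    """
    ip = ipaddress.ip_address(ind["c2_ip"])  # raises ValueError if not an IP
    return f"iptables -A OUTPUT -d {ip} -p tcp --dport {ind['c2_port']} -j DROP"


def snort_rule(ind: dict) -> str:
    """Build a Snort rule that alerts when any internal host beacons to the C2."""
    return (
        f'alert tcp $HOME_NET any -> {ind["c2_ip"]} {ind["c2_port"]} '
        f'(msg:"{ind["family"]} C2 beacon"; flow:to_server; '
        f'classtype:trojan-activity; sid:{ind["sid"]}; rev:1;)'
    )


def hunt(ind: dict, lines: list[str]) -> list[tuple[str, str]]:
    """Return (host, reason) for every log line that touches the indicator.

    Connection records are attributed to the source address (the host that
    talked to the C2), execution records to the endpoint that logged them.
    """
    dst_re = re.compile(r"\bdst=(\S+)")
    src_re = re.compile(r"\bsrc=(\S+)")
    hash_re = re.compile(r"\bsha256=([0-9a-fA-F]{64})")
    hits = []
    for line in lines:
        host = line.split()[1]  # second token is the reporting host
        m = dst_re.search(line)
        if m and m.group(1) == ind["c2_ip"]:
            s = src_re.search(line)
            hits.append((s.group(1) if s else host, "connected to C2 IP"))
        m = hash_re.search(line)
        if m and m.group(1).lower() == ind["sha256"].lower():
            hits.append((host, "executed file with known-bad hash"))
    return hits


if __name__ == "__main__":
    print(firewall_rule(INDICATOR))
    print(snort_rule(INDICATOR))
    for host, reason in hunt(INDICATOR, SAMPLE_LOGS):
        print(f"{host}: {reason}")
```

The hunt deliberately reports two different kinds of evidence separately: a terminal that executed the file needs containment, while a host that merely contacted the C2 address may be a different victim or a false positive from a shared hosting address, and the analyst triages them differently.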

Strategic intelligence is harder to achieve, and existing solutions aren't as good at delivering on this front as they are on the tactical side. Strategic intelligence lets security analysts assess the organization's security profile and decide how to mitigate the risk. It's similar to how enterprises use business intelligence. In both cases, analyzing different sets of data and putting them in context with each other helps the enterprise make the decision.

For example, the organization may learn from a report (provided as part of an intelligence feed or derived from the threat intelligence platform) that an attack group has been targeting similar-sized organizations within the same industry. This attack group always goes after a specific application, transfers data to an FTP server, and creates a user account on the compromised server with the same name. Since the organization runs one of the applications under attack, the security team can strengthen controls to shut down FTP by closing port 21 and deploy new defenses around the application to make it harder for that attack group to succeed.

For the most part, when organizations start out with threat intelligence, they are thinking tactically. “For strategic intelligence, there is room for improvement,” says Rick Holland, vice president of strategy at Digital Shadows and a former Forrester Research analyst.

Information does not equal intelligence

There is a tendency to conflate information with intelligence, but they are entirely different. Information is data alone, and there’s a ton of it. While some data can be useful on its own, most simply contribute to the overload. Defenders have too much data and no idea what to do with it.

Intelligence has context, which helps defenders figure out how that data can be used to solve a problem or answer a question. Context can take many forms, including the nature of the attack activity, the freshness of the information, what industry verticals the data comes from, and the types and sizes of businesses that have been hit by those attacks. Context turns information into intelligence.

Threat intelligence data feeds may contain indicators such as domain names, IP addresses, registry keys, filenames, and hashes of files. On their own, they don’t mean anything. But if a feed flags files with a particular hash as malicious and able to communicate with a remote IP address, the security analyst needs to know.

“What everyone really needs is not more data, but more intelligence,” Vincent says.

1. Know what to buy

The sheer number of threat intelligence providers and possible data feeds can be overwhelming for defenders trying to decide which ones to buy. There are feeds from private intelligence providers, public-private partnerships, industry groups, and even open source projects. There are also aggregators: providers that combine feeds from multiple sources, remove duplicates, and add insights to create their own threat intel flavor. It's not always clear at the outset what kind of intelligence is provided, or even whether there is overlap across feeds.

“It’s like the GMO problem: the ingredients aren’t clearly labeled,” says Chase Cunningham, director of threat intelligence at Armor, a secure cloud computing provider.

The other challenge is figuring out what to buy. Some providers sell intelligence feeds, meaning information collected and analyzed by the provider's own analysts to add appropriate levels of context. This isn't a data feed of bad IP addresses or blacklisted domain names, but rather a list containing actionable intelligence. Digital Shadows is an example of a company that sells intelligence feeds. Other providers sell both the feed and analytics software that lets security analysts connect all data sources and uncover relationships and patterns within the data. ThreatConnect sells the software along with its own intelligence feed.

If the enterprise buys only the intelligence feed, then it needs to have something into which to plug the data. That could be the company’s existing SIEM, or it could be a threat intelligence platform from another provider.

2. Evaluate the feed

This is a case where more is not necessarily better. Buying -- or subscribing to -- too many intelligence feeds only contributes to information overload. If the security analyst can't work with the provided indicators, they become part of the noise. The analyst has to spend a lot of time trying to correlate different pieces of information with the indicators. If the feed doesn't provide the right level of detail or relevant insights, that's time and energy wasted.

When deciding which feeds to buy, consider context such as industry sector and size of business. Premium feeds make sense for focused areas such as critical infrastructure, but if the defender is not operating in such an environment, the feeds won’t be useful.

“Don’t buy APT-related commercial feeds,” says Stan Black of Citrix. Most IT teams have other threats to worry about before they need to think about beating back APT groups.

Security teams need to have a specific question or problem they are trying to solve and map the intelligence to those objectives. If the security team’s top concern is spear phishing attacks against senior executives, they won’t benefit from intelligence describing which group uses which malware family, for example. The security team may decide to scrutinize incoming mail for spear phishing campaigns, monitor executives’ laptops for unexpected behavior patterns, or track the network for unusual activity. Each approach would require a different type of intelligence.

If the biggest concern is about attackers stealing account credentials and intellectual property, “I need feeds which I can do something about, such as what IP address to block on my firewall,” says Black.

Open source intelligence -- frequently derided by commercial providers -- can be useful to get a general sense of existing threats. Security teams need to assess whether the open source feeds provide insights specific to the industry or organization type before deciding whether to buy.

The same goes for industry-specific feeds. A financial services organization needs to focus on the threats targeting the financial sector and not worry about the health care sector, for example. While as a general rule it’s a nice idea to be aware of attacks impacting other industries since groups have been known to switch targets, very few security teams have the time and money to worry about what’s happening outside their realm.

“Would I worry about Zika if I am not flying to South America right now?” Cunningham asks. There are enough fires to put out and risks to address without looking at other industries.

Don’t blindly buy feeds and later try to figure out what to do with them. Instead, first establish security goals, then look for intelligence to apply. Otherwise, the feeds themselves become overwhelming and analysts struggle to prioritize the threats. For example, an organization may receive data feeds listing known bad IP addresses and malicious domain names. But if the feeds provide IP addresses of command-and-control servers, security teams trying to get ahead of phishing campaigns won’t benefit as much from the list.
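Two of the points above lend themselves to a small, repeatable check before money is spent: the overlap between feeds that section 1 warns about, and the rule in this section that intelligence should be mapped to a stated objective (the phishing-versus-C2 mismatch in the paragraph just above). The following is an added example, not code from the article or from any provider it names. The two feeds, their field names, and the "objective" structure are assumptions made for illustration; real feeds use their own schemas and would need a small adapter into the normalized form used here.

```python
"""Added example: measure feed overlap and relevance against a stated objective.

Feeds, field names and the objective structure are constructed for this
example. Indicator values use documentation ranges and reserved .example names.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Two constructed feeds. Each record carries the context the article calls for:
# indicator type, first-seen date, the provider's threat category, and the
# sectors in which the provider observed it.
FEED_A = [
    {"value": "203.0.113.45", "type": "ip", "seen": "2024-04-28", "category": "c2", "sectors": ["retail"]},
    {"value": "malicious-login.example", "type": "domain", "seen": "2024-04-30", "category": "phishing", "sectors": ["retail", "finance"]},
    {"value": "198.51.100.9", "type": "ip", "seen": "2023-01-10", "category": "c2", "sectors": ["healthcare"]},
]
FEED_B = [
    {"value": "203.0.113.45", "type": "ip", "seen": "2024-04-29", "category": "c2", "sectors": ["retail"]},
    {"value": "invoice-portal.example", "type": "domain", "seen": "2024-04-30", "category": "phishing", "sectors": ["finance"]},
]

# The question the team is trying to answer, written down first: a finance
# organization worried about phishing wants domains and URLs, recent ones.
OBJECTIVE = {"sector": "finance", "categories": {"phishing"}, "types": {"domain", "url"}, "max_age_days": 90}


def normalize(feed, source):
    """Key each record by (type, value) so the same indicator from two feeds collides."""
    return {(r["type"], r["value"].lower()): {**r, "source": source} for r in feed}


def overlap(a, b):
    """Fraction of feed b's indicators that feed a already supplies (0.0 to 1.0)."""
    if not b:
        return 0.0
    return len(set(a) & set(b)) / len(b)


def merge(*normalized):
    """Aggregate feeds: one record per indicator, earliest first-seen, every source listed."""
    out = {}
    for feed in normalized:
        for key, rec in feed.items():
            if key in out:
                out[key]["sources"].append(rec["source"])
                out[key]["seen"] = min(out[key]["seen"], rec["seen"])
            else:
                out[key] = {**rec, "sources": [rec["source"]]}
    return out


def is_relevant(rec, obj, now=NOW):
    """True when the record's type, category, sector and age all fit the objective."""
    seen = datetime.strptime(rec["seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (
        rec["type"] in obj["types"]
        and rec["category"] in obj["categories"]
        and obj["sector"] in rec["sectors"]
        and now - seen <= timedelta(days=obj["max_age_days"])
    )


def score_feed(feed, obj, now=NOW):
    """Return (relevant, total): how much of the feed answers the team's question."""
    return sum(1 for r in feed if is_relevant(r, obj, now)), len(feed)


if __name__ == "__main__":
    a, b = normalize(FEED_A, "A"), normalize(FEED_B, "B")
    print("overlap of B with A:", overlap(a, b))
    print("merged indicators:", len(merge(a, b)))
    for name, feed in (("A", FEED_A), ("B", FEED_B)):
        rel, total = score_feed(feed, OBJECTIVE)
        print(f"feed {name}: {rel}/{total} relevant to objective")
```

With the constructed data, half of feed B duplicates feed A, and each feed contributes exactly one indicator the phishing-focused team can act on; the stale healthcare C2 address and the retail C2 address score zero against this objective, which is the "cornucopia of threats I don't care about" made measurable.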

“It’s like being told, ‘Driving on highways is dangerous.’ OK, but how does that help me?” Black asks. “There is a cornucopia of threats I don’t care about.”

3. Know what you have

Amid the hoopla surrounding threat intelligence and how it can help organizations detect breaches, a simple fact is often overlooked: All the threat intelligence programs in the world won’t be of any use if the security teams don't have a clear idea of the problems that need fixing. The security team must have a thorough understanding of the environment and its intricacies, along with where the data is stored. To do intelligence right, security professionals have to know what kind of information they have and what their capabilities are before they can figure out what to buy.

The first place to start is with the logs. There is a wealth of data available, since there are logs for networks, applications, and endpoints. IT teams can even discover logs they didn’t know about or logs that failed to generate because of a configuration issue. Figure out what kind of sensors are present and what kind of information is collected. Identify all the running processes and the kinds of data associated with each. Be familiar with what the firewall is blocking and letting through. Bring in information from incident response systems, vulnerability and risk management tools, and network defense solutions.

“Have you actually mined your own data and figured out what you have?” Cunningham asks.

Before committing human resources and limited budget dollars to ingesting outside threat data, look at how the internal data sources are aggregated and continuously analyzed. Centralize the information -- whether in a threat intelligence platform or a SIEM -- and make sure someone is studying it. Add in third-party information, such as domain name data from OpenDNS and DomainTools, and malware hashes from VirusTotal and VMRay. By centralizing, the analyst can normalize, categorize, and analyze the information.
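The inventory and centralization steps in the two paragraphs above, as an added example that is not part of the article. It parses three constructed log formats (a firewall syslog line, a web proxy line, and an endpoint agent's JSON record) into one common event shape, counts what each sensor is actually contributing, and flags a sensor that has gone silent, which is how a log that "failed to generate because of a configuration issue" shows up once the data is in one place. The formats, host names and the one-hour silence threshold are assumptions chosen for the example.

```python
"""Added example: inventory existing log sources and spot the quiet ones.

Log formats, hosts and timestamps are constructed. The endpoint agent on
pos-term-18 stops reporting at 08:55, three hours before the fixed clock.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed sample lines from three different sensors.
SAMPLE = [
    "2024-05-01T09:00:00Z fw01 CONN src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T09:30:00Z proxy01 GET host=update.example status=200 client=10.0.5.22",
    '{"ts":"2024-05-01T08:55:00Z","host":"pos-term-18","event":"process","image":"svc.exe"}',
    "2024-05-01T11:50:00Z fw01 CONN src=10.0.5.23 dst=198.51.100.9 dport=80 action=deny",
    "2024-05-01T11:55:00Z proxy01 GET host=cdn.example status=200 client=10.0.5.21",
]

# "<timestamp> <host> <event> key=value ..." for the syslog-style sources.
SYSLOG = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse_line(line: str):
    """Normalize one raw line into {ts, source, event, fields}; None if unrecognized."""
    line = line.strip()
    if line.startswith("{"):  # endpoint agent emits JSON
        rec = json.loads(line)
        return {"ts": rec["ts"], "source": rec["host"], "event": rec["event"],
                "fields": {"image": rec.get("image")}}
    m = SYSLOG.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    return {"ts": m.group("ts"), "source": m.group("host"), "event": m.group("event"), "fields": kv}


def inventory(lines) -> Counter:
    """Events per source: the 'what do we actually have' table."""
    return Counter(e["source"] for e in map(parse_line, lines) if e)


def quiet_sources(lines, now=NOW, max_silence=timedelta(hours=1)) -> list:
    """Sources whose newest event is older than max_silence, sorted by name."""
    last = {}
    for e in filter(None, map(parse_line, lines)):
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        last[e["source"]] = max(last.get(e["source"], ts), ts)
    return sorted(src for src, ts in last.items() if now - ts > max_silence)


if __name__ == "__main__":
    for src, count in inventory(SAMPLE).most_common():
        print(f"{src}: {count} events")
    print("quiet sources:", quiet_sources(SAMPLE))
```

Once every source lands in the same shape, the same `fields` dictionary that feeds the inventory is what an indicator hunt or a SIEM correlation rule would read, so the normalization pays for itself before any external feed is bought.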

Because every organization is different -- even if they are in the same industry sector or are direct competitors -- intelligence derived from internal sources can be extremely valuable because it reflects the organization’s reality. Analysts can take into account the enterprise’s own requirements and risk appetite when analyzing internal data sources.
