Information vs. Cyber Threat Intelligence
January 12, 2017
Cyber threat intelligence should always enable decision making and action, but what good is a cyber threat intelligence program if you take no action or it simply makes you do more work? One Optiv client said it best when he stated, “Actionability shouldn’t mean I have to do more work.” Sadly, in our current Information Age, we are drowning in data. Many mistakenly call more information intelligence, when it in fact hinders intelligence in a world increasingly saturated with information. What then are the semantic differences between information and intelligence, and how does that impact your priorities in managed security?
Information is simply data points about something or someone. If we apply this to the cyber threat realm, information about malware often include a filename, file size, cryptographic hash values and perhaps anti-virus detection signatures related to that malware (to name a few). We can leverage such information as an indicator of compromise (IOC), and once a threat is qualified, use it in security controls such as anti-virus and intrusion detection prevention solutions.
A traditional definition of intelligence is the ability to acquire or apply knowledge and skills. Do you see the focus upon action? Pillars of actionability, therefore, are knowledge (a.k.a. information) and skills. A cyber threat intelligence program is an ecosystem supportive of the decision making process derived from the collection, analysis, dissemination and integration of threats and vulnerabilities to an organization and its people and assets.
Drowning in Information
Many feel like they are drowning in the Information Age.
Since the 1990s I established a global malware archive that later grew monumentally in 2005 and later to a million or more per month because of the multi-minor-variant-wave and automation by Russian eCrime actors. We have to fight for a signal-to-noise ratio in our own lives and our networks every day. More information is not necessarily better. More often than not more information confuses, diffuses or adds to complexity of truth in a world where anyone can publish or say anything and have it be regarded as valued and trusted.
I’m often asked by others how to get started in the world of cyber threat intelligence, with specific questions about IOCs. Common IOCs include cryptographic hash values for malware; domains, IPs and URLs associated with phishing; command and control (C&C) nodes and more. The problem with this type of question is that it doesn’t honor the process and maturity of a true intelligence model. Rather, it focuses upon collection of global threat data which is popular within the industry today. IOCs and similar data are an important component of collections but mean nothing unless it’s applied properly throughout the entire intelligence process.
Figure 1: Intelligence Cycle
Scale is a key issue when we consider global intelligence collections such as IOCs. The volume is through the roof, just for the raw data alone. If you decide then to store additional information such as binaries themselves or full packet capture, it becomes cost prohibitive. This is why many organizations implement policies to meet compliance and store data for shorter periods of time, such as three months or a year, depending upon a variety of factors. Attempting to collect global IOCs and intelligence leads is a formidable task which is costly and likely aims towards mitigation on a small scale, not allowing the consumer to advance their program or see a return on the investment. It’s akin to searching for a needle in a stack of needles or a hash in a massive list of IOCs that might impact your network.
Complexity of data types and formats also plays a key role. It seems like everyone has a different way of approaching things, naming meta-data related to threats and so on. Without any formalized international standards for things such as naming and indexing malware data, we have a massive mound of data types and formats that we must address on an individual level when looking at global threat intel. Again, this is a cost-prohibitive venture for most companies forcing them to decide on priorities and what should and should not be part of an intelligence program.
Enrichment is a key component of processing intelligence within the greater intelligence process. This is commonly performed along the lines of threat reconnaissance, where a specific threat is researched for an actionable response. For example, malware discovered on an endpoint may be enriched to identify command and control servers, filenames, mutex values, related variants, cryptographic hash values, adversarial context, and tools, tactics and procedures (TTPs). There is a wealth of information, yet just a single piece of code forcing the enrichment process to be prioritized. This often results in looking for specific pieces of information such as C&Cs; not looking to collect or enrich towards other data that may be available or stored. As a result, important innovative details or family/campaign data may remain undiscovered or undocumented when it otherwise would be included within the intelligence data set.
Relevancy is a key need with so much information coming at us from every angle. Some sources are highly trusted, while others are not. Some data is often missing. In the world of intelligence, you only know what you know, and what you don’t know can hurt you. You can have millions of IOCs and still nothing to protect against a new threat launched against your network. Getting to a stage where both reactive and proactive intelligence actions are taken to harden against an attack and minimize impact and loss during an incident is very challenging. It requires a mature organization with a moderate-to-mature intelligence program aligned with a security program which few have attempted to date.
Challenge of Actionability within CTI
How then, can one take action after working the process of intel? That is the desired outcome, after all! Many talk about this, but more often than not, its words not action that tell the story (pun intended). Making this practical, a few sanitized wins over the years help to illustrate the point of intel towards actionability:
- A government organization is targeted with espionage attacks every two days, normally successful, using zero-day vectors and new payloads. A special team of experts and consultants were brought in to research and respond to the ongoing threat. After several months of understanding TTPs and also the target defense TTPs, new solutions and procedures were put in place to effectively block 100 percent of new unknown attacks going forth. Action Result: Mitigated ongoing zero-day attacks.
- An organization was attacked with a sophisticated backdoor and removed it. They then performed threat and attribution reconnaissance against that threat to identify additional IOCs and adversary information. This information was used to discover a computer communicating with an old C&C from 18 months prior in the same campaign. This led to the discovery of an unknown backdoor shell related to the same campaign previously unreported by any source to date. Action Result: The threat of the unknown was addressed increasing confidence in mitigation and defense.
If you don’t have an end goal, an actionable outcome in mind with your intel process, it will fail. In an ideal world it needs to map back to technical controls and governance within the organization.
How Do I Create an Actionable Cyber Threat Intelligence Program?
Many are busy creating security teams now, with just a few starting to develop intelligence shops. There are workshops designed to help you identify crown jewels and create a roadmap for integrating intelligence, as well as workshops focused on cyber threat intelligence maturity. The result is a highly customized and personalized approach with seasoned experts helping you gain laser vision on what works for intelligence programs. It is a complex puzzle of readiness, having the right people to help consume and digest it and manage it and so forth. In many cases we see experienced resources, of which there are far too few in the industry, positioned in intelligence roles, while lower skilled jobs are farmed out to managed security to maximize ROI. Using both a strategic and tactical approach is necessary to be successful with the innovation of an intel program.