The Operational Case for an Intelligence-Driven Security Program (Part 1 of 2)
February 18, 2015
In my last post, I discussed the business case for threat intelligence, and why I believe threat intelligence should be a pivotal part of any modern enterprise security program. In this follow-up I will address the operational aspects of threat intelligence and why it is critical to your security program.
From an operations perspective, there are a few key points where enterprise security can benefit from threat intelligence as a platform. I want to stress that I am speaking about the whole ecosystem of data, tools, processes and people.
I’ve written before that our industry needs to shift our thinking to “assume breach,” but this doesn’t invalidate the need to improve our preventative capabilities. I believe security operations needs to become more intelligent about the types of threats we aim to prevent. Rather than trying to prevent all threats to our systems and data, we need to be able to utilize threat intelligence to prevent generic threats, and even some of the targeted threats to our systems.
Generic threats are non-targeted, non-persistent and most often described as opportunistic or “drive-by” infections. Many of the static indicators available through threat intelligence feeds – such as IP addresses, MD5 file-hashes, low-reputation DNS, and more – can help us prevent infections before they make it into the network. When they are fed directly into our infrastructure security devices and endpoint tools, static indicators can reduce the operational tax on human responders.
Many of the targeted threats – the ones specifically aimed at a system, vulnerability, industry or company but not designed to be stealthy or reside on the infection target – can be prevented by using a combination of signatures and static indicators on the same infrastructure and endpoints. Although it is likely there will be a “patient zero,” which cannot be prevented, subsequent infections are entirely preventable with timely, accurate, and contextual threat intelligence.
The point here is that detection is greatly improved with threat intelligence data feeds, even the most basic indicator types. This approach has the potential to seriously reduce the amount of time human responders spend remediating common malware-based infections, freeing analysts for more complex tasks and reducing overall workload.
Detection of threats to an organization is the new prevention. If we “assume breach,” the goal for the intelligence-driven enterprise security organization becomes to detect any potential infections as quickly as possible. In the prevention step above, we are removing the common malware-based threats, and thus are left with the more complex, customized and targeted threats, at least in theory.
Detection of these threats before they achieve their objective is critical. I believe it’s important to mention (and I will expand on this in a later blog post) that infection is rarely the primary objective for malware or attacks. Attackers don’t waste time and money just to plant a flag on your system like a trip to the top of Everest. There are few instances where the goal is to simply infect; rather, there is a broader objective of stealing credentials, intellectual property, or other sensitive data. It is the objective of the security team to disrupt an attack and prevent achievement of the attacker’s goal. Detection is that mechanism.
Integrating threat intelligence through signatures, static indicators and tactical reports assists the security team in identifying anomalies, and catching and stopping attacks before they achieve their objective. Whether it is through identifying patterns of behavior, connections out to previously non-malicious IP addresses, or something else, rapid detection can mean the difference between being infected with malware, and experiencing a major breach. There is certainly nothing that says security teams cannot achieve this goal without external threat intelligence, but I believe that the chances of successfully thwarting an attacker rise exponentially with good external information. My assertion here is of course a qualitative measure, and an interesting bit of research here would be to perform a quantitative analysis to identify exactly how much better detection becomes.
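As an added example, not code from the original post, here is the kind of indicator-matching logic the prevention paragraph (static indicators fed into infrastructure and endpoint tools) and the detection paragraph above both describe: fresh IP, MD5 and domain indicators from a feed are matched against log events, each hit carries the feed's context, and hits are grouped per host for triage. The feed layout, the key=value log format, and every indicator value and hostname are constructed assumptions.

```python
"""Match static threat-intelligence indicators (IPs, MD5 hashes, domains) against
log lines, attach feed context to each hit and group hits per host for triage."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "md5" or "domain"
    value: str
    context: str     # what the feed says about the indicator
    last_seen: date  # feeds age; used to drop stale indicators

TODAY = date(2015, 2, 18)
FEED = [  # constructed; documentation IP ranges and example.net only
    Indicator("ip", "203.0.113.7", "exploit-kit landing page", date(2015, 2, 16)),
    Indicator("md5", "0123456789abcdef0123456789abcdef", "dropper sample", date(2015, 2, 17)),
    Indicator("domain", "update-check.example.net", "low-reputation DNS", date(2014, 6, 1)),
]
LOGS = [  # constructed endpoint, proxy and DNS events in an assumed key=value format
    "2015-02-18T09:01:02 host=ws-014 event=conn dst=203.0.113.7 dport=80",
    "2015-02-18T09:01:05 host=ws-014 event=file md5=0123456789ABCDEF0123456789abcdef",
    "2015-02-18T09:03:11 host=ws-022 event=dns qname=update-check.example.net",
    "2015-02-18T09:04:00 host=ws-030 event=conn dst=198.51.100.9 dport=443",
]
FIELD_KIND = {"dst": "ip", "md5": "md5", "qname": "domain"}  # log field -> IoC type

def build_index(feed, today=TODAY, max_age_days=90):
    """Index only fresh indicators: an IP or domain last seen months ago is
    often reassigned or sinkholed and mostly yields false positives."""
    return {(i.kind, i.value.lower()): i for i in feed
            if (today - i.last_seen).days <= max_age_days}

def match_logs(lines, index):
    """One hit per (log line, matching indicator); values are case-normalised."""
    hits = []
    for line in lines:
        fields = dict(t.split("=", 1) for t in line.split() if "=" in t)
        for field, kind in FIELD_KIND.items():
            ioc = index.get((kind, fields.get(field, "").lower()))
            if ioc:
                hits.append({"host": fields.get("host"), "kind": kind,
                             "value": ioc.value, "context": ioc.context})
    return hits

def triage(hits):
    """Group hit contexts per host: several indicator types on one host is the
    generic-infection pattern that can go straight to automated blocking."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(f'{h["kind"]}: {h["context"]}')
    return by_host
```

Run against the constructed data, only ws-014 is flagged (two indicator types, the pattern worth automating), while the eight-month-old domain indicator is aged out before it can fire on ws-022.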
In my next blog post I will discuss the final operational aspects of threat intelligence: response and recovery.