How Insikt Group’s Operational Outcomes Team Drives Action to Reduce Risk
April 16, 2020 • Lindsay Kaye
I’m Lindsay Kaye, the director of operational outcomes for Insikt Group®. Insikt Group as a whole produces analyst-generated insights that become validated intelligence sources within the Recorded Future® Platform. Insikt Group also performs novel security intelligence research in a variety of areas, including nation-state threat actor groups, threat actors operating in the criminal underground, and all manner of technical topics.
Simply put, the operational outcomes team creates insights that drive action to reduce the risk associated with an identified threat. Our team also specializes in technical research, supporting our own focus area and other specialized teams within Insikt Group.
Why do we call ourselves “operational outcomes” and not some variation of “the technical analysis team”? As mentioned in a previous blog post authored by the vice president of Insikt Group, our research and analysis should provide our clients with “analyst-generated assessments, insights, and recommended remediative actions for informed decision-making and risk reduction.”
Our team produces hunting packages and endpoint detections that can be used to detect and mitigate threats in our clients’ environments. Providing these and other mitigations to our clients helps contextualize the threat and gives them a way forward to understanding, detecting, and potentially combating the threat in their own environments, even if they do not have their own advanced technical threat intelligence team on hand.
I believe such intelligence is critical for clients. After all, simply making someone aware of a threat with vague allusions to its impact on their business or systems without insight into what to do about it is not intelligence — it is just information.
The operational outcomes team provides prescriptive outcomes for our clients using:
- Insikt Group Validated TTPs: As a supplement to the TTP (tactics, techniques, and procedures) instance notes, we provide deep dives on the most relevant and impactful TTPs we have surfaced. In these deep dives, we aim to provide a more extensive technical description of the TTP, the potential impact if it is used operationally, and detections for observing the associated tools in the wild, such as YARA rules, Snort rules, or file hashes.
- Hunting Packages: Our team provides hunting packages on a variety of malware families and updates them as new, high-impact threats emerge. These hunting packages include YARA rules, Snort rules, and hashes, as well as other indicators of compromise (IoCs) extracted from the malware. They may also include longer-form reporting to contextualize the threat and help practitioners understand the level of risk to a particular type of organization and any available mitigations.
- Research: In addition to contextualizing the threat and giving an in-depth description of the technology involved, the long-form research produced by Insikt Group incorporates hunting packages, mitigations, and industry-applicable insight where possible. The team selects research topics based on what threats our customers are most likely to face, such as ransomware, current world events, or new TTPs used by prolific actor groups, to name a few examples.
- Proactive Detection of Malicious Infrastructure and Files: We actively research and discover malicious infrastructure and malware. Our process includes creating detections that help track both, which at times lets us identify them before attackers have even put them into use. The results of this work are visible in our platform through risk rules, long-form reporting on campaigns or malware, and other means.
The operational outcomes team exclusively provides security guidance based on technical analysis performed by Insikt Group. In doing so, we hope to continue building our reputation among clients as a source of high-quality technical reporting that is valuable not only from an informational perspective, but also for its ability to inform security practices in clients’ own environments and to actively hinder or stop attacks.
To learn more about how Insikt Group produces leading threat research, read this blog post.