Threat Intelligence: Not a Wild Goose Chase

Posted: 11th May 2017
Threat Intelligence: Not a Wild Goose Chase

Key Takeaways

  • Without context, threat intelligence can easily become an unmanageable stream of alerts. Understanding a threat actor’s motivation, for instance, can dramatically improve your ability to respond to threats.
  • There are three types of threat intelligence: strategic, operational, and tactical. To truly maximize your security profile, you need a threat intelligence capability that delivers all three.
  • Intelligence data overload can be combatted with two key ingredients: context and automation. Without these, your human analysts will spend most of their time discarding false positives.
  • The dark web can be a source of valuable intelligence, but it can also be dangerous for the uninitiated. A powerful threat intelligence capability can enable organizations to gather intelligence from the dark web without putting themselves at risk.

To the uninitiated, threat intelligence can be overwhelming.

Should you be focusing on threat actor tactics, techniques, and procedures (TTPs)? Study the latest breaches in your industry? Are indicators of compromise (IOCs) important, or should you be analyzing threat actor chatter?

All the while new threats arise constantly, and threat data is available from all manner of open source and premium sources. How are you supposed to tell the difference between valuable threat intelligence and a total waste of time?

Recently, we invited Rob Gresham, Security Operations Practice Lead at Foundstone and former Cyber Branch Chief for the South Carolina Army National Guard, to host one of our webinars. Foundstone is a product agnostic team of security consulting experts within McAfee, and during the webinar Rob explained how he uses Recorded Future and other tools to provide his customers with contextualized, actionable threat intelligence for enhanced security operations.

The Context of Motivation

“If you don’t want to be hunting for geese in the middle of NYC, you really need some context around where you’re going to find them.” If you have any experience with threat intelligence, you’ve no doubt struggled with some (or all) of the questions listed at the start of this article. For precisely that reason, Rob kicked off the webinar by calling out the antidote to information overload right off the bat: context.

Without context, a threat intelligence capability quickly becomes an unmanageable stream of alerts that can never be properly managed or triaged. But with context, threat intelligence can become a hugely valuable asset.

To that end, Rob explained that he doesn’t like to focus too much on tracking individual threat actors or groups.

“We track them, but we don’t talk to our customers about APT1, APT2, country X, or country Y,” he explained. “What we really talk about is motivation. We feel that if we can determine the motivation of an attack, we can mitigate that threat relatively easily.”

In effect, understanding the most likely motivation between different types of attack provides the context needed to effectively deal with those threats.

Hacktivists, for instance, like to use distributed denial of service (DDoS) attacks to damage their targets, and speak openly about their attacks through social media channels. As a result, as these attacks occur, you’ll know that the intention is simply to cause as much damage as possible, rather than to steal sensitive information or gain access to your networks.

Similarly, while they may use a range of attack vectors to reach their objective, cyber criminals are invariably after one thing: money. Irrespective of their preferred attack vector, they will typically need to compromise a user account or terminal, and send communications back to a command and control (C2) server for further instruction.

Ultimately, whether their business model is data theft, extortion, or something else entirely, their attacks tend to follow a specific pattern because their motive demands it.

Of course, Recorded Future uses far more than known motivations to contextualize incoming threats, but this simple example demonstrates how much additional value can be added to a threat simply by adding a small amount of context.

To further demonstrate how he improves his customers’ security profile, Rob went on to explain how breaking threat intelligence down into three discrete categories can add further context to incoming threats.

3 Categories of Threat Intelligence

In broad terms, there are three types of threat intelligence: strategic, operational, and tactical. Below are examples of each.

Strategic Intelligence

  • Board Level Awareness
  • Security Vision Policy and Planning
  • Threat Statistics and Reporting

Operational Intelligence

  • Decision Making Awareness
  • Proactive Threat Assessments and Analysis
  • Partner Integration

Tactical Intelligence

  • Threat Library Sharing and Automation
  • Global Threat Intelligence
  • Threat Intelligence Exchange and Data Exchange Layer

To illustrate the differences, Rob mentioned the widely read Mandiant report, “APT1: Exposing One of China’s Cyber Espionage Units“:

“A lot of people remember the Mandiant APT1 report, which had a lot of great information in it. It contained a lot of tactical information, some operational information, but very little strategic information,” He explained. “It was overall a great report, and everybody puts their basis around those kinds of reports nowadays, and now they’ve become mostly the norm.”

And of course, there’s nothing wrong with tactical intelligence. It’s an essential part of any threat intelligence facility and is invaluable in the pursuit of constantly tightening firewall rules, spam filters, and other technical controls.

But a powerful threat intelligence facility should play a far greater role than this. It should provide operational intelligence that can be used by senior officers to inform vital proactive (and sometimes reactive) decision making. It should provide strategic intelligence in the form of threat statistics and reporting that can be used to enhance board-level awareness, and drives organization-wide policy and planning or even procurement strategies.

And, as Rob noted during the webinar, this is precisely what Recorded Future does for his customers:

“Recorded Future brings together disparate intelligence sources so you can gather and assess what’s currently going on. It allows you to create strategic intelligence, which improves board-level awareness, provides a security vision, and drives policy and planning.”

“Then it also moves you into operational intelligence; it gives you decision-making awareness. It enables SOC [security operation center] managers, or risk managers, to be proactive by aligning threat assessment and analysis, and partner integration capability so they can make those timely proactive, or sometimes reactive, decisions.”

Avoiding Intelligence Data Overload

Of course, while understanding your audience and your attackers’ motivations is vital, it still doesn’t address one of the major issues with a lot of threat intelligence capabilities. Information data overload is a massive problem for many organizations, and contributes heavily to the idea that gathering threat intelligence really is a wild goose chase.

This is where machine learning comes in.

For most security analysts, discarding false positives is a highly time consuming and frustrating process, which eats into the time they have available to work on proactively enhancing their organization’s security profile. If many false positives can be identified through a machine-learning algorithm, however, this process becomes far less arduous.

“When it comes to machine learning, it’s about selecting a false positive threshold that cuts away the majority of the load on human analysts, but doesn’t discard valuable intelligence,” cautioned Rob. “Then we take what’s left after the false positives have been discarded by our algorithm, and we understand our threats a little bit better. Now we can tune our tools, dashboards, reporting, and terminology to reflect what we’ve learned.”

And as Rob noted during the webinar, this is precisely where Recorded Future excels. By automatically contextualizing each individual alert, and removing those deemed to be false positives, Recorded Future arms analysts with the intelligence they need to fully understand their organization’s incoming threats, post forensics, network traffic analysis, and much more.

Once intelligence overwhelm has been overcome, one area that consistently pays dividends for threat analysts is the study of threat actor TTPs, particularly when combined with an understanding of threat statistics. In fact, not only can this type of analysis help you to tighten your technical controls, it can also profoundly improve your organization’s ability to allocate resources to the right areas.

“When you analyze all the breaches that have occurred, and look at how they happened, you find some very interesting trends,” Rob stated. “Particularly, whether it’s malicious remote traffic, or malicious website content, or malware, or locally authenticated users, and emails with malicious content, you start to realize a huge proportion of risk comes from some kind of phishing event.”

“But at the same time, you’re being accosted by sales engineers to go and buy an endpoint detection response capability,” he continued. “Is that the right product for the right problem at the right point in time? From a strategic standpoint, maybe, but also maybe not. I’m not saying you don’t need the tool, but I am saying you should have the intelligence to know where your resources should be allocated.”

In reality, many organizations believe they need specific products simply because those are the products receiving a lot of hype at the time. However, with a powerful, contextualized threat intelligence facility, decision makers can gain a deeper understanding of their organization’s specific risks and allocate resources accordingly.

Beware the Black

“If thou gaze long into an abyss, the abyss will also gaze into thee.” (Friedrich Nietzsche)

In recent months, everybody in the information security community has been talking about the dark web. But opinions differ wildly: Is it a valuable source of threat intelligence, or a dangerous waste of resources?

As Rob noted during the webinar, it can easily be either.

In a previous webinar, Andrei Barysevich, Director of Advanced Collection at Recorded Future, warned listeners on the dangers of engaging criminal actors without having the proper skills and experience. His precise words: “Listen, read, but do not engage criminal actors.” And during this webinar, Rob Gresham had a very similar sentiment:

“As you stare into the black … the black stares back at you.”

But, as both explained in their own ways, a huge amount can be achieved using dark web intelligence without ever engaging criminal actors. In this case, Rob spoke about how using technology to identify stolen assets and compromised account credentials can highlight otherwise unnoticed breaches, and speed up incident response.

To illustrate his point, Rob used a series of screen captures from Recorded Future to display mentions of organizations’ compromised credentials on the dark web and popular paste sites. Rob also showed an image to represent threat actors attempting to sell credit card information belonging to a specific financial organization.

“This is just advertising, but if they’re advertising it, how old is the data? Is the data new? Where did they get the data from? Are they just trading in old data?” Rob continued. “In one case, I was supplying a customer with intelligence for a year, and as time went on we saw 10 to 20 posts advertising their data each month. Suddenly, in August, we saw 140 posts, a really dedicated marketing campaign, and we knew something was up. Suddenly, this person has stepped up their selling ability. Either people are suddenly buying old material, or they’ve just got some new, fresh blood, and they want to sell it.”

By searching for “booms” in dark web or paste site mentions using Recorded Future, you can keep track of what’s currently being sold, and quickly identify instances where a breach may have occurred but went unnoticed.

Goose Chase or Golden Goose?

It’s easy to see why some people consider threat intelligence to be a wild goose chase. Done poorly, this is precisely what it can become.

The threat intelligence market has become saturated with simple threat feeds, with many organizations initially believing that simply having more information will improve their security. Unfortunately, as these organizations quickly discover, the quantity of information these feeds deliver is quite simply unmanageable.

But with the key ingredients, context and automation, everything changes.

Instead of stumbling around in the dark, you can easily identify and act upon the most important threats first, tightening relevant security controls and focusing more energy on high-yield activities such as internal hunting.

To see how Recorded Future can dramatically enhance the benefits your organization sees from threat intelligence, get in touch to arrange a free demonstration.

If you’d like to hear more from Rob (and he had much more to say) you can watch the full webinar for free by visiting our webinars page.