Threat Intelligence: When Straw Houses Don’t Suffice Against Big Wolves

Posted: 7th June 2016
Threat Intelligence: When Straw Houses Don’t Suffice Against Big Wolves

Editor’s Note

The following interview is with Chris Stouff and is from our Threat Intelligence Thought Leadership Series. Chris is manager of security incident response and forensics at Armor.

1. What drives interest in threat intelligence in your community? What hole in your world does it fill?

I see two different interests in threat intelligence. The first and easiest to find is the sex appeal interest. Everyone is doing threat intelligence, and it’s not important to discuss how well you do, or to learn how to improve. Just do it, and do it more than everyone else.

On the flipside, those that I think get it, have the interest in taking unformed abstract data points, and correlating that to an event. Digital hunting is their interest, as long as it is unpredictable. If threat intelligence was to push logs into the black box, then read the output for a cold numeric response; threat intelligence would then become predictable and would lose the talent it draws.

At that point, the math takes over, and guess what? They, the bad guys, have and use the same math.

In my world it is either the hook to get talent engaged, or it is the hunt that keeps them there.

2. What does actionable threat intelligence look like to you?

Different every time. Though it shares the common attributes about being timely, accurate, consumable, and relative. I also differentiate actionable threat intelligence from good threat intelligence. You see, I learned a lesson from our chief security officer, when he kept asking the question, “So what?”. If your threat intelligence hasn’t been through several revisions of “So what?”, well you just won’t respond appropriately — though you may have acted.

3. What can an aspiring threat intelligence analyst learn from your own career path that will inspire them?

There’s not a perfect path to anything. At our level it is no longer a science, but an art. You can have all the certifications and degrees you want, and they’ll open some doors, but to be inspired you have to have passion. Believe in your mission — and the leaders that you follow. Oh, and a healthy dose of Occam’s Razor. Most likely the malicious actors aren’t nation state actors, and if you haven’t found their persistence, they probably never got it.

4. What are your long-term goals with threat intelligence and how will you measure progress?

Lag to lead. Simply put, threat intel is either applied to global threats, or it is applied after an incident has occurred. Why is that acceptable? We will measure progress by increasing mitigation numbers tied to threat intel-generated protections.

5. What do CISOs and BOD need to understand about threat intelligence?

You’re probably doing it wrong, but how do you know? Armor can measure its overall security effectiveness, as well as its dwell time. We can improve our defenses, and our responses, because that’s what we do. We constantly feed a process to improve our performance. Your team is preparing for a fight that few, if any of them, have ever had to fight before. Straw or wooden houses won’t suffice against the big wolves.

Chris Stouff

With more than 15 years of security and IT expertise, Chris Stouff is one of Armor’s elite go-to sources for expertise in incident response, event forensics, and advanced threat actor behavior and intelligence. As an NSA veteran, Stouff supported U.S. military efforts by collecting and analyzing foreign intelligence and, in the private sector, he oversaw the implementation, optimization, and management of multi-state server environments, including private cloud infrastructures. Stouff has a Bachelor of Science in Information Systems from the University of Texas-Arlington.