Think Like Your Adversaries to Stay Ahead of Cyber Threats

Posted: 12th July 2016
Think Like Your Adversaries to Stay Ahead of Cyber Threats

Editor’s Note

The following interview is with Stephen Coty and is from our Threat Intelligence Thought Leadership Series. Stephen is the chief security evangelist at Alert Logic.

1. What drives interest in threat intelligence in your community? What hole in your world does it fill?

Threat intelligence analysts and their research is the backbone of creating threat content that is deployed to all security technologies. In a good security strategy there is protection provided for all layers of the stack through technology, people, and process. Let’s discuss the process.

So a threat intelligence analyst is researching on the dark web and finds a new variant of malicious code (malware) that he has not previously seen. He will then purchase or freely download the code for analysis. He runs the malware through a testing environment (sandbox) that executes the code on various platforms and operating systems. He then will do a manual code review to validate the automated findings and discover things that the sandbox might have missed.

Once the review is completed he can now find the indicators of compromise and develop content for the appropriate security technology that would provide detection until a patch is released.

2. What does actionable threat intelligence look like to you?

Actionable threat intelligence is the deliverable that comes from research like the process above. The intelligence collected above could be used not only for content but to also provide data in detail to manufacturers about the vulnerability exploited, companies that need to implement security controls, or to proactively warn a company about a pending attack.

A lot of data is available on the dark web and it becomes a challenge for analysts to determine what is relevant. While digging you do find information about pending attacks as hacking groups tend to make announcements to get enough followers to accomplish their agendas.

This is where threat intelligence can really provide actionable data that can help an entity be proactive about implementing the right security for pending attacks.

3. What can an aspiring threat intelligence analyst learn from your career path that will inspire them?

There is always something new every day.

The trick is to think like your adversaries so that you can keep up with the ever-changing threat landscape; understanding information technologies (IT) processes, incident response, reverse engineering code, writing of exploits based on found vulnerabilities, and having a credible persona to freely move around the underground without suspicion.

My job is to protect my clients. I am not law enforcement so going into the underground with that understanding will help get farther into the inner circles.

If you flip on people in this community you will be blacklisted and then have to start from scratch and build a new accepted persona — which can take years.

4. What are your long-term goals with threat intelligence and how will you measure progress?

Threat intelligence needs to have its hands untied. There is so much more we could do if we had the ability to reverse hack an attacker or track stolen data across the dark web to a buyer who may be a competitor. This would truly give the industry the ability to get ahead of our attackers.

5. What do CISOs and BOD need to understand about threat intelligence?

They need to look at threat intelligence not just as a budget item but as a proactive security posture that requires investment into the people, process, and technology. If your name is not being reported in the news for a breach then your team is doing its job. Sometimes people only recognize the team’s functions when a breach actually happens; they forget the past five years of no significant security incidents.

Stephen Coty

Stephen Coty is the chief security evangelist at Alert Logic in Houston, Texas and a member of ISSA, Infragard, and the HTCIA. Before coming to Alert Logic, he was the manager of cyber security for Rackspace Hosting. Prior to Rackspace, he worked at several companies including Wells Fargo Bank, Applied Materials, Stanford Medical Center, and The Netigy Corporation. He has been in the information technology field since 1992 with a focus on security as of 1999 where he started as a penetration tester and auditor. Research has been his primary focus since 2007.