Sharing Indicators Is Easy, Sharing Intelligence Is Not
By Christopher Mascaro on May 31, 2016
The following interview is with Christopher Mascaro and is from our Threat Intelligence Thought Leadership Series. Christopher is currently head of threat intelligence and analytics at First Data.
1. What drives interest in threat intelligence in your community?
I think that the interest in threat intelligence comes from the fact that the financial and payments industry had the first companies with a defined need for threat intelligence. The DDoS (distributed denial-of-service) attacks a few years ago on American banks coupled with cybercrime threats that the industry has had to deal with for many years has created a need for threat intelligence to develop in the private sector.
2. What hole in your world does it fill?
Threat intelligence fills a number of gaps. It allows stakeholders to receive analysis that they would not receive through other venues. One of the benefits of having a developed threat intelligence team is that the team understands the company and has the time to specialize in providing analysis and collection around the threats that the corporate stakeholders care about most.
3. What does actionable threat intelligence look like to you?
Actionable intelligence can take on many types and is driven by the stakeholder. Actionable intelligence to a security operations analyst may be focused on indicators, whereas actionable intelligence to an executive may be an assessment of certain activities in a region of the world. The “action” part of actionable is driven by the stakeholder.
I think one of the challenges with threat intelligence is understanding the audience and stakeholder. One of the forgotten and overlooked aspects of the intelligence cycle is requirements gathering. If you do not know what your stakeholders want and need to do their jobs, then you are not doing your job.
Initial requirements gathering is important, but maintaining the connection to the stakeholder and revising requirements is integral to a productive analyst-stakeholder relationship. My team does frequent revisions to our requirements based on the evolving landscape and through frequent touchpoints with our consumers.
We conducted a stakeholder survey of all the report’s recipients and received an almost 40% response rate, which is much higher than typical survey response rates. These responses allowed us to tailor our processes and better serve our stakeholders.
4. What can an aspiring threat intelligence analyst learn from your own career path that will inspire them?
I think the most important part of being an analyst is being curious. A day’s news may be boring, but the industry is fascinating, and it is important to try to get something out of every project or report.
I have had a lot of roles across my time in the government, academe, and the private sector and the boring roles tend to be where you learn the most if you have the curiosity to make the best of it. When I interview individuals to join our team, I always look for indications of curiosity, and I ask them about previous roles to get a sense of what they made of them.
5. What are your long-term goals with threat intelligence?
Our goal is better intelligence sharing through process improvements and better tools.
One of the biggest problems with the threat intelligence industry is that “threat intelligence” is a buzzword that is often misapplied to threat data and threat information. The phrase “threat intelligence feed” should not exist unless the feed contains analytical reports. In order for something to be threat intelligence, it needs to be processed in some form by a human analyst. A list of IPs, hashes, or other data is not intelligence. Sharing indicators is easy; sharing intelligence is not.
I would like to develop how certain pieces of data, information, and knowledge fit together in the cybersecurity domain. There is a definite lack of tools that can help threat intelligence professionals, and I think this is driven by the misunderstanding of what intelligence actually is and how to share it. There has been significant progress in the previous years, but so much of the space is still focused on data management as opposed to intelligence management.
This is not an easy problem to solve, but I think there are a lot of efforts that are unfocused and detract from the real problem. There are only so many listservs an analyst can effectively process, and so much of the “sharing” still occurs in this type of format.
The emergence of standards such as STIX/TAXII is great, but adoption is still lacking, and one of the reasons is that these standards provide too much complexity. Sharing should be easy, and today it is not.
6. How will you measure progress?
I think the measurement of progress in this space is going to be difficult. When I am able to effectively share intelligence with stakeholders and other institutions, then I think the problem will be solved, but I do not seeing it happening in the near term. Maybe we can measure progress by consolidating one listserv at a time since many of them provide the same data and information to the same subscribers.
7. What do CISOs and BODs need to understand about threat intelligence?
The most important thing that senior leadership needs to understand is that threat intelligence is a tool and cannot answer every question. Perfect intelligence does not exist, and intelligence can be wrong. This is something that policy makers in the government still experience frequently. The private sector is no different.