Why You Should Launch a Threat Intelligence 'Hunt Team'
By Gary Warner on May 3, 2016
The following interview is with Gary Warner and is from our Threat Intelligence Thought Leadership Series. Gary is currently chief threat scientist at PhishMe.
1. What drives interest in threat intelligence in your community? What hole in your world does it fill?
For me, threat intelligence encompasses the pieces of data that help us move from “isolated facts” to an understanding of the tactics, techniques, and procedures (TTPs) favored by a particular threat actor. Some call those isolated facts “atomic indicators” — the smallest components, such as a domain name, an IP address, the hash of a malware sample, an email address, or in some cases a unique email header line, that can help us detect a cyber attack.
But it is the CONTEXT and the RELATIONSHIP BETWEEN these atomic indicators that start painting a picture about the five Ws — WHO is attacking, WHY they are attacking, WHAT they are looking for, WHERE they are based, and HOW they execute their plans. The keys to moving from atomic indicators to TTPs is context and history. If we see this same attacker again, with slightly different atomic indicators, will we recognize that it is the same actor?
2. What does actionable threat intelligence look like to you?
Threat intelligence needs to operate on two levels, and meet needs for two different audiences. At the security operations center (SOC) level, the atomic indicator is often exactly what they need — a quick “bad/good” judgement for a given piece of network traffic or email. But at a more strategic level, we have a goal of identifying the criminal actor and depriving them of their opportunity to attack us again.
To get to that level, it is often the case that a single organization does not have the necessary data to provide the larger context. This is where “cross-brand intelligence” comes in. What does YOUR company know about this attacker that might benefit MY company? And where do we share that type of information in a way that enhances our mutual understanding of the threat without compromising the security of either organization?
3. What can an aspiring threat intelligence analyst learn from your own career path that will inspire them?
Two tips here. First, pick an area and become the master of that area. I started as a “sniffer jockey” — I did network troubleshooting at the packet level and spent all my waking moments learning more about the protocols until I had something to contribute. But more importantly, always be building your network!
Find the people who need the things you know and find ways to share with them, but also find the people who know the things you don’t know, and find ways to learn from them.
Always teaching. Always learning. Always networking.
4. What are your long-term goals with threat intelligence and how will you measure progress?
My long-term goal is still to make a significant impact on how we react to cyber crime. It is clear that we are losing. We need to continue to improve the automatic linking of our atomic indicators so that in every jurisdiction and in every type of crime, be it malware, phishing, spam, hacking, or deep intrusion, we can rapidly identify the members of the criminal organization and put appropriate counter-measures in place to disrupt the organization. This will take a fundamental change in how law enforcement works with industry, and how nations work with one another from a law enforcement perspective.
While we are making progress, there are still many hundreds of thousands of people who have cyber crime as their primary occupation.
If we are successful, it will begin to impact the career choices of the mostly young Eastern Europeans, West Africans, and North Africans who dominate the cyber crime environment today. However, this will not be won solely with technology. We’re going to need to take our intelligence and use it as part of the narrative for policy decisions that help to create opportunity and prosperity in those places that are currently breeding grounds for crime.
5. What do CISOs and BOD need to understand about threat intelligence?
Chief information security officers (CISOs) tell us that their primary tools for breach detection are network analytics and malware analysis. Yet most breached organizations still learn about their breaches from a third-party reporter, such as law enforcement or Brian Krebs. The Verizon Data Breach Investigations Report still tells us that ALMOST NOBODY learns of breaches from the tools that CISOs list as their primary tools. We have to fix that disparity.
Teach your employees what cyber risk looks like and deploy them as sentinels throughout your organization. Build mechanisms for them to share suspicious activity. Start with the assumption “I have been breached” and assign a team with the appropriate skills to hunt your organization’s networks and systems until they can prove conclusively that you have not.
Most organizations have not fully actualized their employees, and have no such “hunt team,” nor do they have access to the types of threat intelligence CONTEXT that helps them move from “atomic indicators” to “TTPs.”