The Threat Intelligence Value Proposition
June 10, 2019 • Zane Pokorny
Joining us today is John TerBush, senior threat intelligence researcher at Recorded Future. John is an instructor with the SANS Institute, currently teaching a course on open source intelligence that he helped develop. Before joining Recorded Future, he was a senior cyber threat intelligence analyst and subject matter expert with consulting firm Booz Allen Hamilton’s Cyber4Sight, and before that he worked for Symantec as a security operations center analyst. Earlier in his career, he worked as a researcher and private investigator.
Our conversation explores the value proposition of threat intelligence, and how organizations can dial in how they use it to manage risk, keep their business leaders informed, and get the best bang for their cybersecurity buck.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 111 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Joining us today is John TerBush, senior threat intelligence researcher at Recorded Future. John is an instructor with the SANS Institute, currently teaching a course on open source intelligence that he helped develop. Previous to joining Recorded Future he was a senior threat intelligence analyst and subject matter expert with Booz Allen, and before that he worked for Symantec as a security operations center analyst. Earlier in his career he worked as a researcher and private investigator.
Our conversation explores the value proposition of threat intelligence and how organizations can dial in how they use it to manage risk, keep their business leaders informed, and get the best bang for their cybersecurity buck. Stay with us.
I started out long ago doing legal research for different attorneys, doing research for authors at libraries and archives, things like that, transitioned from that into working as a private investigator for quite some time, about 15 years, and then around seven or eight years ago decided I wanted to make a move into the digital world, so to speak. Not that I wasn’t doing things in that vein as a private investigator, but I made the move to more of an information security focus and ended up doing briefly, for about six months, some vulnerability assessment work for a small local company, and then working for Symantec in their security operations center. It was a managed service, so we had a lot of clients.
Working in a SOC like that was a really great place to get a grip on a lot of technologies, different clients and what issues they have, and just develop professionally in information security. I found a liking and a knack for doing threat research and tracking different entities and campaigns and sharing that information and developing better detections while I was there at the SOC, and that led to transitioning into more of the threat intelligence space, which leads me to where I am now.
Before we dig into some of the work you’re doing here, I want to swing back, and I can’t help myself by digging into some of your work as a private investigator. I know, certainly, probably most of us have a bit of a film noir idea of what a PI actually does. I suspect it’s not quite that, but what was that work like?
It was interesting, it definitely was interesting. You’re always doing something new, there’s always a new case, always going somewhere different, and that keeps you on your toes and keeps things interesting. I was out of the office a lot doing mobile surveillance, but I also still was doing court record pulls and research, locating people, doing interviews, a little undercover work here and there, so some interesting stuff.
It’s definitely not like you see on TV and the movies necessarily, but it can be rather entertaining at times as well.
Yeah, and I think that goes right into this notion of open source intelligence, which in the digital realm, in the cyber realm, is certainly a hot topic these days. And you’re an instructor at the SANS Institute. You teach a course on open source intelligence.
Yes, I teach the security 487 open source intelligence course. That just was developed within the last couple of years by a friend of mine, Micah Hoffman, and it’s a pretty cool course.
A lot of it is things that I was doing in one way or another as a private investigator and certainly a lot of it that I’m doing now, conducting threat research.
How much of that crosses over? Those skills that you learned in your previous career, how does that transfer over to what you’re doing now?
There is a bit of carryover, actually, maybe more than you might expect. When you’re conducting investigations, you’re following the same process. You’re gathering information, you have to analyze it, you have to work out for yourself or with your team, will this lead to finding out what I want or finding more useful information for my client, or not? Where are those rabbit holes that you want to avoid because they’re wasting time for you, and keeping things focused. So a lot of the process is similar, actually.
You mentioned earlier that you seem to have a knack for this kind of work when you were working in the SOC. What do you attribute that to? What are the things that someone who fits right in, who finds this sort of stuff easy, what are some of the attributes that you had that made you successful?
Well I think part of it is just an interest in finding out new things, trying to learn things that other people haven’t figured out before, an investigative mindset, something I have and I think others that are successful in this space have.
Not everyone is really interested in doing this, but those that have an interest in it and a passion for it will find ways to succeed, I’m sure.
I want to dig in and talk some about threat intelligence and the work you’re doing with Recorded Future. First of all, what does your day-to-day look like? What sort of work are you doing there?
Well, I have my hands in a number of different things. I work with some of our other teams on specific … You know, our Insikt research team, and we’re focused on geopolitical analysis as well as technical tracking of actors. We develop different hunting packages for our clients that they can use to find bad things in their networks, also some more technical tracking of C2 networks and that sort of thing. On the technical side is where I tend to end up.
I also help, like I said, other teams with either OSINT-type investigative stuff to more technical things that they need assistance with, and generally just doing whatever we can to help our clients out, help the company out and find out new things and make the threat landscape visibility that they need and that they’re paying us for available to them in a useful way.
One of the things that fascinates me is that mix of the technical and human skills, and we talk about all the technical tools, but over and over again people I talk to, they speak about having a notion about something, something just doesn’t feel right, or their intuition tells them to head off in a certain direction to explore a certain thing. What is your take on that intersection between the technical and the human side of things?
Obviously that’s very important. I know I have friends that are very technical that don’t really want to go to meetings and do these other things, and they’ve carved out a niche for themselves. But I think if you can bridge that gap between being able to do the technical work and get it in the right hands, explain it to the clients where the end user is so that they can really use it is pretty crucial.
We have a lot of people in this space that aren’t very technical and need some help, and obviously if you have technical skills and you’re able to relate the information in a way that they can use it, that they can take action on it, that they learn something and can get better at their jobs, whatever, that’s really helpful.
I want to dig in and talk about some of the value of threat intelligence, how people measure that return on investment. When you’re out and about explaining the work that you do, how do you describe that value proposition to people?
Well, there’s a lot of different ways that you can use it. For example, at that high level, that C-suite level, you can just provide them some information on what generally the threat landscape … I talked about how I had done some vulnerability assessment work long ago and there’s a lot of things you need, moving parts there with, okay, there are all these vulnerabilities, I need to patch all these things. But what is more important, for example. What are the key risks? You’ve got to do that threat analysis. Without the information, the input, that gets pretty difficult.
There’s a lot of different solutions for this, but having a good source of threat intelligence, finding out what is out there, what is actually being utilized against corporations, government entities, et cetera, by attackers, that can help focus your efforts. You only have so much time to get so much work done. If you can focus on the more important pieces, then that makes your security posture that much better.
But what about folks who say, well, listen, I’ve got a bunch of open source feeds that I’m monitoring, we have information coming in through our SOC or other things. Why should we engage with an outside company to provide us with threat intelligence?
I’d say a big part of that is that even if you belong to an ISAC and are sharing some information with others, you’re still perhaps not getting the big picture. Certainly if you are just focused on internal collection of threat data, you’re not seeing what’s happening with this other company that may be related to you, what’s happening across the planet in Singapore or South America, whatever.
If you aren’t looking at some of this information, then you can find yourself in a bit of a tunnel security-wise and maybe not see the forest for the trees, and that can lead to some bad outcomes.
What about things like artificial intelligence and machine learning? How does that play into it, that ability to process all that incoming stuff at scale?
Well that’s huge. Obviously, having worked in a SOC, you see these situations where you just get swamped with alerts, so it absolutely is crucial to have some sort of automation, some way to use AI, and limited definition there, to correlate all this information and help you to work out what is really important.
Okay, we got this phish, it seems to be something that was blocked and taken care of, we can quickly adjust their settings so if we see something more like this in the future we can block that globally.
So we can do these sorts of things with automation as well to make our actions count for more than if we do everything manually, for example.
What are your recommendations for that organization who’s shopping around, who’s trying to decide how they want to dial in threat intelligence in their own protection of their systems? Where do they begin? What tips do you have for them?
Well, obviously you want to go with someone that actually has a pretty broad scope of information. It helps if you have some understanding of where your gaps are that you need to fill; there may be some other company or offering that better suits your needs as far as your gaps.
Some people need help with that. They haven’t even gotten to the point where they have any sort of an intelligence team, they haven’t worked out their intelligence requirement, and you might need a company that can help you with that, for example. You might need some help working out some playbooks for your SOAR, things like that.
So, I would say just talk to different people, even folks that you know are in the space that are using different sources or going with different offerings, and maybe find out, hey, these guys do a good job, these guys don’t, and then do those trials. Get some different platforms, check them out, test them out. Pretty much everybody is going to give you some trial so you can see will this work for me or not?
What do you suppose the future holds for threat intelligence? I think most people would be in agreement that if anything, the velocity of the threats coming in is increasing, but what do you see on the horizon?
Well, it’s a cyber world, it’s a digital world now, so pretty much anyone who’s anyone is out there, they have websites, they have ways to market their product, deliver their product through the internet or otherwise, and those threats are going to remain.
Criminal actors who used to be robbing people in a back alley, now they can just do it over the wire. You have nation states that are similarly moving into, and have moved long ago, they were early adopters, I think, into this space where they can acquire enormous amounts of intelligence just by hacking into somebody’s network and accessing their email server, for example.
That’s not going away anytime soon, so there are more people entering the space as well, as far as attackers, so you need to keep that data source that can keep you abreast of all this activity there. And I think we are seeing, like with Recorded Future and some of the other providers in the space, that there may be a bit more consolidation going forward like we saw with, say, AV companies or firewall companies, so they are going to shake out some larger players in the space and that may make it a little less confusing.
But, moving forward, you absolutely are going to have a need for threat intelligence, and in some form or another Recorded Future is trying to make it available to pretty much anyone. We don’t want to be exclusive to, okay, who are the really advanced clients? These banks or insurance companies or government agencies, they’re not the only ones that need it, so I think we’re seeing more of a democratization of threat intelligence.
Our thanks to Recorded Future’s John TerBush for joining us.
If you’d like to dig in to the value proposition of threat intelligence, there’s a blog post over on the Recorded Future website. It’s titled “The Value of Threat Intelligence for all Security Functions.” Check it out.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.