Best Practices in Threat Intelligence
By Amanda McKeon on June 26, 2017
It’s fair to say that the term “threat intelligence” has achieved buzzword status in the cyber security world. Confusion over the term’s meaning, not to mention the tidal wave of related products, services, and solutions overwhelming the industry, makes it hard to know where to start when threat intelligence becomes a priority in your organization.
To help cut through some of that noise, Recorded Future published a white paper, “Best Practices for Applying Threat Intelligence.” The paper is online, but in this episode, we talk with the report’s author, Chris Pace, Technology Advocate at Recorded Future. He’ll lead us through the white paper’s key takeaways and offer his own insights.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 12 of the Recorded Future podcast.
It’s fair to say that threat intelligence has achieved buzzword status in the cybersecurity world, and that often leads to confusion, as providers and customers alike try to make sense of the excitement surrounding a hot technology or service.
To help cut through some of that noise, Recorded Future published a white paper, “Best Practices for Applying Threat Intelligence.” It’s on their website, but we’ve got the report’s author, Chris Pace, with us today to guide us through the white paper’s key takeaways. Stay with us.
I think like many technologies or emerging ideas, the ideas themselves or even the capabilities that a thing might have seem great. But actually, the most important thing is, how applicable is it? Can I use it?
Chris Pace is a technology advocate at Recorded Future.
And to give an example … you know, you think about something like Google Glass. I mean, great idea, loads of capability, but actually, where it ended up falling down was there wasn’t really an application for it. People didn’t know how this thing was going to work in the real world.
And we’ve ended up in a place … threat intelligence isn’t quite as bad as that, but we are definitely in a place where threat intelligence is a much wanted, used buzzword. But we haven’t yet gotten to the point where people really understand, okay, now I know how to apply that intelligence to help secure my organization. And that’s really what we wanted to help people do.
So let’s go through some of the key points in the white paper. What do people need to know, again, just sort of from a high level?
I think one of the things that we were really keen to do from the outset was ensure that people could understand what threat intelligence is, but really importantly, what it isn’t. And again, this is what happens in, you know, the lifetime of a buzzword. There’s a moment where, really, people are just using that buzzword to define almost everything. That’s why we were really keen to lay out very clearly what the important distinction is between data, versus information, versus intelligence, then helping to understand which of the types of intelligence that are available might be most practically useful to you. So that was really where we wanted to begin.
Then, the next phases were about understanding different sources of intelligence and how they’re not the same, then really getting into understanding where the benefit of intelligence is for your own particular need, for your particular business case. And this, again, is another area where we see people flounder sometimes. They think or they know that they need to do threat intelligence, but they then get caught up in, what’s the box that I need to tick? Or what’s the lowest bar for entry? Rather than stepping back and understanding where it can be a real benefit to their business and applying it there. That’s the kind of information that we wanted to get across in this new white paper.
Well, let’s dig into that, then. What is threat intelligence and what is it not?
Threat intelligence certainly isn’t threat data. That’s a common misconception, and that’s probably because there’s just so much data available. Tons and tons and tons of it. But actually, that data is largely useless if there isn’t a way to transform it into something actionable.
Actually, in order for that data to then become information, we have to be able to collect those data points and make some kind of decision about them. Then for that information to become intelligence, we have to be able to have an outcome from that information. So actually, in terms of the volume of intelligence that’s available, let’s say the volume of intelligence around a new threat or a new vulnerability or a new exploit, actually the volume of intelligence might be quite small in comparison to the volume of data. But actually, the intelligence is much more focused, is much more usable. So although there are less outputs, if you like, there’s less intelligence product. What there actually is, is potentially more useful insight.
And so when something like threat intelligence does reach what we call, you know, buzzword status, how do you cut through that? How do you avoid all of the hype that comes with that?
Well, of course, it all boils down to application. The questions that you need to be asking are, “What are the security challenges that I face? Where do I see my risk surface … exists?” And once I have a strong understanding of that … that’s informed by all kinds of things. It’s informed by historical information, it’s informed by, potentially, breaches or response to incidents, it’s informed by the kind of industry that you maybe operate in. So once you understand all of those things, and you’re able to have a better understanding of your threat surface, at that point, then, you can begin to look at where you might be able to layer intelligence to help that process.
One of the reasons that we’re not necessarily seeing that happen in the universe of threat intelligence as a buzzword, is because very often, the easiest method for entry is seen as being threat feeds or technical data. I think that’s something to do with the nature of the market, if you like. The people who are looking for this intelligence maybe come from that more technical background. We see people accessing threat feeds, which is essentially an awful lot of data. And actually, they don’t have a way of turning that into intelligence, so it becomes almost counter-intuitive. It’s better not to start with the technology. It’s better to start with how are you looking to use something like intelligence to the advantage of your business from a security standpoint?
Yeah, looking through the report there’s a section all about the various sources of threat data and why they aren’t intelligence.
Yeah, and that’s really important, as well, because often we’re seeing every source of threat data imaginable, whether it’s from highly narrative sources, like social media or blog posts or news sites, right to technical, or potentially even information that exists on the dark web. We’re seeing all of this raw — what we would call threat source data — we’re seeing that categorized as intelligence.
And actually, until there is a process applied to that data, and that process needs to be refining it, identifying relationships between those data points, and ultimately outputting intelligence, they just exist as data. And that’s really the question that you need to be asking when you’re thinking about how to begin to use intelligence. Is what I’m proposing to access, the news, either for analysis or for ingesting into my existing technologies — is that information, all that data, just data, or is it actually intelligence? And that’s really a key question.
The important thing also to point out, though, is there is an awful lot of usable data available in, you know, places like social media, forums, definitely the dark web. We’ve seen an increase in people looking to uncover information from the dark web. All of that data is potentially useful. But in order for it to be applicable, it needs context. And in order for there to be context, it needs some kind of analysis applied to it.
Well, let’s slide into that. The white paper describes what is a threat intelligence balancing act between time and context. Take us through that.
Like everything in security, there’s always a balance. You know, we’ve heard the balance between simplicity and security before, the balance between time and security, and in this case, actually in terms of intelligence, time is in there because we want to get access to timely and relevant information and intelligence, but also, context is there because without context that intelligence won’t have relevance.
So if I go back to the threat feeds example, threat feeds are very rapid. They provide you with information quickly, but that information lacks context. It’s very binary. You know, is it a thing? You know, an IP address, a domain, whatever? Is it a thing, and is it bad or good? Those are essentially the only decisions that you can make when you’re accessing information from a threat feed.
And then right at the other end of the scale, highly contextualized analysis-led reports that are delivered by a provider. They provide great context. They might provide you with all of the indicators for a particular threat. Let’s say they’re examining a vulnerability or an exploit, they’ll give you all of the information that you need, the places where it’s originated, the technology that’s being targeted, but very often, that takes a long time to produce. And again, this is where we see that technology is really the key way of changing how we approach collection and analysis of intelligence. By applying technology to this massive data, we can get to context much, much quicker.
Yeah. The report also mentions the problem of alert fatigue.
So, one of the reasons people are so focused on alert fatigue and are particularly interested in how intelligence might be able to combat that, is because it’s actually ended up as a result of the collection of more data. So originally, when we began to look at SIEM systems, things that were collecting and aggregating log data, we thought this was a great way to identify anomalous behaviors across our network or find unusual-looking activity or potentially suspicious or malicious activity across networks, identify them, and close them down.
Of course, naturally then what happened is we’ve seen an explosion in available data. That means we’re seeing a lot more alerts. But the problem is that most organizations don’t have more people to deal with them. Those security operations staff are dealing with masses of alerts every day. The survey that we quote in the white paper says that something like 40% of analysts don’t have the intelligence they need to investigate those alerts, and more than a third are now ignoring those alerts just because of the number of false positives.
So, by taking external intelligence and applying it to that internal log data, you can begin to drive down the decision time. If I’m looking at an alert and I’m looking at it currently without any external intelligence, so all I’m able to do is perhaps do some Googling around, maybe correlate against a threat feed to see whether it’s bad or good, I’m either at a point where I don’t have the information that I need, or I’m at a point where it’s now going to take me more time. Worst case scenario, I’ve already got, you know, a list of other alerts, and so potentially I’m going to pass this one over because I don’t think it’s important. So by providing intelligence with context, we can allow people to make really rapid decisions inside security operations so that they can be much more efficient at doing their work. And that’s a place where, you know, threat intelligence really plays into increasing efficiency and not just security for organizations.
The white paper lists several best practices for utilizing threat intelligence. Can you take us through some of those?
Yeah. So again, this goes back to the idea that, in a way, the worst place you can start with looking to implement threat intelligence is by beginning with the technology or the service or the company or whatever it is. That’s not a good place to begin, by trying to understand how you’re going to use intelligence.
Actually, the best way to begin to define your strategy is to understand your greatest risk, know which areas of your information security strategy you’ve already invested in. So, that example I gave about security operations and alert fatigue, if you know you’ve made an investment in security operations or in incident response or whatever it is, look to find ways to augment intelligence with that investment. And also, importantly, identify the human resources, as well as the capacity or the budget, all of those things. Look at which of those things you have available in order to balance how you might implement intelligence.
And as an example here, imagine if you had a situation where you think your threat surface is leading you towards making an investment in a full-on analysis of intelligence or uncovering emerging threats or threat hunting or whatever you think, that kind of high-grade effort. The reality is, that if you don’t have the human resources or the budget capacity to be able to absorb that, it’s kind of a waste of your time investigating it. So you’re going to need to balance those three areas: risk, existing investment, and capacity. Then look at the places where intelligence can work inside your organization.
For someone who is investigating threat intelligence, you know, just dipping their toes in the water and trying to figure out how it’s going to be a part of their processes, of their cybersecurity, what do they need to know? How do you begin?
Yeah. I mean that, of course, with everything, where you start is very often the hardest part. It’s like looking at a blank piece of paper. So what we’ve tried to do is we’ve built out a pathway, if you like, a very simple pathway, but it gives people a good indication of where they may want to make investment. And we also give some examples in there, as well.
But just to talk a little more about that, these three phases, if you like. The first of those is around monitoring. The reason that it’s at the beginning is that it potentially doesn’t require you to invest in people, you know, to be continually doing analysis of intelligence. It’s something you can configure. You can monitor for mentions of your brand, perhaps mentions of technologies that you’re using, perhaps new exploits or vulnerabilities that are specific to your technologies, maybe for threats that are targeting your particular industry. In this case, it’s a reactive thing. I think it’s important to say that, you know, reactive in this case, we shouldn’t see that as a negative thing. If you go from doing no threat intelligence to doing reactive threat intelligence, that’s a good beginning. So, alerting and monitoring is a great starting point.
Then, to think about integrating intelligence with existing technology. We already talked a little bit about this when we mentioned alert fatigue, so being able to automatically correlate intelligence into your existing security technologies. It’s a great place to begin if you’ve already made significant investments in those technologies, and you want to maximize the benefit, add to them.
And then really the final phase, or the final stage, of implementing threat intelligence is full-on threat analysis: uncovering and investigating new threats, and what we would call producing intelligence. That will require investment not just in technologies, but potentially also in the right people or the right service providers. But those are really the kind of three phases of applying threat intelligence.
Our thanks to Chris Pace for joining us.
You can download the free white paper, “Best Practices for Threat Intelligence” from the Recorded Future website. And while you’re there, don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
You can also find more intelligence analysis at recordedfuture.com/blog.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Editor Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.
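Appended after the transcript as an added illustration (it is not part of the podcast, nor code from Recorded Future or its white paper) of two points Chris Pace makes above: that a threat feed only answers “is this indicator bad?”, and that correlating contextual intelligence into existing SIEM alerts lets an overloaded analyst decide faster. The indicators, intelligence records, alerts, scoring weights and thresholds are all constructed for the example; the record schema stands in for whatever a real intelligence platform returns.

```python
# Added example (not from the podcast or Recorded Future): enriching SIEM alerts
# with contextual threat intelligence so analysts can prioritise instead of
# treating every feed hit as equally urgent. All indicators, records, alerts and
# weights below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class IntelRecord:
    """One contextualised intelligence record for an indicator (constructed schema)."""
    indicator: str
    verdict: str                 # "malicious" or "suspicious"
    confidence: int              # 0-100, the producer's confidence in the verdict
    last_seen: datetime          # when the indicator was last observed in use
    threats: list = field(default_factory=list)   # associated campaigns/malware, if any
    sources: int = 1             # independent sources corroborating the verdict


# Fixed clock so freshness calculations are deterministic.
NOW = datetime(2017, 6, 26, tzinfo=timezone.utc)

# Constructed intelligence store keyed by indicator (stands in for a TI platform/API).
INTEL = {
    "198.51.100.23": IntelRecord("198.51.100.23", "malicious", 90,
                                 NOW - timedelta(days=2), ["constructed RAT C2"], sources=3),
    "203.0.113.7": IntelRecord("203.0.113.7", "suspicious", 40,
                               NOW - timedelta(days=400)),
    "updates.example.net": IntelRecord("updates.example.net", "malicious", 75,
                                       NOW - timedelta(days=10), ["constructed phishing kit"],
                                       sources=2),
}

# Constructed SIEM alerts: each names the destination indicator the rule fired on.
ALERTS = [
    {"id": "A-1", "rule": "outbound to rare IP", "host": "ws-042", "dst": "198.51.100.23"},
    {"id": "A-2", "rule": "outbound to rare IP", "host": "ws-017", "dst": "203.0.113.7"},
    {"id": "A-3", "rule": "DNS query, new domain", "host": "srv-db-01", "dst": "updates.example.net"},
    {"id": "A-4", "rule": "outbound to rare IP", "host": "ws-003", "dst": "192.0.2.55"},
]


def feed_hit(indicator, intel=INTEL):
    """The flat threat-feed view: a membership test that says 'bad' or says nothing."""
    return indicator in intel


def context_score(rec, now=NOW):
    """Fold a record's context into a 0-100 priority; presence alone is not enough."""
    base = {"malicious": 60, "suspicious": 30}.get(rec.verdict, 0)
    age_days = (now - rec.last_seen).days
    freshness = 20 if age_days <= 7 else 10 if age_days <= 90 else 0   # stale indicators decay
    corroboration = min(rec.sources, 3) * 5                            # more sources, more trust
    named_threat = 10 if rec.threats else 0                            # a known campaign adds urgency
    raw = min(base + freshness + corroboration + named_threat, 100)
    return raw * rec.confidence // 100          # scale by producer confidence (integer maths)


def decide(priority):
    """Map a priority to the action an overloaded analyst can act on immediately."""
    if priority >= 60:
        return "investigate now"
    if priority >= 20:
        return "queue"
    return "log only"


def enrich_alert(alert, intel=INTEL, now=NOW):
    """Return a copy of the alert with feed-style and context-style verdicts attached."""
    out = dict(alert)
    rec = intel.get(alert["dst"])
    out["feed_hit"] = feed_hit(alert["dst"], intel)
    if rec is None:
        # No intelligence is not the same as 'benign': record it, but do not escalate.
        out.update(verdict="unknown", priority=0, context=None)
    else:
        out.update(
            verdict=rec.verdict,
            priority=context_score(rec, now),
            context={"confidence": rec.confidence,
                     "last_seen": rec.last_seen.date().isoformat(),
                     "threats": list(rec.threats),
                     "sources": rec.sources},
        )
    out["decision"] = decide(out["priority"])
    return out


def triage(alerts, intel=INTEL, now=NOW):
    """Enrich every alert and order the queue by priority, highest first."""
    enriched = [enrich_alert(a, intel, now) for a in alerts]
    return sorted(enriched, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in triage(ALERTS):
        print(f'{a["id"]} feed_hit={a["feed_hit"]!s:5} priority={a["priority"]:3} '
              f'verdict={a["verdict"]:10} -> {a["decision"]}')
```

Alerts A-1 and A-2 look identical to a bare feed lookup (both indicators are “on the list”), but once last-seen date, corroboration, associated threat and producer confidence are applied, A-1 goes to the top of the queue and A-2, a 400-day-old low-confidence entry, drops to log-only. A-4 has no intelligence at all; the code keeps it visible rather than marking it safe, since absence of a record is not a verdict.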