The Practical in Practice — Use Cases for Threat Intelligence

November 20, 2017 • Amanda McKeon

In this episode of the Recorded Future podcast, we take a closer look at the practical application of threat intelligence. Some security teams still meet threat intelligence with a skeptical eye, wondering how adding even more information to the flow of data they’re already receiving could improve their security posture. In reality, they’re likely already using some degree of threat intelligence even if they don’t realize it. We’ll explore ways that organizations can determine how much threat intelligence is the right amount, when it’s time to engage with a third-party provider, and when it’s not. We’ll review case studies from Facebook and Akamai, and we’ll discuss the importance of context when transforming information into intelligence.

Our guide this week is Allan Liska. He’s a solutions architect at Recorded Future, and author of the newly published e-book “Threat Intelligence in Practice.”

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 32 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

In this episode of the Recorded Future podcast, we take a closer look at the practical application of threat intelligence. We’ll explore why some organizations still meet threat intelligence with a skeptical eye, how they’re likely already using some degree of threat intelligence (even if they don’t realize it), and we’ll explore ways that organizations can determine how much threat intelligence is the right amount, when it’s time to engage with a third-party provider, and when it’s not.

Our guide this week is Allan Liska. He’s a solutions architect at Recorded Future, and author of the newly published e-book “Threat Intelligence In Practice.” Stay with us.

Allan Liska:

I think where we run into a problem, as an industry, is the stuff that we think of as threat intelligence, is the stuff that makes the nightly news. You know, the “fuzzy bear,” or APT1, or the various “dragons,” and so on. Those things are sort of the “big, sexy” in threat intelligence, right? That’s the, “Oh, the Russians are coming after me, or the Chinese are coming after me,” and so on.

For a person working in a SOC, they don’t necessarily care about that. They care about, “I’ve got a hundred tickets open, with a hundred different pieces of malware, and I need to stop that. I don’t care whether it’s a bear or a dragon behind it, I just need to shut this down and stop it.”

Because of that, the misperception that threat intelligence means a foreign entity trying to attack your organization, or targeting it, specifically … A lot of security professionals kind of roll their eyes at that idea of threat intelligence. “Threat intelligence doesn’t mean anything to me. I’m way too busy to worry about identifying who’s behind an attack. I just need to stop and clean the box and move onto the next problem.”

Dave Bittner:

And so, what would you say to those folks who roll their eyes?

Allan Liska:

There’s a couple of things. One, threat intelligence isn’t just about that, right? It’s not just stuff that makes the nightly news. Behind every attack is a person or group. A piece of malware doesn’t just exist in a vacuum, magically appearing there — at least, not until AI starts automatically developing malware in the future, and we have Skynet, and the world comes apart. And so, there is value in understanding what’s behind — or who is behind — the malware and what their motivations are.

There’s a different way that you respond to commodity malware that is being sent out to millions of people at a time, versus malware that has a real, professional actor behind it. Whatever they’re looking for, whether they’re doing it at the behest of a government entity, or a cybercrime entity, or something like that, there’s a difference in how they’re going to proceed if they’re caught.

If it’s just commodity malware, they say, “Okay, we’re caught.” They don’t care. You know, they get wiped and just move onto the next victim, and so on. If there is some state actor or crime organization behind it, and your organization is being specifically targeted, it’s good to know why you were targeted, the type of activities that they’re interested in, and what their methodologies are so that you know what else to look for.

If you’ve only caught one piece of that attack, but there’s four other pieces in your network that you may be missing, and threat intelligence can help you link those together, that’s really valuable information to have. Even down to the SOC level where you can say, “Hey. Okay, we caught this. We know this is associated with this particular group. Here are some other things that we need to now look for.” Maybe we turn that over to the IR team, so we don’t just take the box that we’ve identified, wipe it, and move on. We do that, but we also look for these other indicators.

Dave Bittner:

I want to talk about applied threat intelligence, which is one of the chapters in this report. Let’s just start with some definitions. What are we talking about, when we say applied threat intelligence?

Allan Liska:

Sure. Threat intelligence, when it comes to cybersecurity … You know, obviously, intelligence has been involved in warfare and so on for literally thousands of years. When it comes to cybersecurity, threat intelligence is still in its infancy. When we used to talk about threat intelligence, at least from third parties, we used to talk about reports, or emails, or things like that. That is something that is sent to you, in your inbox, or through a PDF, or whatever, on a website. The data is useful, but it’s not as useful as it could be.

When I talk about applied threat intelligence, what I’m talking about is taking that threat intelligence, that useful information you get from third parties, as well as internally collected threat intelligence, so, information about your network, and so on. Basically, delivering that in a way that your systems can automate the import and processing of that data, whether that’s third-party data, or internal data, or whatever. A way to bring it into your systems. I think you and I have talked about this before.

The security industry as a whole has been really bad about this, right? We’ve spent 25 years solving our problems by adding other boxes. “Oh, you need a firewall. Now you need an IDS. Now you need a proxy. Now you need endpoint solution. Now you need another endpoint solution, et cetera.” We’ve built all these different systems that do a really bad job of talking to each other.

In my mind, in order for threat intelligence to be useful, it has to be delivered where your security people are doing their day-to-day job. When I say applied, I mean, whether it’s through STIX/TAXII, whether it’s through JSON/XML. However it’s delivered, it needs to be delivered into those systems so it can be applied against your existing network infrastructure.

Dave Bittner:

Take us through … In the report there’s this diamond model. Can you describe that for us?

Allan Liska:

Yeah. A diamond model is a way to track attacker activity over time. When we talk about a threat actor, just like your network doesn’t stay static, threat actors don’t stay static. They’re always using new infrastructure, adding new domains, adding new capabilities, adding new types of threats, or vulnerabilities that they’re exploiting, et cetera.

The diamond model is a way to, basically, create a library entry that is constantly being updated for attackers. You have an attacker. Whatever you choose to name them, you then want to tie indicators to that attacker. You want to tie methodologies to that attacker. You want to tie infrastructure to that attacker. It’s a way to bring all of these points together and be able to monitor them as they change over time. You know, especially with something like an IP address. IP addresses drop off all the time. Being able to keep current with what their current capabilities are in a reliable, and again, automated fashion.

Dave Bittner:

You have the four points of the diamond. You have the adversary, their capabilities, the victim, and the infrastructure.

Allan Liska:

Right.

Dave Bittner:

So then, you track those over time, as you say, as they change.

Allan Liska:

That’s correct. Yes.

Dave Bittner:

What about attribution?

Allan Liska:

To me, attribution is important, as it allows you to tie everything together and understand what their motivations are. It’s especially important when you’re talking nation-state attacks, right? We know that nation states don’t just go after other nation states. They also attack different industries and they target different companies, different organizations, et cetera.

Again, attribution is important as it allows you to say, “Okay, this is the typical guy in his mom’s basement. Not important. This is an organized cybercrime group that goes after organizations, and has in-depth capabilities and has real hackers on staff. This is a government entity. They’re looking for this type of data.”

To me, that’s when I talk about attribution. I think that’s important. You don’t necessarily need to get down to naming and knowing who all the members of the groups are, et cetera, et cetera. There are certain organizations where that’s absolutely critical to do. For most organizations, that is not … You don’t have to get to that level of depth, but you do have to understand the motivation behind the attacker.

Dave Bittner:

It strikes me that attribution is really good for context, that if you know the same person is hammering you over and over again, that’s an important bit of the story.

Allan Liska:

Absolutely. If you’re being targeted repeatedly by an organization, knowing their methods and how they’ve evolved over time allows you to be more proactive in defending against those attacks.

Dave Bittner:

I want to walk through the different types of intelligence. When we talk about strategic intelligence, tactical intelligence, and operational intelligence. Can you give us a run down on those?

Allan Liska:

Sure. Strategic intelligence, to me, is sort of the big picture. What does the landscape look like? What are new vulnerabilities being released? What new nation states are rising, and falling? What kind of attacks should I be worried about in six months, in a year, et cetera? And then, when I talk about tactical intelligence, that’s much more practical. It’s what techniques are being used today. What type of tactics are out there? Are there new exploits that are going after vulnerabilities, and what are the latest methods for delivery of these type of attacks?

And then, operational is the nuts and bolts. What IPs do I need to block? What domains should I be blacklisting? What file hashes should I be looking for? It’s sort of the, “This is what I need to block now. This is what I need to make short-term changes in my security platform, to protect against, and then this is longer term, next year, the year after, and so on.”

Dave Bittner:

Allan, the e-book has a couple of interesting case studies, which I think are worth looking at. The first one had to do with Facebook and fake accounts.

Allan Liska:

Yeah. Absolutely. I really want to thank both Facebook and Akamai for their assistance with the project. You know, they’re both really well known in the industry, and well known in ways they use threat intelligence. Their help was invaluable to providing, sort of, concrete examples of ways world-class organizations use threat intelligence, and in particular, the Facebook use case was a fascinating one because they have a real challenge on hand. As you can see, this is blown up in the news, beyond normal security and threat intel organizations, into being front-page news about the impact that these fake accounts can have on real-world events. Being able to isolate, I think Facebook has something like three billion subscribers, or an insane number like that.

Dave Bittner:

Right.

Allan Liska:

Being able to sift through three billion subscribers to find out which accounts are real, which accounts are fake, and a fake account versus a real account that just does a lot of trolling, et cetera. The team that is responsible for that has an incredible challenge on their hands, and the way that they use threat intelligence, both internal and external, to identify and remove those accounts is a really fascinating discussion.

Dave Bittner:

Well, and they have to maintain privacy, as well. What kinds of things are they doing?

Allan Liska:

They’re looking at things like where a user claims to be from, versus where they’re originating their accounts, where they’re signing up the account from. They do things like, they maintain lists of VPN addresses. Well-known VPN addresses, et cetera. Things that are metadata, that can be useful when identifying potential fake accounts, without actually looking into the private information of the account. I think that is a really fantastic way to do it, sort of, that using that transactional data as an indicator set, if you will, for identifying fake accounts versus real accounts.

Dave Bittner:

Let’s also take a look at Akamai Technologies. I think, certainly not as well known a name as Facebook, to your average user, but an important cloud provider in the industry.

Allan Liska:

Sure. Most people don’t know Akamai because they’re an infrastructure company. Just about any large website that you visit uses Akamai technology underneath. Akamai provides … At one level, they provide content delivery services. In other words, when you go to a domain name … If you go to, say, “yahoo.com,” or “cisco.com,” you’re not actually going to servers in a data center that Cisco manages and maintains. Instead, what you’re doing is, you’re being geolocated, and you’re being sent to Akamai servers in a data center near you. You get up-to-date content, but you also get content that’s delivered from the closest point to you, so that you get data served up faster than you would if everybody was going to a single server somewhere else.

This helps in a couple of different ways. It helps companies better load balance delivery systems so they can handle spikes in traffic, but it also helps fight against DoS attacks, DDoS attacks, and so on. Really funny aside here — my second job out of college was working for a company called UUNET Technologies, which was a very large ISP, one of the first commercial ISPs. We had a large hosting center. We actually had several of them set up around the country, and Akamai, we were an early provider for Akamai services in our data centers. Akamai would ship us, literally, hundreds of servers at a time, that we would rack and stack in the data center.

Akamai was just getting started. Things weren’t always as well documented as they should be. We’d get calls to fix problems that were happening with one of the servers, but since not all the servers were labeled, it wasn’t easy to find them. You know, I’ve got one hundred plus servers here. I’ve got to figure out which one is the one having the problem. What they used to have to do is eject the CD-ROM, because back in the day, you still had CD-ROMs.

Dave Bittner:

Right.

Allan Liska:

That’s how I would know which server needed to go get a hard boot. It was the one that had the pushed out CD-ROM.

Dave Bittner:

I love it.

Allan Liska:

Yeah. I guess that was an indicator of sorts, if you will, just not what we normally think of as an indicator.

Dave Bittner:

Right. When it comes to threat intelligence, what kinds of things does Akamai need to do?

Allan Liska:

Akamai is really interesting, because they’re both a producer of threat intelligence, as well as a user of threat intelligence. Even within their organization, they have groups dedicated to collecting threat intelligence — not just third-party threat intel, but also the threat intelligence they produce — because they’re tracking, literally, millions of transactions a minute through these websites, and so on.

They do a lot of really cool things, especially around DDoS attacks, where they can pick up early-warning indicators of DDoS activity based on all the network traffic that they’re seeing. What they’re also able to do is, they’re also able to better serve their customers, not just from a DDoS perspective, but from a security perspective, by basically going through the traffic, looking at the net flow data, and finding potential malicious activity.

Again, providing early-warning signs to either their customers, or customers who are not their customers, but whose traffic happens to flow through their system saying, “Hey. We’re seeing this type of activity, which isn’t identified as malicious, but it’s anomalous, and it’s anomalous enough in a way that we think it bears further study. Here’s the information that we’re going to send you. You may want to examine this to see if there’s something unusual going on in the activity.” They do a lot of data mining of the traffic in their network. They use that to produce, again, both internal and external threat intelligence, as well as consuming third-party threat intelligence that they get from their partners.

Dave Bittner:

Yeah. We don’t have time to dig into all the details that are in the report here now. One of the things that struck me was how seriously Akamai takes education, keeping their people up-to-date.

Allan Liska:

Oh yeah, absolutely. Akamai takes the mission of being a good citizen very, very seriously. You know, they do a lot of internal education, as far as letting the different groups within Akamai know what’s going on, what’s happening, publishing reports. Publishing reports for internal use only, that are important, but also publishing a lot of external reports and blog posts.

The head of the Akamai threat intelligence team is very big on making sure that his team is getting out to different conferences and sharing what they’ve learned, and sharing their best practices with the rest of the industry. I think that’s really important for organizations to do. That’s, again, that’s another form of threat intelligence that is, “Hey, we’ve learned these lessons from managing these huge networks, but there’s some stuff that can apply to other networks that may not be quite as big as ours.” There’s things that you can do. There’s best practices that you can take that will help you learn from the things that we’ve learned over time.

Dave Bittner:

How do I know when it’s time for my organization to really jump in with threat intelligence? When is it time for me to have that reality check and decide this is something I need to do internally? Is this something I need to find a third-party provider for?

Allan Liska:

Most likely, you are already using threat intelligence. You may not know it, but you’re already using threat intelligence at some level, because most security platforms now incorporate some level of threat intelligence, some sort of predictiveness into what they’re doing and how they help protect your organization. You know, even something as simple as, if I’ve got a network with a firewall, and a proxy, and antivirus, there’s some level of threat intelligence in there. And then, if you are doing good due diligence on your internal network, if you’re doing vulnerability scanning, and collecting that data, and correlating that against known vulnerabilities, you know, pulling things down from the NVD database, you’re actually already engaged in threat intelligence.

Most people don’t consider that threat intelligence, because again, it’s not the “big, sexy” stuff. That is threat intelligence. That is, “Here’s what we have in our network,” which is really important. You have to know what you have before you can decide how to defend against it. And then, if you’re reaching out and finding out what new vulnerabilities are, again, using the NVD database or something like that, you’re getting external sources to come in. That’s sort of … You’re taking that basic step.

If you’re at that level, where you have a good handle on what you have inside your network, you’re ready to take that next step and start looking at third-party threat intelligence providers. You have to do that first. If you don’t have a good handle on what’s going on inside your network, external threat intelligence isn’t going to help you, because you don’t know where you need to focus that intel. You don’t know what you are trying to protect.

Dave Bittner:

You mentioned at the beginning of our talk that threat intelligence is still, for cybersecurity, still in its infancy. What do you see on the horizon? What does the future look like for threat intelligence, in your estimation?

Allan Liska:

I think we need to move beyond the basic definition of … Most people, when you talk threat intelligence, and you talk about getting a threat intelligence provider, most people think, “Alright. That means I’m going to get a list of IPs, domains, and file hashes, or IPs and domains, or something along those lines. That’s important for right now because of where we are as an industry.”

I think we need to move beyond just indicator-based intelligence and move more from that operational level to that tactical level. I don’t know exactly how we do that yet. I think that’s going to be … I hesitate to use the word “fun,” because we’re talking about protecting organizations and keeping them safe, but that’s going to be, sort of, the next fun challenge for the intelligence industry, is how do we take those TTPs, which I think are way more useful as an indicator set, ways that malware is delivered, ways that it installs itself on victim boxes, what the traffic is, or its command-and-control communication looks like. How do we take that and automate the delivery of that into security systems? If we can move out of the operational, especially, again, given the short lifespan of IP addresses as indicators, et cetera.

If we can move to that next level, then we can help better protect organizations, because now we’re bringing methods that don’t change as quickly. If I throw away an IP address, I can have a new one in five seconds. If I use a certain type of methodology for delivering my malware, that doesn’t change as easily. And so, that’s a longer-term and more effective solution for delivering threat intelligence.

Dave Bittner:

Our thanks to Allan Liska for joining us.

You can download a copy of the free e-book, “Threat Intelligence In Practice” on the Recorded Future website. The link is go.recordedfuture.com/threat-intelligence-practice. You can find a copy of that link in the show notes for this episode as well.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.