How Relativity Integrates Threat Intelligence Throughout the Security Function
By The Recorded Future Team on December 11, 2018
Editor’s Note: The following blog post is a summary of a presentation from RFUN 2018 featuring Amanda Fennell (CSO), Jerry Finley (director of cybersecurity and deputy CSO), and Darian Lewis (threat intelligence lead) of Relativity.
- Reactive analytics play an important role in security, but they have a number of serious drawbacks. Most significantly, they lack relevance to the current, real-world threat landscape, and (due to lack of context) can easily lead to alert fatigue.
- Making serious changes to your security program can yield beneficial results, but it doesn’t happen overnight. Most importantly, you need to have the right vision and the right team to make things happen.
- Threat intelligence can have a tremendous positive impact on security operations, particularly in areas such as anomaly hunting, vulnerability management, and red team attack simulations.
- One of the most important uses of threat intelligence is to help automate common security operations. Even following playbooks can become onerous and error-prone, so fueling automation should be a top responsibility for threat intelligence teams.
Over the past few months, we’ve written a lot about how threat intelligence can be used to enhance the security of your organization.
From vulnerability management to incident response, we’ve highlighted plenty of ways to integrate threat intelligence throughout the security function. But how do you take those ideas and make them a reality?
Last month, we held our seventh annual Recorded Future User Network (RFUN) conference in Washington, D.C. During the conference, attendees were treated to a presentation on integrating threat intelligence by senior members of the security team at Relativity — the industry-leading e-discovery software that helps corporations, governments, and law firms solve complex data problems during litigation, investigations, and compliance projects.
The speakers were Amanda Fennell (CSO), Jerry Finley (director of cybersecurity and deputy CSO), and Darian Lewis (threat intelligence lead). During the presentation, the team explained how they built up the threat intelligence capability at Relativity and embedded it throughout the security function.
To kick things off, they explained why it’s worth moving beyond reactive analytics, and how they went about selling the concept of a fully integrated threat intelligence program to their executive board.
Moving Beyond Reactive Analytics
For most organizations, reactive analytics play an important role in the security function, as they facilitate the identification and escalation of security incidents.
Typically, the process of reactive analytics looks something like this:
- Aggregate all security system logs into a SIEM
- Look for and analyze atomic indicators (pieces of data that are indicators of adversary activity on their own, such as IP addresses or hashes)
- Conduct simple correlation exercises and produce scored confidence levels for notable events
- Pass events with sufficient confidence and severity to incident response
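To make the four steps concrete, here is a miniature version of that pipeline as an added example (not code from the presentation or from Relativity): already-aggregated log lines are parsed, matched against a table of atomic indicators, correlated per host within a time window, given a combined confidence score, and only the sufficiently confident notables are handed to incident response. The indicator values (RFC 5737 documentation address ranges, a dummy hash), the log lines, the weights, and the escalation threshold are all constructed for the example.

```python
"""Reactive-analytics pipeline in miniature: aggregate logs, match atomic
indicators, correlate hits per host, score confidence, escalate to IR.

Added example; the indicator values and log lines below are constructed
(RFC 5737 documentation address ranges, a dummy hash), not real IoCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator feed: field -> {value: per-indicator confidence weight}.
INDICATORS = {
    "dst_ip": {"203.0.113.45": 0.6, "198.51.100.7": 0.4},
    "sha256": {"a" * 64: 0.9},  # dummy hash, not a real sample
}

# Constructed events from two sources (firewall, EDR), already normalised
# into one "timestamp key=value ..." format as a SIEM would store them.
LOGS = [
    "2018-11-01T02:10:05 src=firewall host=ws-17 dst_ip=203.0.113.45 action=allow",
    "2018-11-01T02:11:40 src=edr host=ws-17 sha256=" + "a" * 64 + " proc=svchost.exe",
    "2018-11-01T03:05:00 src=firewall host=ws-22 dst_ip=198.51.100.7 action=allow",
    "2018-11-01T09:00:00 src=firewall host=ws-17 dst_ip=192.0.2.10 action=allow",
]

ESCALATION_THRESHOLD = 0.7  # illustrative cut-off for handing off to IR


def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def match_indicators(event):
    """Return (field, value, weight) for every atomic indicator in the event."""
    hits = []
    for field, table in INDICATORS.items():
        value = event.get(field)
        if value in table:
            hits.append((field, value, table[value]))
    return hits


def score(host, cluster):
    """Combine hits as independent evidence: confidence = 1 - prod(1 - w_i)."""
    miss = 1.0
    for _, (_, _, weight) in cluster:
        miss *= 1.0 - weight
    return {
        "host": host,
        "first_seen": cluster[0][0].isoformat(),
        "indicators": [(field, value) for _, (field, value, _) in cluster],
        "confidence": round(1.0 - miss, 2),
    }


def correlate(lines, window=timedelta(hours=1)):
    """Group indicator hits by host inside a time window and score each group."""
    per_host = defaultdict(list)
    for event in map(parse, lines):
        for hit in match_indicators(event):
            per_host[event["host"]].append((event["ts"], hit))
    notables = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        cluster = [hits[0]]
        for hit in hits[1:]:
            if hit[0] - cluster[0][0] <= window:
                cluster.append(hit)
            else:
                notables.append(score(host, cluster))
                cluster = [hit]
        notables.append(score(host, cluster))
    return notables


def escalate(lines, threshold=ESCALATION_THRESHOLD):
    """Hand only sufficiently confident notables to incident response."""
    return [n for n in correlate(lines) if n["confidence"] >= threshold]


if __name__ == "__main__":
    for notable in correlate(LOGS):
        print(notable)
    print("escalated:", [n["host"] for n in escalate(LOGS)])
```

Running it, ws-17 (an IP hit and a hash hit two minutes apart) scores 0.96 and is escalated, while ws-22 (a single low-weight IP hit) scores 0.4 and is not. The example also shows the weakness Finley describes: every decision rests on indicator tables and weights that age quickly, and nothing in the pipeline knows whether an address matters in this environment.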
When Fennell, Finley, and Lewis joined Relativity in early 2018, reactive analytics were a mainstay of security operations. However, as Finley explained during the presentation, there are several issues with this approach:
- Implementation of new indicators and signatures is imprecise and lacks prioritization.
- Detection is based on the historical activity of threat actors and campaigns, but the threat landscape (and even individual actors) is naturally transient and rapidly evolving.
- The high volume of alerts leads to alert fatigue and too much time spent tuning automated systems instead of focusing on improvements.
- Mean time from intrusion to containment for a targeted attack can exceed six months, allowing for extended data exfiltration and lateral movement.
- There is minimal opportunity to customize rulesets to account for custom applications and architectures.
Put another way, reactive analytics pose problems for organizations specifically because they are reactive. They’re based entirely on past events and are largely devoid of context that would enable security personnel to better categorize and prioritize future events.
In order to take security at Relativity to the next level, they needed to take a more proactive stance that focused on identifying and filling gaps in their specific network environment.
Laying the Foundations for Success
Of course, making dramatic changes to an established security program is no easy feat. According to Fennell, there are six steps that must be followed if you want to make radical changes:
- An Idea: First, you need to work with your team to come up with a vision of how things should work.
- The Spark: Next, you’ll need to convince your leadership to give you the funding and authority to make your suggested changes.
- A Foundation: Nobody will take you seriously if you don’t have data to back up your idea. Past experience will certainly help, but relevant case studies and real data points are essential.
- Quick Wins: When you start down the path of change, you must demonstrate added value as quickly as possible. At Relativity, the team was able to use integrated threat intelligence to get ahead of major news stories (for example, Spectre) and put response plans in place before senior executives had time to be concerned.
- Consistency: Quick wins are great, but ultimately, you need to be able to show needle movements on important service level agreements (SLAs) and key performance indicators (KPIs). Have a road map in place for all involved teams and set metrics that enable you to demonstrate added value.
- Deliver: You had a plan, so make it happen. If you’re successful in following your road maps and adding value, you’ll have a lot of credibility when you suggest further service improvements.
In order to make all this happen, there’s one more essential ingredient: People.
In Fennell’s words, “Everybody focuses on techniques, tactics, and people. But do they really focus on people?”
“I think often, that word is just thrown in there, but it really should be your number one focus. People are the ones who actually get things done, so if you want to make real improvements, you need people who are really good and really passionate about what they do.”
To that end, Fennell suggested three core roles that must be filled to bring about radical service improvement:
- Someone to Follow: First, you need someone who can come up with a vision for how things could be better and is able to communicate it to your leadership and C-level executives. This is the role Fennell plays at Relativity.
- An Architect: Visions are great, but ultimately, they need to be turned into a real, actionable strategy by someone with the skills and experience to know how things can be made to work in a specific environment. Finley takes this role at Relativity.
- Hidden Depths: Finally, you need someone to put their hands on a keyboard and turn that vision and strategy into a reality. At Relativity, this is Lewis.
Once you have a solid road map and the right team in place, it’s time to go to work.
Contextualizing the Threat Landscape
At its heart, threat intelligence has three primary elements:
- Incident Correlation: Threat intelligence provides the basis for correlation of security incidents, which enables analysts to prioritize incidents effectively and continually tune automation tools to minimize false positives.
- Threat Research: By conducting research, analysts can identify the best remediation techniques for common incidents, rapidly respond to the most significant threats, and conduct informed risk assessments to identify valuable service improvements.
- Reporting: Threat intelligence should never be a silo. Collected intelligence is potentially valuable to teams throughout the organization, so the production and distribution of actionable threat reports should be built into every threat intelligence team.
To lay the groundwork for these functions, the team at Relativity uses the Diamond Model to map the activity, characteristics, and relationships of adversaries operating in their space by studying past intrusion events.
By analyzing historical tactics, techniques, and procedures (TTPs) of relevant adversaries across cybercrime, espionage, and hacktivism, the team at Relativity is able to prioritize countermeasures and develop powerful threat hunting routines.
That may sound complicated, but the principle is really very simple: If you understand the who, what, and why of threat targeting, you can determine who is likely to target you and proactively develop countermeasures to combat the tools and techniques they typically use. At the same time, this groundwork can also be used to set requirements for your own security tooling.
At Relativity, the team makes heavy use of high fidelity intelligence and automation from Recorded Future to fuel this process. During the presentation, Lewis noted that without these resources, the process can become extremely arduous for threat intelligence teams.
How Threat Intelligence Fuels Anomaly Hunting
Searching for anomalies is a core component of any proactive security program, and the process relies heavily on the availability of threat intelligence.
In its simplest form, analysts use the results of the scoping exercise described above to identify indicators of specific adversaries, tactics, or tools that are likely to be used against their organization, and then query their datasets for those indicators.
As Lewis explained, there are a number of techniques that can be used to aid this process. For example:
- Clustering: Grouping data based on a shared data point to identify outlying characteristics
- Grouping: Identification of “groups” within a dataset while maintaining a consistent set of multiple characteristics
- Stack Counting: Counting occurrences of a particular variable within a dataset and researching uncommon values
- Scatter/Box Plotting: Examining the relationship and distribution between two variables to identify anomalies
- Isolation Forests: Searching for outliers in a dataset without profiling normal data points using decision trees and random split values
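Two of those techniques, stack counting and box-plot style outlier detection, run over a handful of constructed proxy records in the added example below (not code from the presentation or from Relativity). Stack counting surfaces values of a categorical field (user agent, destination) that occur rarely; the box-plot analogue flags records whose numeric value (bytes sent out) falls outside the interquartile-range fences. The records, hosts, and domains are constructed, and the 1.5 x IQR fence is the conventional box-plot whisker, chosen here for illustration.

```python
"""Two hunting techniques over constructed proxy records: stack counting
(rare values of a categorical field) and box-plot style outlier detection
(IQR fences on a numeric field).

Added example; records, hosts and domains are constructed, not real telemetry.
"""
from collections import Counter
from statistics import quantiles

COMMON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
COMMON_DST = "updates.example.net"

# Constructed proxy records, one per host for readability.
PROXY = [
    {"host": "ws-01", "bytes_out": 1100, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-02", "bytes_out": 1200, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-03", "bytes_out": 1250, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-04", "bytes_out": 1300, "ua": "curl/7.58.0", "dst": COMMON_DST},
    {"host": "ws-05", "bytes_out": 1350, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-06", "bytes_out": 1400, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-07", "bytes_out": 1450, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-08", "bytes_out": 1500, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-09", "bytes_out": 1600, "ua": COMMON_UA, "dst": COMMON_DST},
    {"host": "ws-10", "bytes_out": 250000, "ua": COMMON_UA, "dst": "transfer.example.org"},
]


def stack_count(records, field):
    """Count each distinct value of `field`, rarest first (the 'stack')."""
    counts = Counter(r[field] for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def rare_values(records, field, max_count=1):
    """Values at the bottom of the stack that an analyst should research."""
    return [value for value, count in stack_count(records, field) if count <= max_count]


def iqr_outliers(records, field, k=1.5):
    """Records whose `field` lies outside the box-plot whisker fences."""
    values = [r[field] for r in records]
    q1, _, q3 = quantiles(values, n=4)  # statistics.quantiles, Python 3.8+
    iqr = q3 - q1
    low, high = q1 - k * iqr, q3 + k * iqr
    return [r for r in records if r[field] < low or r[field] > high]


def hunt(records, categorical=("ua", "dst"), numeric=("bytes_out",)):
    """Combine both techniques into one list of (host, reason) leads."""
    leads = []
    for field in categorical:
        for value in rare_values(records, field):
            for r in records:
                if r[field] == value:
                    leads.append((r["host"], f"rare {field}: {value}"))
    for field in numeric:
        for r in iqr_outliers(records, field):
            leads.append((r["host"], f"{field} {r[field]} outside IQR fence"))
    return leads


if __name__ == "__main__":
    for host, reason in hunt(PROXY):
        print(host, "-", reason)
```

On this data the stack count isolates the one `curl` user agent (ws-04) and the one unusual destination (ws-10), and the IQR fence picks out ws-10 again for its 250000 bytes sent. Two independent techniques converging on the same host is exactly the kind of lead Lewis describes; whether it is the adversary you scoped for, or a collateral finding, is what the follow-up research decides.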
What’s important to understand here is that “winning” at anomaly hunting isn’t just about searching for (and finding) anomalies that confirm the presence of a specific adversary. That does happen, of course, but for the average organization, it’s far more likely that the techniques described above will uncover collateral findings of actors or operations utilizing similar tool sets or techniques.
Once again, this highlights the importance of high fidelity threat intelligence to the hunting process — the more accurate and comprehensive the intelligence analysts have to work with, the better they can refine their hunting processes.
Vulnerability and Risk Intelligence
Many organizations use CVSS scores to prioritize vulnerability remediation. But, as Finley explained during the presentation, this often isn’t the best way forward:
“Most organizations use CVSS, simply because it’s a quantitative definition of each vulnerability, but we’ve found this gets problematic at scale. What happens when you have a thousand vulnerabilities to remediate? Do CVSS scores take into account your specific network architecture? Do they account for changes in the threat landscape? Do they really tell you which vulnerabilities you should hit first?”
Simply put, in order to patch vulnerabilities based on the risk they pose to your organization, you need more than a generalized quantitative risk score.
Once again, having threat intelligence embedded in your security operations — along with strong hygiene factors such as asset management and classification — makes the process of prioritizing and patching serious vulnerabilities much smoother and more effective. Powerful threat intelligence solutions like Recorded Future integrate directly with vulnerability scanners to provide qualitative risk scoring, which enables organizations like Relativity to identify and patch the highest risk vulnerabilities for their specific environment.
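To illustrate Finley's point, the added example below (not Recorded Future's risk model and not Relativity's code) ranks a constructed set of scanner findings two ways: by CVSS alone, and by a risk score that keeps CVSS as one input but adjusts it for asset exposure, asset criticality, and two threat intelligence signals (exploitation observed in the wild, weaponization being discussed). The weights, the asset inventory fields, and the vulnerability IDs (placeholders, not real CVEs) are all constructed for the example.

```python
"""Risk-based vulnerability ranking: CVSS as one input, adjusted by asset
context and threat intelligence, compared against a CVSS-only ranking.

Added example; the weights are illustrative choices, not Recorded Future's
risk model, and the vulnerability IDs are placeholders, not real CVEs.
"""

# Illustrative multipliers from asset management / classification data.
EXPOSURE = {"internet-facing": 1.5, "internal": 1.0, "isolated": 0.5}
CRITICALITY = {"high": 1.5, "medium": 1.0, "low": 0.7}

# Constructed findings, as a scanner joined with an asset inventory and a
# threat intelligence feed might produce them.
FINDINGS = [
    {"id": "CVE-PLACEHOLDER-0001", "cvss": 9.8, "asset": "lab-vm-3",
     "exposure": "isolated", "criticality": "low",
     "exploited_in_wild": False, "weaponization_discussed": False},
    {"id": "CVE-PLACEHOLDER-0002", "cvss": 6.5, "asset": "web-portal-1",
     "exposure": "internet-facing", "criticality": "high",
     "exploited_in_wild": True, "weaponization_discussed": False},
    {"id": "CVE-PLACEHOLDER-0003", "cvss": 7.5, "asset": "file-srv-2",
     "exposure": "internal", "criticality": "medium",
     "exploited_in_wild": False, "weaponization_discussed": True},
    {"id": "CVE-PLACEHOLDER-0004", "cvss": 8.1, "asset": "ad-dc-1",
     "exposure": "internal", "criticality": "high",
     "exploited_in_wild": False, "weaponization_discussed": False},
]


def threat_factor(finding):
    """Scale up for intelligence that the threat landscape has moved."""
    factor = 1.0
    if finding["exploited_in_wild"]:
        factor += 1.0
    if finding["weaponization_discussed"]:
        factor += 0.5
    return factor


def risk_score(finding):
    """CVSS normalised to 0..1, then adjusted for asset context and threat."""
    if finding["exposure"] not in EXPOSURE or finding["criticality"] not in CRITICALITY:
        raise ValueError(f"unclassified asset in {finding['id']}")
    base = finding["cvss"] / 10.0
    context = EXPOSURE[finding["exposure"]] * CRITICALITY[finding["criticality"]]
    return round(base * context * threat_factor(finding), 3)


def rank_by_cvss(findings):
    """The generic ordering most organisations start with."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


def rank_by_risk(findings):
    """The ordering once asset context and intelligence are taken into account."""
    return [f["id"] for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(FINDINGS))
    print("risk based:", rank_by_risk(FINDINGS))
    for f in FINDINGS:
        print(f["id"], f["asset"], "cvss", f["cvss"], "risk", risk_score(f))
```

The CVSS-only list puts the 9.8 on an isolated, low-value lab VM first; the risk-based list puts the 6.5 on an internet-facing, high-criticality portal with observed exploitation first, and pushes the lab VM to the bottom. The `ValueError` is deliberate: without the hygiene factors the post mentions (asset management and classification), a finding cannot be scored this way at all, so the gap is surfaced rather than silently defaulted.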
Official vulnerability databases like CVE often aren’t the best early warning system for new vulnerabilities, as they typically lag behind vendor announcements and threat actor activity. To make up for this, the team at Relativity uses threat intelligence collected from the dark web to track software- and hardware-based vulnerabilities while they are still being discussed and weaponized via dark web forums.
Receiving this intelligence before an identified vulnerability is actively exploited in the wild is a huge advantage, as it enables the team to put remediation measures in place preemptively.
Going the Extra Mile: Fueling Attack Simulations and Red Team Ops
So far, we’ve looked at two common use cases for threat intelligence: Anomaly hunting and vulnerability management.
However, as Finley pointed out during the presentation, there really is no limit to how threat intelligence can be used to enhance the security function. “Another way that we’re utilizing threat intelligence is with our attack simulations and red team operations,” he says. “What we’re doing is studying adversaries to determine which are a high risk to our environment, and then our intelligence analysts and red team work together to mimic observed behaviors.”
“We do integrated attack simulations in alignment with what we believe to be the highest risks and then we all translate this to a common language. Our red team and threat intelligence analysts all sit in the same room and talk about what corrective actions can be taken, what detection we should deploy, and so on,” says Finley.
Ultimately, there’s almost no aspect of security that can’t be improved by having a better understanding of the threat actors, tactics, and tools that are most likely to target your organization.
Making Integrated Threat Intelligence a Reality
Integrating threat intelligence throughout your security function won’t happen overnight. As Fennell pointed out at the outset of the presentation, you’ll need to do your homework, convince your executive board, and ultimately, deliver on your promises if you want to see serious real-world results.
The first step, however, is simple: Determine who within your organization could benefit from threat intelligence, and how it can be used to augment existing processes.
Once you have this information, you can refer back to Fennell’s roadmap for success — essentially, figure out what your organization needs, sell it up the chain, provide quick wins and longer-term operational improvements, and make sure you’re constantly tracking and refining your program.
To finish things off, the team from Relativity left us with two parting thoughts. First, from Finley:
“I’ve got to tell you, nothing will make your people happier than automating their world. It gets rid of a lot of the fatigue. It lets them set things up in a uniform way. Even following runbooks can be painful, especially at 2:00 in the morning. So, use threat intelligence, and use it to help you automate your security operations. Seriously, automation will save your life.”
And lastly, from Fennell, on the importance of having a vision and sticking to it:
“Does anyone know who General Omar Bradley is? He’s a well-known general from World War II, the Korean War, and he also ended up being one of the founding members of the President’s Intelligence Advisory Board.”
“He has this awesome quote: ‘We need to learn to set our course by the stars and not by the lights of every passing ship.’ This is really relevant to security, and especially threat intelligence. There’s a lot of shiny tools out there. There’s a lot of trends, and we have to make sure we stay on course — we call it sticking to our North Star.”
“You can put all this together — the tooling, and scoring, and math, and data, and algorithms — but just make sure you have the right North Star, the right vision, and that as a team, you’re really focusing on making it a reality.”
You can find more useful advice on improving your threat intelligence program in our “Threat Intelligence Handbook,” so be sure to download your complimentary copy today.