December 11, 2018 • The Recorded Future Team
Editor’s Note: The following blog post is a summary of a presentation from RFUN 2018 featuring Amanda Fennell (CSO), Jerry Finley (director of cybersecurity and deputy CSO), and Darian Lewis (threat intelligence lead) of Relativity.
Over the past few months, we’ve written a lot about how threat intelligence can be used to enhance the security of your organization.
From vulnerability management to incident response, we’ve highlighted plenty of ways to integrate threat intelligence throughout the security function. But how do you take those ideas and make them a reality?
Last month, we held our seventh annual Recorded Future User Network (RFUN) conference in Washington, D.C. During the conference, attendees were treated to a presentation on integrating threat intelligence by senior members of the security team at Relativity — the industry-leading e-discovery software that helps corporations, governments, and law firms solve complex data problems during litigation, investigations, and compliance projects.
The speakers were Amanda Fennell (CSO), Jerry Finley (director of cybersecurity and deputy CSO), and Darian Lewis (threat intelligence lead). During the presentation, the team explained how they built up the threat intelligence capability at Relativity and embedded it throughout the security function.
To kick things off, they explained why it’s worth moving beyond reactive analytics, and how they went about selling the concept of a fully integrated threat intelligence program to their executive board.
For most organizations, reactive analytics play an important role in the security function, as they facilitate the identification and escalation of security incidents.
Typically, the process of reactive analytics looks something like this:
When Fennell, Finley, and Lewis joined Relativity in early 2018, reactive analytics were a mainstay of security operations. However, as Finley explained during the presentation, there are several issues with this approach:
Put another way, reactive analytics pose problems for organizations specifically because they are reactive. They’re based entirely on past events and are largely devoid of context that would enable security personnel to better categorize and prioritize future events.
In order to take security at Relativity to the next level, they needed to take a more proactive stance that focused on identifying and filling gaps in their specific network environment.
Of course, making dramatic changes to an established security program is no easy feat. According to Fennell, there are six steps that must be followed if you want to make radical changes:
In order to make all this happen, there’s one more essential ingredient: People.
In Fennell’s words, “Everybody focuses on techniques, tactics, and people. But do they really focus on people?”
“I think often, that word is just thrown in there, but it really should be your number one focus. People are the ones who actually get things done, so if you want to make real improvements, you need people who are really good and really passionate about what they do.”
To that end, Fennell suggested three core roles that must be filled to bring about radical service improvement:
Once you have a solid road map and the right team in place, it’s time to go to work.
At its heart, threat intelligence has three primary elements:
To lay the groundwork for these functions, the team at Relativity uses the Diamond Model to map the activity, characteristics, and relationships of adversaries operating in their space by studying past intrusion events.
By analyzing historical tactics, techniques, and procedures (TTPs) of relevant adversaries across cybercrime, espionage, and hacktivism, the team at Relativity is able to prioritize countermeasures and develop powerful threat hunting routines.
That may sound complicated, but the principle is really very simple: If you understand the who, what, and why of threat targeting, you can determine who is likely to target you and proactively develop countermeasures to combat the tools and techniques they typically use. At the same time, this groundwork can also be used to set requirements for your own security tooling.
At Relativity, the team makes heavy use of high-fidelity intelligence and automation from Recorded Future to fuel this process. During the presentation, Lewis noted that without these resources, the process can become extremely arduous for threat intelligence teams.
Searching for anomalies is a core component of any proactive security program, and the process relies heavily on the availability of threat intelligence.
In its simplest form, analysts use the results of the scoping exercise described above to identify indicators of specific adversaries, tactics, or tools that are likely to be used against their organization, and then query their datasets for those indicators.
As Lewis explained, there are a number of techniques that can be used to aid this process. For example:
What’s important to understand here is that “winning” at anomaly hunting isn’t just about searching for (and finding) anomalies that confirm the presence of a specific adversary. That does happen, of course, but for the average organization, it’s far more likely that the techniques described above will uncover collateral findings of actors or operations utilizing similar tool sets or techniques.
Once again, this highlights the importance of high-fidelity threat intelligence to the hunting process: the more accurate and comprehensive the intelligence analysts have to work with, the better they can refine their hunting processes.
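As an added illustration of the hunt described above (this code is not from the presentation or from Relativity's tooling), the following Python sweeps constructed proxy log lines for a hypothetical adversary profile and separates exact-indicator hits from collateral findings that only share tooling traits. Every indicator value, log line and pattern label is a constructed assumption.

```python
import re

# Hypothetical adversary profile from the Diamond Model scoping exercise. Every value
# is constructed for this example; the tool patterns are traits shared with other groups.
PROFILE = {
    "actor": "EXAMPLE-ACTOR",
    "indicators": {"203.0.113.45", "update-check.example-bad.test"},
    "tool_patterns": [
        ("commodity C2 gate path", re.compile(r"^/gate\.php$", re.I)),
        ("scripted curl beacon", re.compile(r"^curl/7\.\d+$", re.I)),
    ],
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) host=(?P<host>\S+) '
    r'path=(?P<path>\S+) ua="(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one constructed proxy log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event, profile):
    """'confirmed' = known indicator present; 'collateral' = only shared tooling matched."""
    if event["dst"] in profile["indicators"] or event["host"] in profile["indicators"]:
        return "confirmed", "known indicator"
    for label, pattern in profile["tool_patterns"]:
        if pattern.search(event["path"]) or pattern.search(event["ua"]):
            return "collateral", label
    return None, None

def hunt(lines, profile=PROFILE):
    """Sweep log lines; return findings as (timestamp, src, verdict, reason)."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped rather than silently matched
        verdict, reason = classify(event, profile)
        if verdict:
            findings.append((event["ts"], event["src"], verdict, reason))
    return findings

SAMPLE_LOGS = [  # constructed sample lines, not real traffic
    '2018-11-02T02:14:10Z 10.0.0.12 -> 203.0.113.45 host=update-check.example-bad.test path=/gate.php ua="curl/7.61"',
    '2018-11-02T02:16:33Z 10.0.0.27 -> 198.51.100.7 host=cdn.example.test path=/gate.php ua="Mozilla/5.0"',
    '2018-11-02T02:17:02Z 10.0.0.31 -> 192.0.2.10 host=www.example.test path=/index.html ua="Mozilla/5.0"',
    '2018-11-02T02:19:45Z 10.0.0.12 -> 203.0.113.99 host=update-check.example-bad.test path=/ ua="Mozilla/5.0"',
    "garbled line that will not parse",
]
```

Running `hunt(SAMPLE_LOGS)` yields two confirmed hits and one collateral finding; the collateral hit is the one worth a second look for a different operator using the same kit.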
Many organizations use CVSS scores to prioritize vulnerability remediation. But, as Finley explained during the presentation, this often isn’t the best way forward:
“Most organizations use CVSS, simply because it’s a quantitative definition of each vulnerability, but we’ve found this gets problematic at scale. What happens when you have a thousand vulnerabilities to remediate? Do CVSS scores take into account your specific network architecture? Do they account for changes in the threat landscape? Do they really tell you which vulnerabilities you should hit first?”
Simply put, in order to patch vulnerabilities based on the risk they pose to your organization, you need more than a generalized quantitative risk score.
Once again, having threat intelligence embedded in your security operations — along with strong hygiene factors such as asset management and classification — makes the process of prioritizing and patching serious vulnerabilities much smoother and more effective. Powerful threat intelligence solutions like Recorded Future integrate directly with vulnerability scanners to provide qualitative risk scoring, which enables organizations like Relativity to identify and patch the highest-risk vulnerabilities for their specific environment.
Official vulnerability databases like CVE often aren’t the best early warning system for new vulnerabilities, as they typically lag behind vendor announcements and threat actor activity. To make up for this, the team at Relativity uses threat intelligence collected from the dark web to track software- and hardware-based vulnerabilities while they are still being discussed and weaponized via dark web forums.
Receiving this intelligence before an identified vulnerability is actively exploited in the wild is a huge advantage, as it enables the team to put remediation measures in place preemptively.
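To make the prioritization argument concrete, here is an added Python example (not the presentation's or Recorded Future's scoring model) that joins constructed scanner findings with asset classification, exposure, and the two intelligence signals discussed above, then ranks them against a CVSS-only queue. The weights and every vulnerability and asset identifier are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One scanner finding joined with asset inventory and threat intel (values constructed)."""
    vuln_id: str             # placeholder identifier, not a real CVE
    cvss: float              # base score as reported by the scanner
    asset: str
    criticality: str         # asset classification from the inventory
    internet_facing: bool    # architecture context that CVSS does not know about
    exploited_in_wild: bool  # intel: active exploitation observed
    dark_web_chatter: bool   # intel: weaponization under discussion (early warning)

# Assumed weights for this illustration, not a published scoring model.
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}

def risk_score(f):
    """Environment-aware score on the same 0-10 scale as CVSS."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.internet_facing:
        score *= 1.25
    if f.exploited_in_wild:
        score += 2.0   # strongest signal: the threat landscape has already moved
    elif f.dark_web_chatter:
        score += 1.0   # early warning: remediate before exploitation starts
    return round(min(score, 10.0), 2)

def prioritize(findings):
    """Highest environment-aware risk first; ties broken by CVSS, then id."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss, f.vuln_id))

def by_cvss(findings):
    """The ordering a CVSS-only queue would produce, for comparison."""
    return sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))

SAMPLE = [  # constructed findings: a critical CVSS on an isolated lab box vs. a lower one on an exploited portal
    Finding("VULN-A", 9.8, "lab-vm-07", "low", False, False, False),
    Finding("VULN-B", 7.5, "web-portal-01", "critical", True, True, False),
    Finding("VULN-C", 8.1, "build-server-02", "high", False, False, True),
    Finding("VULN-D", 5.3, "hr-db-01", "critical", False, False, False),
]

if __name__ == "__main__":
    print("CVSS only:", [f.vuln_id for f in by_cvss(SAMPLE)])
    print("Risk-based:", [(f.vuln_id, risk_score(f)) for f in prioritize(SAMPLE)])
```

With these inputs the CVSS-only queue starts with the 9.8 on the lab VM, while the environment-aware ranking puts the actively exploited internet-facing portal first and the lab VM last.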
So far, we’ve looked at two common use cases for threat intelligence: anomaly hunting and vulnerability management.
However, as Finley pointed out during the presentation, there really is no limit to how threat intelligence can be used to enhance the security function. “Another way that we’re utilizing threat intelligence is with our attack simulations and red team operations,” he says. “What we’re doing is studying adversaries to determine which are a high risk to our environment, and then our intelligence analysts and red team work together to mimic observed behaviors.”
“We do integrated attack simulations in alignment with what we believe to be the highest risks and then we all translate this to a common language. Our red team and threat intelligence analysts all sit in the same room and talk about what corrective actions can be taken, what detection we should deploy, and so on,” says Finley.
Ultimately, there’s almost no aspect of security that can’t be improved by having a better understanding of the threat actors, tactics, and tools that are most likely to target your organization.
Integrating threat intelligence throughout your security function won’t happen overnight. As Fennell pointed out at the outset of the presentation, you’ll need to do your homework, convince your executive board, and ultimately, deliver on your promises if you want to see serious real-world results.
The first step, however, is simple: Determine who within your organization could benefit from threat intelligence, and how it can be used to augment existing processes.
Once you have this information, you can refer back to Fennell’s roadmap for success — essentially, figure out what your organization needs, sell it up the chain, provide quick wins and longer-term operational improvements, and make sure you’re constantly tracking and refining your program.
To finish things off, the team from Relativity left us with two parting thoughts. First, from Finley:
“I’ve got to tell you, nothing will make your people happier than automating their world. It gets rid of a lot of the fatigue. It lets them set things up in a uniform way. Even following runbooks can be painful, especially at 2:00 in the morning. So, use threat intelligence, and use it to help you automate your security operations. Seriously, automation will save your life.”
And lastly, from Fennell, on the importance of having a vision and sticking to it:
“Does anyone know who General Omar Bradley is? He’s a well-known general from World War II, the Korean War, and he also ended up being one of the founding members of the President’s Intelligence Advisory Board.”
“He has this awesome quote: ‘We need to learn to set our course by the stars and not by the lights of every passing ship.’ This is really relevant to security, and especially threat intelligence. There’s a lot of shiny tools out there. There’s a lot of trends, and we have to make sure we stay on course — we call it sticking to our North Star.”
“You can put all this together — the tooling, and scoring, and math, and data, and algorithms — but just make sure you have the right North Star, the right vision, and that as a team, you’re really focusing on making it a reality.”
You can find more useful advice on improving your threat intelligence program in our “Threat Intelligence Handbook,” so be sure to download your complimentary copy today.