Sharpening Your Threat Intelligence Sources for Relevancy and Action
Editor’s Note: The following blog post is a summary of a SANS webinar sponsored by Recorded Future, featuring Dave Shackleford, SANS analyst, instructor, and course author.
- Security organizations are getting true value out of threat intelligence data from investigative analyses and sharpening their sources.
- Before implementing threat intelligence sources in your security program, it’s critical to first understand exactly what your organization needs.
- Data diversity, data quality, and data analysis are three key components of relevant and actionable threat intelligence sources.
A lot of organizations today have started to embrace the idea of threat intelligence, gradually making the move to accommodate it into their security programs and operations. When implemented correctly, threat intelligence gives organizations the advantage of improving their risk management, automating processes, and utilizing valuable threat data proactively to prevent and respond to threats.
But unfortunately, working with threat intelligence data presents a challenge. It’s difficult to differentiate between useful sources and sources that aren’t relevant to your organization. Analysts don’t want to look at threat data all day trying to figure it out — what they do want is a concise assessment of how that data is actually being applied in their environment.
Dave Shackleford, SANS analyst, instructor, and course author thinks a bit differently about how threat intelligence can be applied effectively. In a recent webinar, he explained why threat intelligence is so valuable, and what you might want to take into account when differentiating threat intelligence data coming from a variety of sources.
There are a lot of threat intelligence sources, and Shackleford believes everybody can make their security program better by integrating them into their processes. But first, it’s critical to investigate what exactly your organization needs. According to Shackleford, “Intelligence-driven investigations are based on the preservation of the relationships between the components of individual attacks, so that they can be clustered as a campaign.”
Easier said than done, right? How can you take data in and effectively make use of it within your organization? It’s sometimes unclear how to get started and make sure that information is shared with the right people.
These days, attackers are hanging out for longer, and they're much stealthier. Minutes count, seconds count, and the sooner you can find warning signs in your organization, the better off you’re going to be. This concept plugs into the traditional types of security functions, and according to Shackleford, four investigative components that are important to consider are:
- Malware analysis
- Network analysis
- Underground analysis
- Big data analysis
For example, network analysis deals with network intrusion prevention, data loss prevention, and looking at network traffic patterns to help you see from more of an analytics perspective. Taking all this data and figuring out what to do with it allows for better attribution, and trying to find who it is that's targeting you, or who it is that's attacking you, takes things to a completely different level. While it’s a hard discipline altogether, Shackleford finds that security organizations are getting true value out of threat intelligence data by using these investigative components.
Sharpening Your Sources
So, what makes good threat intelligence? When there are a lot of different threat intelligence sources to choose from, how do you differentiate to find the source that not only stands out, but can also tell you whether or not one threat intelligence source is better than another? Shackleford explains the three key ingredients needed for organizations to obtain useful and relevant threat intelligence sources.
1. Data Diversity
The first target to hit is utilizing different kinds of data. Data diversity is huge, and if your organization is talking to threat intelligence providers, one of the things that Shackleford encourages drilling into is asking where exactly the data is coming from.
Understandably, threat intelligence providers may have some secret sources, but that's not an acceptable final answer. It’s necessary to have an idea of data types they are actually pulling in. This is critical because if you are, for example, a representative in a particular geographic area, or if you’re being plagued by a particular type of adversary that's specific to your vertical, you want to make sure you're getting the right kinds of data to help your exact situation.
Nobody wants generic data that may only be somewhat useful to anybody — you instead want sources that are more specific. It’s critical to understand how broad your exposure is to the community, the types of data that you're able to pull, what the IOC artifacts look like, and where it's coming in.
2. Data Analysis
According to Shackleford, the second piece you'll want to find out is, what kind of analysis does the provider perform? When they get a hold of data, is the provider just slinging it across to you without doing any further investigation, or are they actually pulling it in and performing some kind of deep-dive assessment to ensure that it's more accurate, or that it's been vetted to some degree by a threat analyst?
What you really want, Shackleford says, is somebody that knows exactly what they’re looking at to review the threat intelligence data first, and then hand it off without you having to ask if there’s any additional context they can provide around the information.
If there’s no explanation for why you should be looking into a particular area, it makes you less inclined to leap into action and go scouring your entire environment. You want to make sure you have some understanding of the severity, or the potential severity, of the issue at hand — perhaps an adversary that you know is specifically targeting your industry or is targeting your organization already.
In addition to being aware of the severity of the threat, having a degree of correlation is useful. Has this threat been seen before in conjunction with other attacks, or has it been seen in conjunction with other IP ranges or domains? Any context you have to make better sense of what the intelligence is really intended for as well as a sense of urgency or prioritization is huge, because you don't want to get a massive stream of data without any real level setting.
3. Data Quality
The final piece that Shackleford emphasizes is pushing for better data quality — no false positives. This is a tough piece of the puzzle, and organizations chase their tails struggling to achieve it because they don't have intelligence that has boundaries, in terms of date ranges.
If somebody saw a threat six months ago that was part of a targeted and focused campaign, it’s probably interesting information — but if it’s dead now, it’s not relevant anymore. The attackers have moved on, and they're likely not using that same file name, the same hash, nor are they using the same IP address or domain. Knowing this, you definitely want to know when an indicator expires.
What you want to make sure you're getting out of threat intelligence data is some sense of how long it's good for. You want to know that a certain type of intelligence is going to be useful to you over the course of the next seven days, at which point, it will be replaced with newer updates. Of course, it’s helpful if someone wants to inform the community of problems, but if all it does is cause you to spin your wheels for endless hours trying to see if it’s relevant to your own environment, then it’s not useful to you.
According to Shackleford, no threat intelligence data is better than bad threat intelligence data. That’s because threat intelligence data not only takes time to digest, but also takes time to follow up on. If you have bad data coming your way that hasn't come from enough sources, hasn't been vetted appropriately or analyzed, and certainly, doesn't have some measure of assurance that it's got a time boundary associated with it, you're very likely to waste a staggering amount of time — which you don’t have.
If you’d like to know more about how solid threat intelligence sources can benefit your everyday security functions, you can listen to the entire webinar. Alternatively, contact us if you’d like a demonstration of how Recorded Future can be used to identify and prioritize threats, helping you strengthen your threat intelligence capability.