Threat Intelligence: Making the Best Decisions While Mitigating Threats

June 21, 2016 • Rob Kraus

Editor’s Note

The following interview is with Rob Kraus and is from our Threat Intelligence Thought Leadership Series. Rob is director of security research and strategy at Solutionary.

1. What drives interest in threat intelligence in your community? What hole in your world does it fill?

When working to protect our clients, threat intelligence is a part of almost every function we perform. Unstructured data and information have some value, but we can realize true appreciation for the value of that detail when we are able to gather seemingly unrelated, independent, and unorganized information and apply proper analysis ideologies, resulting in true pieces of high-value intelligence.

In the network security, monitoring, device management, and consulting space, the drive for threat intelligence is directly related to many of the concerns our clients have. We think the ability to provide context to threats via intelligence analysis is vital to ensure our clients can make the best decisions while mitigating threats. This is important, because what businesses really need to understand is the threats to their business, much more so than vulnerabilities, malware, and attackers.

Overall, the “hole” intelligence fills is that ability to identify potential future threats, determine the likelihood of an attack manifesting, and determine potential attack targets, tools, and techniques which may be leveraged by an attacker. All of this information helps business leaders determine the potential damage those threats can do to their business, and what actions are appropriate for a reasonable and effective response to the threats.

2. What does actionable threat intelligence look like to you?

As previously discussed, actionable intelligence is core to our focus for protecting our clients. This typically involves ensuring our clients are not just informed, but armed with knowledge (or intelligence) that can be of value while addressing the real threats with which businesses should be concerned.

For example, over the last few years there has been no shortage of business email compromise, extortion, and distributed denial-of-service (DDoS) attacks against the financial industry. There’s value in visibility to technical indicators and observations, but there’s so much more that can be of value to the organization. Let’s say in the case of DDoS attacks, the typical questions a consulting firm aims to answer are (in no exhaustive manner):

  • What are the sources of the attack (IP addresses and countries)?
  • What type of attack is being performed (volumetric, application, or network based, etc.)?
  • When did we see it start?
  • How long do we think it will last?
  • The list goes on …

These are certainly good questions you would expect to come up on any incident response call. However, these are just the start, and, as you can see, mostly indicator-based types of questions.

Are these questions helpful?

Of course! But what about the ability to gather information and intelligence to enable better business decisions? We certainly do not have enough to make a good judgement call on the most appropriate action for the business.

When taking the intelligence approach to this same situation we learn a lot more about the threat or attack. By applying intelligence analysis to this situation we can gain a lot more value from the technical details, and also paint a clearer picture of what an effective and appropriate response may look like for the specific business. For instance, one common practice trained intelligence analysts refer to is evaluating influencers based on “PESTLE” analysis. How does the situation potentially affect my organization as it relates to Political, Economic, Social, Technology, Legal, and Environmental impacts?

Additionally, significant value can be added to incident response by having the ability to determine attribution information related to the situation.

  • Who is attacking me? A group or individual?
  • What has this individual or group of attackers done in the past?
  • What types of tools and tactics have they used during attacks in the past?
  • What is or has been their motivation in past attacks?
  • And so on …

Collecting the technical indicators and the attribution details, and applying PESTLE-type analysis to these situations, is key to determining if your business can make an appropriate choice for mitigating the impact of the attack, given the company’s goals, current condition, and business operations. The key is, all these pieces must be in place to do so. Applying the available information and intelligence to this entire set of conditions is what actionable intelligence looks like to me, nothing less.
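As an added illustration, not part of Rob Kraus's interview or any Solutionary tooling, the following Python sketch takes constructed DDoS observations and produces answers to the indicator-level questions listed in the answer above (sources and countries, attack type, start, observed duration), then checks whether the attribution answers and a PESTLE assessment are in place before the record is marked decision ready. The event format, the rate thresholds, and the required-context keys are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

# Assumed thresholds (constructed for this example, not from the interview).
VOLUMETRIC_BPS = 100_000_000   # sustained bytes/sec treated as volumetric
APP_RPS = 5                    # HTTP requests/sec treated as application-layer

# Context an analyst must supply before the record is "decision ready":
# the attribution questions from the interview plus a PESTLE assessment.
REQUIRED_CONTEXT = ("actor", "past_activity", "past_tools", "motivation", "pestle")

# Constructed sample observations (documentation IP ranges, not real traffic).
SAMPLE_HTTP_EVENTS = [
    {"ts": "2016-06-01T10:00:00", "src_ip": "203.0.113.5", "country": "NL", "bytes": 500, "requests": 50, "layer": "http"},
    {"ts": "2016-06-01T10:00:05", "src_ip": "203.0.113.5", "country": "NL", "bytes": 500, "requests": 50, "layer": "http"},
    {"ts": "2016-06-01T10:00:10", "src_ip": "198.51.100.7", "country": "BR", "bytes": 600, "requests": 60, "layer": "http"},
    {"ts": "2016-06-01T10:00:20", "src_ip": "192.0.2.9", "country": "NL", "bytes": 400, "requests": 40, "layer": "http"},
    {"ts": "2016-06-01T10:00:30", "src_ip": "198.51.100.7", "country": "BR", "bytes": 600, "requests": 60, "layer": "http"},
    {"ts": "2016-06-01T10:01:00", "src_ip": "203.0.113.5", "country": "NL", "bytes": 500, "requests": 50, "layer": "http"},
]

SAMPLE_SYN_EVENTS = [
    {"ts": "2016-06-01T11:00:00", "src_ip": "203.0.113.77", "country": "XX", "bytes": 60, "requests": 0, "layer": "syn"},
    {"ts": "2016-06-01T11:00:05", "src_ip": "203.0.113.77", "country": "XX", "bytes": 60, "requests": 0, "layer": "syn"},
    {"ts": "2016-06-01T11:00:10", "src_ip": "203.0.113.77", "country": "XX", "bytes": 60, "requests": 0, "layer": "syn"},
]


def summarize_attack(events):
    """Answer the indicator-level questions: sources, type, start, duration."""
    if not events:
        raise ValueError("no events to summarize")
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events)
    start, end = times[0], times[-1]
    # A single observation gives a zero-length window; clamp to 1s to avoid /0.
    duration = max((end - start).total_seconds(), 1.0)
    total_bytes = sum(e["bytes"] for e in events)
    total_requests = sum(e["requests"] for e in events)
    bps = total_bytes / duration
    rps = total_requests / duration
    http_share = sum(1 for e in events if e["layer"] == "http") / len(events)

    # Rough classification into the three families named in the interview.
    if bps >= VOLUMETRIC_BPS:
        attack_type = "volumetric"
    elif http_share > 0.5 and rps >= APP_RPS:
        attack_type = "application"
    else:
        attack_type = "network"

    return {
        "sources": Counter(e["src_ip"] for e in events).most_common(),
        "countries": Counter(e["country"] for e in events).most_common(),
        "attack_type": attack_type,
        "start": start.isoformat(),
        "observed_duration_seconds": duration,
        "bytes_per_second": round(bps, 1),
        "requests_per_second": round(rps, 2),
    }


def missing_context(context):
    """List the attribution/PESTLE items the analyst has not yet filled in."""
    return [key for key in REQUIRED_CONTEXT if not context.get(key)]


def build_intel_record(events, context):
    """Merge technical indicators with analyst context; flag gaps explicitly."""
    summary = summarize_attack(events)
    gaps = missing_context(context)
    return {
        "indicators": summary,
        "context": {key: context.get(key) for key in REQUIRED_CONTEXT},
        "missing": gaps,
        # Indicators alone never make the record decision ready.
        "decision_ready": not gaps,
    }


if __name__ == "__main__":
    record = build_intel_record(SAMPLE_HTTP_EVENTS, {"actor": "unknown group"})
    print(record["indicators"]["attack_type"], record["missing"])
```

The `decision_ready` flag is the point of the sketch: the indicator summary answers the incident-call questions, but the record stays incomplete until the attribution and PESTLE fields are populated, which is the "all these pieces must be in place" condition from the answer above.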

3. What can an aspiring threat intelligence analyst learn from your own career path that will inspire them?

Intelligence analysis to me is a discipline that is not mastered overnight, and just when you think you’ve got it mastered, you learn something new. Intelligence is a field for those who have an inquisitive mind and are not afraid to ask themselves “What if …” hundreds of times a day. Never give up on the pursuit of creating actionable intelligence, because the intelligence you provide people and organizations is appreciated more than you may realize or get credit for.

Understanding core disciplines, the intelligence lifecycle, and processing intelligence is just as important as the ability to actually use intelligence. Always keep in your mind that intelligence produced but not used is wasted. Always make sure that you have processes and procedures in place to leverage the intelligence produced. Intelligence is of greater value if you can apply that intelligence to a situation, or put in context, and truly understand what it means.

4. What are your long-term goals with threat intelligence and how will you measure progress?

Long-term goals for intelligence for me include continuing to develop and refine the skills I have today, but also looking on the horizon for new and interesting ways to apply intelligence. Sometimes it is hard to measure progress with intelligence, simply because it can be applied to and have different values for different purposes.

Continuing to develop and enrich information is a long-term goal. Looking at new ways to apply it to other aspects of business is important as well (think business intelligence for competitive advantage).

5. What do CISOs and BOD need to understand about threat intelligence?

Threat intelligence is not something that an organization can magically produce overnight.

A key part of being successful and leveraging intelligence to its maximum potential is to define your program and invest in it appropriately. There is a fine line between success and failure and most of the time the failure occurs because of poor intelligence program planning.

Organizations cannot spend millions of dollars on threat intelligence feeds, not have the qualified people and infrastructure to support the analysis of the information, and still expect awesome results.

The point here, which organizations need to understand, is that intelligence is the product of a highly developed and well thought out intelligence program with appropriate investments in multiple areas.

Some of these areas include information sources, trained intelligence analysts, threat and information aggregation platforms, and process and procedure development for starters. And, in that perfect world we strive for, enough business context to help put that intelligence in proper perspective.

In parting, remember intelligence is key to the battle and has some short-term benefits, but the real value is in the longer-term vision and program.

Rob Kraus

Rob is the director of research for the Solutionary Security Engineering Research Team (SERT). He specializes in vulnerability research, threat intelligence, incident response, application security assessments and attack mitigation tactics. Rob was previously a manager within Solutionary’s security consulting services group. He performed offensive-based security assessments consisting of penetration testing, social engineering, wireless and VoIP penetration testing, and web application penetration tests.