Driving up Cost and Complexity for Adversaries

1. What drives interest in threat intelligence in your community?

The bad guys! Adversaries will always devise new ways to attack victims to achieve their objectives, whether that objective is to obtain nation state secrets, stealing money or intellectual property, creating personal or political havoc, or committing acts of terrorism. As we continue to live on networks — or in the cyber domain — 24 hours a day, seven days a week, and store all our wealth and treasure there, we will be faced with bad guys operating in that same space.

Ransomware is just the latest example and FBI Director Comey refers to it as “a virus spreading across the U.S.” Further with the internet of things — the attack surface is exploding.

Defenders need to be able to get answers quickly to enable decisive action. Threat intelligence should result in faster and better decision making for the defense, prioritizing threats, context on attribution, and contributions to overall situational awareness of networks just to name a few.

The goal is to drive adversary cost and complexity up — if you can’t stop them, at least deter them — while driving your defending cost down by focusing your resources and making timely defense decisions.

2. What hole in your world does it fill?

The hole today is real-time situational awareness of our networks. We need to know: What do I have and what is it doing? Should I care and, if so, what should I do about it?

Threat intelligence should contribute to this story. It should provide the actionable, timely information that you don’t know, but need to know, to succeed.

3. How important is attribution for enterprises and governments? How far should it go?

Attribution for governments and enterprises is critically important to hold culprits accountable, and to better defend against attacks. Knowing “who” is behind the attack helps defenders to better prioritize the defensive effort, drive focused intelligence gathering for evidence purposes to achieve accountability, and proactively protect against this threat in the future.

Attribution is not easy, but people are behind attacks and they will leave digital signatures. Attackers are very good at reconnaissance to achieve their objectives. They understand your networks better than you do and they understand the vulnerabilities of users of those networks so that they can successfully exploit the weakest link. Defenders need to be just as good at analyzing the attackers so that attribution begins to become a reality.

Penalties to the attackers are a key part of driving their cost up, and I believe necessary to deter future attacks.

Many nation states are considering the question of “how far should it go?” We should think through the unintended consequences of any action we take. For example, how far are we willing to allow other nations to act against U.S. persons, enterprises, and government organizations to achieve attribution?

4. What do CISOs and BODs need to understand about threat intelligence?

Chief information security officers (CISOs) and board of directors (BODs) need to know the answer to the “so what?” question — why they should care.

CISOs so that they can prioritize and act; BODs so that they know what they are getting for their investment in cyber security. Threat intelligence can provide valuable contextual information that answers the “so what?” and builds a better understanding of overall network operations.

In addition, CISOs need to have better real-time situational awareness of their network environment. They are required to distinguish the signal from the noise in real time. They should assume they have a problem and constantly work to identify and address these problems. They should understand that threat intelligence can provide critical information to enhance their situational awareness.

BODs needs to know what their top cyber security risks are and whether they are being adequately addressed. It is prudent for the BOD to understand how cyber security is governed within their organization and that there is a well-thought-out incidence response in the event that something did go wrong. One way to do this is with a continuity of operations plan (COOP) that is exercised and well understood.

5. What are your long-term goals with threat intelligence and how will you measure progress?

To operationalize threat intelligence sharing between the public and private sectors to result in real-time situational awareness. What I mean by “operationalize” is machine-to-machine automated indicator sharing of actionable and timely information. Automating more of the routine and learning from the analyst is becoming a reality with artificial intelligence and machine-learning capabilities

Our critical infrastructures are at risk, and information sharing that is timely and actionable can improve our defense of these infrastructures. Threat intelligence can come from a variety of sources today, including government. We need to embrace this sharing, which requires trust between sectors.

We will measure progress first on the intelligence itself: Is it timely? Is it actionable? Next, is the interface between the sectors fully automated? If not, why not? We should start with a baseline understanding of our information today and then measure progress on a regular basis.

6. What does actionable threat intelligence look like to you?

At the risk of being repetitive, threat intelligence should enable decisions for timely action or response. Examples include intelligence that enables preemptive strikes, counter strategies, attribution, priority of threats, capabilities, intent, etc. It should answer the who, what, when, why, and how questions to drive operations for a more effective defense.

7. What can an aspiring threat intelligence analyst learn from your own career path that will inspire them?

Never, ever give up! You’re going to have failures — and those will be much more widely known than your successes. Learn from your mistakes and keep improving. Never be satisfied with the state you’re in. Keep learning and getting better.

The uniqueness to the business of cyber security is that you will always have bad guys working against you — 24 hours a day, seven days a week. They will be agile and incredibly clever — so partner to get the help you need, keep improving, and never give up.

You’re smarter than they are!