frashid
Contributor

Make threat intelligence meaningful: A 4-point plan

Feature
Mar 03, 2016 | 16 mins
Data and Information Security, Networking, Security

Threat intelligence is a hot topic, but it requires a ton of work to be operational and effective. Here's how to steer clear of the traps


With data breaches grabbing headlines nearly every week, threat intelligence is shaping up as the next big thing in information security. That, of course, means there’s more hype and confusion to sift through.

Promises of silver bullets run rampant in information security. Buy an appliance to keep the bad guys out of the network. Deploy this platform and kiss zero-day attacks good-bye. Invest in this other service for a single pane of glass that tells you exactly what’s going on in your network.

Now, throw threat intelligence into the mix: subscribe to these feeds and detect breaches before anything bad can happen! While the idea that threat intelligence can help improve enterprise security is a sound one, precious little attention is paid to how these systems can succeed.

Everyone wants a piece of this red-hot market, but too many vendors are spinning their latest offerings as some form of threat intelligence, and enterprises aren’t quite sure what they are getting. With CSO Online’s Steve Ragan, we break down the confusion and snake oil surrounding the current marketplace and offer concrete tips on how to make threat intelligence work.

The foundation of threat intelligence

Your first tip: If something looks like or used to be called a security information and event management (SIEM), it’s still a SIEM. That isn’t threat intelligence. A SIEM, however, can plug into a threat intelligence platform.


A functional threat intelligence system operates like a football team where the quarterback takes all the information — from the referees, the scoreboard, the coaches, the teammates, and the opposing team’s defensive line — and decides which play to run. A threat intelligence platform plugs various types of data sources, including third parties such as VirusTotal, external intelligence feeds, and events data from endpoints, applications, and SIEM in the network, into a centralized intelligence platform. The security analyst uses the analytics tools provided by the software to make magic: All sorts of information flow in, and intelligence comes out. Understanding how that magic works is the tricky part.

Tactical vs. strategic

Definitions matter, so let’s get the first one out of the way: Threat intelligence helps IT and security staff make security decisions. The decision may be as straightforward as a retailer that wants to ensure the point-of-sale malware hitting other retailers has not infected its terminals, or as difficult as an organization worried about spear phishing attacks against senior executives that could result in intellectual property theft.

“Everything is now [trying to] be threat intelligence. But if it doesn’t help you make a decision about your security, it isn’t threat intelligence,” says Adam Vincent, CEO of ThreatConnect, a threat intelligence provider.

Threat intelligence can be applied tactically or strategically. The most common use case is tactical intelligence, where the security analyst takes the knowledge gleaned from the available information to generate rules that can be applied to firewalls, SIEMs, or other security products.

For example, the security analyst learns through the threat intelligence portal that a particular PoS malware family always connects to the same command-and-control server. The analyst can get the IP address from the portal and proactively configure the firewall to block all connections to that IP address. The analyst can generate Snort rules that detect the malicious file and deploy them to determine when the infection occurs. The analyst can also hunt through available logs and network data to determine whether a payment terminal has already been infected with the file or has communicated with the IP address.
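The hunting step described above, as an added example that is not from the article or any vendor it mentions: a small script that takes the two tactical indicators from the scenario (a C2 address and a file hash) and sweeps constructed firewall logs and an endpoint hash inventory for matches. All indicator values, hostnames and log lines are constructed; 203.0.113.0/24 is reserved documentation address space.

```python
"""IOC hunt over local telemetry: does anything in our own logs match
the C2 address or file hash a threat-intel feed flagged?  Added example;
every indicator value and log line below is constructed."""
import re
from dataclasses import dataclass

# Constructed indicators for the PoS-malware scenario: the feed says this
# family always beacons to one C2 address and ships one binary.
IOCS = {
    "ip": {"203.0.113.10"},
    "sha256": {"deadbeef" * 8},  # constructed 64-hex-char digest
}

# Constructed firewall log: timestamp device action src:port -> dst:port
FIREWALL_LOG = """\
2016-03-01T10:02:11Z fw01 ALLOW 10.0.5.23:51122 -> 198.51.100.7:443
2016-03-01T10:03:40Z fw01 ALLOW 10.0.5.41:49211 -> 203.0.113.10:8080
2016-03-01T10:05:02Z fw01 DENY  10.0.5.23:51130 -> 203.0.113.10:8080
"""

# Constructed endpoint inventory: host,path,sha256 (case varies by tool)
ENDPOINT_HASHES = """\
pos-term-07,C:\\Windows\\Temp\\svc.exe,DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
pos-term-08,C:\\Windows\\System32\\notepad.exe,1111111111111111111111111111111111111111111111111111111111111111
"""

@dataclass(frozen=True)
class Hit:
    source: str     # which telemetry the match came from
    host: str       # internal asset involved
    indicator: str  # the IOC that matched
    detail: str     # original line or path, for the analyst's follow-up

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>\w+)\s+"
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

def hunt_firewall(log: str, iocs: dict) -> list[Hit]:
    """Flag every flow to a known C2 address, blocked or not: a DENY still
    means an internal host tried to beacon and needs investigation."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparsed line: skip rather than silently mis-match
        if m["dst"] in iocs["ip"]:
            hits.append(Hit("firewall", m["src"], m["dst"], line))
    return hits

def hunt_endpoints(inventory: str, iocs: dict) -> list[Hit]:
    """Match file hashes after normalising case; feeds and tools disagree."""
    hits = []
    for line in inventory.splitlines():
        host, path, digest = line.split(",", 2)
        if digest.lower() in iocs["sha256"]:
            hits.append(Hit("endpoint", host, digest.lower(), path))
    return hits

def hunt(iocs: dict = IOCS) -> list[Hit]:
    return hunt_firewall(FIREWALL_LOG, iocs) + hunt_endpoints(ENDPOINT_HASHES, iocs)

if __name__ == "__main__":
    for h in hunt():
        print(f"[{h.source}] {h.host} matched {h.indicator}: {h.detail}")
```

Each hit names the internal host, which is what the analyst needs next: the firewall DENY shows a terminal that tried to beacon even though the block held, and the endpoint hit shows the binary already on disk.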

Strategic intelligence is harder to achieve, and existing solutions aren’t as good at delivering on this front as they are with the tactical side. Strategic intelligence lets security analysts assess the organization’s security profile and decide how to mitigate the risk. It’s similar to how enterprises use business intelligence. In both cases, analyzing different sets of data and putting them in context with each other will help the enterprise make the decision.

Likewise, the organization may learn from a report (provided as part of an intelligence feed or derived from the threat intelligence platform) that an attack group has been targeting similar-sized organizations within the same industry. This attack group always goes after a specific application, transfers data to an FTP server, and creates a user account on the compromised server with the same name. Since the organization runs one of the applications under attack, the security team can strengthen controls to shut down FTP by closing port 21 and deploy new defenses around the application to make it harder for that attack group to succeed.

For the most part, when organizations start out with threat intelligence, they are thinking tactically. “For strategic intelligence, there is room for improvement,” says Rick Holland, vice president of strategy at Digital Shadows and a former Forrester Research analyst.

Information does not equal intelligence

There is a tendency to conflate information with intelligence, but they are entirely different. Information is data alone, and there’s a ton of it. While some data can be useful on its own, most simply contribute to the overload. Defenders have too much data and no idea what to do with it.

Intelligence has context, which helps defenders figure out how that data can be used to solve a problem or answer a question. Context can take many forms, including the nature of the attack activity, the freshness of the information, what industry verticals the data comes from, and the types and sizes of businesses that have been hit by those attacks. Context turns information into intelligence.

Threat intelligence data feeds may contain indicators such as domain names, IP addresses, registry keys, filenames, and hashes of files. On their own, they don’t mean anything. But if a feed flags files with a particular hash as malicious and able to communicate with a remote IP address, the security analyst needs to know.

“What everyone really needs is not more data, but more intelligence,” Vincent says.

1. Know what to buy

The sheer number of threat intelligence providers and possible data feeds can be overwhelming for defenders trying to decide which ones to buy. There are feeds from private intelligence providers, public-private partnerships, industry groups, and even open source. There are aggregators, those providers that combine feeds from multiple sources, remove duplicates, and add insights to create their own threat intel flavor. It’s not always clear at the outset what kind of intelligence is provided or even if there is overlap across feeds.

“It’s like the GMO problem, the ingredients aren’t clearly labeled,” says Chase Cunningham, director of threat intelligence at Armor, a secure cloud computing provider.

The other challenge is figuring out what to buy. Some providers sell intelligence feeds, which refers to information collected and analyzed by the provider’s own analysts to add appropriate levels of context. This isn’t a data feed of bad IP addresses or blacklisted domain names, but rather a list containing actionable intelligence. Digital Shadows is an example of a company that sells intelligence feeds. Other providers sell both the feed and analytics software for security analysts to connect all data sources and uncover relationships and patterns within the data. ThreatConnect sells the software along with its own intelligence feed.

If the enterprise buys only the intelligence feed, then it needs to have something into which to plug the data. That could be the company’s existing SIEM, or it could be a threat intelligence platform from another provider.

2. Evaluate the feed

This is a case where more is not necessarily better. Buying — or subscribing to — too many intelligence feeds only contributes to information overload. If the security analyst can’t work with the provided indicators, then the feed becomes part of the noise. The analyst has to spend a lot of time trying to correlate different pieces of information with the indicators. If the feed doesn’t provide the right level of detail or relevant insights, that’s time and energy wasted.

When deciding which feeds to buy, consider context such as industry sector and size of business. Premium feeds make sense for focused areas such as critical infrastructure, but if the defender is not operating in such an environment, the feeds won’t be useful.

“Don’t buy APT-related commercial feeds,” says Stan Black of Citrix. Most IT teams have other threats to worry about before they need to think about beating back APT groups.

Security teams need to have a specific question or problem they are trying to solve and map the intelligence to those objectives. If the security team’s top concern is spear phishing attacks against senior executives, they won’t benefit from intelligence describing which group uses which malware family, for example. The security team may decide to scrutinize incoming mail for spear phishing campaigns, monitor executives’ laptops for unexpected behavior patterns, or track the network for unusual activity. Each approach would require a different type of intelligence.

If the biggest concern is about attackers stealing account credentials and intellectual property, “I need feeds which I can do something about, such as what IP address to block on my firewall,” says Black.

Open source intelligence — frequently derided by commercial providers — can be useful to get a general sense of existing threats. Security teams need to assess whether the open source feeds provide insights specific to the industry or organization type before deciding whether to buy.

The same goes for industry-specific feeds. A financial services organization needs to focus on the threats targeting the financial sector and not worry about the health care sector, for example. While as a general rule it’s a nice idea to be aware of attacks impacting other industries since groups have been known to switch targets, very few security teams have the time and money to worry about what’s happening outside their realm.

“Would I worry about Zika if I am not flying to South America right now?” Cunningham asks. There are enough fires to put out and risks to address without looking at other industries.

Don’t blindly buy feeds and later try to figure out what to do with them. Instead, first establish security goals, then look for intelligence to apply. Otherwise, the feeds themselves become overwhelming and analysts struggle to prioritize the threats. For example, an organization may receive data feeds listing known bad IP addresses and malicious domain names. But if the feeds provide IP addresses of command-and-control servers, security teams trying to get ahead of phishing campaigns won’t benefit as much from the list.

“It’s like being told, ‘Driving on highways is dangerous.’ OK, but how does that help me?” Black asks. “There is a cornucopia of threats I don’t care about.”

3. Know what you have

Amid the hoopla surrounding threat intelligence and how it can help organizations detect breaches, a simple fact is often overlooked: All the threat intelligence programs in the world won’t be of any use if the security teams don’t have a clear idea of the problems that need fixing. The security team must have a thorough understanding of the environment and its intricacies, along with where the data is stored. To do intelligence right, security professionals have to know what kind of information they have and what their capabilities are before they can figure out what to buy.

The first place to start is with the logs. There is a wealth of data available, since there are logs for networks, applications, and endpoints. IT teams can even discover logs they didn’t know about or logs that failed to generate because of a configuration issue. Figure out what kind of sensors are present and what kind of information is collected. Identify all the running processes and the kinds of data associated with each. Be familiar with what the firewall is blocking and letting through. Bring in information from incident response systems, vulnerability and risk management tools, and network defense solutions.

“Have you actually mined your own data and figured out what you have?” Cunningham asks.

Before committing human resources and limited budget dollars trying to ingest outside threat data, look at how the internal data sources are aggregated and continuously analyzed. Centralize the information — whether in a threat intelligence platform or a SIEM — and make sure someone is studying it. Add in third-party information, such as domain name data from OpenDNS and DomainTools, and malware hashes from VirusTotal and VMRay. By centralizing, the analyst can normalize, categorize, and analyze the information.

Because every organization is different — even if they are in the same industry sector or are direct competitors — intelligence derived from internal sources can be extremely valuable because it reflects the organization’s reality. Analysts can take into account the enterprise’s own requirements and risk appetite when analyzing internal data sources.

“That intelligence can’t be bought; it has to be created by your own team,” Vincent says.

Consider what happens with a professional sports team. Once the coaches know who the team is playing, they analyze how the team performed against that opponent in the past. The coaches analyze their own performance in the game footage and create playbooks. Only after all that is done do they watch footage of other teams playing the opponent to gain additional insights they can use to tweak the playbook. In the same manner, security teams can determine which security improvements to make by examining their own logs.

If the security team knows the enterprise has been attacked several times over the past few months, then it has to find and address the deficiencies, either by deploying new controls or adding defenses. By understanding what is actually happening, the team can prioritize what must be done to remedy the threats. The network defender can prioritize what to fix, what indicators need a follow-up, and what attacks to watch for. From a security perspective, the enterprise can either mitigate the risk or make the decision to accept the risk (and not do anything at all).

Intelligence isn’t derived from the traditional defenses alone, such as the firewall, Web application firewall, and endpoint security software. Threat intelligence has to cross all areas, including vulnerability management, SIEM, and incident response.

Look at all the event logs from applications, network devices, and endpoints. Find ways to hook into cloud services and mobile. Scan the enterprise’s IP address blocks through specialized search engines such as SHODAN to see what systems may be exposed on the Internet. Even spreadsheets — such as a list of all deployed endpoints containing the MAC addresses, IP addresses, and the username of the user owning the system — should be included. More input leads to better decision making.

“The very best data about your environment is yours,” Vincent says.

4. Know what comes next

Don’t buy threat intelligence sight unseen. That’s easier said than done, since many providers offer only Web demos and pregenerated reports during the sales cycle. Try before you buy, regardless of whether you are buying the feeds alone or the software platform. Look for the providers who will offer a trial run of, at minimum, 60 days, so the security team can access all the intelligence feeds, analytics tools, and reports. Several experts agreed that 60 days was necessary to gauge whether the indicators in the feeds were relevant, tactical, and useful.

“Not all threat intelligence is created equal,” says Holland.

For the feed, consider the effort required to connect the intelligence feed to the centralized platform. See how the feeds can be consumed by internal systems and how the intelligence can be integrated with internal data sources.

The intelligence has to be useful and timely. One of the biggest problems with threat intelligence is the fact that if the indicators are stale and irrelevant, the intelligence derived from them is useless. The intelligence should complement what the organization already has in its own data sets and provide extra insights.

Remember that sports team analogy? The benefit of external threat intelligence lies in the additional insights it can provide. Don’t waste the money buying a product or a service that repeats what is already known.

“If the feed overlaps with what you already see from your firewall, then it has no value [to you],” Cunningham says.

For the threat intelligence platform, evaluate the analytics and the tools. Visualization tools are available to present threat intelligence in charts and graphs, much like business intelligence.

Find out whether intelligence can be translated into an actionable plan that can be pushed out to or used to create defense tools. This could be a firewall configuration file, Snort rules, scripts for IPS/IDS, or automatic data inputs for the SIEM. The instructions can be entered manually by the analysts and security operations teams or automatically sent to the corresponding security systems.

The value of the threat intelligence platform comes from the analysis and how the resulting insights are fed into automated and manual workflows designed to protect the organization. Enterprises need to work with providers that offer intelligence analysis and operations support to complement existing corporate security teams, or that give organizations lacking in-house analysts the support to make sense of what they have.

“Threat intelligence is a process, not an end result,” Vincent says. A successful intelligence program continually tunes, assesses, and modifies itself according to the changing threat landscape, shifting priorities, and adjustments to the risk profile. The IT and security teams revisit all the data sources — externally and internally — on a regular basis to ensure they remain relevant. Too many threat intelligence programs fail because no one is looking at how to mine the information and act on what’s found.

If the organization has evidence of attacks against an application, and the insights provided by the threat intelligence platform indicate the attacks are performed by a group that tends to steal credit card numbers, it falls upon the security operations team to protect the application or the credit card numbers. All the intelligence gathering and analytics do no good if nothing happens as a result. Security teams that understand that intelligence is both a strategic and tactical operation will get more value from threat intelligence than those that don’t.

“Threat intelligence is the brain. The devices and the rest of the network are the arms, legs, and eyes,” Vincent says.


Fahmida Y. Rashid is a freelance writer who wrote for CSO and focused on information security. Before joining CSO, she wrote about networking and security for various technology publications, including InfoWorld, eWeek, PC Magazine, Dark Reading, and CRN. She also spent years as an IT administrator, software developer, and data analyst. "I, for one, welcome our new computer overlords."
