CircleCityCon: Threat intelligence programs need improving

This weekend hackers travel to Indianapolis for the second annual CircleCityCon


The second annual CircleCityCon is off to a running start this weekend in Indianapolis, as more than 500 hackers gather to talk shop and educate each other.

Opening day was light, with a few talks and training sessions on topics including threat intelligence, digital forensics, and incident response. On Saturday the schedule fills out with talks covering a wide range of topics and skill levels.

One of the themes on opening day centered on threat intelligence (TI). In his keynote speech, Space Rogue, Tenable’s resident strategist, commented that organizations overlook one of their largest threat-intelligence assets: their own logs. Instead, they focus on vendor TI offerings that are more or less data streams with little actionable intelligence.

“You’re spending a fortune on that external threat intelligence, which, seriously, isn’t very intelligent,” Rogue said.

“In most cases it’s a list of malware signatures and bad IP addresses; you’re spending a fortune on that external threat intelligence, and yet you have a virtual goldmine of threat intelligence right there on your own networks for free.”

Warning: This video (recorded and uploaded by Irongeek) contains adult language.

Iftach (Ian) Amit, Vice President at ZeroFox, followed that with a talk on obtaining actionable threat intelligence.

The problem with most TI programs and vendor delivered feeds is that they’re not tailored to the organization, they’re generic data feeds. It isn’t that the feed data is bad, but organizations are struggling to turn the raw data feeds into intelligence they can use to improve their security posture.
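The gap both speakers describe is the step between a raw feed and a decision. The following Python script is an added example (not code from the conference, the speakers, or their employers) of that step: it takes a generic indicator feed of the "bad IP address" kind, correlates it against the organization's own firewall logs, and enriches each match with local context (which asset was involved, whether it initiated the connection, whether the traffic was allowed) before scoring and routing it. The feed entries, asset list, log lines, scoring weights, and routing thresholds are all constructed for illustration.

```python
"""Turn a generic indicator feed into prioritized, locally relevant hits.

Added example, not code from the article or the speakers quoted in it.
The feed, asset inventory and firewall log lines below are constructed.
"""
import re

# Constructed "vendor feed": indicators with a type and a tag. Real feeds
# (CSV, STIX, etc.) carry the same kinds of fields; only the parser differs.
FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "tag": "c2"},
    {"type": "ipv4", "value": "198.51.100.7", "tag": "scanner"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb9242"
                                "7ae41e4649b934ca495991b7852b855",
     "tag": "malware"},
    {"type": "ipv4", "value": "192.0.2.200", "tag": "phishing"},
]

# Constructed local context: the part no vendor feed can supply.
ASSETS = {
    "10.0.0.5": {"name": "payroll-db", "criticality": "high"},
    "10.0.0.42": {"name": "kiosk-01", "criticality": "low"},
}

# Constructed firewall log lines in a syslog-like key=value format.
LOGS = """\
2015-06-12T09:01:02Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
2015-06-12T09:01:05Z fw01 ALLOW src=10.0.0.42 dst=93.184.216.34 dport=80 proto=tcp
2015-06-12T09:02:10Z fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp
2015-06-12T09:03:11Z fw01 DENY src=198.51.100.7 dst=10.0.0.42 dport=22 proto=tcp
2015-06-12T09:04:00Z fw01 ALLOW src=10.0.0.42 dst=192.0.2.200 dport=443 proto=tcp
2015-06-12T09:05:30Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

# Assumed weights: what the indicator is, whether the traffic got through,
# who initiated it, and how much the touched asset matters.
TAG_WEIGHT = {"c2": 3, "malware": 3, "phishing": 2, "scanner": 1}
CRIT_WEIGHT = {"high": 2, "medium": 1, "low": 0, "unknown": 0}


def parse_logs(text):
    """Parse firewall lines into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def correlate(feed, logs, assets):
    """Match every log record against the feed's IPv4 indicators.

    Each match is enriched with local context (which internal asset was on
    the other end, and whether it initiated the connection). That context,
    not the feed entry itself, is what makes the hit actionable.
    """
    ip_index = {e["value"]: e for e in feed if e["type"] == "ipv4"}
    hits = []
    for rec in parse_logs(logs):
        for side in ("src", "dst"):
            indicator = ip_index.get(rec[side])
            if indicator is None:
                continue
            internal_ip = rec["dst"] if side == "src" else rec["src"]
            asset = assets.get(internal_ip,
                               {"name": internal_ip, "criticality": "unknown"})
            hits.append({
                "ts": rec["ts"],
                "asset": asset["name"],
                "criticality": asset["criticality"],
                "indicator": indicator["value"],
                "tag": indicator["tag"],
                "action": rec["action"],
                # internal host connecting out to the indicator is a
                # compromise signal; inbound from a scanner is mostly noise
                "direction": "outbound" if side == "dst" else "inbound",
            })
    return hits


def score(hit):
    """Assumed scoring: indicator severity + asset value + local evidence."""
    s = TAG_WEIGHT.get(hit["tag"], 1) + CRIT_WEIGHT[hit["criticality"]]
    if hit["action"] == "ALLOW":
        s += 2  # the traffic actually got through
    if hit["direction"] == "outbound":
        s += 1  # our host initiated the contact
    return s


def route(s):
    """Assumed routing: not every hit needs to land on the IR team's desk."""
    if s >= 6:
        return "incident-response"
    if s >= 3:
        return "soc-triage"
    return "risk-report"  # summarized for risk managers, no IT action


def summarize(hits):
    """Collapse repeated hits per (asset, indicator), then score and route."""
    grouped = {}
    for h in hits:
        entry = grouped.setdefault((h["asset"], h["indicator"]), {**h, "count": 0})
        entry["count"] += 1
    for entry in grouped.values():
        entry["score"] = score(entry)
        entry["route"] = route(entry["score"])
    return sorted(grouped.values(), key=lambda e: (-e["score"], e["asset"]))


if __name__ == "__main__":
    for e in summarize(correlate(FEED, LOGS, ASSETS)):
        print(f'{e["score"]:>2} {e["route"]:<18} {e["asset"]:<11} '
              f'{e["indicator"]:<14} {e["tag"]:<9} x{e["count"]}')
```

Run as-is, the highest-scoring line is the payroll database making repeated allowed outbound connections to a C2 address, which goes to incident response; the same scanner IP being denied at the perimeter scores low and is only summarized for risk reporting. The feed entry is identical in both cases; the logs and the asset inventory are what separate them.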

Amit’s talk centered on the types of actionable intelligence that organizations can collect, along with the point that some alerts and intelligence hits don’t need to go to IT. Instead, they should go to other parts of the organization where the information will have the most impact.

He also addressed the classification of intelligence into levels. For example, preemptive intelligence (intelligence about global events, or events an organization can plan for in advance) consists of data points that can go to risk managers, who assign them a measure of importance or triage them before IT has to take any action.

After that, there’s reactive intelligence – or intelligence that focuses on events that have already happened. In this scenario the IT department may need to assess their IR plans to deal with an active threat targeting a given vertical, or they’ll address patch management plans due to the disclosure of a new bug – e.g. Shellshock or Heartbleed.

Finally, there is ongoing intelligence, which is something an organization has to deal with on a case-by-case basis because the nature of the threat is constantly changing.

Amit’s talk (uploaded and recorded by Irongeek) is worth watching:

Later today, Salted Hash will be walking the halls of CircleCityCon as the show moves into a full day of operation. Further updates to follow…
