Inadequate intelligence integration

Many organizations flirt with the notion of threat intelligence. Academically it makes sense. You’re going to proactively learn about malicious IPs, domains, URLs and anonymous proxies before anyone in your environment starts interacting with them so that you can theoretically be better prepared to prevent, detect and respond to incidents related to these malicious corners of the Internet.

You are also going to join some industry consortiums so you can get more specialized information as it relates to your business vertical. This is very popular in some verticals such as financial services and critical infrastructure.

You may even go further to learn about malicious individuals and groups that are targeting you and trading in your intellectual property as gleaned from multilingual counterintelligence analysts operating in chat rooms, old school dial-up BBS and other locations where malware, nefarious services, credit card numbers and classified information is bought and sold. This goes beyond general cyber threat intelligence and often requires relationship building with the FBI and other federal agencies if the information is going to be acted upon. As such, we’ll stick with cyber intelligence for the sake of this piece.

Intelligence operationalization

So far the promise of intelligence sounds pretty good. Why wouldn’t you want more intelligence so you can be better prepared and more informed? Many critics of threat intelligence cite intelligence operationalization as being a fundamental flaw and that is certainly a big part of the story.  

Most organizations do not have a large enough threat intelligence and/or counterintelligence organization to process all the received intelligence in an efficient and effective way. As such, intelligence becomes little more than a lagging indicator. The malicious IPs, domains, URLs, Tor proxies and the like are constantly growing and moving. The volume of data from free, paid and hybrid intelligence services is overwhelming and brings baggage like: 

• Duplicate information – x is bad, x is bad, x is bad…
• Conflicting details – x is bad – no x is good
• Outdated data – x is bad – at least it was in 2001
• Information that is simply wrong – x is bad – sorry, our bad, didn’t mean to put your entire ISP on a blacklist
• Information that is too general to act upon – we’ve seen bad stuff associated with top-level domain .cn – maybe you should disallow access to anything that is .cn

The other issue is that you are dealing in millions of intelligence variables. Operationalizing all those details with a SIEM, firewall, IPS and so on isn’t practical. Organizations are still trying to tune their SIEMS to address the basics as outlined in my previous blog SIEMs sometimes suck. These systems are not built to handle a rotating active list of approximately 5 million bad IPs, for example, at any given time.

In the end you are left with trying to prioritize the intelligence for yourself into a manageable subset that you consider to be the most critical, timely and accurate. You make an educated guess in terms of what to ignore and what to integrate. The net is that you are guessing when it comes to intelligence integration because you don’t have many other choices.

While free threat intelligence is the most common source of intelligence for most organizations, there are some vendors that provide enhanced paid services that aggregate, de-duplicate, verify, etc. and even build rules and signatures. This improves the overall threat intelligence experience and is far better than the guessing alternative. But beyond intelligence operationalization there is another missing variable:  threat intelligence personalization. 

Intelligence personalization

ISACs are extremely beneficial and help organizations hone their intelligence focus. But even if you are getting specialized, industry-specific intelligence from an industry group such as the Financial Services ISAC, the Retail ISAC or any number of other ISACs, it’s still not personalized to your organization’s defensive stack.

Because it’s not personalized there isn’t a clear path to integrate and evaluate the intelligence across your incident prevention, incident detection and incident response capabilities, especially if you want to look beyond your technology and evaluate the effectiveness of your people and processes. This lack of personalization means that you can’t answer simple questions about your environment. For example:

• Can I verify that my firewalls and proxies are preventing access to my list of bad domains?
• Can I verify that when access is attempted and even allowed that my controls are detecting it?
• Do I know if inbound or outbound connections are made with these malicious sites my security team will know how to respond?
• Am I sure that there is a clear process to follow that is either automated or manual that my IR team is using?
• Are all of these variables measurable so that I can determine if my combination of people, process and technology is working effectively and improving over time?

What to do

Don’t throw your threat intelligence strategy out. There are many ways to help you get value; here are three you should consider.

First, when it comes to threat intelligence you often get what you pay for. Intelligence that’s free isn’t without value, but you might need to put a lot more time and resources into it to get that value than you could from a paid service that addresses some of the baggage I wrote about above. The paid service could very well end up costing you less. And, you don’t want to be in a situation where by the time you figure out what’s worth keeping, it’s outdated. Speed matters with intelligence.

Second, take advantage of the threat intelligence from your ISACs. You will have some industry-specific intelligence. But beyond that you’ll be able to build industry relationships and hopefully discuss with others in your industry how they are operationalizing their threat intelligence.

Third, leverage a solution that will allow you to personalize your threat intelligence by validating if your controls on your network are preventing, detecting and responding to your threat intelligence information. These solutions should be able to evaluate your people, processes and technology in your production environment, safely and continuously. By implementing a solution like this you have an automated method of understanding the juxtaposition of your threat intelligence and your security posture so you can focus your resources on managing the gaps.

Threat intelligence doesn’t have to be an academic pursuit or a lagging indicator. With some time and effort and investments in the right areas it can add a predictive level of security to your overall security posture to complement incident prevention, detection and response before your organization is even targeted.