Rendition Infosec founder Jake Williams was recently interviewed by a reporter for eSecurityPlanet.com on the topic of threat intelligence. As the reporter noted, there is a lot of confusion out there about precisely what threat intelligence is and isn’t. The article was recently published and you can read it here. Since Jake’s full responses paint a more complete picture of Cyber Threat Intelligence (CTI), Rendition is publishing them here for the broader community to benefit.
Can you help me differentiate CTI from the various other labels on the go such as advanced threat detection, cyber security, cyber security analytics, advanced threat analytics, advanced threat detection, etc. I’m sure there is plenty of overlap, but I’m looking to clearly define the CTI playing field as different from other areas of cyber security, and what aspects CTI includes and what it doesn’t.
CTI means different things to different people. Ask 15 analysts and you’ll get 15 definitions. I tell clients that CTI is applying the standard intelligence lifecycle to the cyber domain, using intelligence collection, processing and exploitation, analysis, and dissemination to gain insight about threats to the organization that exist in the cyber domain. If you’re not using models (like the cyber kill chain and the diamond model) and processes (like analysis of competing hypotheses) then you’re not doing good CTI. Because so much of CTI is analyst dependent, it is critical to use structured models to show academic rigor. Structured models also improve process standardization across teams. Finally, it helps separate intelligence hobbyists (most infosec professionals) from true intelligence analysts.
CTI is not just about buying an indicator feed and applying those indicators in your environment. While that is part of a CTI function, CTI is about applying the entire intelligence lifecycle.
What would be the ideal setup in terms of threat intelligence being supported by what elements of security, action based on detected threats, and so on? And where does this tend to break down?
CTI and incident response (IR) teams are very tightly related. Some tactical CTI functions used to be performed by IR teams (and in many cases still are). However,
What is the technology backbone of threat intelligence, and who are the main vendors who specialize in it? Are these mainly proprietary or open source?
Indicator feeds and threat intelligence platforms are the backbone of threat intelligence operations. Threat indicator feeds are the actual threat data (malicious IP addresses, domains, file hashes, etc.) that the threat intelligence team will consume from external parties and search for in their own network. The threat intelligence platform (TIP) is a software platform for analyzing these threat feeds. Some TIPs help analysts enrich data through transformations (such as automatically obtaining registration data for a malicious domain).
I won’t get into specific vendors of either – they are a dime a dozen and differentiation in this saturated market is relatively difficult. I recommend that organizations consider trying out an open source TIP before investing in a commercial offering. Find out what features you really need, what you don’t, and then shop for a platform.
How about the soft skill side? So what kind of personnel and processes need to be involved to make it effective?
As with all things in infosec, we recommend to our clients that they focus on people and process first and then adopt technologies that effectively augment their workflow. Soft skills are vital in CTI. The only ROI that most management sees from the CTI team will be the reports they issue. I’ve seen some really great teams issue some really lousy reports. Effective writing is critical. A good technology background is also critical. I’ve seen several former government intelligence analysts enter the commercial workforce without the necessary technical skills to validate and correctly interpret CTI. These people generally learned a process unique to classified government tools without really understanding the technological underpinnings of CTI. When building a new team, I recommend that you not focus on tools at all. Define what you want to accomplish, how you want to accomplish it (what capabilities do you need), and then choose tools that best fill those capabilities.
What types of threats does CTI detect the best, and where is it weakest?
CTI is best focused on APT threats. These attackers have a high dwell time in networks and tend to reuse tools across intrusions. By observing the data from an intrusion in one organization’s network, another organization can benefit by searching for those same indicators of compromise (IOCs). Short-lived, drive-by style attacks (like ransomware) don’t benefit as much from tactical level CTI. Attackers know that security software will move to block malicious IP addresses and domains quickly, so their campaigns with any specific malware variant are measured in minutes to hours. Tactical CTI simply doesn’t move fast enough to operationalize this data in most cases.
Anything else you wish to add?
It is the use of structured analysis techniques and formal models, not tools, that separates professionals from hobbyists when it comes to CTI. Just as a good rifle makes some soldiers deadlier than others, so do CTI tools. Like the rifle is to the soldier, CTI tools are simply mission enablers to the analyst. And just because a tool works (even exceedingly well) for one organization, it doesn’t mean it will work well universally. Coming back to the soldier analogy, imagine how much deadlier a Navy SEAL is with a sniper rifle than your average person. Technology enables the mission, but people and process make it happen.
If you take anything away from this post, please make it that Cyber Threat Intelligence is not a purely vendor driven activity. There is far more to CTI than technology; you need to hone your people and processes to be most effective. If you need help setting up a CTI program for your organization, or simply taking your organization’s CTI program to the next level, please contact Rendition Infosec and we’ll be happy to assist.