
Building a Threat Intelligence Program [New Series]

2015-07-22 19:30

Security practitioners have been falling behind relative to the adversaries, who launch new attacks using new techniques daily. Furthermore, defenders remain hindered by the broken negative security model of looking only for attacks you’ve seen before (mostly due to ineffective compliance mandates), so they consistently miss these attacks. If your organization hasn’t seen the attacks and updated your controls and monitors to look for these new patterns – oh well.

Threat Intelligence has made a significant difference in how organizations focus their resources. In the Applied Threat Intelligence paper, we highlighted how organizations can benefit from the misfortune of others and leverage this external information in use cases including security monitoring/advanced detection, incident response, and even within some active controls to block malicious activity.

These tactical uses certainly help advance security, but we made an important point at the end of the Applied Threat Intelligence research. The industry needs to move past these tactical TI use cases, which usually involve: 1) Get hit with attack. 2) See if TI vendor knew about attack before you did. 3) Buy data and pump into monitors/controls. 4) Repeat. Yet that’s not the way we roll. Our philosophy always drives us to take a programmatic approach to security. As such, it’s time to advance the use of threat intelligence into the broader and more structured TI program to ensure systematic, consistent and repeatable value.

We believe this Building a Threat Intelligence Program report can act as the map to build this program and leverage threat intelligence within your security program. So that’s what this new series is all about – taking the tactical use cases and turning those into a more strategic TI capability.

We’d like to thank our potential licensee on this project, BrightPoint Security, who allows us to use our Totally Transparent Methodology to publish our research. As always, we’ll post everything on the blog first and take feedback from folks who know more about this stuff than we do (yes, I’m referring to you).

The Value of TI

Even though we’ve published a lot of research on TI, let’s revisit the basics. What do we even mean when we say “benefiting from the misfortune of others?” Generally it means that the odds are someone else will be hit by an attack before you are. You get to see attacks without being directly attacked, learning from higher-profile targets. Those other targets figure out how they were attacked and how to isolate and remediate the attack. With that information, you can search your environment to see whether that attack has already been used against you, and significantly cut detection time. Cool huh?

If you haven’t seen the malicious activity yet, it’s likely just a matter of time; so you can start looking for those indicators within your active controls and security monitors. Let’s briefly revisit the use cases we’ve highlighted for Threat Intelligence:

  • Active Controls: In this use case, threat intelligence gives you the information to block malicious activity using your active controls. Of course since you are actually blocking traffic you’ll want to be careful about what you block versus what you alert on, but there are some activities that are clearly malicious and should be stopped.
  • Security Monitoring: Given that an Achilles’ heel of security monitoring is the need to know what you are looking for, TI balances the equation a bit by expanding that view. You use the indicators found by other organizations to look for malicious activity within your environment, even if you’ve never seen it.
  • Incident Response: The last primary use case is to use TI to help streamline an incident response. Once adversary activity is detected within your environment, you have a lot of ground to cover to find the root cause of the attack and contain it quickly. TI can yield clues as to who is attacking you, their motives and their tactics, enabling the organization to narrow the focus of the response.

The TI Team

As we mentioned above, the use of TI isn’t really new. Security vendors have been using dynamic data within their own products/services for a long time. What’s different is treating the data as something separate from the product/service. But data on its own doesn’t detect adversaries or block attacks, so more mature security organizations have been staffing up threat intelligence groups, tasking these groups with providing context for which of the countless threats out there actually need to be dealt with, and what needs to be done to prevent, detect, and/or investigate potential attacks. These internal TI organizations consume external data to supplement internal collection and research efforts, and have been willing to pay for it, which created a new market for security data.

The TI Program

Organizations that build their own TI capability at some point need to put in place a repeatable process to collect, analyze and apply the information. That’s what this series is all about. First we’ll outline the structure of the program here and then dig into each aspect of the process in subsequent posts.

  1. Gathering Threat Intel: This step involves focusing your efforts on reliably finding the intelligence sources that can help with adversaries you face and identifying the specific data types whether that’s malware indicators, compromised devices, IP reputation, command and control indicators, etc. Then you procure the data you need and integrate it into a system/platform to use the TI. A programmatic process involves identifying new and interesting data sources, constantly tuning the use of the TI within your controls, and evaluating sources based on effectiveness/value.
  2. Using TI: After you’ve aggregated the TI, now you put it into action. The difference when structuring activity within a program is the policies and rules of engagement that govern how and when you’ll use the TI. Tactically you can be a little less structured about how the data is used, but when evolving to a program this structure is a necessity.
  3. Marketing the Program: When doing a tactical threat intelligence initiative, you focus on solving a specific problem and then moving on to the next. Broadening the use of TI requires a more specific and ongoing evaluation of effectiveness and value. You’ll need to define externally quantifiable success for the program, gather the data to substantiate results, and communicate those results – like any other business function.
  4. Sharing the Intelligence: Finally, if there is one thing that tends to be overlooked when focused on how the intelligence can help you, it’s how sharing the intelligence can help others. Which is interesting given that the entire power of TI comes from organizations willing to share information. Yet even if you want to share TI, it needs to happen safely and securely to protect your interests and control organizational liability.
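To make the use cases above (active controls, security monitoring) and the program steps concrete, here is an added example that is not code from the original Securosis post: a small indicator-matching loop that applies rules of engagement to decide block versus alert, runs over a few log lines, scores each feed by how many of its indicators actually fired (the source evaluation in step 1), and strips internal host/user details from a match before it is shared (step 4). The feed names (`feed-a`, `feed-b`), indicator values, hostnames, log format, and the confidence threshold in `POLICY` are all constructed for illustration.

```python
"""Added example: threat-intel indicator matching with rules of engagement.
All feeds, log lines, hostnames and thresholds below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Indicator:
    value: str        # the observable: an IP, a domain, or a file hash
    kind: str         # "ip", "domain" or "sha256"
    source: str       # which feed/vendor supplied it (constructed names)
    confidence: int   # 0-100 as reported by the feed


# Constructed indicators from two hypothetical feeds (documentation ranges/names only).
FEED: List[Indicator] = [
    Indicator("198.51.100.23", "ip", "feed-a", 95),
    Indicator("bad.example.net", "domain", "feed-a", 60),
    Indicator("c2.example.org", "domain", "feed-b", 92),
    Indicator("a" * 64, "sha256", "feed-b", 99),
]

# Rules of engagement (assumed policy): automated blocking only for high-confidence
# network indicators; anything else is surfaced as an alert for analyst review.
POLICY = {"block_min_confidence": 90, "blockable_kinds": {"ip", "domain"}}

# Constructed log format: "<timestamp> <internal host> <user> <destination> [hash=<sha256>]"
LOG_LINES = [
    "2015-07-22T10:00:01Z ws-017.corp.example jdoe 198.51.100.23",
    "2015-07-22T10:00:05Z ws-042.corp.example asmith updates.example.com",
    "2015-07-22T10:01:13Z ws-017.corp.example jdoe c2.example.org",
    "2015-07-22T10:02:40Z srv-mail.corp.example svc-mail 203.0.113.9 hash=" + "a" * 64,
    "malformed",  # does not fit the format and is skipped
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<dst>\S+)(?: hash=(?P<hash>[0-9a-f]{64}))?"
)


def decide(ind: Indicator, policy: dict = POLICY) -> str:
    """Apply the rules of engagement: 'block' for the active-control path, else 'alert'."""
    if ind.kind in policy["blockable_kinds"] and ind.confidence >= policy["block_min_confidence"]:
        return "block"
    return "alert"


def match_logs(lines: Iterable[str], feed: List[Indicator] = FEED, policy: dict = POLICY) -> List[dict]:
    """Security-monitoring use case: look for known-bad observables in our own logs."""
    index = {i.value: i for i in feed}
    matches = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        for observable in (m["dst"], m["hash"]):  # hash may be None
            ind = index.get(observable)
            if ind is None:
                continue
            matches.append({
                "ts": m["ts"], "host": m["host"], "user": m["user"],
                "indicator": ind.value, "kind": ind.kind,
                "source": ind.source, "action": decide(ind, policy),
            })
    return matches


def source_effectiveness(matches: List[dict], feed: List[Indicator] = FEED) -> Dict[str, float]:
    """Step 1 (evaluating sources): fraction of each feed's indicators that ever fired."""
    totals = Counter(i.source for i in feed)
    fired = {(m["source"], m["indicator"]) for m in matches}
    hits = Counter(src for src, _ in fired)
    return {src: hits[src] / totals[src] for src in totals}


def sanitize_for_sharing(match: dict) -> dict:
    """Step 4 (sharing): pass on the indicator and what it did, not who in your org touched it."""
    return {k: match[k] for k in ("indicator", "kind", "action")}


if __name__ == "__main__":
    found = match_logs(LOG_LINES)
    for hit in found:
        print(hit["action"].upper(), hit["indicator"], "seen from", hit["host"], "by", hit["user"])
    print("feed hit rates:", source_effectiveness(found))
    print("shareable record:", sanitize_for_sharing(found[0]))
```

The split between `decide` and `match_logs` is deliberate: the matching logic stays the same whether an indicator drives an active control or only a monitor, and the policy dictionary is the one place the program's rules of engagement are expressed, which is what makes the usage reviewable and repeatable rather than ad hoc.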

As we proceed through the series, we’ll incrementally write the plan that you can then use to build your own TI program.

- Mike Rothman


Source: www.securosis.com/blog/building-a-threat-intelligence-program-new-series
