Threat intelligence can be a great value-added tool for businesses if its data collection capabilities are used effectively.
Speaking at RSA Conference in San Francisco, Mark Orlando, director of cyber operations at Foreground Security said that there is “a lot more to intelligence than indicators and leveraging it for response”.
He said that as a tool for defence, threat intelligence in the form of indicators is dead: IDS signatures are not subject to quality control, have a short shelf life, and take cycles away from defence. “We are shifting our understanding of adversary and means and methods creates a false sense of security in our view,” he said,
“Yet processed properly it can be used to get us closer to an adversary’s tactics and the things they cannot change and question becomes if threat intelligence is not dead, how can we make sure it is useful? It could be another defender tool – it just has to be collected and applied well.”
With a market of options ranging from free feeds to commercial vendor-specific offerings to internally produced intelligence, Orlando said it was important to understand what your monitoring goals are: protecting your business, detecting bad guys, or action and prosecution.
He said: “What are your defensive capabilities? If you want to leverage threat intelligence in defence, you don’t want to take them out of your feed without understanding the feed. It sounds like a simple problem, but what is your awareness in the environment and how does an attacker get in? If you can get to their objectives and if you don’t understand them, it is best to stop right there.”
In terms of bad indicators, Orlando said that with very expensive commercial solutions, if you are paying $100,000 you don’t want the product acting like a souped-up IDS.
“No one intelligence provider has all of the information on all of the threats, so it helps to cast a wide net,” he said. “So if you leverage open source or use industry knowledge, then use it all as long as you are normalising, embedding and ingesting it all.”
Looking forward, Orlando said that if intelligence is collected and used properly, it enables data-driven analysis of what has already happened in the environment, in most contexts.
“Intelligence is a terrible tool for alerting; it should be an engine for incident and historical information,” he said. “Build on a better data collection and investigative methods and let threat intelligence drive that process.”
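The two practical points in Orlando's remarks, casting a wide net but only after normalising and ingesting every feed into one form, and using intelligence as an engine for historical investigation rather than as an alerting signature, can be shown in a small script. The following is an added example written for this page, not code from the talk or from Foreground Security. The two feed formats, the field names, the indicator values (documentation-reserved ranges) and the proxy log lines are all constructed for illustration; the age cut-off used to drop stale indicators is an arbitrary assumption.

```python
import csv
import io
import json
from datetime import date

# Constructed sample feed in CSV form (assumed format; values are not real indicators).
FEED_A_CSV = """type,value,last_seen
ipv4,203.0.113.10,2015-04-20
domain,bad.example,2015-04-18
ipv4,203.0.113.10,2015-04-21
"""

# Constructed sample feed in JSON form with a different vocabulary for the same data.
FEED_B_JSON = json.dumps([
    {"indicator": "203.0.113.10", "kind": "ip", "seen": "2015-04-22"},
    {"indicator": "198.51.100.7", "kind": "ip", "seen": "2014-01-05"},
    {"indicator": "BAD.EXAMPLE", "kind": "fqdn", "seen": "2015-04-19"},
])

# Each feed names indicator types differently; map them onto one shared vocabulary.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}


def normalize_feed_a(text, source="feed_a"):
    """Turn the CSV feed into records with the common schema."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append({"type": TYPE_MAP[row["type"]], "value": row["value"].lower(),
                    "last_seen": date.fromisoformat(row["last_seen"]), "sources": {source}})
    return out


def normalize_feed_b(text, source="feed_b"):
    """Turn the JSON feed into records with the same common schema."""
    out = []
    for item in json.loads(text):
        out.append({"type": TYPE_MAP[item["kind"]], "value": item["indicator"].lower(),
                    "last_seen": date.fromisoformat(item["seen"]), "sources": {source}})
    return out


def merge(*feeds):
    """Deduplicate across feeds, keeping every source that reported an indicator
    and the most recent sighting. Multiple sources corroborate each other."""
    merged = {}
    for ind in (i for feed in feeds for i in feed):
        key = (ind["type"], ind["value"])
        if key in merged:
            merged[key]["sources"] |= ind["sources"]
            merged[key]["last_seen"] = max(merged[key]["last_seen"], ind["last_seen"])
        else:
            merged[key] = {**ind, "sources": set(ind["sources"])}
    return merged


def prune_stale(indicators, today, max_age_days):
    """Indicators have a short shelf life: drop anything not seen recently.
    The cut-off is an assumption, not a recommendation from the talk."""
    return {k: v for k, v in indicators.items()
            if (today - v["last_seen"]).days <= max_age_days}


# Constructed historical proxy log lines (key=value after a timestamp).
HISTORY = [
    "2015-04-15 10:02:11 src=10.0.0.5 dst=203.0.113.10 host=bad.example",
    "2015-04-16 11:30:00 src=10.0.0.9 dst=192.0.2.44 host=cdn.example",
    "2015-03-01 08:00:00 src=10.0.0.5 dst=198.51.100.7 host=old.example",
]


def retrospective_matches(indicators, history):
    """Run the normalised indicator set over stored logs to answer 'have we
    ever talked to this?' rather than to raise real-time alerts."""
    hits = []
    for line in history:
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        for field, itype in (("dst", "ip"), ("host", "domain")):
            key = (itype, fields.get(field, "").lower())
            if key in indicators:
                hits.append({"line": line, "indicator": key[1],
                             "sources": sorted(indicators[key]["sources"])})
    return hits


if __name__ == "__main__":
    merged = merge(normalize_feed_a(FEED_A_CSV), normalize_feed_b(FEED_B_JSON))
    fresh = prune_stale(merged, date(2015, 4, 23), max_age_days=30)
    for hit in retrospective_matches(fresh, HISTORY):
        print(hit["indicator"], hit["sources"], "->", hit["line"])
```

The merge step is where the "cast a wide net" advice becomes safe: an indicator seen by both constructed feeds carries both source names, so an analyst reviewing a historical hit can weigh corroboration instead of treating every feed entry as equally trustworthy. The pruning step applies the shelf-life point before the historical search, and the search itself returns context for an investigation rather than firing an alert.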