Commercial threat intelligence proves invaluable for the public sector.
Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer at N2K and the chief analyst and senior fellow at the CyberWire, an N2K brand. And today's episode is called Commercial Cyber Threat Intelligence. A program note, each "CyberWire-X" special features two segments. In the first part, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, LookingGlass Cyber, a global leader in cybersecurity.
Rick Howard: In terms of cybersecurity first principles, I've made the case in my career that in order to reduce the probability of material impact due to a cyber event, there are a handful of strategies that will have the greatest impact - zero trust, resilience, automation and intrusion kill chain prevention. That last one is the strategy that applies to this show. Intrusion kill chain prevention is the notion that network defenders should not simply block the one-off tools that hackers use to compromise their digital victims without any relation to the overall plan. We should instead be trying to prevent the entire plan.
Rick Howard: We know from experience that when cyber adversaries attack their victims, they don't simply do one thing. They have to accomplish a series of things to achieve their goals. Call it their attack sequence. And according to the famous Lockheed Martin kill chain paper published in 2010, network defenders have opportunities to defeat the attack sequence at every stage of the attack campaign. But in order to do that, they need some kind of cyber threat intelligence capability dedicated to tracking adversary behavior across the intrusion kill chain, and developing and deploying prevention and detection controls for their own security stacks designed to defeat the campaign.
Rick Howard: The problem is that this is expensive. And unless you're a medium- to Fortune 500-size company, you probably don't have the resources in-house to do this alone. You likely will have to supplement this effort with a commercial cyber threat intelligence service. Wayne Moore is the chief information security officer for Simply Business, a small-sized business growing into a medium-sized business in terms of revenue. And he has just recently contracted a commercial threat intelligence service. I asked him what drove him to make that decision now.
Wayne Moore: We just adopted the MITRE ATT&CK framework a while ago now as part of how we design our defenses. Without a way to prioritize, if you're going to take all threat actors into account and you have to implement every possible defense in the MITRE ATT&CK framework, that is a heck of a lot of work and a lot to maintain. One of the reasons for getting some threat intelligence into the program was to be able to prioritize which of the threat actors most likely will be going for us in our industry or us specifically, and allow us to narrow down where we need to focus first.
Rick Howard: So I want you to explain what your business is. What do you guys do? You're in the financial sector, right?
Wayne Moore: That's right. So we are in the business insurance sector. But we focus on the micro-businesses, so ranging from, you know, small corner shops to IT contractors, to landlords. That kind of thing.
Rick Howard: What do you think your most likely threat is? Is it, you know, nation state? Is it criminals? Is it - what do you guys worry about?
Wayne Moore: It's mostly cybercrime. And we're talking largely ransomware gangs. We're talking out of the, you know, the main areas where those gangs operate. So that's probably, you know, besides the script kiddies and, you know - there's not much hacktivism focused on us. But it's largely that cybercrime group, the ones looking to get, you know, payment data or customer credentials or access to cloud services to exploit, you know, those resources - those types of actors, largely cybercrime.
Rick Howard: And it's twofold for you because you have customers that you service in the financial sector. But also, those same cybercriminals could come after your organization specifically. So it's kind of a twofold thing, right?
Wayne Moore: Absolutely. Yeah. So it's - you know, that's why when we're looking at the reason for bringing threat intelligence on board is that, obviously, there's some free resources in that out there that we can kind of use to say, OK, well, we know that these - you know, that these types of actors attack the insurance industry, as an example. But the threat intelligence - the commercial threat intelligence allows us to hone that even further, to say, OK, well, you know, there's also these threat actors that are likely to target you. And we've seen that perhaps because there's some chatter on the dark web or something like that. So it gives us - you know, it gives us a bit more targeted intelligence to design our defense program around.
Rick Howard: So you guys just recently brought on board a commercial cyber threat intelligence group. What services are you paying them for? Are they doing that dark web kind of recon for you? Or are they providing tactics, techniques and procedures across the kill chain? What exactly are they doing for you?
Wayne Moore: Yeah, exactly - a few things, actually. So definitely, one is around the threat actor stuff, so TTPs, you know, what sort of intruding we expect from them, their motives, intent, that kind of thing. Dark web monitoring is another one. So anything - any stuff on the forums, data leaks or, you know, even password dumps and things like that, that perhaps have a link to some of our services and things, they're monitoring all that kind of stuff. You know, there's also takedown services. So anyone trying to impersonate or, you know, typosquat any of our domains, there's some takedown service options there. They provide a lot more than pure threat actor-related information. There's actually a lot of other services they tend to provide, including, like I said, the takedown services, but also brand monitoring, as well, on the dark web and executive monitoring. You know, so if people are setting up Twitter accounts or other social media accounts that are mimicking executives in the business, you kind of get visibility of that. So, you know, it starts to give us a nice component into a more exposure management program, which I think is something Gartner is pushing a bit termswise, but kind of managing that external exposure as well.
Rick Howard: I have a real love-hate relationship with brand monitoring services 'cause I used to run a commercial cyber intelligence group many years ago, and we had - we offered that as a service. And what typically happened was we'd find stuff in the first month - right? - and then that - for that customer. And that customer cleaned their act up, and then we'd never find anything again. So when it came time for renewals - right? - they said, well, this isn't very useful.
Rick Howard: So good luck with that service, though.
Wayne Moore: Yes. Well, it's - yeah, exactly. Well, it's early days for us, so that might actually - it may end up being the case for us, we don't know. Because it was - you know, there was a flurry of activity in the start, for sure.
Rick Howard: In order to be able to use a commercial cyber threat intelligence group - OK? - you have to have somebody on your organization - a team or a person, somebody - who has to receive that information and make something useful. How do you guys do it at your place?
Wayne Moore: So initially, all that information has been going into our SOC. But we have, since onboarding our commercial threat intelligence provider, we have dedicated one person in the SOC, kind of carved them out to focus on the program, you know? How do we best set up - set ourselves up to make best use of threat intelligence? Where is it going to be integrated? What are the response processes around alerts that perhaps come out of their investigation processes? You know, also using that data to create, you know, reports on information we may need for planning or strategy or things like that. So that's what we've done. We've kind of - we've started to carve out some dedicated capacity within our SOC to look into how best to leverage threat intelligence.
Rick Howard: So you're just beginning down the path, dedicating one person. And as your team grows and matures, there might be more. One of the things you - that kind of piqued my interest there, Wayne, was I've always said - I've been doing cyber intelligence for a long time - the difference between a journalist and a cyber intelligence analyst is the analyst has to go the one step closer and make recommendations about what to do with the information. You know, if you don't help leaders make decisions with that information, then you're just reporting the news, right? So have you thought about it in that way, that we should be looking - we should be able to make some decisions based on the intelligence coming in?
Wayne Moore: Yes, absolutely. So the person that is really dedicated has started to look at things like intelligence requirements or priority intelligence requirements - you know, the IRs, the PIRs, those kinds of things. In some cases, you know, being able - one might be - identify the threat actors with a motive to target us, as an example. You know, that's a kind of a common one.
Rick Howard: There's this lexicon in cyber intelligence - in intelligence in general. We call them IRs and PIRs and CIRs. How do you define them in your organization?
Wayne Moore: OK, yeah. So we've got intelligence requirements, priority intelligence requirements, PIRs, and then specific intelligence requirements. Now, again, this is still in active development, but how we describe sort of the intelligence requirements is these are for - more requirements for the general threat environment. You know, that's like, what are the threat actors likely to target, et cetera? And the priority intelligence requirements - these are the most - these are most critical to be answered for the organization, such as more detailed and operationally focused and aligned to the IRs. They typically are general statements or questions that intelligence can answer, things like, what types of adversaries have historically expressed an interest in our business, or what are the emerging threats to our industry and industry peers? You know, that kind of information will be useful for especially emerging stuff - really helps with strategy and budgeting as well, things like that.
Rick Howard: So that lexicon comes out of the military. It came out of World War II when military leaders asked their intelligence folks, you know, what the hell did they do during the war? And they came up with this CIR, PIR, IR thing - right? - to describe what they did. And so CIRs, in the military, are command information requirements, right? And those things don't change that often. You know, they're big-picture things like, how long would it take me to get to Berlin during World War II? For a commercial organization, these would be your ideas about what intelligence you need to gather - right? - and make decisions on, or even better, would be coming from the CEO, right? What is the CEO worried about? You update those once a year. They're kind of general purpose things. And then the PIRs, the priority information requirements, they're kind of breaking the big CIRs into smaller pieces, smaller digestible pieces. What do I need to know to answer the boss's first question? Just problem solving, basically. That's how we get that lexicon. So I'm glad to see that you guys are pursuing that.
Rick Howard: If you have an intelligence program that you use to support your internal intrusion kill chain strategy, the other thing you can do is share that intelligence with peers in some sort of ISAC or ISAO. U.S. President Clinton established the first ISACs, information sharing and analysis centers, back in 1999 for officially designated critical infrastructure verticals like finance, communications, health care, et cetera. In 2015, U.S. President Obama established the first ISAOs, information sharing and analysis organizations to encourage intelligence sharing for everybody else. Steve Winterfeld is the Akamai Advisory CISO and a regular visitor here at the CyberWire's Hash Table. Here's what he had to say about the value of sharing organizations like ISACs and ISAOs.
Steve Winterfeld: The value of an ISAC is twofold. One, it gives you a chance to talk to your peers in a way that you can take the lawyers out of the loop. I would go into FS-ISAC and be able to trade information and talk about proprietary things because, again, security is not the competitive advantage. Taking care of customers is the most important thing, and we compete in other ways. And so I think there's a huge advantage in how you can communicate in a collaborative way.
Wayne Moore: We've been a member of the ISAC for a couple of years now, I would say. You know, we've gotten on a few calls and things with people and attended some of the events and things that are there to - more in a consumption manner than contribution. And the hope is that now that we start to develop our capability, we'll be able to share a bit more.
Rick Howard: So you were just down this road. Any words of wisdom for other folks that are considering this option, this bringing in commercial cyber intelligence?
Wayne Moore: I think more general-purpose advice - well, at least one of them - general-purpose advice for anything before adopting a vendor is I personally like to get the process right. You know, think about how are - you know, what is it you're trying to achieve, what outcomes are you expecting, what would that process look like? And then find the vendor or the tool that fits that. I think there's a tendency to, right, let's bring a tool in, and then we'll build ourselves around that. And I think the problem then is you haven't necessarily thought of the full scope of what it - of the problem you're trying to solve, you know? That is something we did set out to think - we did think about a bit more about, what is the - what is it - what is - what are the outcomes we expect from bringing in threat intelligence? How are we going to use it? And then we went out and found the right vendor for that.
Rick Howard: That's perfect. The other kind of iconography in the threat intelligence space is the threat lifecycle, the intelligence lifecycle. Basically what it is, is you get CIRs from the boss and then the intelligence team says, OK, what do I really need to answer to answer those big questions? And then the very next question you have to ask is, do I have that intelligence coming into my organization? If I do, then I can answer the questions. If I don't, then I need to go get that intelligence somehow, either open source or talking to your buddy with an ISAC, or you go buy a commercial intelligence group. So and then what you said is absolutely correct, I think, is we have very specific requirements and then we need to see if the commercial vendor can actually meet those requirements so I can answer the boss's question. You know, in a perfect world - right? - that's how it should be done. But it's not always a perfect world, is it, Wayne?
Wayne Moore: No, no, no. I just know from experience. I've been down that road too many times. Bring in the vendor, then work out the process, and it tends to be - you end up having to do a lot of rework that way because you haven't really thought about what it is you need. You just think that this thing is going to solve...
Rick Howard: Yeah, what you really need.
Wayne Moore: ...Your problems. Yeah. Yeah.
Rick Howard: Yeah, that's exactly right.
Wayne Moore: But the other thing I would say about this stuff, Rick, is that, you know, from an information-sharing perspective, which is what the FS-ISACs are all about, is that it's something that I think is we're getting that the industry, you know, as in cybersecurity and security in organization things, are getting better at sharing. But we've always been a bit hesitant, I think, in many ways, to share information. And the problem with that is we all know that the - our adversaries are all sharing information, right? That's - it's just natural for them to do all of that. And there's power that comes with that. And if we don't start doing that, if we don't - it's going to be very, very hard for us to counter that level of sophistication if we don't find a better way of sharing with each other.
Rick Howard: I think it's a mindset change, right? Because I've - you know, I've been involved in various sharing organizations in my career. The one argument that gets people over the hump is when you explain it like this - we are not sharing intelligence on how we were hacked or how our customers were hacked or customer PII. That's not what we're sharing. The thing that's valuable to share is tactics, techniques and procedures that the adversary uses against other organizations, because that's the thing that's valuable. That's the thing that if it happens to Joe down the road, and he shares it with me, that means I'm protected from that same adversary that went after him. And when you can have that kind of conversation, then it makes it easier to share that kind of intelligence. Are those the conversations you had when you brought those guys in?
Wayne Moore: Yes, that's right. And, you know, your - I love the way that you've framed that. I think if you presented it in that way, it's much more acceptable. But, yes, that is the approach that...
Rick Howard: Yeah, palatable.
Wayne Moore: Yeah, palatable, that's a good way.
Rick Howard: Excellent. So any last words, Wayne, or did we cover it all?
Wayne Moore: There's this typical adage, which I've always been quite uncomfortable with that I've heard, and it's just like, well, let's just make ourselves more secure than our neighbor. You know, a bit like if we've got the alarm system on our house and our neighbor doesn't, then they'll just go after the neighbor. Now, OK, I get that. But it just doesn't sit well with me. Like, you know, if that's the attitude we take...
Rick Howard: Right.
Wayne Moore: ...To say, let's just be more secure than our neighbors, and they get attacked. We still lose in the end in that way, right? Because we're linked in some way. We all need to work on this together (laughter).
Rick Howard: I'm so glad that you said that, right? Because most people say what you - what they - you know, what you just described, right? We just need to be better than neighbors. So it's only about me.
Wayne Moore: Yes, yes.
Rick Howard: All right? That's it. I don't want to protect anybody else, when we all know it's an ecosystem, right? So and especially in the various verticals. If one vertical gets hammered, if one customer in a vertical gets hammered, then the other one's experience - customers lose...
Wayne Moore: Faith.
Rick Howard: ...Respect for the vertical, right? And yeah, all that stuff. So it has that combination. I'm so glad (laughter).
Wayne Moore: Exactly. It just doesn't feel right, you know, when you say, OK, well, forget the neighbor. As long as we're secure...
Rick Howard: Yeah, no.
Wayne Moore: ...That's fine. You know, it's like, no, no, no.
Rick Howard: That's right.
Wayne Moore: That's our neighbor.
Rick Howard: Next up is my colleague Dave Bittner's conversation with Bryan Ware, the CEO at LookingGlass Cyber.
Bryan Ware: The word threat intelligence, when people use it in the cyber context, generally means fairly specific tactical indicators, understanding if this is a suspicious IP address or domain or something along those lines. But in the spirit of your question, I think it's a much bigger concept than that. Intelligence is - should be an exquisite asset not available to everyone that enables the consumers of it to make better business decisions, strategic decisions and mission decisions, right? And so intelligence has to give you an advantage. And I think the only way that you get an advantage from intelligence, from threat intelligence or any other kind of intelligence is if it's unique and specific to you and what you're trying to do. And if it's not all that specific and it's not all that useful and it's not all that unique, it's probably not actually intelligence.
Dave Bittner: And so where do we find ourselves today when it comes to, you know, the spectrum of threat intelligence offerings that are out there?
Bryan Ware: I think that, truthfully, most intelligence offerings are just data - sometimes commodity data, but just data. And if it's something that can be seen from the internet, then that generally means that almost anyone with the right machinery can see it from the internet. I'd say that kind of the state of cyber visibility is such that, you know, most tools don't provide you with quite the intelligence that you need. And so there's value in data lookups. But I think what's being missed is the opportunity to really make that data - transform that data into unique insights and into intelligence. And we really don't see a lot of that in - certainly not in the product ecosystem, the traditional cyber threat intelligence product ecosystem, but even, maybe more broadly, in just the practice of the industry today.
Dave Bittner: So when we think about the public sector, what has their history been in terms of interacting or consuming or generating even their own threat intelligence?
Bryan Ware: Yeah. I think, mostly, the government doesn't generate a whole lot of their own threat intelligence - the public sector. I'd say that they generally - you know, probably the most common use case - and I wish I had statistics on this. It seems like a good research project. But the most common use case is, you're sitting in your security operations center. There's something that's unusual is happening for some reason. It's an unusual IP address or an unusual domain. And you use your threat intelligence tools to kind of see what other information you can find on that IP address or that domain. And that's a very common use case of our products and our users. But I'd say that, as important as that is and as necessary as that is, you know, even as I describe that, it's kind of transactional. It's very human intensive. It's reactive. It's on a kind of a point-to-point basis. And so, you know, I believe that there are significant opportunities, you know, ahead for really building on - certainly building on that same kind of data, but assembling that data in different ways to really produce intelligence.
Dave Bittner: You mentioned it being reactive. Can you kind of flesh out for us the difference between a proactive versus a reactive use of something like threat intelligence?
Bryan Ware: Yeah. I think that, you know, reactive really means something is already happening, right? And you're just trying to figure out how suspicious, how concerning or not concerning that may be. And again, in general, we see a lot of these cases where some security system has flagged something as potentially suspicious or new or novel. Typically, a user is then responding, an analyst is responding to that and doing a lookup, so inherently reactive because something has already happened. I think that there are more proactive ways to use that same exact data. One of those is just by working to take that human user out of the loop and build machine-to-machine connections so that, even though it's still reactive, it's reactive in milliseconds and not, you know, minutes or days. And so you've got an endpoint sensor of some sort that sees that suspicious IP, issues an API call to a threat intelligence service, gets back a risk score. We call them TIC scores on our platform. That's our kind of proprietary score. And then, based on that score, automating an action. So that's kind of moving - that's collapsing the timeline - still, you know, fairly reactive, but reactive in milliseconds.
Bryan Ware: And then, of course, more proactive is using intelligence to see how your organization looks from the internet - and said differently, how it would look to an adversary - how you present to that adversary, what vulnerabilities you have to prioritize so that you can close those vulnerabilities. And of course, one of the ways to prioritize those vulnerabilities is not only seeing them, which can be hard, and seeing them from the way that adversaries see them, which is even harder. But, you know, one of the things that we're able to provide is intelligence on what adversaries are doing, what kinds of companies they're targeting, what kinds of TTPs they're using. And so I think the more proactive, more strategic is trying to close the gap between your defensive posture and the myriad adversaries' offensive postures, trying to get ahead of where they're likely to go.
Bryan Ware: And the only reason I say this - if you go all the way back to what we were talking about with, like, what is intelligence, really? - the state of the world is that there are way too many vulnerabilities in software and in networks to patch all of them, certainly to patch all of them in the most timely manner. And new vulnerabilities pop up all the time. There are just too many of them to patch. And there's consequences or impacts, business impacts, of patching. And so what intelligence can provide is a way to prioritize the things that you're going to patch first because they're critical vulnerabilities that are being exploited that you have connected to the internet and that adversaries seek to exploit right now against companies like yours. Like, that's a proactive and intelligence-driven prioritization in this case.
Dave Bittner: What about the things that you might not know that you don't know? I remember having a conversation once with a security person at a food processing company, and he was saying that one of the things that he relies on threat intelligence for is to know if maybe there's conversations going on out there about protests. You know, not a technical thing, but those are dots that you need to connect.
Bryan Ware: We see a lot of this in practice, in maybe a couple of different kinds of things that you don't know. You know, there's a fairly mature set of cybersecurity tools to help manage your assets, identify the assets that you have, and fairly mature set of tools to scan those for vulnerabilities to help manage your vulnerability management process of, you know, patching those, remediating them. But what we're seeing in 100% of our hands-on customer cases is that there are internet visible assets that the organization did not know that they had. They - the engineering team spun up a subdomain to test out some new software and didn't implement good security controls, or there's an exchange server that got left behind from a merger and acquisition, you know, that happened six months ago and it's still out there, but it has valid credentials. Or a VoIP system, a phone system that you're using, and that VoIP provider also has some vulnerabilities, and your subdomains and access and credentials into your system. Those kinds of unknowns are real risks to you that are not visible in traditional tools. They're not visible when you take a network-centric, you know, what's on my network view. There - you have to take a view from the internet and gleaning intelligence from those is incredibly important. And I think, in the spirit of your question, has to be proactive.
Bryan Ware: And then also, like, just kind of following on the conversation you had with this guy from the food industry, we monitor dark web forums, which oftentimes are the very earliest indicator of targeting because we will see adversaries seeking to buy compromised credentials for specific types of companies or even very specific companies and government agencies. So they're looking for - do you have credentials? Do you have an access? Do you have some infrastructure that they can leverage to accomplish whatever their objectives are? And, of course, we see them for sale there, as well. And so if you're on that defensive side, you're protecting your business, that earliest signal of your company or your sector is being mentioned in these forums that are seeking to sell or gain access for some future exploit, that's just invaluable information to kind of get ahead of, you know, the risk that's coming your way.
Dave Bittner: When we talk about, you know, teaming up the public and private sectors here, how much of this is an issue of being nimble? I mean, I would imagine that an organization like yours can operate - pivot more quickly than a big government agency.
Bryan Ware: Well, having spent some time in government, nimble and agile are not words that we usually describe government operations with. They're big, which oftentimes is important, with a tremendous amount of resources and knowledge and capabilities, but not necessarily the most agile and nimble. And you're right. I mean, one of the advantages of being a commercial entity, a private sector entity, and, in our case, a small business that is focused exclusively on intelligence - and I think that's important in the sense that this isn't just another thing that we do when our main product might be providing some IT service and we happen to collect a lot of threat intelligence that we can also sell. We are very, very focused exclusively on the state of the internet, the vulnerabilities that are present and then the intentions of actors and adversaries. And we are constantly seeking those things out.
Bryan Ware: But also to your point, we're reacting to them as quickly as we can. And so from the engineering all the way up through analysis, engineering is, how fast can I see everything that's on the internet? How current can I see, you know, what's taking place? That guides the way that we collect data and organize data and develop machine learning to find changes and anomalies and interesting developments. And then, of course, our analytical teams are starting, oftentimes, with hypothesis or standing questions from customers and kind of seeking things proactively that, you know, that would be of interest and concern and leveraging the tools that we provide. And so that - you know, adversaries generally - the offense generally moves faster than the defense anyway. And so this idea of agility is essential when, you know, they've got many, many things that they can target with fairly low expense and very high speed. And so we supporting, you know, defensive operations have to try to match their time and, you know, their time advantages as closely as we can to keep them from being able to accomplish their objectives.
Rick Howard: We'd like to thank Bryan Ware, the CEO at LookingGlass Cyber, Wayne Moore, the CISO at Simply Business, and Steve Winterfeld, the advisory CISO at Akamai, for helping us get some clarity about the value of threat intelligence. And we'd like to thank LookingGlass for sponsoring our show. CyberWire-X is a production of the CyberWire. It is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague Dave Bittner, this is Rick Howard signing off. Thanks for listening.